ICYMI: 'Banksy' sketches GCHQ, Heartbleed rumours & cloud confusion

As another week in information security zips by, we look at the top stories in our weekly In Case You Missed It (ICYMI) column.

ICYMI: 'Banksy' sketches GCHQ, Heartbleed rumours & cloud confusion
ICYMI: 'Banksy' sketches GCHQ, Heartbleed rumours & cloud confusion

Banksy: Full-time artist, part-time activist

Undercover graffiti artist Banksy's work has often been controversial so when an artwork appeared on the side of a house in Cheltenham – some three miles from the GCHQ's HQ – in typical Banksy style and showing three men wearing sunglasses and using listening devices to “snoop” on a telephone box, it was assumed to be his work. 

The artist has not yet claimed the work, although the design is strikingly similar earlier works. The picture though is further evidence that government surveillance has become a national issue. 

NSA knocks back Heartbleed rumours

The reports on Heartbleed keep flowing, with UK website Mumsnet and the Canadian Tax office the first in the public eye to be affected by the Open SSL vulnerability - an implementation bug on the heartbeat extension (RFC 6520), affecting OpenSSL versions 1.0.1 through 1.0.1f. The bug can allow hackers to access the memory of a system over the Internet, and steal information like private encryption keys, passwords and content.

More recently, it's been claimed that it can be used to identify Tor users or even slow down the Internet, and that 95 percent of the detection tools are inadequate in picking up on the vulnerability. The NSA, meanwhile, has been forced to deny reports that it knew about the Heartbleed flaw for two years. 

Meanwhile, some thousands of miles away in Moscow, former CIA contractor Edward Snowden – the man who leaked the first documents on NSA surveillance - was interviewing Russian president Vladimir Putin. 

He asked: “I've seen little public discussion of Russia's own involvement in the policies of mass surveillance," he said. "So I'd like to ask you: Does Russia intercept, store or analyse, in any way, the communications of millions of individuals?"

Putin, of course, denied any involvement and while some will applaud Snowden for his line of questioning, the sceptics are likely to point to bias – he is, after all, currently living in asylum in the country. 

Google to protect Android apps from malware

Malware authors are increasingly turning their gaze to mobile platforms and no more so than Google's Android. Indeed, a report from Arxan Technologies indicates that 100 percent of the top paid Android apps have been compromised.

But the search giant is at least making strides in hardening these apps, announcing recently that it is expanding its app verification service to monitor all apps on the users' devices – including those downloaded from Google Play.

Previously, the firm only scanned apps from third-party stores upon installation, but now Verify Apps will check every app before its installed. It will also regularly check apps to ensure they are “behaving in a safe manner.”

This is good news for Android in its quest to battle iOS, and for businesses embracing the open-source operating system on a BYOD basis. 

Cloud report reveals management chaos

SCMagazineUK.com met with Skyhigh Networks recently to discuss its latest report on cloud adoption in Europe, and it made for an eye-opening read – not least if you're a CISO or CSO charged with managing this chaos.

The report revealed – among other things – that the average European organisation had 588 cloud services in operation, while founder Rajiv Gupta and EMEA director Charlie Howe told SC that one unidentified bank CISO was running 966 services, of which only 46 were approved.

Other interesting findings from the study: employees need educating on data protection and privacy laws, and petabytes of data still stored in US data centres despite the Snowden revelations on NSA surveillance (72 percent of cloud services used in Europe store data in US). There's a lot of concern too around cloud security, with 12 percent encrypting data at rest, 21 percent providing MFM and 5 percent being ISO 27001 certified.

Start of Bring Your Own Security?

As ZDNet reports, Apple, Samsung, Google, Microsoft and Samsung are just some of the tech vendors that are pushing for an anti-theft smartphone kill switch to  be implemented on newer devices.

This would see anti-theft tools included for free on devices, and would allow contacts, emails, images and personal data to be wiped remotely. 

There have of course been numerous attempts already to secure devices from theft, from Find My iPhone/iPad on iOS 7 to Android Device Manager, and this is perhaps the next sign that end-users, including employees, themselves should be controlling their security.

Money, Money, Money

Slowly but surely business leaders are getting the message; you need to splash the cash on cyber security if you're to avoid even bigger financial losses from data breaches and jurisdiction fines. 

The US Federal Emergency Management Agency (FEMA) has just awarded an £476,000, three-year grant to a trio of American universities that will combine their efforts to help US states and communities to prepare against cyber attacks (via Digital Trends), while  JPMorgan is reportedly spending £150 million on cyber security (via Computerworld). 

This follows a report from Trustwave revealing that cyber security is now mentioned in 6 in 10 FTSE 100 company reports. 

Biometrics: New playground for hackers, government agencies

First the iPhone 5's touch sensor was hacked, now Samsung's new Galaxy S5 has suffered the same fate. Earlier this week, German researchers revealed that they were able to spoof the system by photographing a fingerprint on a smartphone screen (ironically using an iPhone) and then developing an etched PCB image.

From there, the researchers at Security Research Labs were able to create a mould of the fingerprint, swipe it across the sensor and fool it into thinking it's the real thing. And since the Android PayPal app allows for this as an authentication method, hackers could then access digital payments. 

In related news, the Electronic Frontier Foundation have complained – after submitting an FOI act – of FBI rolling out a plan to store biometric (facial, iris, palm and fingerprint) templates on at least a third of all American citizens.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US