Cloud Security, Weak Passwords, Data Breach Law Lead Week's Security News
A recap of the past week's IT security news includes a cloud security announcement from VMware, a worm exploiting weak passwords and California's data breach law.
Cloud security news was prominent at the VMworld user show in Las Vegas the week of Aug. 29 where Symantec and VMware announced a desktop-as-a-service offering, which would allow IT departments to integrate security protections integrated into their virtualized environments from the start.
Juniper also added antivirus capabilities to its virtual gateway platform, transforming the Web gateway into an integrated unified threat management system.
Windows administrators around the world were reminded again that there was no need for malware authors to come up with sophisticated malware targeting exotic and unknown server and network vulnerabilities. Not when so many critical servers were protected with ludicrously simple passwords.
Microsoft warned of a "Morto" worm which attacked Windows servers over the Remote Desktop Protocol. Instead of violating any vulnerability, the worm had a list of about 30 passwords that it systematically tried to break into the Administrator account. If the requests for help on the Windows Help forums were any indication, quite a few of the administrators had laughable passwords such as "letmein" and "pass123."
To foil brute-force password attempts, Confident Technologies rolled out a "Kill Switch" to its image-based authentication platform. The KillSwitch would automatically alert administrators if an attacker failed to enter the correct sequence of images or used a "banned" image.
SQL injection attacks continue to wreak havoc around the world, as unknown attackers exposed developer information from the Nokia forums Website. Nokia shut down the site as it investigated the incident and cleaned up.
As for data breaches, California has updated its pioneering data breach notification law with stronger provisions. Organizations are now required to file a notice with the state attorney general's office if a breach affects more than 500 California residents. This will make it harder for organizations to avoid disclosing "small" incidents.
The new law also outlined the information organizations must include in the breach notification law, including details of the attack, what exactly was stolen and when it happened. California led the way in having a breach notification law, it's expected other states will follow suit, unless the federal government passes a national breach notification law first.
Reviving worries about the SSL certificates and the Certificate Authority system that the entire Internet relies on, an Iranian user posted on Google Help forums asking about a fraudulent SSL certificate that his Chrome Web browser detected and blocked. After some investigation, it turned out that a certificate authority in the Netherlands, DigiNotar, had been compromised in July, and fake SSL certificates had been issued.
While the incident was reminiscent of the Comodo compromise earlier this year, DigiNotar worried security professionals when it admitted it didn't actually know how many fake certificates had been issued. Google, Microsoft and Mozilla has blocked all DigiNotar certificates outright in their respective Web browsers. This has some serious repercussions on all the businesses in the Netherlands and the Dutch government, who used DigiNotar to sign their certificates for their Websites.
Considering all the warnings about making sure all the endpoints are running up-to-date security protection software, vendors also rolled out new updates to their security suites. Trend Micro released its Deep Security 8 platform and AVG launched its Internet Security 2012 suite.
In what's looking more like a publicity stunt than anything else, rumors are circulating that Apple lost an iPhone 5 prototype in a San Francisco bar. There are reports that Apple never reported the supposed loss to the police, so it's a mystery as to what actually happened. If true this would be the second time that some klutzy Apple employee lost an iPhone prototype in a Silicon Valley region watering hole. The same thing happened to an iPhone 4 prototype in April 2010.