Google, Adobe, Citi, RSA Lead Week's Security News
RSA Security made waves this week when it offered to replace SecurID tokens for a certain subset of its customers in the wake of the March data breach where attackers apparently stole intellectual property relating to the company's two-factor authentication technology.
It claimed that attackers were interested in only a certain segment of the industry, so only those companies would qualify for the replacement.
RSA admitted that defense contractor Lockheed Martin was attacked using the stolen information from March. The problem is, the company still wouldn't admit what was stolen, so customers are still left unsure of how protected they are.
LulzSec and other hacking groups continued to have fun, breaching various Sony sites, but LulzSec expanded its focus to other sites as well, including Nintendo and a security organization with ties to the United States Federal Bureau of Investigation.
Against the backdrop of all these minor data breaches, financial giant Citigroup sent shockwaves through the banking industry when it disclosed that cyber-criminals had breached its customer Web portal in May and compromised sensitive data belonging to about 210,000 customers. While credit card numbers were exposed, the expiration dates and security codes were not. That breach wasn't for fun, or 'lulz.'
Technology professionals around the country descended on New York City for Cloud Expo this week, and many of them were focused on security. As more organizations move their services and applications to the cloud, they are becoming increasingly worried about cloud security issues. That worry is all the more evident as researchers uncover actual systems in Amazon Web Services serving up banking malware and people wonder how secure Google Wallet really is.
Google continued investigating the attack on Gmail, alleged to have originated in China. Needless to say, China vehemently denied all allegations. In more positive security news, Google shelled out nearly $10,000 to developers through its bug bounty program for Google Chrome.
Oracle pushed out a fairly large update for Java 6, addressing 17 vulnerabilities. They were all rated critical as attackers could exploit them to remotely execute code, the company said. The size of the update prompted many security researchers to start wondering whether most end-users even needed Java, especially considering most Websites nowadays use Flash to play video.
Not that Flash is any more secure, considering Adobe keeps having to issue out-of-band updates to close zero-day vulnerabilities. The latest one allowed attackers to inject code into the user's browser, such as in the settings of the victim's Webmail accounts. An exploit in the wild was using this vulnerability to compromise user email accounts without even needing a password.
Next week, Microsoft will roll out 16 security bulletins for June's Patch Tuesday, but address "only" 34 vulnerabilities. While not as monstrous as April, which had 64, the update is still expected to be pretty extensive, addressing flaws in Microsoft Excel, all versions of Windows and all supported versions of Internet Explorer, from IE 6 to IE 9.
On the same day, Adobe is also expected to release its scheduled quarterly updates for Acrobat and Reader.