SPOTLIGHT ON SECURITY

Web-Surfing Adults More Infection-Prone Than Teens

American teens spend a lot more time online than older Web surfers, yet it doesn’t seem to increase their vulnerability to malicious activity.

Teens last year spent a little more than four hours a day on the Net, while adults in the 50-to-64 age bracket burned two hours, 41 minutes online daily, MarketingCharts found.

Those numbers piqued the interest of Enigma Software, which makes an antimalware program called “SpyHunter.” Since teens were spending more time online, they should have been exposing themselves to threats more often and been more likely to come into contact with Internet nasties. What Enigma discovered, though, came as a surprise.

After analyzing more than 2 million infection reports — a Big Data exercise if there ever was one — Enigma found that Web surfers in the 50-64 year-old demographic had a 161 percent higher infection rate than their teen counterparts in the 13-17 age bracket.

Mobile Missing

Why the discrepancy? Older users typically have older computers with less-secure operating systems, according to Enigma. They fail to update drivers. They prefer PCs to Apple products, and they’re generally less aware of potential online scams or malicious links.

Infection rates were lower in cities with more youthful populations, Enigma also found. For example, the U.S. city with the highest median age, Scottsdale, Arizona, had infection rates 50 times higher than the city with the lowest median age, Eagle Mountain, Utah.

What’s missing in Enigma’s analysis, however, is how much of the time teens spend online each day is spent on a mobile device. That could significantly impact the probability of infection, since PCs are far more susceptible than smartphones or tablets.

Gmail Password Dump

Ordinarily the dumping of 5 million Gmail addresses and passwords on the Internet would produce a wail of doom. However, that wasn’t the case when it happened last week — largely because the data, although real, appeared to be recycled from past data breaches.

Nevertheless, the dump did offer an opportunity for the security community to sound its mantra about reusing passwords.

“As it becomes increasingly clear that the Gmail password dump is a non-event, it’s still a useful reminder of the benefits of segmentation,” Mike Lloyd, CTO of RedSeal Networks, told TechNewsWorld.

“When we take the easy path, such as using the same password everywhere we go, then the bad guys will respond to that, because we’ve also made it easy for them,” he said. “Attackers go for easy targets because it works.”

However, while stale data may not have the headline-grabbing power of fresh meat, bad habits can add value to the information in the dump, noted Ryan Wilk, director of customer success at NuData Security.

“Although there are reports that some of the leaked Google credentials are multiple years old, there is still a great threat to user account security,” he told TechNewsWorld.

“How many people are actually changing their password on a regular basis, [and at] how many other sites does a compromised user use the same password?” Wilk asked.

“Hackers will test the stolen credentials on websites where valuable information can be gleaned, like those of banks and other email service providers,” he added. “The risk to users who have had their information compromised goes far beyond their Google accounts.”

Dyre Consequences

Reports that a banking Trojan called “Dyre” had broadened its horizons and was targeting users of Salesforce.com began appearing last week.

Salesforce confirmed the campaign, but said “a very small number of customers” were affected by the malware.

While in the past Dyre has targeted banking credentials, it can clip credentials from any kind of website. Dyre’s diversification could have ugly consequences for cloud service providers like Salesforce.

“This type of attack could mean there might be a new trend on the horizon, one that goes after Software as a Service users,” Jerome Segura, senior security researcher with Malwarebytes, told TechNewsWorld.

As organizations feel more comfortable with the cloud, more and more of them are considering it in order to shed the hassle of running services in-house.

“Businesses increasingly rely on third-party software providers for their needs, because it can be a cheaper option without all the headaches of doing it yourself,” Segura said.

Trends like that aren’t ignored by cybercriminals.

“This is a natural transition for malware,” Patrick Thomas, a security consultant with Neohapsis, told TechNewsWorld.

“Often, compromising a computer is a means to an end — criminals really want the data that lives on them,” he said. “As individuals and companies move more of their data to the cloud, credentials to the critical cloud services we rely on become more valuable and more of a target.”

Banking credentials are still the bread-and-butter of the majority of cybercrooks because they can be immediately used.

However, “the data harvested from many SaaS applications also holds a tremendous value,” Segura noted, “for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business.”

Data Breach Diary

  • Sept. 8. Symantec reports phishing campaign powered by Kelihos botnet aimed at Apple users concerned about security in wake of iCloud celebrity hack earlier this month. Phishing mail claims to be from Apple and contains link to fake login page where credentials of a target can be stolen.
  • Sept. 9. Five million Gmail addresses and passwords posted to a bitcoin forum by hacker called “tvskit.” At least 60 percent of data is legitimate, say researchers at CSIS Security Group. The data is up to three years old, but less than 2 percent of the data could be used to access user accounts, Google said.
  • Sept. 9. Cisco reports malicious advertising campaign targeting Amazon, YouTube, Yahoo and other websites was redirecting victims to Web pages where malware was automatically downloaded to Windows and OS X computers.
  • Sept. 9. Apple introduces Apple Pay, which it says is a secure method for performing mobile payments from its new iPhone 6 and 6 Plus.
  • Sept. 9. Bartells Hotels, a chain in the San Diego area, reports payment card information of 43,000-55,000 guests may have been stolen in data breach that occurred Feb. 16 to May 13.
  • Sept. 10. BillGuard estimates Home Depot data breach will affect 60 million credit cards and result in US$2 billion to $3 billion in fraud.
  • Sept. 10. Kelsey O’Brien files a lawsuit and seeks class action status in action filed against Home Depot for failing to properly safeguard its customers’ data against hackers.
  • Sept. 11. Temple University reveals personal information of 3,780 patients is at risk after a desktop computer containing unencrypted data was stolen from the office of a physician affiliated with the institution in late July.

Upcoming Security Events

  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, California.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 18. Building Secure Web Applications. 2 p.m. ET. Black Hat Webcast. Free.
  • Sept. 18-19. National Security Summit. Omni Shoreham Hotel, Washington, D.C. Registration: $595, members; $695, non-members; $50, government, military; $195, student.
  • Sept. 18-20. Sixth International Conference on Digital Forensics & Cyber Crime. University of New Haven, New Haven, Connecticut. Registration: $669, member; $839, non-member; $369, student.
  • Sept. 22. Cyber Intelligence Europe 2014. Renaissance Brussels Hotel, Rue du Parnasse 15, 19, 1050 Brussels, Belgium. Registration: 600-850 euros, military and public sector; 1,200-1,700 euros, private sector.
  • Sept. 23. Linking Enterprise and Small Business Security to Shore up Cyber Risks in the Supply Chain. 11 a.m. ET. InformationWeek webinar. Free with registration.
  • Sept. 23-24. St. Louis SecureWorld. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: $695, two days; $545, one day.
  • Sept. 23-24. APWG eCrime Researchers Symposium. DoubleTree by Hilton Hotel Birmingham, 808 South 20th St., Birmingham, Alabama. Registration: before Sept. 2, $400; after Sept. 1, $500.
  • Sept. 26. B-Sides St. John’s. Uptown Kenmount Road, St. John’s, Newfoundland and Labrador. Free.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-$300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
  • Sept. 30. Can Your Website and Network Infrastructure Withstand Multi-vector Attacks? 1 p.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Oct. 1. Indianapolis SecureWorld. Sheraton Indianapolis at Keystone Crossing. Registration: $695, two days; $545, one day.
  • Oct. 3. B-Sides Portland. Refuge PDX, Portland, Oregon. Free.
  • Oct. 10-11. B-Sides Warsaw. Andersa 29, Warsaw, Poland. Free.
  • Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, the Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
  • Oct. 16. SecureWorld Denver. The Cable Center, Denver. Registration: $695, two days; $545, one day.
  • Oct. 18. B-Sides Raleigh. Raleighwood, Raleigh, North Carolina. Free.
  • Oct. 19-20. B-Sides Washington D.C. Washington Marriott Metro Center, Washington, D.C. Free.
  • Oct. 19-27. SANS Network Security 2014. Caesar’s Palace, Las Vegas, Nevada. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
  • Oct. 29-30. Security Industry Association: Securing New Ground. Millennium Broadway Hotel, New York City. Registration: before Oct. 4, $1,095-$1,395; after Oct. 3, $1,495-$1,895.
  • Oct. 29-30. Dallas SecureWorld. Plano Centre, 2000 East Spring Parkway, Plano, Texas. Registration: $695, two days; $545, one day.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
