Skype Takes Heat for Security - Both Too Little and Too Much
Skype had an on-and-off kind of week, fixing an embarrassing flaw in its password reset system and then being called too secure for many corporate networks because its encryption could allow company secrets to escape undetected. Then, it had to deal with a report that it had given out information on one of its users to a private investigator who simply asked for it.
11/19/12 7:00 AM PT
Microsoft had to temporarily disable Skype's password reset feature last week after a Russian hacker revealed a simple way to lock users out of their accounts.
All an attacker needed to know was an email address associated with an account in order to hijack it. That address could be used to create a new account, which could then be used to reset the password and lock out the original user.
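The account-linking flaw described above, modelled in a constructed Python example that is not Skype's code and does not reproduce its actual reset mechanics. The root cause modelled is a service that accepts an unverified claim to an email address, so a second account registered with someone else's address is treated as an owner of that address when a reset is requested; the hardened variant only links an address after a mailed token proves control of the mailbox and refuses a second account on an already verified address.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    password: str  # plaintext only to keep the model short
    email_verified: bool


class AccountStore:
    """Toy account service. require_verification=False mirrors the weak flow."""
    def __init__(self, require_verification: bool):
        self.require_verification = require_verification
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, str] = {}  # verification token -> username

    def register(self, username: str, email: str, password: str) -> str:
        # Hardened policy: an address already proven to belong to someone
        # cannot be attached to a second account.
        if self.require_verification and any(
            a.email == email and a.email_verified for a in self.accounts.values()
        ):
            raise ValueError("email already belongs to a verified account")
        # Weak policy: the bare claim of an address is accepted as ownership.
        verified = not self.require_verification
        self.accounts[username] = Account(username, email, password, verified)
        token = secrets.token_urlsafe(16)
        self.pending[token] = username
        return token  # a real service mails this to `email`; nobody else sees it

    def verify_email(self, token: str) -> None:
        # Presenting the token proves control of the mailbox.
        self.accounts[self.pending.pop(token)].email_verified = True

    def reset_password(self, email: str, new_password: str) -> list[str]:
        # Reset every account the service believes owns `email`. In the weak
        # flow that includes the newcomer's account AND the original user's,
        # which is how the original user gets locked out.
        owners = [a for a in self.accounts.values()
                  if a.email == email and a.email_verified]
        for a in owners:
            a.password = new_password
        return [a.username for a in owners]

    def authenticate(self, username: str, password: str) -> bool:
        a = self.accounts.get(username)
        return a is not None and secrets.compare_digest(a.password, password)
```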
Ironically, Skype's robust security features are one reason some organizations bar it from their networks, said Tom Nichols, vice president for corporate marketing for Endace. "Skype is a risk because it's deeply encrypted and it can be used to transfer information out of an organization without anybody knowing what's going on," he told TechNewsWorld.
Skype is one of many applications running on corporate networks in defiance of company security policies, a study by Endace released last week revealed. Of the more than 100 senior network IT professionals from Fortune 500 companies surveyed, 53 percent confessed that their employees use applications that violate corporate policies, the study found.
After Skype fixed its password problem, it found itself in a bad light again when it was reported that the company had handed over the user information of a Dutch teenager and fan of WikiLeaks to a Texas cyber intelligence firm that just asked for it.
Workers Resent BYOD Logging
Workers like using their own devices to increase their productivity at the office, but they don't like the security measures that need to be imposed on those devices to keep their company's data safe.
That was the finding of a study released last week by Blue Coat, a provider of mobile device security services.
Fewer than a quarter -- 24 percent -- of the respondents were willing to have their companies log their access to corporate data through their personal device.
Even fewer wanted their bosses logging the Web content they accessed with their personal devices (19 percent) or restricting the types of sites and content they accessed (12 percent).
However, more than half the respondents were willing to have corporate-sponsored malware protection on their personal gadgets (55 percent) and comply with passcode requirements (58 percent).
"Users are knowledgeable enough now to want to have malware protection," Sasi Murthy, Blue Coat senior director of product marketing, told TechNewsWorld. "The contention shows up when we start talking about logging their personal data or personal access to the Web and also restricting personal access to things."
Malware's Future Is Mobile
As the end of the year approaches, it's customary to look forward and muse on what the next 12 months will bring. For malware researchers, those next 12 months will be mobile.
"You're going to see a continued shift into mobile vulnerability research," Brian Gorenc, manager of HP Enterprise Security's DVLabs, told TechNewsWorld. "There are conferences around the world now completely focused on mobile."
Malware will also become more of a team sport in the coming months, he added. "In the past, malware was done by one person," he observed. "Now you have things like Stuxnet and Flame with full-fledged development teams behind them."
"You're going to see stronger development efforts put behind this stuff in the future and an increase in those types of malware families," he predicted.
Data Breach Diary
- Nov. 12: Blizzard, the creator of "World of Warcraft," is sued by two players who allege that the company has failed to take necessary measures to secure the private information of its customers. Blizzard counters that the lawsuit is without merit and contains patently false information.
- Nov. 13: The Chicago Board of Elections Commissioners acknowledges that a database containing the names, addresses, driver's license numbers and the last four digits of Social Security numbers of some 1,200 people who had applied to work at the city's polling places on election day was exposed online. Earlier in the day, a security firm, Forensicon, claimed the breach was much larger and that it affected 1.7 million registered voters.
- Nov. 13: A survey of UK companies by the Ponemon Institute and sponsored by Faronics revealed that 54 percent of the organizations polled had experienced at least one data breach in the last year and that 19 percent of them had experienced more than four break-ins during the period.
- Nov. 14: Adobe acknowledges that it is investigating a data breach on Nov. 13 by a hacker calling himself ViruS_HimA which may have exposed contact information for 150,000 employees and partners of the company.
- Nov. 14: South Carolina Gov. Nikki Haley announces she is ordering cabinet-wide cyber security measures to be put in place following a data breach in September in which hackers compromised 3.5 million Social Security numbers and information on 387,000 credit and debit card accounts. According to one estimate, the breach could cost South Carolina businesses as much as US$330 million.
- Nov. 15: NASA sends warning to all employees and contractors that their personal information may have been compromised when a laptop locked in an employee's car was stolen. The agency could not determine the magnitude of the breach at the time of the warning.
Upcoming Security Events
- Nov. 28-29: Smart Strategies for Secure Identity. Washington Convention Center, Washington, DC. Registration by Nov. 6: $1,080. By Nov. 27: $1,200.
- Nov. 28-29: Strategic Security Response Summit: The Detecting and Preventing Emerging Threats. Washington Convention Center, Washington, DC. Regular registration: $470. Government registration: $230.
- Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration is now open.
- Dec. 3-6: Black Hat Abu Dhabi 2012. Emirates Palace, United Arab Emirates. Registration by Dec. 2: $1,895. On-site registration: $2,595.
- Jan. 7-9: Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. Sponsored by Oxford Computer Group. Early registration: $450. Registration after Nov. 21: $650.