SPOTLIGHT ON SECURITY

Americans Distrust Tech Companies

The steady stream of reports on government surveillance of Americans has taken a toll on the image of high-tech companies, according to a Harris poll.

More than two-thirds of Americans (67 percent) feel technology companies violate their users’ trust by helping the government spy on its citizens, suggests the poll of 2,000 consumers, which was sponsored by ESET. Sixty percent of respondents said they were less trusting of those companies because of their involvement in government surveillance.

“Technology companies have something to be seriously concerned about,” ESET Security Evangelist Stephen Cobb told TechNewsWorld. “That’s going to be especially true for those selling into the IT infrastructure — people in switches and routers and cloud services. All of them will face a longer selling cycle.”

More than half of the participants in the survey (52 percent) said technology companies should cooperate in government surveillance efforts, with an even higher number of respondents (57 percent) believing surveillance helped prevent terrorism.

Nevertheless, four of every five respondents (81 percent) said new laws were needed to better regulate government surveillance.

Rich/Poor Privacy Gap

The surveillance stories appear to be having an impact on consumer behavior. About a quarter of the respondents (26 percent) said they had done less online shopping since hearing about government spying on the Net, and an equal number said they had done less online banking.

In addition, nearly half those surveyed (47 percent) noted they’d changed their online behavior in light of the surveillance stories. They reported thinking more carefully about where they go online and what they do and say there.

There’s some interesting subtext to that 47 percent.

“The 18-34 age group seemed to show the greatest sensitivity to the surveillance stories,” Cobb said. “You wonder if they feel more exposed or they’re just more savvy.”

Concern also appears to be related to household income.

“People with high levels of household income appear less concerned than those with lower levels,” Cobb noted. “There’s definitely considerable differences between rich people and poor people when it comes to privacy concerns. Generally, the higher your social status, the less you’re concerned about privacy.”

Better Android Apps

Mobile app developers have been severely criticized for being too cozy with marketers. That’s resulted in lots of software that takes liberties with a user’s personal information after being installed on a phone. Google is tightening up some of the more seamy practices by developers with some new guidelines.

For example, placing ads or links to ads in notifications will be frowned on by Google. Notifications also need to be related to the functionality of an app.

Having false or misleading info in any part of an app is forbidden.

Apps are also barred from making changes to a device’s settings without a user’s permission or encouraging a user to remove other apps from their device.

Exploitation of Play Store rankings also is prohibited.

“The changes really talk to the integrity of the applications themselves,” said Elias Manousos, founder and CEO of RiskIQ.

“They ensure that applications will meet a higher standard. It’s a step in the right direction to get rid of malicious behaviors,” he told TechNewsWorld.

APTs Become Common

The day when advanced attacks on an organization’s computer systems were rare appears to have passed, according to Websense’s 2014 threat report.

“Advanced attacks, including the subset of targeted attacks, are now not only the de facto style of attack, they’re happening with increasing frequency,” it notes.

“Frequently, these attacks can be simple attempts to get past an organization’s defenses. However, it’s important to note that simplicity can be deceptive, for it often hides a complex process that an attacker used to reach that stage,” the Websense report observes.

“Indeed, a highly sophisticated attacker in pursuit of a high-value target typically will continue to subtly evolve an attack across all seven stages of the kill chain until it hits pay dirt,” it says.

A prominent development during the year was the repurposing of the Zeus Trojan. Long associated with banking attacks, variations have broadened the malware’s horizons.

“When you look at the industries affected by Zeus, finance was No. 3 — services was No. 1; manufacturing, No. 2,” Charles Renert, vice president of security research at Websense, told TechNewsWorld.

“Some of these point-of-sales systems attacks that we’ve seen in the last few months were actually using Zeus variations,” he said. “They took the code and completely repurposed it for a point-of-sale attack.”

Breach Diary

  • March 30. Study by William Duckworth, of Creighton University, shows mandatory “kill switches” in cellphones could save consumers US$2.6 billion.
  • March 31. Symantec reports CryptoDefense ransomware earned $34,000 for its purveyors during its first month of operation.
  • March 31. NSS Labs releases test results on effectiveness of Web browsers in blocking socially engineered malware downloads. Microsoft Internet Explorer had best marks, blocking 99.9 percent of the SEM samples used in the test, followed by Liebao, a Chinese browser, which blocked 85.1 percent.
  • April 1. Reuters reports Trustmark National Bank and Green Bank have withdrawn their lawsuit against Target and Trustwave after Trustwave CEO states Target did not outsource its security to his company.
  • April 2. Stephen Gunn, 36, of Chicago, pleads guilty in federal court to stealing more than $1 million in iPhones and iPads from Verizon Wireless by compromising corporate purchasing accounts and bribing Federal Express drivers.
  • April 2. U.S. Government Accountability Office reports security incidents at federal agencies involving personally identifiable information more than doubled from 2009 to 2013, to 25,566 from 10,481.
  • April 2. Sens. Mark Warner, D-Va., and Mark Kirk, R-Ill., file bill to lower liability for fraudulent charges on a debit card to $50 from $500.
  • April 3. Reason-Rupe poll finds more Americans trust the IRS (35 percent) and NSA (18 percent) with their personal data than Google (10 percent) and Facebook (5 percent). However, when asked which were most likely to violate their privacy, the NSA (36 percent) and Facebook (26 percent) topped the responses, followed by the IRS (18 percent) and Google (12 percent).
  • April 3. Yahoo announces it has begun encrypting all data transmitted between its data centers and all search requests made from the Yahoo home page.
  • April 3. Reuters reports a number of state attorneys general have opened an investigation into a subsidiary of Experian, which may have compromised the Social Security numbers of some 200 million people.
  • April 3. Los Angeles County officials discover an additional 170,200 people whose personal information was compromised in computer theft in February from Sutherland Healthcare Solutions in Torrance, Calif. That brings total persons affected by the incident to 338,700.
  • April 4. U.S. Judicial Panel on Multidistrict Litigation orders 33 lawsuits against Target stemming from data breach last year to be consolidated in the retailer’s home state of Minnesota.

Upcoming Security Events

  • April 7-9. InfoSec Conference & Expo 2014. Disney’s Contemporary Resort, Orlando, Fla. World Pass, $3,795; World Pass with Hands-On Track, $3,995.
  • April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 8. Whistleblowing and Journalism: The Role of Watchdogs in the National Security Era. 6:30-8:15 p.m. PT. Annenberg Auditorium, University of Southern California, Los Angeles.
  • April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
  • April 8-9. Secureworld Expo. DoubleTree by Hilton Hotel Philadelphia, Valley Forge, Pa. Registration: Conference, $295; with training, $695; exhibits and free sessions, $25.
  • April 8. Impacts of Affordable Care Act on Patient Data. 2 p.m. ET. Ponemon Institute webinar. Free with registration.
  • April 11-12. Women in CyberSecurity Conference. Nashville Airport Marriott, 600 Marriott Drive, Nashville, Tenn. Registration: student, $40; academic faculty, $100; corporate, $250.
  • April 15-16. Secureworld Expo. Cobb Galleria Centre, Atlanta. Registration: Conference, $295; with training, $695; exhibits and free sessions, $25.
  • April 17-18. Suits and Spooks Monterey. Monterey Institute of International Studies. Irvine Auditorium. Registration: members, $323; non-members, $380; government, military and academics, $175.
  • April 26. BSides Chicago 2014. The Abbey Pub, 3420 W. Grace, Chicago. Free.
  • April 27-28. BSides Dubai 2014. Free.
  • April 29. BSides London 2014. Kensington & Chelsea Town Hall, Horton Street, London. Free.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 29-May 1. InfoSecurity Europe. Earl’s Court, London. Admission: Free.
  • April 30. Secureworld Expo. Hood Center, 452 South Anderson Rd., Rock Hill, SC. Registration: one day pass, $165; SecureWorld Plus, $545; VIP, $315; exhibits and open sessions, $25.
  • May 9-10. B-Sides Boston 2014. New England Research & Development Center, Kendall Square, Cambridge, Mass. Fee: $20.
  • May 9-10. B-Sides Algiers 2014. Ecole Nationale Supérieure d’Informatique, Oued Smar, Algiers. Free.
  • May 10. B-Sides San Antonio 2014. Texas A&M, San Antonio-Brooks City Base. Fee: $10.
  • May 17. B-Sides Nashville 2014. Lipscomb University Camps, Nashville, Tenn. Free.
  • May 17. B-Sides New Orleans 2014. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Fee: $10.
  • May 17. B-Sides Cincinnati 2014. Main Street Theater, Tangeman Hall, University of Cincinnati, Cincinnati. Free registration, pizza and beer.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI, Amsterdam. Registration: through Oct. 27, 1,095 euros plus VAT; after Oct. 27, 1,295 euros plus VAT.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
