SPOTLIGHT ON SECURITY

Biz Brass Kept in Dark About Breaches

With breaking news about data breaches a common occurrence, you’d think security threats to an organization’s data would be something CEOs and their management teams were kept in the know about. Apparently not.

Some 80 percent of IT pros in the United States and United Kingdom said they did not frequently communicate with executive management about potential cyberattacks to their organizations, in a survey conducted by the Ponemon Institute and released last week by Lancope, a network security company.

“I’m surprised CEOs are not being briefed more frequently about cybersecurity threats,” Lancope Security Research Director Tom Cross told TechNewsWorld.

“The results were worse than we expected,” he added.

One reason cyberthreat info may not be rising to the top of organizations is because those with knowledge of the threats fear the shoot-the-messenger syndrome.

“They’re afraid of bringing bad news to the leadership,” Cross said.

There are other consequences of bringing bad news to the brass.

“It means they would have to answer uncomfortable questions about why these things are occurring in the first place,” Cross noted.

IT Babel

On the other hand, information may not be percolating to the top of organizations because the top isn’t interested in it.

“Some executives aren’t necessarily interested in cyberthreat briefings because they don’t see those things as fundamental to their business,” Cross explained.

Security people can contribute to those executive attitudes by framing threat concerns in terms of malware and vulnerabilities instead of downtime and the hit to the bottom line.

“IT security folks are often speaking a different language than people speak in the boardroom,” Cross said.

Other findings in the study:

  • One month was the average time it took to investigate, restore service and verify the resolution of a security incident.
  • More than half (57 percent) the 674 IT pros who participated in the survey said they expected to experience a security breach in the next year.
  • Nearly half (47 percent) of the respondents said they did not assess the readiness of their incident response teams or did not do so regularly.

Distributed Spam Distractions

Military strategists have long known the value of a good diversion, and now so do hackers.

“Distributed Spam Distraction” is a tactic identified in AppRiver’s latest Global Security Report, authored by security analyst Fred Touchette.

After gaining the account information of a target, an attacker will launch a spam barrage on it.

“The single goal is to distract the target from viewing transaction receipts as its accounts are being raided,” Touchette told TechNewsWorld.

The spam barrage guarantees that the receipts will be buried in a blizzard of chaff.

“It’s nearly impossible to sift through them to find anything that isn’t part of the spam attack,” Touchette said.
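One defensive response to the tactic described above is to treat a sudden inbound-mail burst as a signal in itself and pull transaction mail from known senders out of it. The following detection sketch is an added example, not code from the AppRiver report; the inbox contents, sender addresses and thresholds are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inbox (not from the article): a quiet morning, then a
# ten-minute junk barrage with two genuine transaction receipts buried in it.
T0 = datetime(2014, 1, 20, 9, 0)
SAMPLE_INBOX = [(T0 + timedelta(minutes=i * 15), "colleague@example.com", "meeting notes")
                for i in range(8)]
BURST_START = T0 + timedelta(hours=3)
for i in range(300):
    SAMPLE_INBOX.append((BURST_START + timedelta(seconds=i * 2),
                         f"noreply{i}@junk.example", "you have been selected"))
SAMPLE_INBOX.append((BURST_START + timedelta(minutes=2), "alerts@bank.example",
                     "Wire transfer confirmation #4412"))
SAMPLE_INBOX.append((BURST_START + timedelta(minutes=7), "orders@shop.example",
                     "Your order receipt"))

# Subject words that typically mark a receipt or account notification (assumed list).
RECEIPT_PATTERN = re.compile(r"receipt|confirmation|transfer|payment|order", re.I)


def find_bursts(messages, window=timedelta(minutes=5), threshold=100):
    """Return (start, end) spans in which >= threshold messages arrived within one window.

    Sliding window over sorted arrival times; overlapping windows are merged into one span.
    """
    times = sorted(t for t, _, _ in messages)
    bursts, lo = [], 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # shrink the window from the left
            lo += 1
        if hi - lo + 1 >= threshold:
            if bursts and times[lo] <= bursts[-1][1]:
                bursts[-1] = (bursts[-1][0], t)   # extend the current burst
            else:
                bursts.append((times[lo], t))
    return bursts


def receipts_during_bursts(messages, trusted_senders, **burst_kwargs):
    """Surface transaction mail from trusted senders that landed inside a spam burst."""
    bursts = find_bursts(messages, **burst_kwargs)
    found = [(t, sender, subject) for t, sender, subject in messages
             if sender in trusted_senders and RECEIPT_PATTERN.search(subject)
             and any(start <= t <= end for start, end in bursts)]
    return sorted(found)
```

In practice the trusted-sender set would come from the organization's own bank and vendor allow-list, and a detected burst should be raised as an alert regardless of whether receipts are found inside it.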

The notorious Blackhole malware kit disappeared from the online crime scene during 2013, notes the AppRiver report.

“Blackhole has gone away,” Touchette observed. “Law enforcement caught up with its author and as soon as he went to jail, all his customers abandoned ship.”

Android Next on FTC Hit List?

If silence is assent, Google could be the next target of the Federal Trade Commission’s war on unauthorized in-app purchases.

Earlier this month, Apple agreed to a US$32.5 million settlement with the agency over kids making in-app purchases without their parents’ permission. Such purchases, though, can be made in apps sold for Android devices in the Google Play store. In fact, some experts have pointed out that it’s even easier for minors to do so with Android apps.

With Apple’s in-app purchase system, after using a password to make a purchase, a 15-minute window opens in which buys can be made without a password. With Android, the window is even larger.

“On Android, the user can do in-game purchases or buy new apps for 30 minutes without having to log in again,” Bogdan Botezatu, a senior e-threat analyst with Bitdefender, told TechNewsWorld. “After 30 minutes have elapsed, the user is required to log in again to be able to complete transactions.”

However, password-required purchasing can be turned off in Android, added Yankee Group Research Director Carl Howe.

“The reason this hasn’t become an issue in the Google world is that people don’t buy as much in the Google ecosystem because apps are largely ad supported,” he told TechNewsWorld.

Nevertheless, following Apple’s settlement with the FTC, commissioners who were questioned about a similar action against Google would neither confirm nor deny such a probe. Apparently, the regulators haven’t shut the door on that possibility yet.

Breach Diary

  • Jan. 20. U.S. Customs and Border Protection officers arrest two Mexican nationals trying to enter the United States with fraudulent credit cards tied to Target data breach.
  • Jan. 20. Putnam Bank in Connecticut files class action lawsuit against Target to be reimbursed for costs associated with data breach at retailer in which payment card information on 110 million customers was compromised.
  • Jan. 20. Korean Financial Supervisory Service reports that personal information for some 20 million South Koreans was sold to marketing firms by a temporary consultant at the Korea Credit Bureau.
  • Jan. 20. Syrian Electronic Army vandalizes Microsoft Office blogs. Group claims it has access to a number of Microsoft employee accounts, and it’s believed it used those credentials to attack the blogs.
  • Jan. 21. Easton-Bell Sports discloses that an unspecified number of its online customers may be affected by data breach that occurred at its servers from Dec. 1-31, 2013.
  • Jan. 22. Neiman Marcus reports data breach that occurred July 16-Oct. 30, 2013, affected some 1.1 million customer payment cards. Payment card companies have told the retailer that 2,400 unique cards so far have been used to make fraudulent purchases. Company is offering free credit monitoring to any customer who shopped at one of its stores between January 2013 and January 2014.
  • Jan. 22. Online Trust Alliance estimates that 740 million records were exposed in data breaches in 2013, making the year the worst in recorded data breach history. It notes that 89 percent of the breaches could have been prevented had basic security controls and best practices been enforced.
  • Jan. 22. Microsoft discloses it will allow its foreign customers to store their personal data on servers outside the United States as a means to assuage overseas concerns over reports of data snooping by U.S. government agencies.
  • Jan. 22. Steven Hickson, a computer science graduate student at Georgia Tech, cracks “find the ghost,” a security layer recently added to Snapchat to protect its users from data theft.
  • Jan. 23. Dashlane publishes first quarterly roundup on e-commerce personal data security. Company found that 55 percent of top 100 e-commerce sites accept “123456” or “password” as appropriate passwords, and 61 percent do not provide advice on how to create a strong password.

Upcoming Security Events

  • Jan. 27-29. CyberTech 2014. The Israel Trade Fairs & Convention Center, Tel Aviv. Registration: Until Jan. 1, $350; Jan. 2-26, $450; on-site, $550.
  • Jan. 28. Online Trust Alliance Data Privacy Town Hall. 8-11:30 a.m. ET. Baruch College, 151 E. 25th St., William & Anita Newman Conference Center, New York City. $35.
  • Jan. 30. Online Trust Alliance Data Privacy Town Hall. 8-11:30 a.m. PT. Marriott Union Square, 480 Sutter St., Union Square Ballroom, San Francisco. $35.
  • Jan. 30. C/C++ APPSEC IN 2014. 1 p.m. ET. Black Hat webcast. Free with registration.
  • Feb. 4. Online Trust Alliance Data Privacy Town Hall. 8:30-11:30 a.m. PT. Grand Hyatt Seattle, 721 Pine St., Eliza Anderson Amphitheater, Seattle. $35.
  • Feb. 6. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 9-13. Kaspersky Security Analyst Summit. Hard Rock Hotel and Casino Punta Cana, Dominican Republic.
  • Feb. 10-15. CyberCon 2014. Sponsored by SANS. Online courses range from $4,195-$5,095.
  • Feb. 17-20. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • Feb. 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 27. TrustyCon. 9:30 a.m.-5 p.m. PT. AMC Metreon, 135 4th St #3000, Theater 15, San Francisco. Sponsored by iSEC Partners, Electronic Frontier Foundation (EFF) and DEF CON. $50 plus $3.74 fee.
  • March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
  • March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
  • April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
  • April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
  • April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.

More by John P. Mello Jr.