It’s been a busy week among software companies and OEM’s, as both Microsoft and Adobe have released a flurry of patches. Microsoft’s current “Patch Tuesday” bundle features fixes for almost one hundred flaws in Windows and other Microsoft software. Adobe’s updates continue to patch their Flash and Shockwave technologies, both of which are unfortunate poster children for insecure software.
In early March, the State of New York’s Department of Financial Services (DFS) adopted a new set of rules in support of the state’s Financial Services Law. Normally, this is not something that would be particularly news-worthy, as the DFS is chartered to implement rules of governance and management for financial services companies all the time; over the past few years, the DFS has issues rules regarding financial dispute resolution, debt collection, and even the use of Bitcoin and other virtual currencies. What makes the March resolution – titled “23 NYCRR 500” – so interesting is that, for the first time, it defines specific cybersecurity governance requirements for all financial services companies operating in the state. As you might expect, as New York City is one of the top three financial centers of the world, this ruling has a substantial impact.
The old adage goes, “there are only two certain things in life: death and taxes”. Increasingly, however, it looks like identity theft needs to get added to that list. Earlier this week, security blogger Brian Krebs reported that TALX, a division of Equifax (one of the “Big Three” credit bureaus), experienced a significant data breach of personally identifiable information (PII). As is often the case in mass data theft scenarios, TALX was unable to identify the exact number of records or the scope of PII compromised.
The technology world was rocked late last week with the arrival of the “WannaCry” malware payload. “WannaCry” is ransomware: it encrypts files with strong encryption, and then notifies the victim that they can “recover” their files for a payment using Bitcoin (which is an extremely difficult-to-track blockchain-based payment system). While the New York Times has reported that victims in nearly 100 countries have been affected so far by this fast-moving malware, the most significant impact so far has been identified within the U.K.’s National Health Services (NHS), which was forced to reallocate patients to unaffected facilities due to the “WannaCry” outbreak.
Recently, social media giant Facebook announced that they are providing, free of charge, code to allow app developers to implement delegated account recovery. This is effectively a more elegant replacement for the traditional “security questions” approach to resetting a password, which historically has required the user to setup a series of questions that (ostensibly) only they know the answer to. However, a Microsoft survey from several years ago already identified that over 10% of those supposedly “secret” questions could be answered within five guesses by nearly anyone, and that participants forgot 20% of their security question responses within six months.
Recently, management consulting firm Deloitte identified that cybersecurity insurance, while currently only a small fraction of the overall market of insurance underwriting, is poised to dramatically increase over the next few years, potentially even tripling by 2020. This is backed up by insurance giant Allianz, which has predicted that cybersecurity insurance will increase from its current $1.5-$3 billion in annual premiums to over $20 billion just a few years after that, in 2025.
For those of you who have been reading the EiQ Networks blog on a regular basis, you know that one of the most fundamental and unyielding tenets of the security world that we frequently point out is this: functionality and performance always – and we mean always – trump security. For developers of new software products, hardware technologies and the emerging world of IoT, the ability to get to market as quickly as possible is the most important thing a company can do, because it gets them a market position that turns into revenue. Because security isn’t generally perceived by companies that make commercial software and hardware as something on which people make buying decisions, it’s usually relegated to a last-minute “bolt-on”, or simply addressed after vulnerabilities are discovered by users and security analysts after the product is released. Even after disclosure of vulnerabilities, many companies either ignore these findings or back-burner patches and fixes until the next major release of their product. One of the “dirty little secrets” of the industry is that certain, specific vendors (we won’t name names here… but they know who they are) have had gaping holes in their products for months and sometimes even years. Sadly, this behavior among many companies is not likely to change.
Most of us think about information security in terms of what hackers, malware, and other bad actors can do to compromise our systems and data. And while that’s certainly a critical concern, we sometimes forget about another aspect of information security: protecting our privacy. The privacy debate is one that has raged for many years. Today it is often equated with government intrusion, and while this is certainly a legitimate macro-level concern, there are other sinister threats that can be realized when we lose our digital privacy; identity theft, cyberstalking and online bullying, and physical assault due to location disclosure from digital assets (think geolocation inside of devices and geotagging metadata within digital media) are all real-world risks if we don’t protect ourselves. And while privacy and security are not the same thing, good security definitely improves privacy.
Last Friday night, a cacophony of 156 public warning system sirens sounded in Dallas, Texas. The sirens weren’t responding to a danger, such as tornados or other similar threats. Instead, these sirens were hacked, sounding off maximum volume well into the early hours of Saturday morning. This may see
m like a prank similar to something out of a modern-day “Animal House,” or a badly-scripted Hollywood treatment of hacking culture. But the reality is that attacks on physical infrastructure represent a potential threat that pales the scope and effect of traditional hacks.
Just a few weeks ago, security researcher and journalist Brian Krebs reported on the arrest of two men who were suspected of running “vDOS,” one of the most pervasive distributed denial-of-service (DDoS) paid service networks in the world. DDoS as a subscription service is nothing new; vDOS was in existence for well over four years, and along with other services such as “PoodleStresser” were part of the nascent but rapidly-growing distributed denial of service-as-a-service market (“DDoSaaS” – how’s that for an acronym?)