How to Lose User Confidence and Jeopardize Security

Using up-to-date security software is pretty much at the top of recommended defense measures. Anti-virus and anti-phishing software filter out daily attacks from network communications. However, it is important that users can trust this software to intercept malicious software, harmful links, and other threats no matter who they come from. Threats may originate from criminals but also, increasingly, from government organizations. Users also expect that data remains stored confidentially on their devices, especially considering that security software has the capability of viewing and intercepting data. Recently, the Russian antivirus company Kaspersky has made headlines for exactly this reason. US authorities claim that Kaspersky stole top-secret software from a government employee’s PC and delivered it to the Russian intelligence service. This included exploits for previously unknown vulnerabilities.

Why Two-Factor Authentication is Too Important to Ignore

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. Questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it. In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time. On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach. Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts. Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that...

When Remote Access Becomes Your Enemy

As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used. This arrangement makes sense: it saves enterprises time and money. Yet that doesn’t mean remote access is always foolproof. Although it’s long been possible to implement remote access securely, sloppy work and carelessness have increasingly created critical vulnerabilities. In April 2013, for example, it became possible to damage Vaillant Group ecoPower 1.0 heating systems by exploiting a highly critical security hole in the remote maintenance module. The vendor advised customers to simply pull the network plug and wait for the visit of a service technician. About one year later, AVM, the maker of the Fritz!Box router, also suffered a security vulnerability. For a time, it was possible to gain remote access to routers and, via the phone port functionality, to make phone calls that were sometimes extremely expensive. Only users who had enabled remote access were affected. Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, it was possible to gain control over the entire NAS server’s data through a remote access point. Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software. It’s clear that these attacks and vulnerabilities are all part of a trend –...

What We're Reading, Week of 11/5

Government Computer News – NIST spells out baseline security requirements for next-gen mobile devices
CSO – Election sabotage: A threat much older than hacked e-voting
InformationWeek – Malware Tools Get Smarter To Nab Financial Data
SearchSecurity – Remote access Trojan evades detection using mouse...