Here are a few articles I found interesting this week:
“‘Camjacking’ attacks activate your webcam and record your every move. Female images are in demand.”
“Camjacking” and “Sextortion.” Those are not the more “run of the mill” attacks, where scary words like Session Hijacking may sound much worse than they actually are. Don’t get me wrong: stealing the session that is logged into your bank’s website is a Bad Thing™ and can result in financial ruin. But compared to having your personal privacy violated in a manner that leaves you exposed, in pretty much the most basic sense of the word, the damage that Camjacking can do to your personal sense of well-being is much greater.
Surreptitiously taking webcam shots of people and waiting for them to get into a compromising situation is pretty creepy, so depending on your tolerance for voyeurism, a sticky note over the camera is a pretty good investment! I’ve got mine...
“Emergence of machine to machine (M2M) devices makes life easier for thieves and hackers -- and more dangerous for victims”
M2M communication allows for all kinds of interesting and useful systems, including smart electric meters that contact the utility company, intelligently manage electricity usage, and allow the customer to monitor their usage and track metrics. At a basic level, some of these meters may use SIM cards to communicate over the cellular network. Freeloaders who want to get their mobile data fix for free might attack the device to steal the card. Other points of attack may include disrupting the device in some way, aimed either at the utility company or at the customer. It could even be done by meddling with the device’s ability to control appliances or integrate with the customer’s mobile device. Imagine the same technologies in vehicles…
As the world becomes “smarter” and more connected, new and improved capabilities will be awe-inspiring and point us to “the future”. However, devices and systems that are not designed, implemented, and deployed with security in mind will surely do as the author of the article suggests: make life easier for attackers and more dangerous for victims.
“State Attorney General calls for adoption of encryption in 'leading edge' data breach report.”
"If encryption had been used, over 1.4 million Californians would not have had their information put at risk in 2012."
Data breaches are becoming no less frequent or spectacular as we move forward with security concepts and regulatory compliance requirements. Many businesses don’t understand the issue or recognize their role, and especially don’t feel the pain that victims feel after having their identity stolen (as I recently found out). Putting these requirements into law, and spelling out what the requirements and the repercussions are, might be the kick-in-the-pants that corporations need to get their security act together.
As silly as it sounds, security mandates in the law books may be our best effort to combat either the ignorance surrounding the issues or the cost-benefit analysis that dictates the current trends…
“IT needs to put the right access controls in place for the mobile backend.”
As we are developing our mobile curriculum, we are focusing on the mobile client and the controls and mechanisms available on the device to protect user and corporate data. We often mention controls that should be implemented server side, but due to the heterogeneous nature of systems that include a mobile client, the server side could consist of any number of technologies. Plus, it would blow the scope of the course out of the water.
This article serves as a nice reminder that the client side is the presentation layer, and unfortunately it is still a common mistake to leave services and APIs open without thinking about how disastrous direct access to the backend can be.
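To make the “client side is the presentation layer” point concrete, here is an added example (not from the article or this post) of a toy mobile-backend record endpoint written two ways: one that trusts a `user` field the client sends, and one that derives identity from a server-side session token and checks ownership before returning anything. The record store, the session store and the token values are all constructed in-memory for illustration; the function and field names are assumptions.

```python
import hmac

# Constructed sample data: which user owns which record.
RECORDS = {
    "rec-1": {"owner": "alice", "body": "alice's expense report"},
    "rec-2": {"owner": "bob", "body": "bob's salary letter"},
}

# Constructed session store: opaque bearer token -> authenticated user.
# A real backend would keep this in a session service or signed token.
SESSIONS = {
    "tok-alice-xyz": "alice",
    "tok-bob-abc": "bob",
}


def insecure_get_record(request):
    """Presentation-layer-only control (hypothetical flawed handler).

    The 'ownership check' compares the record owner to a user name the
    client itself supplied, so anyone who talks to the API directly can
    claim to be any user. Returns (status_code, body)."""
    record = RECORDS.get(request.get("record_id"))
    if record is None:
        return 404, None
    if record["owner"] != request.get("user"):
        return 403, None
    return 200, record["body"]


def authenticate(token):
    """Map a bearer token to a user on the server side.

    compare_digest is used so the lookup takes the same time whether or
    not a candidate token shares a prefix with a real one."""
    if not token:
        return None
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return user
    return None


def secure_get_record(request):
    """Server-side enforcement (hypothetical hardened handler).

    Identity comes from the session, never from the request body, and
    ownership is checked before any data leaves the backend. Missing and
    foreign records get the same 404 so the endpoint does not confirm
    which record ids exist for other users."""
    user = authenticate(request.get("token"))
    if user is None:
        return 401, None
    record = RECORDS.get(request.get("record_id"))
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record["body"]


if __name__ == "__main__":
    # A request that simply asserts it is alice, with no credential at all.
    print(insecure_get_record({"user": "alice", "record_id": "rec-1"}))
    # The same request against the hardened handler, and a legitimate one.
    print(secure_get_record({"user": "alice", "record_id": "rec-1"}))
    print(secure_get_record({"token": "tok-alice-xyz", "record_id": "rec-1"}))
```

The flawed handler's only "control" is a field the mobile app happens to fill in, which is exactly what disappears once someone skips the app and calls the API directly. The hardened one treats the client as untrusted input: the token is resolved server side, the owner comparison uses the resolved user, and a record that belongs to someone else is indistinguishable from one that does not exist.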
“BYOD has led to an increase of mobile devices, cloud storage repositories, different kinds of data types, and, of course, data theft by disgruntled employees. "The number of cases we have involving mobile devices has probably doubled in the last three years," Luehr says. While there's a lot of hand-wringing over BYOD and mobile security—some would say it's "over-hyped"—Stroz Friedberg deals with real cases concerning data breaches. ”
This is a great article to emphasize earlier points made in this post, and in past posts as well. Here we have data “from the trenches”, so to speak, on the increase in breaches and incidents surrounding BYOD. On one hand, you have lackadaisical employees using weak passwords, or worse, reusing those weak passwords, for both personal and corporate resources. Suddenly, a personal email account breach can turn into a corporate loss. On the other hand, you have employees leaving an organization for a competitor, and despite policies that shut down access to services and repossess the laptop, a personal device may still hold copies of email, IM, SMS, and files containing proprietary or sensitive information as they walk out the door with it.
These are real incidents being described, so it’s not a case of a security geek crying wolf over a theoretical threat in order to justify keeping his budget despite a lack of concrete metrics showing that security really is necessary.