Chinese hackers, US newspapers

This week, several US newspapers, including The New York Times and The Wall Street Journal, reported that they had experienced cyber-attacks related to their coverage of China. In the case of The Times, corporate passwords for every employee had been stolen. Chinese officials called allegations that the Chinese Government commissioned these attacks “unprofessional and baseless”. However, it is not likely that Chinese hackers caused these incidents without at least tacit government approval. In fact, this appears to be something of a sideshow to the bigger, unofficial and hidden cyber-war (a 21st-century sort of “cold war”) running in the background.

Distrust as a business model?

In a recent survey, the Ponemon Institute asked U.S. adults about the five companies they trust the most to protect the privacy of their personal information. It comes as no surprise that most of the companies forming the “Internet Association” do not rank within the Top 20 of this list. Some, like Apple, have been in the Top 20 for years. On the other hand, Microsoft is now amongst these top-ranked companies. Overall, the Internet and social network providers have low ratings. It will be interesting to observe whether “distrust” as a business model really works over a longer period. The study clearly shows that users are aware of privacy risks. The greater this awareness, the bigger the business risk for those who ignore these concerns.

UPnP networking flaw puts millions of PCs at risk

A recently discovered security flaw in the UPnP (Universal Plug and Play) networking protocol potentially puts millions of PCs at risk. UPnP is a protocol that allows network devices like printers, PCs, or routers to discover each other. By design, this discovery should be limited to the local network. However, the flaw allows attackers to identify devices on the Internet and run some well-known attacks against them. The reason for the mass of vulnerable systems is that software libraries used to implement UPnP contain some flaws. Most likely, many of the systems at risk will never be patched because these devices are not sold anymore. Thus, there is a significant risk. Unfortunately, there is no simple solution to this issue. The best approach is to ensure that all incoming UPnP requests are blocked at the router and that the router itself does not use UPnP.
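One way to verify that the router-side block holds is to review traffic captured on the WAN side for UPnP discovery requests from non-local sources. The following is an added example, not part of the original post; it assumes that UPnP discovery uses SSDP on UDP port 1900 (a detail the post does not spell out), and the function names, packet tuples and addresses are constructed for illustration.

```python
import ipaddress

SSDP_PORT = 1900  # assumption stated above: UPnP discovery (SSDP) uses UDP 1900
SSDP_METHODS = {"M-SEARCH", "NOTIFY"}
# Sources treated as "local network": RFC 1918 ranges plus IPv4 link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_ssdp_request(payload: bytes):
    """Return (method, headers) for an SSDP request datagram, else None."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    # SSDP requests use an HTTP/1.1 request line with "*" as the target.
    if len(parts) != 3 or parts[0] not in SSDP_METHODS or parts[1:] != ["*", "HTTP/1.1"]:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return parts[0], headers

def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def external_ssdp_requests(packets):
    """packets: iterable of (src_ip, dst_port, udp_payload) seen on the WAN side.
    Returns the discovery requests that should have been dropped at the router."""
    findings = []
    for src, dport, payload in packets:
        if dport != SSDP_PORT or is_local(src):
            continue
        parsed = parse_ssdp_request(payload)
        if parsed:
            method, headers = parsed
            findings.append((src, method, headers.get("ST", "")))
    return findings

# Constructed sample traffic (documentation address ranges, not a real capture).
M_SEARCH = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
SAMPLE = [("203.0.113.7", 1900, M_SEARCH),            # external discovery request
          ("192.168.1.20", 1900, M_SEARCH),           # local source, expected
          ("198.51.100.9", 1900, b"\x00\x01garbage"), # port 1900 but not SSDP
          ("203.0.113.7", 53, M_SEARCH)]              # different port
```

Any entry returned by `external_ssdp_requests` means a discovery request from outside the local network reached the capture point and the filtering rule needs review.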

Where will all these people come from?

According to recent news, the Pentagon has decided to increase staffing for its cybersecurity force from 900 to 4,500 people. The most important question this news evokes: Where will all these people come from? I have no clue. We are in a situation where we lack experienced IT security professionals. Hiring 3,600 more of this rare species will be a tough job for the Pentagon. It will also wipe out the market for cybersecurity professionals. For other companies and organizations, that means they will increasingly rely on Managed Security Service Providers, which can at least benefit to some degree from “economies of scale”. The most important cybersecurity challenge for every economy in the upcoming years will be to push the education of IT security professionals. Not only IT but also IT security has to become part of education, starting in school. And IT security as a field of study should become one of the most attractive ones, to create the supply that governmental and private organizations urgently need.

WhatsApp again

According to Canadian and Dutch data protection authorities, WhatsApp violates international privacy laws. Users do not have a choice to use the application without granting access to their entire address book. For company policies that simply means that usage of WhatsApp is unacceptable as long as any company-related address information is held on the device. Maybe WhatsApp should really start thinking about security and privacy.

Apple iOS 6.1 – still an unacceptable approach for security patches

Apple this week released iOS 6.1. The update addresses a number of security issues. Amongst these are around 20 that allow infiltrating systems via the Internet and executing code on the target systems. Most of the bugs are related to WebKit, which forms the foundation for the iOS browser Safari. Some of them have been known for quite a while, even though there are no known attacks based on them. Nevertheless, an approach that delivers security patches late rather than just in time, as Microsoft, Oracle and even Adobe do, is simply inadequate. It is long past time that Apple move towards better approaches to security patching. By the way: The update once again deleted the specific APN settings of my UMTS card. Updates that are not able to keep all configurations are just unprofessional.

Online banking: 25% of Germans don’t use it due to security concerns

A survey in Germany, commissioned by the initiative D21 (Digital 21), showed that 26% of the participants do not use online banking due to security concerns. That comes as no surprise when looking at some of the recent incidents. It also sheds an interesting light on the investments of banks to secure online business. A common complaint of banks is that securing online banking is too expensive. That is the reason for not investing in the most advanced technologies or for charging customers for every SMS sent out-of-band with a TAN (transaction number). However, besides the money that successful attacks cost the banks, the cost of 25% of the customers still relying on classical banking methods, with the manual handling involved and thus high costs, should not be underestimated. Banks should also consider that this might be just an initial trend and that the tendency may be to go back to traditional methods. That would then increase costs for banks. Investing more in really secure online banking might be the cheaper way.

IBM and RSA build security analytics on Big Data technology

A recent announcement from IBM and information from RSA show that Big Data technology is gaining momentum as a foundation for security analytics. This goes well beyond traditional SIEM (Security Information and Event Management) and opens new opportunities for advanced analytics of data from various sources. More on that in upcoming blog posts, KuppingerCole reports, and at EIC 2013.