It seems that is the time once again to talk about the relationship between software vendors and the security posture of different business verticals. Why are we beating this particular dead horse? Well with the Covid-19 Pandemic, the rush to shift to remote work force and an increase in attacker activity aimed at the remote workforce and healthcare you would think that there would be an increase level of effort to fix vulnerabilities in remote access and healthcare services software. If you thought that, you would be wrong. Instead during this time, we are seeing more software vendors pushing FDA as law and healthcare organizations even refusing opportunities to patch critical software. This on top of an extremely slow response to threat to the remote workplace.
It seems that the recent $81 million dollar attack against the Bangladesh Central Bank might have also been about the Seth Rogan Movie “the interview”... ok, not really, but the attack that happened at Sony in 2014 seems to have many things in common with the recent attack that resulted in the theft of $81 million. During the Sony attack the initial blame was centered on the release of the Interview, but that was never confirmed and seemed to be way off base.
There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds. Of course when you add in all of the other items that retailers throw in (are you are rewards member?) your checkout time can be lengthened quite a bit.
The push into the cloud has been a concerning one as has to the glut of devices, games, services and other that rely on the cloud to exist. One of our main areas of concern is with the storage of user information. We know that most companies are going to spend the least amount of time and money to secure the information they collect. The bean counters seem to feel that the risk of losing your data is small enough to justify leaving things as they are and if there is a breach, well that is what insurance is for.
You know that awkward moment when your security company actually fails and ends up exposing your data? Well that is happening for a, less than loved, Mac application called MacKeeper. It seems that they forgot all about data management and security. Now, that being said MacKeeper and the developer, Kromtech Alliance, are not know as a wonderful application in the Mac world. For the most part they are known as something to be avoided, but that does not mean that people have not bought and installed their software.
Back in 2007 or so I was asked to write a white paper on the subject of why Intel was able to pass AMD as quickly as they did. This is back in the AM2+ days when Intel was dropping Conroe on the world. Many people were surprised that Intel made this shift so quickly when you consider how badly AMD had beaten the P4. It was incorrectly assumed that AMD had reach a peak that Intel could not touch. Because of this they did not push their advantage. Instead they opted to move in a very different direction and purchase ATi for way more money than they should have. This one move started the long decline of AMD as we knew it. It was a massive strategic error and it all came down to one thing. A failure of management and stockholders’ to imagine that Intel could so easily blow past AMD’s performance lead. This type of failure can have catastrophic consequences in the business world and in security.
When you hear people talking about anonymity on the internet it most people will think privacy. When companies hear anonymity on the internet they think piracy, crime, hacking and lost revenue. This is probably the biggest disconnect in the internet age, companies want to monetize your personal information. This is big money and (as we have said more than once) is a commodity that they have been trying to legalize for more than a decade.
242 Million. This is the number of people that have been affected by the corporate culture of short cuts and fiduciary excuses on security. We have talked at length about the lack of proper security planning in the last 12 months, upgrades and even programing that exist in the corporate world and even with pretty strict regulations on how businesses are required to conduct their operations we are still hearing about breach after breach.
Almost two weeks ago we wrote an editorial about how security issues are more about the corporate culture than just weak passwords. In it we described a problem that exists in far too many companies where executives and/or vendors are the ones that are setting the security policies instead of the IT or IT security teams. This situation can be exceptionally frustrating when you are trying to keep the “bad guys” out, but not everyone really believes that this is how things work. Now, after New York Times article describing how the Home Depot ignored their own security staff, people might be forced to finally get the bigger picture.
Since the beginning of 2014 the IT world has been rocked by more than a few major breaches. The number of credit cards and user information now up for sale is staggering. So how have these attacks managed to get in and make off with so much data so quickly? Of course there are the usual suspects in these cases, weak passwords and users downloading malware on their systems that allow a potential attacker into their system.