State of Security: Credit Data Hack, App Vulnerabilities, Infosec Job Market, China Hacking Plea
Celebrity Credit Report Breach May be Tied to AnnualCreditReport.com Hack…
News of a large data dump that disclosed the personal financial information of numerous celebrities and government officials may be tied to reports that the credit files of at least four Hollywood stars were illegally accessed, as was confirmed by credit monitoring company Equifax.
Naked Security’s Graham Cluley, among many others, reported early Tuesday that an unidentified group of hackers had published the social security numbers, banking information, and credit reports of more than a handful of big name celebrities and public officials on a website called “The Secret Files.” The victims of the disclosure included Mel Gibson, Hulk Hogan, Kim Kardashian, and singer Beyonce – the same four names that Equifax representatives later Tuesday said had been exposed by way of unauthorized access.
“Equifax can confirm that fraudulent and unauthorized access to four [celebrity] consumer credit reports has occurred,” a report in the tabloid TMZ states. A similar report in Reuters indicates that Equifax has launched an investigation into the breach, and that the company believes the exposure was potentially due to a bypass of authentication measures on the “Annual Credit Report” website, which is populated with consumer data from multiple credit monitoring companies.
Other victims of the breach appear to include Vice President Joe Biden, First Lady Michelle Obama, former Secretary of State Hillary Clinton, and FBI Director Robert Mueller. Thus far, Equifax has not confirmed whether these and other victims listed on the “The Secret Files” website were also part of the unauthorized access at the “Annual Credit Report” website, but the likelihood is quite high that these incidents are connected.
“The nature of the content – names, social security numbers, previous addresses, dates of birth, etc – suggest that a credit agency might have been compromised in some fashion. Whether an agency was actually hacked, compromised in some other fashion, or whether an insider within the organization leaked the data, is impossible to say at this point,” Cluley wrote. “It looks as though the hackers have been adding more stolen personal information to the site over time, which might suggest that there could still be more to come.”
Cluley also advises the curious among us to exercise caution when considering visiting websites like “The Secret Files” that list such information, as they may be designed to infect users’ computers with malware. Good advice to take note of.
Majority of Applications Vulnerable to Exploit…
Security provider Cenzic reports that a whopping 99% of the web and mobile applications in development that they tested contain one or more serious vulnerabilities that are ripe for exploitation by hackers.
The Application Vulnerability Trends Report 2013 reveals “the type, frequency and severity of vulnerabilities found and predicts which vulnerabilities will pose the greatest risk in web and mobile applications in production throughout 2013,” including:
- Cross Site Scripting vulnerabilities rose from 17 percent in 2011 to 26 percent in 2012, making it the most common threat over the past year
- Information Leakage, Session Management, and Authentication and Authorization all remained prominent vulnerabilities in 2012
  - Information Leakage – 16 percent
  - Session Management – 16 percent
  - Authentication and Authorization – 13 percent
- The number of vulnerabilities in those applications tested remained high, with a median number of 13 vulnerabilities
Of particular concern is the increased risk of exposure organizations face as they integrate mobile device technology into their daily business operations. “The exposure that organizations face from the trove of existing application vulnerabilities and from evolving threats has been laid bare this year, however most organizations have not comprehensively acted to defend themselves from these application level threats. This trend continues to get worse; as the rush to create a multitude of connected mobile apps has led corporations to essentially rip out walls and replace them with unlocked doors, leaving them even less aware of how to secure at scale,” said Cenzic’s CTO Scott Parcel.
(ISC)² Global Information Security Workforce Study Shows Infosec Pros In Demand…
The recently released GISWS report (.pdf) conducted by (ISC)² with partners Booz Allen Hamilton and Frost & Sullivan indicates that there is still a significant shortage of highly trained security professionals, and that the demand for such expertise is going to continue to grow – good news for the security industry, but obviously a headache for both the government and the private sector who find themselves in competition for the same individuals.
The report is based on data collected in a Q4 2012 survey of more than 12,000 information security professionals from around the world, with four out of five respondents indicating they experienced no change in employment over the previous twelve-month period. “Growth in this profession is a testament to the need for their expertise and also a signal that global economic activity is advancing,” the report states.
The study notes that information security professionals need to be continually enhancing their skills, as hackers are always in the process of developing new and more innovative attack methodologies, and that the rapid adoption of BYOD, cloud computing options, and social media platforms by organizations is providing a greater number of attack vectors. The report also highlighted the need for secure software development, as application security concerns ranked highest among respondents, followed by malware and mobile device security issues.
“Without a corresponding response by security professionals and the technology vendors that support them, this ‘soft’ underbelly of business and governmental entities has and will continue to be exposed with serious consequences — data breaches, disrupted operations, lost business, brand damage, and regulatory fines,” the report advised.
Key findings in the survey include:
- Information security is a stable and growing profession: The number of professionals is projected to continuously grow more than 11 percent annually over the next five years
- Workforce shortages persist: Fifty-six percent of respondents believe there is a workforce shortage, compared to two percent that believe there is a surplus
- While attack remediation is anticipated to be rapid, security incident preparedness is exhibiting signs of strain: 28% believe their organizations can remediate from a targeted attack within one day. Yet the percentage of survey respondents who believe their preparedness has worsened doubled when compared to the 2011 survey
- Information security professionals trump products in securing infrastructure effectiveness: In a ranking of importance in securing infrastructure, software and hardware solutions rank behind the effectiveness of information security professionals
Officials Ask China to Please Stop Hacking American Companies…
Well, it never hurts to ask, right? After years of reports from innumerable sources that the Chinese government turns a blind eye to – if not actually encourages, in some respect – the relentless barrage of cyber attacks against American companies, Tom Donilon, President Obama’s National Security Advisor, has kindly asked Chinese officials to at the very least acknowledge that the operations threaten international trade agreements, and to consider working with the U.S. to “establish acceptable norms of behavior in cyberspace,” according to a report in InfoWorld and other publications.
“Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country,” Donilon was quoted as saying in a speech to the Asia Society in New York.
The plea comes just a few weeks after a report by security firm Mandiant that detailed Chinese operations targeting intellectual property and other sensitive data. The difference with this latest report is that the authors did not merely conclude that these activities were traced to China in general, but went on to claim that they were in fact being conducted by a branch of the Chinese military called PLA Unit 61398. This assertion was by far the most damning of the reports issued over the last few years, most of which have only “implied” that the Chinese government “may” be actively engaged in cyber espionage activities.
“First, we need a recognition of the urgency and scope of this problem and the risk it poses — to international trade, to the reputation of Chinese industry, and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace,” Donilon said.