Security Breaches

3 Mar

Application security may still have a ways to go, but Open Source is showing promise…

Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn’t as risky as you’d think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode’s report.

“The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That’s encouraging,” Oberg says. And it was the quickest to remediate any flaws: “It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,” he says.

via State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test – DarkReading.

Category : Security | Security Breaches | Blog
23 Nov

I love that “without our knowledge” quote. Wouldn’t it be nice if companies took the security of your personal data seriously? If you are a company that wants to try this, take a look at our fraudForensics service…do yourself and your customers a huge favor.

Staff at mobile phone company T-Mobile passed on millions of records from thousands of customers to third party brokers, the firm has confirmed.

Details emerged after the firm alerted the information commissioner, who said his office was preparing a prosecution.

Christopher Graham said brokers had sold the data to other phone firms, who then cold-called the customers as their contracts were due to expire.

A T-Mobile spokesman said the data had been sold “without our knowledge”.

via BBC NEWS | UK | T-Mobile staff sold personal data.

Category : Security | Security Breaches | Blog
9 Nov

With tens of millions of iPhones in use, rife with personal data and always connected to the Internet, the iPhone will be (is) an irresistible target for malware, spyware, identity thieves and more (you get the idea):

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

via First iPhone worm discovered – ikee changes wallpaper to Rick Astley photo | Graham Cluley’s blog.

Category : Apple News | Security Breaches | iPhone Forensics | Blog
9 Nov

As more and more consumers use smartphones and the thousands of apps in the various marketplaces, I am very concerned about an increase in identity theft, spyware, malware, etc. I understand Apple’s code review process is rigorous, but as with any highly competitive market, everything happens fast. Will Apple, Google and others do enough to protect their users, or will speed to market win (and consumers lose)?

A maker of some of the most popular games for the iPhone has been surreptitiously collecting users’ cell numbers without their permission, according to a federal lawsuit filed Wednesday.

The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. The Redwood City, California, company, which claims its games have been downloaded more than 20 million times, has no need to collect the numbers.

via Backdoor in top iPhone games stole user data, suit claims • The Register.

Category : Apple News | Security Breaches | iPhone Forensics | Blog
8 Oct

Happens all the time…most people just don’t know, including the company that has all your confidential data.

PayChoice Inc., a New Jersey company that provides online payroll services and works with 125,000 organizations, has been hacked–big time. Hackers broke into the company’s system last month, and stole the login credentials of customers, including their real names, usernames and passwords.

via Big online payroll service hacked – FierceCIO.

Category : Security Breaches | Blog
6 Oct

Warnings to banks and other corporations about the threat posed by insiders have been sounded for years. A recent study found that:

70 percent of financial institutions saying they have experienced a case of data theft by one of their employees in the past 12 months

This is obviously a huge deal.  The article points out that the thefts occur most often with full-time employees who often had every intention of repaying the stolen assets.

The study also found that

nearly half of the banks in the Actimize survey say they are losing 1 to 4 percent of their total revenues to insider fraud

and the biggest challenges to meeting the threat are:

  1. cost/expense (67 percent),
  2. data availability/access (55.77 percent),
  3. availability of tools (46 percent),
  4. general resources/priorities (46 percent).

The good news for banks and corporations is that we provide a very cost-effective, innovative service which directly addresses this threat. Find out more by contacting us…it will make a difference at your bank or company.

via Bankers Gone Bad: Financial Crisis Making The Threat Worse – DarkReading.

Category : Computer Forensics | Security Breaches | Blog
18 Sep

We come across many individual computers infected with keyloggers, spyware and the like.  It is often a game changer in a divorce case and certainly has broader implications as noted below.  If you are a corporate IT manager, anti-virus/spyware protection software is not enough.  A unified strategy is needed to protect your company’s confidential data.

He allegedly sent the spyware to the woman’s Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital’s pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

via Misdirected spyware infects Ohio hospital – hospital, keylogger, medical records, privacy – CIO.

Category : Computer Forensics | Security Breaches | Blog
30 Jul

Details of the SMS exploit for the iPhone will be released today at the Black Hat conference. Apparently, Apple was notified 1 month ago, but there is no word yet. Android was also vulnerable but has been patched; Windows Mobile is apparently still vulnerable.

There will be a paradigm shift in the near future as people realize their mobile devices are full-blown computers holding enormous amounts of personal information about you and your company. They are also perpetually networked…that’s the point. Phone, SMS, Internet, WiFi…it’s online and powerful. When you combine all that personal data with literally billions of devices on the market, it’s a target that will be diligently exploited at every corner. Details below:

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.

via Your iPhone: Soon to be iPwned? | TechBlog | Chron.com – Houston Chronicle.

Category : Android Forensics | Apple News | Security | Security Breaches | iPhone Forensics | Blog