Week in review: Great Bitcoin Robbery highlights shopping-season security risks
- — 03 December, 2013 09:13
In what sounds like a modern version of The Great Train Robbery, a Danish Bitcoin service was robbed of over $1 million worth of the virtual currency. This could become more common as 'crimeware' kits being sold on underground forums now include modules to facilitate the theft of Bitcoin and Litecoin virtual currencies.
That's hardly a great start to the Christmas shopping season, which kicked off with Black Friday sales and led the FBI to repeat oft-uttered warnings about avoiding online shopping scams even as Cyber Monday raised the spectre of all-new security concerns.
World Wide Web inventor Tim Berners-Lee believes governments may be threatening democracy with their snooping, while the Electronic Frontiers Foundation is thinking along similar lines with its push for the FBI to release the document it used to justify its surveillance.
Meanwhile, a Dutch newspaper seemed to confirm it's already happened with reports the NSA has been spreading malware to boost its reach and power. They're not the only ones spreading malware, of course: Symantec reported that 'Blackshades' malware is still being sold despite its code being leaked three years ago. And, yet, there are new threats too, with the 'Neverquest' Trojan posing a new threat to online banking users and a new worm targeting Linux PCs and embedded devices.
Targeting and capturing victims' information remains relatively easy because small business owners aren't taking security seriously, according to a recent report from Ponemon Institute. Neither are larger companies, according to a UK government survey. Yet with even the nearly-extinct Windows XP getting new zero-day attacks,
Even the Victorian government remains worryingly unprepared to detect and respond to security breaches, with an Auditor-General's report finding 58 major problems with the state's information-security defences.
Companies should also work to improve their discipline around cloud-computing contracts, to ensure that they are covered in the event of unexpected contingencies; many are being caught out far too late when things go pear-shaped, a security expert told the recent CSO Perspectives Roadshow.
The head of IT security at Melbourne University agrees, highlighting the importance of assessing security on a regular basis when moving to the cloud. Others believe the best approach is to appoint a cloud-purchasing 'czar' to serve as intermediary between cloud-hungry business organisations and cloud-tentative IT organisations.
The cloud does offer promise as an umbrella for managing other types of security infrastructure, however, the CEO of Sophos has argued as the company moves to have all of its offerings in the cloud in the very near future. But it's not the only thing moving to the cloud: Gartner believes the very idea of mobility and cloud will soon become enmeshed .
Scammers are capitalising on the growing popularity of LinkedIn, while the US state of Vermont came into the spotlight after it confessed the data on its healthcare exchange Web site – launched only recently as part of the country's 'Obamacare' accessible healthcare program – had been compromised. This event refocused attention on the vulnerability of healthcare sites and their ability to use big data to fight attacks, while Racing Post officials were also smarting after a "sustained and aggressive" cyber attack.
Of course, big data poses its own challenges to security. Little wonder organisations like NBN Co are pursuing formal compliance programs such as the Protective Security Policy Framework (PSPF), which principal security officer Malcolm Shore told the CSO Perspectives Roadshow has come a long way from when it started.
Google was hit with privacy complaints in 14 European Union countries and fingered for violating the Dutch data protection law, even as a United Nations panel passed a draft resolution about privacy threats in the digital age. And, despite concerns about privacy in the US, the European Commission said it would not suspend its safe-harbour data privacy agreement with the US, but would keep an eye on it . Nor will the EU track terrorists' financial data, due to concerns about data security – ironic as the European Parliament's own Wi-Fi network was cut due to a security attack by a white-hat researcher.
Self-destructing message carrier Wickr will launch a secure video calling service next year, while Twitter is also boosting its confidentiality by implementing perfect forward secrecy to reduce traffic snooping.
Yet even such measures will do little to avoid breaches such as the one by the UK's Royal Borough of Windsor and Maidenhead, which posted 'restricted' employee contractual data online. Even banks are at risk, says the Bank of England, after a series of cyber attacks revealed their vulnerabilities.