Kids these days. Investigations have suggested the malware that brought US retail giant Target to its e-commerce knees, stealing personal data of around 110 million customers, was written by a 17-year-old programmer from St Petersburg, Russia. A second coder was also linked to the hack, while a 23-year-old Russian went on TV to say he wrote the original program that was modified and used for the Target attack – and he did it as a side job.
Other repercussions from the hack continued to pile up as two Mexicans were arrested after trying to use credit cards linked to the breach to enter the US. Security experts were warning that small businesses need to be aware of Target-like attacks, while three security companies were found to have removed information related to the Target attack from the Web. And Neiman Marcus, which was also hit by hackers, said its security precautions had been defeated by 'complex' malware.
Little wonder one security firm was warning banks to learn more about their customers than cyber-criminals can – although in some cases, African banks themselves are being implicated in recent spates of cybercrime. Yet there are other things to look out for: the latest Cisco Systems security figures suggested a huge proportion of Web-based attacks is still based on Java, with the continuing use of the highly-compromised Java Runtime Environment 6 presenting a clear and present danger for corporate information-systems users.
If you thought that was a worry, there's more: hacker groups are embracing more effective methods in their targeted attacks, with 50 core groups dominating global cybercrime. Little wonder some security figures are pushing for CSOs to outgrow their lock-and-block approach to security, which is quickly being superseded by determined hackers.
Even as Verizon revealed the US government made 320,000 requests for customer information in 2013, the EU's justice commissioner was urging governments to use punitive fines to keep Google's privacy practices in line, while a German government agency issued a warning that a list of some 16 million email addresses and passwords had been compromised and fallen into the hands of botnet operators. Also on the international front, China's 'Great Firewall' was blamed for an eight-hour blackout of the Internet that spread across the globe; China blamed hackers.
CSOs might want to do some user education after another list of the most common passwords was released, with the ever-popular 'password' losing out to '123456'. Of course, they have other pressing issues too: a large number of US companies will still be running Windows XP after Microsoft discontinues official support in April, a recent survey warns. And, with social-media threats still as problematic as ever, it may also be worth considering four social-media privacy features users won't find in their settings. Whatever the threat, transgressors may need to be punished to reduce the prevalence of security breaches.
Speaking of education: if you're not completely sure about how advanced persistent threats (APTs) work, take the time to read this multi-part explanation of the APT lifecycle – which spans exploitation and installation, reconnaissance, exfiltration, and weaponisation and delivery.
Trust remains an important element of any security policy, which is why observers see great promise in a new conference, aptly named TrustyCon, which is capitalising upon growing mistrust of the NSA. Enter the US Privacy and Civil Liberties board, a federal watchdog that is advocating for the cessation of the NSA's surveillance program, which it says is illegal.
Google is also wearing a bit more mistrust than usual after indications that a malicious technique can be used to listen in on you using Chrome's built-in microphone capabilities; Google dismissed the issue. The company was also hit with a formal complaint to the US government from users upset about Google's linkage of its Google+ and Gmail services. Yet conventional issues are also expanding, with caution over new Android malware that intercepts and disconnects phone calls from specific numbers.