With the major financial card breaches at global retailers, as well as a number of SSL/TLS vulnerabilities, it’s possible you may have missed a few other under-reported security issues that provided valuable lessons to the general technology community in 2014.
The following topics shed light on how information security is still evolving, from both research and risk mitigation perspectives.
Data for Ransom: Bitcoin Accepted
Bitcoin is known to be used for black market transactions on the online platform Silk Road that keeps getting raided by the federal government, but it’s also being demanded as payment in the latest data breach ransom scams.
That is, scammers convince supposedly “hacked” organizations that they have stolen passwords, intellectual property or financial card numbers, but more often than not the data dumps turn out to be fake or previously released, or are never provided to the organization at all after payment.
In a peak year for data breach coverage, the media has made it easy for scammers to read about breaches in the news and claim ownership, as well as to run phishing campaigns and other scams. While stolen data has always been sold online, the increasing visibility of data breaches and the adoption of Bitcoin have ushered in a new era of crime.
Saving Security Research
The information security research field isn’t free from its own share of political conflict: legal threats, defamation, prosecution and stress add up, and keep great researchers from completing more than a few projects a year.
Under a few federal acts, including the U.S. Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), some research activity can be construed as a felony. The confusing scope of these acts may limit or censor research, particularly when it comes to publishing or discussing work, for fear of legal retribution.
In 2014, security researchers Jeremiah Grossman, Jay Radcliffe, and HD Moore spoke up and reached out to those in power in an attempt to change the security researcher’s plight, all in an effort to advance the safety and security of industries while educating technology innovators on better security design.
Another effort was carried out by law professor and former FTC policy advisor Dr. Andrea Matwyshyn, who organized a White House petition to reform the CFAA and DMCA, laying out the complex steps necessary for real change in information security.
While we live in a promising time of change in which companies are realizing the positive impact of information security research, it’s also crucial we value and encourage efforts of researchers that are trying to keep us safer and more secure.
Executive Order for More Secure Retail Transactions
President Obama signed an executive order dubbed BuySecure in an effort to expedite the adoption of EMV payment cards, a standard already in use worldwide, starting in Europe in 1992.
Data breaches in the U.S. are most commonly attributed to data stolen from magnetic-stripe cards. EMV-enabled payment cards process transactions with greater security and integrity, reducing fraud and allowing more control over offline transaction approvals.
Chip-and-PIN is one secure model, and while it is not mandated by law, even the chip-and-signature design significantly improves the security of a consumer’s payment card data. Overhauling and upgrading old payment terminals to this new system nationwide will be no small task, but it is a necessary one to ensure more secure transactions in the future.
Although about 22 years belated, the federal push behind adopting EMV technology is a welcome initiative for the security industry, and a much-needed improvement that will pay off in the economy as consumers regain confidence in their purchasing power, driving both jobs and business growth.
About the Author
Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo Security, Pham covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.
This article is brought to you by Enex TestLab, content directors for CSO Australia.