The phishing attack launched against Gmail accounts this week represents the opening of a new front in the cybersecurity war that strikes at the heart of the API economy.

Unlike other phishing attacks that require end user to log into a fake web site to give up their password, the phishing attack launched this week relied on a fake version a Google Docs was created by cybercriminals. The cybercriminals then asked end users for permission to read, write and access an end user’s emails stored on Gmail. Once that was given the attackers made use of tokens provided by the OAuth authentication protocol to access the user’s accounts without the end user ever having to give up their passwords.

Google shut down the attack quickly, but it’s estimated that about one million users where potentially affected. There are some basic Google security measures end users should routinely make use of to better secure their accounts, including making use of verification and security checkup services that Google provides.

[Read more…]

There’s a direct link between the amount of legacy applications and IT infrastructure any organization has installed and an organization’s overall security posture. The longer applications and IT infrastructure have been deployed the more likely it is that cybercriminals are exploiting some vulnerability. It’s even probable that vulnerability is a known exploit. The patch for that vulnerability, however, has been overlooked by an IT organization that is either overworked or simply uninformed.

[Read more…]

There’s generally not much love being lost between credit card companies and providers of retail services that rely heavily on credit card transactions. The credit card companies recently began embedding chips in their cards that forced every retailer to upgrade their point-of-sale (PoS) systems at great expense. The theory is that credit cards embedded with chips will result in better security because the data on the card is encrypted. However, regardless of whether a credit card has a chip every card still has a magnetic stripe on the back of the card. This was intended to make it simpler for retailers make the required PoS system upgrades over an extended time. After all, not everyone could be issued a new card overnight. It also turned out the PoS upgrade process has been deeply flawed.

[Read more…]

Ascribing a real cost to a cybersecurity breach is a major challenge because the impact goes well beyond any tangible cost. In addition to the value of the data stolen and the time and money spend on defending the environment, damage to a corporate brand can be substantial.

A new report from Oxford Economics that was commissioned by the cybersecurity form CGI does, however, estimate that billions of dollars in shareholder value has been erased directly because of cybersecurity attacks. Apparently, once an organization reveals it has been a victim of a cybersecurity attack investors tend to lose confidence. Before too long the company finds itself essentially being victimized again as the value of its shares fall.

Despite a material impact involving billions of dollars, organizations are still conflicted over who is responsible for IT security inside their organizations. A recent report published by BAE Systems found that a third of C-level executives believe responsibility for data breaches lies squarely on the IT organization. But 50 percent of the IT professionals participating in that same survey said responsibility for those breaches resides with senior managers.

[Read more…]

With all the news and drama emanating from Washington these days, it’s easy to miss the fact that a major leader of the cyber security community in the healthcare sector tells Congress just how bad cyber security really is across that entire industry.

Testifying before the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce this week, Terence M. Rice, Vice President and Chief Information Security Officer (CISO) at Merck & Co., Inc., called on Congress to implement a series of systematic actions to help mitigate a crisis affecting the entire healthcare industry. Those actions include:

[Read more…]

IT security is always listed as the number one barrier to adoption when it comes to cloud computing. But despite those concerns adoption of cloud security services continues to grow at unprecedented rates. In fact, while there have been some major breaches virtually none of them have involved a provider of a cloud service being used to deliver application services.

That doesn’t mean IT security professionals don’t have legitimate concerns. But it can be argued that in the absence of any compelling example many of those concerns remain theoretical. This week Crowd Research partners published a survey of 1,900 cyber security professionals that participate in a Security Community hosted on LinkedIn that goes a long way towards detailing what the potential issues with cloud security really are.

Top concerns include protection against data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%). Organizations are also realizing that legacy security tools are not designed for the cloud (78%) and that lack of visibility into cloud infrastructure is the single biggest security management headache they have (37%).

[Read more…]

The biggest beneficiary of any changes to rules and regulation pertaining to how Internet service providers (ISPs) can resell the data they collect about the browsing habits of their customers may very well turn on out to be providers of virtual private network (VPN) services.

The U.S. Congress recently voted along party lines to revoke rules created by the Federal Communications Commission (FCC) that if implemented would have required ISPs to get explicit permission before selling customer data to brokers that in turn sell that information to companies that want to better target their advertising.

That bill also goes a step further in that it prevents the FCC from making any similar regulations. Instead, all rulings relating privacy will now be in the hands of the Federal Trade Commission (FTC). That agency has been tasked with setting up privacy policies dating back to the 1970s. The similar bill to the one the Senate passed is now winding its way through the U.S. House of Representatives. If passed then a committee would meet to resolve any inconsistencies between the two versions, which would then be sent to the president for his signature. Assuming there is no veto, the law could be in place before the end of this year.

[Read more…]