Monthly News Roundup - August 2015 (TL;DR)

2015-09-01_Ars-Technica

NEWS

In the past 31 days, we saw some salacious information security headlines. That’s because Ashley Madison, the dating site for married people, suffered a major data breach. In addition, reports emerged with foreboding news about malvertising and man-in-the-cloud hacks. All that, plus much more, in our August monthly roundup:

Companies Are Liable for Poor Information Security: A federal appeals court ruled that the U.S. Federal Trade Commission (FTC) can take legal action against firms employing bad data security systems. The issue came to a head in the FTC’s case against international hotel firm Wyndham Worldwide. From 2008-09, Wyndham endured three data breaches affecting 619,000 customers and causing $10.6 million in fraud. According to the FTC’s complaint, Wyndham had stored credit card numbers in plain text, permitted easily guessable passwords, and failed to restrict outside vendors from customers’ financial information. Safeguarding customer data with rock solid data security protocols isn’t just good for building trust, it’s criminal not to.

Unsatisfied Ashley Madison Hackers Reveal Customer Data: Adultery dating site, Ashley Madison got hacked in a big way last month. According to reports, the hackers were demanding that the site shut itself down. When they didn’t get the desired result, the data thieves dumped Ashley Madison’s customer information as a BitTorrent. Email addresses, credit card numbers and transactions, and member profiles were among the personally identifying information included in the 10GB file deposited by the hackers. So much for that secret affair.

Man-In-The-Cloud Hack Poses New Threat: Researchers from Imperva revealed a new man-in-the-cloud attack, at the annual Black Hat data security conference. The hack attacks cloud file synch services (like Google Drive, DropBox, etc.) through a user’s machine. While the effects could be devastating, the attack does require a person to unwittingly install a new synch token. While those types of scams seem far fetched, this year we’ve reported on multiple social engineering tricks that helped criminals to break into devices and networks, and steal money.

Shadow IT Uncovered In New Cisco Report: All CIOs know that their users are probably using a few additional, unauthorized cloud services on their work devices. But they’re wrong. According to a new Cisco report, so-called shadow IT is 15-20 times higher than CIOs assume. Shadow IT creates a large potential data loss threat. In addition, it increases IT costs and maintenance. Securing and controlling employees’ connection to web based apps and the Internet can help reduce the threat significantly.

University of Virginia Hack Has International Implications: The University of Virginia shut down its entire network for two days after discovering it had been breached. Further disclosures by the University revealed that the hack targeted two school employees whose work pertains to China. In related news, the Defense Department issued a warning this summer that hackers “affiliated with a well known foreign intelligence agency” were targeting academic institutions as well as government contractors. Wethinks there’s a Chinese connection here…

June Was Worst Malvertising Month Ever: According to an interview with security analyst Patrick Belcher of Invincea, malvertising posed a huge threat to users in the first half of 2015. The malvertising Belcher and his team addressed used legitimate online advertising networks to distribute ransomware, banking Trojans, and bot code for click fraud campaigns. However, Belcher predicted that hacked Microsoft Office documents could overtake malvertising as a popular way to spread malicious code.