While many advocate the sharing of data to advance information security, recent events have made it clear that data sharing can sometimes do more harm than good.
What is done with the data collected, who shares it, how it is shared, and exactly what is shared have all been hot topics for debate during the past week.
Shared data = improved security?
A report released Thursday by Damballa Inc. revealed it took a number of antimalware products up to six months to create signatures that accurately identify 100% of the malicious files researchers tested on them.
In its Q4 State of Infection Report, researchers tested "tens of thousands" of malicious files on four antimalware products. Within an hour, the products missed 70% of the malware. After 24 hours, only 66% of the malware was detected. One week later, 72%, and a month later, 93%. After more than six months the products finally reached 100%.
"The longer an infection dwells before discovery and remediation," the report reads, "the odds of data exfiltration increases."
However, the lag time highlights not only greater security risks, but also the effectiveness of information sharing among antimalware vendors.
While the report said it takes time for product signatures to be updated, the gathering of malware data -- and lack of analysis and sharing of that data -- is only adding to malware security risks.
Does the U.S. need another cybersecurity aggregator?
The Obama administration announced Tuesday the launch of a new cybersecurity agency that will facilitate the gathering, analyzing and sharing of data among federal agencies.
Lisa Monaco, assistant to the president for homeland security and counterterrorism, said at a keynote speech on Tuesday that "no single government entity is responsible for producing coordinated cyberthreat assessments, ensuring that information is shared rapidly among existing cyber centers and other [government] elements, and supporting the work of operators and policymakers with timely intelligence about the latest cyberthreats and threat actors."
The Cyber Threat Intelligence Integration Center (CTIIC), Monaco said, will be created to fill this gap.
While the CTIIC sounds beneficial, not everyone is happy about its creation -- or its $35 million price tag.
Melissa Hathaway, former White House cybersecurity coordinator and president of Hathaway Global Strategies LLC, said the Department of Homeland Security, Federal Bureau of Investigation and National Security Agency all have their own cyber operations centers, and that the FBI and NSA have the ability to integrate shared data.
"We should not be creating more organizations and bureaucracy," she said. "We need to be forcing the existing organizations to become more effective -- hold them accountable."
Trend Micro Inc.'s Chief Cybersecurity Officer Tom Kellermann told Reuters, "You don't necessarily need a new center. … I do think it is redundant."
Gregory Nojeim, senior counsel for the Center for Democracy and Technology, said a new agency could create privacy issues.
"It's not clear what guidelines will be in place at this center to protect privacy," Nojeim said, "And it's also not clear that the [CTIIC] is necessary, given the other entities already charged with dealing with the cyberthreat."
Monaco said that government was not doing the work for the private sector, but rather the two must foster strong collaboration.
"We've made it clear that we will work together," she said. "We're not going to bottle up our intelligence. If we have information about a significant threat to a business, we're going to do our utmost to share it."
Monaco cited government's response to the recent Sony Picture Entertainment hack; within 24 hours it released information and the malware signatures to help private organizations bolster their defenses.
Password cache release in the name of 'security'?
Security consultant Mark Burnett has come under fire for releasing a cache of 10 million usernames and passwords this week for "academic and research purposes," even though the data had already been released publicly.
In a blog post published Monday, Burnett justified his actions and, in what may be a sign of increasing distrust between security researchers and law enforcement, explained why the FBI should not arrest him. He also explained the steps he has taken to prevent the login information from being used fraudulently, such as removing the domain portion from the email addresses.
In an FAQ posted Tuesday, Burnett explained that none of the published passwords were from new leaks; they "all are or were at one time completely available to anyone in an uncracked format."
So why did he release the data?
"The primary purpose is to get good, clean and consistent data out in the world," he said, "so others can find new ways to explore and gain knowledge from it. … It should provide good insight into user password selection."
Clearly though, Burnett is worried about the legal consequences of sharing credentials in a way that may be useful to attackers. In his blog post, he wrote about Barrett Brown, the Anonymous activist who was prosecuted for linking to a data dump.
"The sole intent," Burnett wrote, "is to further research with the goal of making authentication more secure, and therefore, protect from fraud and unauthorized access."
Jeb Bush: When transparency is too much
Former Florida Governor Jeb Bush posted thousands of emails from his time as governor on his website JebEmails.com in advance of his upcoming ebook, which tells "the story of a life of a governor" through the email correspondence he encouraged from residents. Some of the emails, however, contained correspondents' personal information, including names, home and email addresses, phone numbers, medical information and Social Security numbers in plaintext.
While the site published these emails "in the spirit of transparency," the users whose information was exposed didn't know about it.
The Verge found correspondence on the termination of a Florida lottery employee. Another email that was sent on behalf of a healthcare representative to the governor included the name, state, phone number, Social Security number and healthcare identification number of a mother and her child.
The email signature from the governor, however, reads: "Florida has a very broad public records law. Most written communications to or from state officials regarding state business are public records available to the public and media upon request. Your email communications may therefore be subject to public disclosure."
Bush commented on this during a press conference Tuesday. "We just released what the government gave us," Bush said.
Social Security numbers are exempt from public disclosure under the law. Private attorney Richard A. Harrison told The Verge that the blame should be placed on the state's legal records custodian.
In other news
- Aite Group LLC, in a report released Thursday, forecasts that 59% of U.S. point-of-sale terminals will be chip-capable by the end of 2015, and 90% by the end of 2017. The report, EMVelocity: Outlook for POS Reterminalization and Mobile Payments, based on interviews with merchants, found that 61% of those aware of the upcoming transition have begun or completed the implementation. An October liability deadline set by major credit card brands means merchants may soon be liable for fraudulent point-of-sale transactions if they can't process customers' EMV-enabled payment cards. Aite Group Senior Analyst Thad Peterson said, "It's good news that the pace of implementation has picked up, but when the liability shift occurs, nearly half of all merchants will now be vulnerable to counterfeit card fraud, and the liability will be on them. Every organization in the payments space needs to increase its efforts to educate and inform the merchant community about the importance of moving to EMV chip and the value of implementing NFC."
- Three Saarland University students found nearly 40,000 instances of openly available MongoDB databases on the Internet, according to a report published last month. Jens Heyens, Kai Greshake and Eric Petryka claimed they could achieve read and write access to the open source NoSQL databases because MongoDB defaults are tailored for running on the same physical machine or virtual machine instance, and because the documentation for setting up MongoDB servers with Internet access does not provide adequate information for activating access control, authentication and transfer mechanisms, so systems are more likely to be wrongly implemented. The students reported they were able to access a number of large databases, one of which belonged to a French telecommunications provider and held nearly 8 million customer entries. (Editor's note: MongoDB contacted SearchSecurity and provided this link to its security best practices.)
- A blog post from OpenDNS Security Labs researchers Andrew Hay, Kevin Bottomley, Jeremiah O'Connor and Josh Pyorre published Wednesday revealed the increasing sophistication of phishing scams. While the scam starts with a traditional phishing email, a link in the email leads users to legitimate-looking but malicious PayPal and Apple ID domains. The blog post admitted that these scams are nothing new, but "they are beginning to look more legitimate with every iteration." The researchers also noted that companies such as Wix.com are making it easier for attackers to create malicious websites that look legitimate, and pretty soon "the difficulty of identifying the validity of these websites visually will be untenable." OpenDNS reported the domains to the affected companies, which are working on taking down the fraudulent sites.
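The Saarland finding above comes down to two settings in mongod's configuration file: which interfaces the server listens on and whether role-based access control is switched on. The script below, written for this article as an illustration and not taken from the students' report or from MongoDB, audits a mongod.conf for exactly those two settings. It uses the real option names net.bindIp, net.bindIpAll and security.authorization; the two sample configurations are constructed for the example, and because the effective default for bindIp has varied between MongoDB versions and distribution packages, the script treats an unset bindIp as a finding rather than assuming a value.

```python
"""Audit a mongod.conf (YAML-style) for the two settings that decide whether a
MongoDB instance is reachable and writable by anyone who can route to it.

Added example for this article; not code from the Saarland report or MongoDB.
The option names (net.bindIp, net.bindIpAll, security.authorization) are real;
the sample configs are constructed. A tiny purpose-built parser is used so the
script runs without PyYAML.
"""

# Listening addresses that mean "every interface on the host".
PUBLIC_BINDINGS = {"0.0.0.0", "::", "*"}

# Constructed sample: an Internet-facing instance with no access control,
# the shape of configuration the Saarland students were finding.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # listens on all interfaces
"""

# Constructed sample: bound to loopback plus one internal address, with
# role-based access control enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the two-level 'section:\\n  key: value' layout of mongod.conf
    into nested dicts. Comments are stripped. Not a general YAML parser."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()
            config[section] = {}
        elif ":" in line and section is not None:
            key, value = line.split(":", 1)
            config[section][key.strip()] = value.strip().strip("\"'")
    return config


def audit_mongod_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    config = parse_simple_yaml(text)
    net = config.get("net", {})
    security = config.get("security", {})
    findings = []

    # Check 1: network exposure.
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" not in net:
        # Assumption stated in the lead-in: do not guess the default, flag it.
        findings.append("net.bindIp is not set: the effective default depends on "
                        "version and packaging, so set it explicitly")
    else:
        addrs = {a.strip() for a in net["bindIp"].split(",")}
        exposed = sorted(addrs & PUBLIC_BINDINGS)
        if exposed:
            findings.append("net.bindIp includes %s: mongod listens on every interface"
                            % ", ".join(exposed))

    # Check 2: access control. Without it, reaching the port is full access.
    if security.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that "
                        "reaches the port has read/write access to every database")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod_config(conf)
        print("%s config: %s" % (label, "OK" if not findings else ""))
        for f in findings:
            print("  - " + f)
```

Running it prints two findings for the weak configuration and none for the hardened one. The check is deliberately conservative: a config that is silent about bindIp is reported, because a reviewer cannot tell from the file alone what that deployment's build and package default to.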