More apparent insecurity in the Android platform: apparently the Android operating system, from version 3.0 through the present, uses the same password for unlocking the device that it uses for encrypting the data on the phone. This opens up data on the phone to a relatively simple brute force attack, as few people use complex passwords to unlock their phones.
In light of this revelation, it is clear that Android continues to be a questionable platform choice for business / enterprise use.
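To put numbers on the brute-force point above, here is an added example (not code from the original post): it models the key derivation that Android 3.0 to 4.3 full-disk encryption applied to the unlock password (PBKDF2-HMAC-SHA1, 2000 iterations, 16-byte salt, stated here as background the post does not spell out), measures the real cost of one derivation, and estimates how long an offline exhaustive search would take for several unlock-policy classes. The policy labels, keyspace sizes and the ten-year threshold are assumptions chosen for illustration.

```python
import hashlib
import os
import time

# Android 3.0-4.3 FDE key-wrapping parameters (background assumption, not from the post):
# the key that wraps the disk master key is derived from the lock-screen password with
# PBKDF2-HMAC-SHA1, 2000 iterations, a 16-byte salt, producing 16 bytes key + 16 bytes IV.
PBKDF2_ITERATIONS = 2000
SALT_BYTES = 16
KEY_IV_BYTES = 32

# Unlock-policy classes to compare: label -> size of the password space (assumed values).
POLICIES = {
    "4-digit PIN": 10 ** 4,
    "6-digit PIN": 10 ** 6,
    "8-char lowercase": 26 ** 8,
    "12-char mixed (62 symbols)": 62 ** 12,
}
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_wrapping_key(password: str, salt: bytes) -> bytes:
    """Derive the 32-byte key+IV that protects the master key from the unlock password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, KEY_IV_BYTES)


def measure_kdf_seconds(samples: int = 20) -> float:
    """Average wall-clock cost of one derivation on this machine (single core)."""
    salt = os.urandom(SALT_BYTES)  # constructed sample salt
    start = time.perf_counter()
    for i in range(samples):
        derive_wrapping_key(str(i).zfill(4), salt)
    return (time.perf_counter() - start) / samples


def worst_case_search_years(keyspace: int, kdf_seconds: float, parallel: int = 1) -> float:
    """Years to exhaust the whole password space when the salt is known from the header."""
    return keyspace * kdf_seconds / parallel / SECONDS_PER_YEAR


def policy_report(kdf_seconds: float, min_years: float = 10.0) -> dict:
    """Map each policy to (worst-case search years, meets the minimum-years threshold)."""
    return {label: (worst_case_search_years(space, kdf_seconds),
                    worst_case_search_years(space, kdf_seconds) >= min_years)
            for label, space in POLICIES.items()}


if __name__ == "__main__":
    cost = measure_kdf_seconds()
    for label, (years, ok) in policy_report(cost).items():
        print(f"{label:28s} {years:14.3g} years  {'OK' if ok else 'WEAK'}")
```

A 4- or 6-digit PIN is exhausted in seconds to minutes at 2000 PBKDF2 iterations, which is why a device-encryption password should be chosen independently of the convenience unlock code.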
A researcher at the University of Luxembourg has discovered that a weakness in the A-GPS location process used by smartphones can permit malicious wi-fi sites to re-route the phone’s A-GPS location queries to the malicious site even after the smartphone has disconnected from it, permitting hackers to track the phone from that point on.
Furthermore, on smartphones where A-GPS signals are processed on the phone’s main CPU, hackers can use this exploit to crash the phone and possibly make use of other bugs to compromise the phone.
This exploit was demonstrated on a number of different Android phones from several manufacturers.
Another costly reminder of the liability that can stem from data breaches: Atlanta-based Global Payments suffered a breach in which 1.5 million account records were exposed in a hack attack.
Global Payments now reports that just the cost to fix the data breach has reached $85 Million so far, resulting in a 91% drop in quarterly net income when compared to last year. This does not account for the damage to Global Payments’ reputation. Both Visa and Mastercard dropped Global Payments from their compliance lists after the revelation of the data loss.
According to the Atlanta Journal-Constitution, last month Global also warned that hackers might have accessed the personal information of an unknown number of merchants who’d applied with Global for payment processing services.
Interviewed by the AJC, Adam Levin, an identity theft expert and chairman of Credit.com, said the Global breach is another wakeup call that governments and companies may not be doing enough and that consumers must protect themselves. His conclusion: “Companies have got to be more proactive,” he said. “Even the ones that are really good [at security] are finding that the bad guys still find a way to beat them.”
In October of 2011, the Securities and Exchange Commission issued a non-mandatory guidance statement on cybersecurity and the reporting of security requirements. Despite this guidance, which was intended to clarify existing reporting requirements for publicly traded companies under Sarbanes-Oxley and other federal privacy laws and regulations, many companies are either not reporting cybersecurity breaches or are skirting the reporting requirements by making very general disclosures which appear designed to minimize or disguise the nature and severity of such breaches.
In response to this dearth of meaningful reporting, the Chairman of the Senate Commerce, Science and Transportation Committee, Sen. Jay Rockefeller, is seeking to add provisions to cybersecurity laws that would strengthen and clarify breach-reporting obligations. Among the results of these changes would be a requirement that the SEC clarify when companies must disclose cyber breaches, and a requirement that companies spell out the steps they are taking to protect their computer systems from intrusions.
In the wake of such spectacular hacks as the breach of LinkedIn’s site and the repeated intrusions into Wyndham Hotels’ systems (for which the FTC is actively pursuing punitive enforcement against the company), it has become increasingly clear that cyber-crime is a real risk to businesses. In response to the damage that such intrusions do to both investors and end-customers, the government is clearly placing increased pressure on companies to step up and combat this economic threat through implementation of better preventative measures and by disclosing the existence of breaches after the fact, to ensure that issues within companies’ security systems are not simply swept under the proverbial rug. Increasingly, businesses must make protection of critical infrastructure and its data storage, handling, and destruction key elements in their business planning and implementation, rather than the afterthought it often seems to be.
This points out some interesting, but not surprising, trends in how the different generations view privacy and security on the internet. In a world of increasing cyberattacks and major financial and privacy hacks, this can spell seriously bad news for people who don’t take privacy and security issues seriously!
It appears that LinkedIn has swung into proactive mode in addressing their recent password hack SNAFU. While it is gratifying to see them taking action, this and the other password hacks this week at various other cloud service providers do point out the dangers of putting much of our life into the Cloud. The lessons here are: (1) use strong passwords, (2) change passwords regularly, and (3) nothing in the Cloud is 100% safe.