Secure Site? What Secure Site?
Researchers at security firm WhiteHat have some good news and some bad news. First the (sort of) good: for the third consecutive year, the number of serious vulnerabilities per website has gone down. But hold your applause, please. The average website was still a model of insecurity in 2012, with 56 holes.
To be sure, that's an improvement on the average of 79 per site in 2011 and an astonishing 230 per site in 2010. (By “serious vulnerability” WhiteHat means holes through which “an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.”)
And now the bad news: Of the tens of thousands of sites the researchers looked at, 86 percent had at least one serious vulnerability and a stunning 82 percent had a vulnerability that went unresolved for at least a full month. The most common vulnerabilities included: information leakage (55 percent of sites), cross-site scripting (53 percent), content spoofing (33 percent), and URL redirector abuse (13 percent).
U.S. Gov’t Pushes for Law Mandating Backdoors
In the post-9/11 world, the U.S. government has moved aggressively to monitor any data traffic on which it sees fit to eavesdrop. Accustomed to this state of affairs, investigative agencies such as the FBI have chafed against the few limits on their wiretapping programs. One such limit comes from companies such as Google, Facebook, and Skype, that have balked at demands that they introduce modifications to their services with the sole purpose of allowing the government to snoop on their customers in real time. The companies have argued that some communications are just not amenable to eavesdropping, but according to a Washington Post article, a government task force is working on legislation that, if passed, would make developing and installing the modifications a legal requirement. Such a law would institute stiff penalties for noncompliant companies. WaPo notes that the government took this ‘There oughta be a law!’ stance in 2010, after Google began encrypting Gmail and Android text messages end to end. Google’s decision to step up its security game caught the government flat-footed; the FBI found it difficult to intercept e-mail messages even with a court order.
Besides concerns about raising customers’ ire for violating their privacy (which the government is seeking to remedy by giving companies immunity from lawsuits filed because they shared data with authorities), the online service providers have good reason to fear such a measure, says the Post article.
“Critics like Matt Blaze, professor of computer science at the University of Pennsylvania, have argued that the intercept capabilities introduce vulnerabilities (pdf) that make it possible for foreign intelligence agencies and others to hijack the surveillance systems on communication networks and do their own spying.”
Of the proposal, Greg Nojeim, a senior counsel at the Center for Democracy and Technology, which focuses on issues of privacy and security, told WaPo that, “They might as well call it the Cyber Insecurity and Anti-Employment Act.”
Online Image Booster Takes a Hit
Reputation.com, a company that built its own reputation on helping its customers improve their online personas, suffered a blow to its image after it reported earlier this week that its network was hacked. In an e-mail sent to thousands of customers in more than 100 countries, the company said its security team discovered the attack as it was happening, but not before the cyberthieves made off with data including names, e-mail and postal addresses, telephone numbers, and dates of birth. The company acknowledged that a small number of account passwords had been taken in the cyberheist, but noted that it had reset all of its customers’ passwords as a precaution. And as is regularly the case, the company offered assurances that credit card information remained safe because it was stored on another system.
For its part, Reputation.com said in the e-mail that “transparency and openness are part of our culture. That’s why, although the extent of the breach and the limited kind of information accessed during this attack did not legally obligate us to provide notice to our users [the firm is required to do so only for residents of North Dakota], we nevertheless felt it was important to let you know that this event occurred.” How nice. That, and an offer of a year of free credit monitoring to affected customers, oughta burnish the company’s reputation.
And in other cybercrime news…
- Michael Meneses, a network systems manager who quit his job in a huff because he was passed over for promotion, was arraigned on Thursday on charges that he took revenge on his former employer by hacking the company’s network and introducing a keylogger program that captured login credentials. With that access, says the FBI in the criminal complaint, Meneses used “a former colleague's e-mail account to discourage new applicants from taking Meneses' position, [and sent] commands to alter the business calendar by one month, disrupting the company's production and finance operations."
- After being informed by security researchers that a European company had created a spyware-laden spoof of the Firefox browser, Mozilla sent a letter to the creators of FinSpy on Tuesday telling them to knock it off with the knockoff.
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.