Shellshock Live Mobile

[Heike Fallago]

2014was the year of mega breaches, hard-to-patch vulnerabilities, and thriving cybercriminal underground economies. It encapsulated threats of grand proportions, the consequences of which set companies back billions in losses and consumers an unknown figure in lost or stolen personally identifiable information (PII).

The Sony Pictures breach is not only a case study for business but also one for IT professionals. It revealed the importance of detecting intruders inside networks. The malware used in the breach, WIPALL, is not highly sophisticated and the attack could have been detected by a healthy knowledge of the network and its probable anomalies. This reminds IT professionals of the crucial role that a layered, customized defense plays inside very large networks.

PoS breaches are close to becoming a mainstream threat, with reports of security incidents coming in at least once a month. PoS attacks flourish because of an ongoing demand for stolen credit card data in cybercriminal underground markets. New variants of PoS malware like Alina emerged as direct evolutions of older PoS RAM scraper families like Backoff. These new variants were used in attacks against the retail, shipment, travel, and transportation industries.

For companies targeted by PoS-related threats, the consequences can be significant. Even before the Sony Pictures breach and thus excluding its losses, the Ponemon Institute has revealed that the cost of a data breach was already on the rise in mid-2014. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than nine percent (9%) from $136 in 2013 to $145 in 2014.

Note that a number of diverse and hard-to-patch vulnerabilities also emerged in 2014. Newsworthy flaws like Heartbleed, Shellshock, and Poodle put users of open source software and platforms that were previously regarded as safe at risk of widespread attacks.

Beyond issues of the growing number of Android vulnerabilities, iOS platform users also had their own problems to deal with. The iOS Goto Fail vulnerability exposed iOS version 7 users to cybercriminals trying to eavesdrop on mobile device sessions in shared networks.

We also saw how other mobile system weaknesses put mobile banking transactions at risk. Attacks like Operation Emmental shattered the belief that two-factor authentication via SMS is enough to protect from fraud. This specific operation targeted users in Austria, Sweden, Switzerland, other European countries, and eventually Japan.

In 2014, we saw the evolution of prices in global markets for stolen personal data. We observed how the prices range across markets as well. For instance, online account credentials in Brazil can go for as low as $50 while China offers up to $1,627.

Each underground market also offers its own specialization and standout services that are unique to them. The Brazilian underground is the most popular source of tools for bank fraud, phishing pages, and other fraud-related products and services. It even offers training services to wannabe cybercriminals. The Russian underground is known for pay-per-install services that drive traffic to malicious sites. Meanwhile, the Chinese underground Sells DDoS attack services, compromised hosts/botnets, and other products and services as well as mobile attack tools (SMS spamming software, SMS servers, and others).

We are witnesses to the dire consequences of failing to secure our digital information. It costs everyone money, time, and various other inconveniences. Familiarize yourself with the threats we live with today and know that awareness is the first step to protection.

2014 displayed worst-case scenarios because of failures in securing digitized information. Some global systems have been found to rely on a precarious foundation made of flawed software, unsafe digital habits, and lacking anti-cybercrime initiatives.

Consumers remain unperturbed. Despite exposure to news of retail breaches, consumer attitude towards security has barely changed. In an RSA survey designed to check the consumer attitude towards online shopping and mobile security, almost half (45%) revealed no change in their behavior when using credit and debit cards despite knowledge of retail breaches. Roughly 7 in 10 respondents admit to using the same password for more than one device or website.

Meanwhile, the enterprises, government agencies, and other organizations that handle large amounts of data are broad targets for attackers. Given that the cost of data breach is on the rise, companies should take the opportunity to vastly improve on their digital security.

In addition, repercussions of these breaches directly influence how lawmakers and customers react to businesses. Because of breaches, customers of banks and other financial institutions are said to be less loyal than before. Now that two-factor authentication is at risk, demand is increasing for banks to take additional security measures.

3a8082e126