Wednesday, January 7, 2015

IT risks, here we go again

“La Maqueta” ("The Demo", in English) was recorded by Estopa in 1999. As its title indicates, this was the first LP of the Spanish musical group formed by two brothers who would eventually define the urban rumba style. Among the 38 songs in the album, which went viral thanks to P2P and word of mouth, is "Vuelvo a las Andadas" (“Here I go again”).

Here we go again. Yesterday, what might be the first high-profile cyberattack of 2015 was disclosed. Bitstamp, one of the largest bitcoin exchanges, suspended its service on Monday after an attack on its wallet system that resulted in the loss of 19,000 bitcoins, about $5.1 million.

Here we go again with almost absurdly careless situations created by internet services. Moonpig, a website for creating personalized cards, had a flaw in its system for 17 months that allowed an attacker to obtain the data of any of its 3.6 million customers. Those 17 months led the developer who discovered the issue to make the exploit public. It relies solely on changing the customer ID when making a request via the API, since the API performs no check in the process.
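The missing check described above, shown as an added example that is not Moonpig's code: a constructed API handler in its vulnerable form, which trusts the customer ID in the request, beside a hardened form that requires the requested record to belong to the authenticated session, plus a simple audit over request records that flags cross-account lookups. The `Request` structure, customer records and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed customer records keyed by customer ID (not real data).
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test"},
    1002: {"name": "Bob Example", "email": "bob@example.test"},
}

@dataclass(frozen=True)
class Request:
    session_customer_id: int    # the customer the session is authenticated as
    requested_customer_id: int  # the customer ID supplied in the API request

class Forbidden(Exception):
    """Raised when a caller asks for a record it is not entitled to."""

def get_customer_vulnerable(req: Request) -> dict:
    """Insecure pattern: trusts the ID in the request and never asks who the
    caller is, so any authenticated user can read any customer's record."""
    return CUSTOMERS[req.requested_customer_id]

def get_customer_hardened(req: Request) -> dict:
    """Object-level authorization: the requested record must belong to the
    authenticated session. Missing and foreign records get the same error,
    so the response does not reveal which customer IDs exist."""
    if req.requested_customer_id != req.session_customer_id:
        raise Forbidden("record does not belong to caller")
    record = CUSTOMERS.get(req.requested_customer_id)
    if record is None:
        raise Forbidden("record does not belong to caller")
    return record

def lookup_or_none(req: Request):
    """Convenience wrapper returning None instead of raising Forbidden."""
    try:
        return get_customer_hardened(req)
    except Forbidden:
        return None

def audit_cross_account_requests(requests: list) -> list:
    """Detection side: return requests whose ID differs from the session's own.
    Many of these from one session, walking through sequential IDs, is the
    trace that enumeration of customer records leaves in API logs."""
    return [r for r in requests
            if r.requested_customer_id != r.session_customer_id]
```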

Here we go again with what always works: social engineering. This time it took the form of a phishing campaign targeting American college students, who received a fake email notice informing them that their account was about to expire. You can imagine the rest.

Social engineering certainly does not get old; it is used in many cases. For example, WPA or WPA2 Wi-Fi security can be attacked by brute force, but social engineering can also play a role here: users of a network are pushed to connect to a fake one, which redirects them to a password confirmation page in order to stay connected. In the end the victims themselves give away their password.

This year won’t be different in terms of privacy either; all kinds of abuses will happen again. Cookies are very useful for improving the online user experience, but misused they make it easy to track users. They should be easily removable, yet they become a serious problem for data security and privacy when they are delivered through combined strategies: storing cookies locally in different locations, "self-replicating" them, and even abusing mechanisms like HSTS.

All of this makes Trackography a very relevant initiative. The site analyzes which companies collect your browsing data, and how they use it, when you visit a media website in a given country. In fact, about 80% of those companies share data with third parties without explicitly stating what use will be made of it, and only 30% clearly explain how long they retain the data.

At the beginning of this year, nothing seems to have changed. Here we go again, as the Muñoz brothers (Estopa) would say. Hopefully this will change over the coming months.
