As online shopping rises, so do cybersecurity threats associated with it. Security blog Krebsonsecurity.com warned consumers Wednesday of an email scam that has picked up on the Internet since Thanksgiving, asking consumers to confirm an e-commerce order or package shipment. According to blogger Brian Krebs, malware purveyors and spammers are “blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.” The methods the spammers use are “reliably successful,” especially during the holidays when victims are caught off-guard, he said. Shoppers who “know better” than to click links and attachments are often “intensely focused on making sure their online orders arrive before Dec. 25,” he said. Krebs posted sample spam emails purported to be from Costco, Home Depot, Target and Walmart, urging recipients to click on links to track purchases. Krebs urged consumers who get such emails to open a Web browser and check their accounts with the online merchant instead. A spokesman for Target, one of the first high-profile retailers hit by a massive data breach last year, said Target urges its customers to “be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.” Target provides a link on its website on how to avoid such scams, he said.
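The tell in the shipment-notification lures Krebs describes is that the message claims to be from a retailer while its “track your order” link points somewhere else. The following is an added example, not code from Krebs or from any of the retailers named above, that applies that check to a constructed email: it compares the sender's domain and every link target against the domains the claimed brand actually uses, and also flags anchor text that looks like a retailer URL but resolves to a different host. The `BRAND_DOMAINS` allow-list and both sample messages are assumptions made up for this example.

```python
"""Flag order/shipment-notification emails whose sender or links do not belong
to the retailer the email claims to be from.  Added example with constructed
sample data; the allow-list below is an assumption, not a vetted list."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brand name -> registrable domains that brand sends from
# and links to.  A production filter would maintain this from real mail flow.
BRAND_DOMAINS = {
    "costco": {"costco.com"},
    "home depot": {"homedepot.com"},
    "target": {"target.com"},
    "walmart": {"walmart.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels domain; a real filter should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_notification(claimed_brand, sender_addr, html):
    """Return (reason, detail) findings; an empty list means nothing looked off."""
    allowed = BRAND_DOMAINS[claimed_brand.lower()]
    findings = []

    sender_dom = registrable_domain(sender_addr.rsplit("@", 1)[-1])
    if sender_dom not in allowed:
        findings.append(("sender-domain", sender_dom))

    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        if not href:
            continue
        host = (urlparse(href).hostname or "").lower()
        if registrable_domain(host) not in allowed:
            findings.append(("link-host", host))
        # Visible text that looks like a URL must agree with the real target.
        if text.startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            shown_host = (urlparse(shown).hostname or "").lower()
            if registrable_domain(shown_host) != registrable_domain(host):
                findings.append(
                    ("text-href-mismatch",
                     f"{registrable_domain(shown_host)} -> {registrable_domain(host)}"))
    return findings


# Constructed sample messages (not real mail).
LEGIT_EMAIL = (
    '<p>Your order has shipped.</p>'
    '<a href="https://www.target.com/orders">Track your order</a>'
)
PHISH_EMAIL = (
    '<p>Your Target order has shipped.</p>'
    '<a href="http://target-track.example/order">www.target.com/track</a>'
)

if __name__ == "__main__":
    print(check_notification("Target", "orders@target.com", LEGIT_EMAIL))
    print(check_notification("Target", "shipping@target-orders.example", PHISH_EMAIL))
```

The two-label `registrable_domain` is deliberately simple; for ccTLDs such as `.co.uk` it would collapse unrelated sites into one “domain,” so anything beyond a demonstration should swap in a public-suffix-list lookup. The advice in the article still stands regardless of what a filter says: open the retailer's site yourself rather than following the link.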
Legal and regulatory scrutiny of corporate leaders’ management of cybersecurity may increase in 2015 if more “major” data breach incidents occur, Experian said Monday in a report. Data breaches in the coming year are likely to increasingly result in the theft of usernames, passwords and other information stored in the cloud, because cloud services’ increasing popularity makes them an “attractive target” for hackers, Experian said. Data breaches at physical retail locations may also increase in the coming year as hackers attempt to make final profits from point-of-sale attacks before the more secure chip-and-PIN technology is adopted in the U.S. in October, the firm said. Data breaches at healthcare facilities are also likely to increase due to the increasing use of electronic medical records and wearable technology, Experian said. Third-party breaches also will increase due to the increased use of the Internet of Things, the firm said. Despite the increased threat from outside actors, employees’ mistakes will remain the main threat to corporations’ cybersecurity, Experian said. Only 54 percent of companies say they provide security awareness training to employees, far lower than what’s needed to make a “significant dent” in breaches during the coming year, the firm said.
The FCC said it’s seeking comment on a petition from Marriott, the American Hospitality & Lodging Association and Ryman Hospitality Properties seeking FCC guidance on what they should do to protect the security and quality of their Wi-Fi networks. Marriott agreed last month to pay $600,000 to resolve an FCC investigation into whether the hotel company intentionally interfered with and disabled Wi-Fi networks at a Tennessee convention center (see 1410060039). The comment deadline is Dec. 19, the FCC said.
National Institute of Standards and Technology officials said they're encouraged by sector-specific work that critical infrastructure industries are doing to adapt NIST’s Cybersecurity Framework. Adam Sedgewick, NIST senior information technology policy advisor, cited the communications sector’s work to adapt the NIST framework via FCC Communications Security, Reliability and Interoperability Council Working Group 4 as an example of a market driver in moving framework use forward. Industry groups’ adaptation of the framework was a major topic at NIST’s framework workshop in late October (see 1410300050), something that NIST officials found “very informative” as they decide how to proceed on any future work on the framework, said Matthew Scholl, NIST acting chief-Computer Security Division.
Ninety-four percent of U.S. consumers heard about major data breaches during the past year, but only 45 percent of surveyed consumers have changed an online password, ISACA said Wednesday, based on a survey. About 28 percent of consumers said they were shopping less frequently at one or more retailers that had experienced major data breaches over the past year, while 15 percent of consumers said they made fewer online purchases using mobile devices, ISACA said. “An interesting conclusion from this study is the gap between people’s concerns about protecting their data privacy and security versus the actions they take,” said ISACA International President Robert Stroud in a news release. “Businesses need to address this gap by aggressively educating customers and employees about how they can help reduce the risk or minimize the impact of data breaches or hacks.” ISACA surveyed 1,646 ISACA members, along with an additional 4,224 consumers in Australia, India, U.K. and U.S.
U.S. Postal Service employee and customer information was breached in a cyberattack, said a USPS news release Monday. The FBI and other federal agencies are continuing their investigation into the breach, it said. USPS employees may have had their names, dates of birth, addresses and Social Security numbers compromised, it said. Customers who paid for items on the USPS website weren’t affected, it said. The hackers may have obtained the names, phone numbers and email addresses of customers who contacted USPS’s call center from Jan. 1 to Aug. 16, it said. USPS said those customers don’t need to “take any action as a result of this incident.”
Fifty-three million email addresses were accessed when hackers breached Home Depot’s payment systems, the company said in a news release Thursday. Passwords to those email addresses weren’t breached, it said. Home Depot had disclosed that 56 million payment cards were breached during an attack between April and September (see 1409190084). “Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network,” it said. “These stolen credentials alone did not provide direct access to the company's point-of-sale devices,” said Home Depot. “The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.”
The federal government is unlikely to seek major changes to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework Version 1.0 “in the near future,” said Ari Schwartz, White House National Security Council senior director-cybersecurity, during a NIST workshop Wednesday. NIST is holding the workshop to collect stakeholders' input on their use of the framework since its release in February so the agency can make tweaks. “We feel that the framework is an excellent product” that currently requires only minor updates, Schwartz said. Information and communications technology sector stakeholders have said in comments to NIST that it’s still too early to fully evaluate the framework because the sector is still working to adapt the framework for sector-wide use (see 1410140173). AT&T Assistant Vice President-Global Public Policy Chris Boyer cautioned NIST during the workshop “not to rush too quickly” to make major changes to the framework. The Version 1.0 framework still needs time to “ferment,” particularly given ongoing work within the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) Working Group 4 to adapt the framework for the communications sector, Boyer said. AT&T was an early adopter of the NIST framework and is an active participant in CSRIC Working Group 4’s efforts, Boyer said. The telco is “optimistic” that the FCC’s overall efforts on cybersecurity “are turning in the right direction,” he said. CSRIC Working Group 4 remains on track to release a final report and recommendations on communications sector use of the NIST framework in March (see 1409240046).
Online security breaches in 2014 increased by 48 percent from 2013, said a study released by PricewaterhouseCoopers. It was based on responses from 9,700 industry executives in 154 countries, it said, 35 percent from North America. Respondents said they had 42.8 million security breaches in 2014, or 117,339 attacks per day, it said. The study included “only the total incidents detected and reported,” it said. “The number of respondents reporting losses of $20 million or more almost doubled over 2013.” A separate survey, also released Monday from Kaspersky Lab, said 94 percent of companies had cybersecurity issues in 2014, a 3 percentage point increase from last year. Kaspersky partnered with B2B International on the survey, which covered 3,900 respondents from companies of all sizes in 27 countries, it said. The survey was done from April 2013 to May 2014, it said. The average cost of one data security incident was estimated to be $720,000, it said. Thirty-eight percent of companies said that “protection of confidential data against leakages” is their top priority, it said. Twelve percent of companies were the victims of targeted data security attacks, up from 9 percent last year, it said.
The average bandwidth of distributed denial-of-service (DDoS) attacks increased 389 percent between Q3 2013 and Q3 2014, Akamai Technologies said Thursday in a report (http://bit.ly/1FKpy9i). Akamai said its service defended against 17 DDoS attacks in Q3 that had traffic of more than 100 Gbps, including one at 321 Gbps. “We witnessed none of that size in the same quarter a year ago and only six” in Q2, said John Summers, Akamai vice president-Security Business Unit, in a news release. “These mega-attacks each used multiple DDoS vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed.” More than half of all attacks measured in Q3 used multiple attack vectors, an 11 percent increase from Q2 and a 9 percent increase from the same period last year, Akamai said. Multi-vector attacks are increasing due to “the increased availability of attack toolkits with easy-to-use interfaces as well as a growing DDoS-for-hire criminal industry,” Akamai said (http://bit.ly/1xenfVC).