Dropbox Email Spamming: Posted by Aditya Agarwal on the Dropbox blog, a post titled “Security update & new features” addresses user complaints about spam arriving at email addresses they used only for Dropbox. The investigation found that “usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.” Dropbox went on to say that it had contacted the affected users and helped them secure their accounts. On the Naked Security blog, Paul Ducklin points out that this incident proves the “One site, one password” rule: the spam happened because users had reused the same password across multiple sites, and the attackers took credentials stolen elsewhere and signed in to the matching Dropbox accounts. Unfortunately, one of those reused passwords belonged to a Dropbox employee whose account held a project document containing many user email addresses. Dropbox says it is working on several mechanisms to improve security, including two-factor authentication, automated identification of suspicious activity, and an active logins page.
Cataloging and Tracking Malicious Software: “Tagging and Tracking Espionage Botnets” by Brian Krebs. Krebs interviewed Joe Stewart, who spent over a year cataloging and tracking malicious software developed and deployed specifically for spying on governments. Stewart has tracked more than 200 unique families of custom malware and uncovered over 1,100 web site names registered by cyberspies for hosting the networks used to control the malware and/or run “spear phishing” campaigns. Once the deliberate technical misdirection is sorted out, the location of the groups’ infrastructure usually points back to Beijing or Shanghai. No surprise, since Stewart says “There have to be hundreds of people involved, just to maintain this amount of infrastructure and this much activity.” For the full interview, visit Brian Krebs’ blog here. Watch our webinar with Richard Clarke, author and former White House advisor to the Bush and Clinton administrations, as he discusses the changing cyber threat environment and the evolving cyber legislation landscape.
Black Hat Wrap-Up: “Black Hat 2012: Security visibility and the hidden message” by Jennifer Minella. With Black Hat finishing up last week, Minella looked at the trends and messaging across the presentations and concluded that the big concept this year was security visibility. “You can’t secure what you don’t know, and you can’t secure assets from threats and actors you don’t understand,” was repeated over and over, reminding attendees that “intelligence is key.”
BYOD Initiatives Causing Headaches: “Data Mobility, Security Top Cloud Computing Concerns” by Nathan Eddy. According to a survey conducted by Mezeo Software, the biggest concern among IT decision makers is the use of public clouds and the associated loss of corporate data. Eddy reads this as a reflection of the known threats and the risk of data leakage in the public cloud. Leakage was the most prevalent worry, with over 80 percent of participants rating their concern as an eight or higher on a scale of one to 10. The rise of BYOD initiatives was cited as a driver of the increased leakage, yet only 42 percent of respondents said they were actively preventing data from being stored in public clouds. CA Veracode has a free ebook you can use to educate your employees about proper device usage and the risks at hand; take a look at the Top 10 Mobile Security Tips.
First there was BYOD, now there’s BYOA: “Bring your own apps: The new consumer threat to the CIO” by Nick Heath. Now that employees have their own devices in the workplace, they are starting to bring their own applications and open source software as well. Protecting the valuable corporate data that shares a device with, and is handled by, these apps is a considerable challenge for CIOs. Blocking the installation of these applications or barring access to software-as-a-service offerings isn’t very viable, because employees find workarounds and because a popular, genuinely useful tool may get blocked along with the risky ones. Instead, educate staff about what information can safely be stored on public services and the implications of installing personal software on work devices. If employees favor a particular app or service, examine why it is so useful to them and see whether you can source an alternative that does not pose the same security or management problems. CA Veracode makes it easy to quickly determine the security posture of your third party applications. You can also view our Third Party Application Analysis - Best Practices and Lessons Learned webinar to learn how we developed our third party scanning program.