STE WILLIAMS

Trump Budget Adds $61 Million for FBI Cybercrime-Fighting Efforts

The President’s 2018 budget blueprint includes a focus on cybersecurity with $1.5 billion for Homeland Security and $50 billion for Defense.

The Trump administration has proposed allotting an extra $61 million in its 2018 budget to the FBI and the Justice Department to strengthen their fight against terrorists and cybercriminals, Cyberscoop reports.

The budget blueprint appears to support beefing up government cybersecurity. White House homeland security adviser Thomas Bossert said: “Federal networks at this point can no longer sustain themselves. We cannot tolerate indefensible technology, antiquated … hardware and software.”

The blueprint proposes $1.5 billion spending for the US Department of Homeland Security for improving defense against hackers, with a call for better understanding between sectors on information- and threat-intelligence sharing, and cyber defense. The Department of Defense may see a $50 billion budget to boost US military capabilities.

Read full story on Cyberscoop.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/trump-budget-adds-$61-million-for-fbi-cybercrime-fighting-efforts/d/d-id/1328430?_mc=RSS_DR_EDT

New MagikPOS Malware Targets Point-of-Sale Systems In US & Canada

Malware uses a remote access Trojan to sniff out potential victims first, Trend Micro says.

Security vendor Trend Micro on Friday warned of a new type of point-of-sale (PoS) malware that is being used to attack PoS systems belonging to businesses in the US and Canada.

The malware, which Trend Micro has dubbed MajikPOS, was first spotted infecting PoS systems the last week of January and has been used to steal data on at least 23,400 credit cards, Trend Micro said in an alert.

Trend Micro researchers describe MajikPOS as malware that is similar in purpose to other recent PoS data-stealing tools, such as FastPOS and ModPOS, but different from them in the manner in which it is deployed.

“The attackers are mapping out victims with relatively generic tools ahead of time,” says Jon Clay, Trend Micro’s global threat communications manager.

Many MajikPOS infections have involved a remote access Trojan (RAT) that appears to have been installed on the systems sometime between August and November last year. The RATs are used to determine whether the systems on which they have been installed are worth further exploitation.

If the endpoint appears promising, the operators of MajikPOS then use a combination of methods including VNC, Remote Desktop Connection, and command-line FTP to install the PoS malware. The goal is to find systems that are vulnerable without compromising the main weapon in their arsenal, Clay says.

Once potential victims are identified, the attackers use a pair of executables to run the attack — an implant and a scraper for getting the card numbers. The approach ensures that if the initial stage of an attack fails, the core malware itself is not compromised, Clay says.

The method of attack indicates that the operators of MajikPOS have taken active precautions to reduce the chance of their malware being screened for and detected. This suggests that the operators of MajikPOS are also the authors of the malware, Clay says.

Another interesting aspect of MajikPOS is that it is coded in .NET, which is a somewhat rare choice of a programming framework for malware authors.

Once installed on a system, MajikPOS inventories it thoroughly for payment card numbers, including looking for them in memory, and then exfiltrates the data to its command-and-control server.
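The behaviour described above, scanning memory for payment card numbers and exfiltrating them, is exactly what a PoS defender has to be able to spot. The following Python is an added example, not code from the Dark Reading article or from Trend Micro's research: it implements the check a DLP or endpoint-monitoring tool would run over a process memory dump or an outbound capture, looking for Track 2-formatted strings, confirming the PAN with the Luhn checksum, rejecting impossible expiry months, and reporting only a masked PAN and an offset so the finding itself never becomes another copy of the card data. The sample buffer and the PANs in it are constructed test values (the well-known 4111... and 5555... test numbers), not data from any real dump.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 layout as stored on a magstripe: [;]PAN=YYMM SSS discretionary [?]
# PAN is 13-19 digits, YYMM the expiry, SSS the three-digit service code.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, folds >9, sums mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    offset: int        # byte offset in the scanned buffer
    masked_pan: str    # never the full PAN
    expiry: str        # YYMM
    service_code: str  # SSS


def scan_buffer(buf: bytes) -> List[Finding]:
    """Return one Finding per Luhn-valid Track 2 record found in buf."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # digits that happen to look like a track, not a card
        yy, mm, svc = (g.decode() for g in (m.group(2), m.group(3), m.group(4)))
        if not 1 <= int(mm) <= 12:
            continue  # impossible expiry month: a false positive
        findings.append(Finding(m.start(), mask_pan(pan), yy + mm, svc))
    return findings


# Constructed sample of what a scraped memory region might contain:
# two Luhn-valid test PANs, one Luhn-invalid record, and unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00CardReader v2.1\x00"
    b";4111111111111111=26061010000000000000?"   # valid test PAN (Visa test number)
    b"\x00\x00some unrelated text 1234567890123=2501\x00"
    b";4111111111111112=26061010000?"            # fails Luhn: must be ignored
    b"\x00;5555555555554444=27011010000000000?"  # valid test PAN (MasterCard test number)
    b"\x00\x00"
)


if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_MEMORY):
        print(f"offset={f.offset} pan={f.masked_pan} exp={f.expiry} svc={f.service_code}")
```

The same `scan_buffer` can be pointed at a captured outbound request body: MajikPOS-style exfiltration that carries plaintext track data would trip it in the same way, which is why egress inspection on PoS networks is worth the effort even when memory scanning is not available.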

Trend Micro’s examination of one of the dumps showed it to contain track data for over 23,000 stolen debit and credit cards. Prices for individual cards ranged from $9 to $39 depending on card type. Bulk pricing ranged from $250 for a set of 10 cards to $700 for 100. Cards in the dump included those issued by American Express, Visa, MasterCard, and Diners Club.

Meanwhile, in separate but related news, security blog KrebsOnSecurity disclosed what appears to be a significant breach of PoS data at Select Restaurants, a company that owns several well-known, high-end restaurants around the country.

The breach, according to Krebs, is apparently tied to a previously disclosed intrusion at 24-7 Hospitality Technology, a PoS company that provides credit and debit card processing services to thousands of restaurants and eateries around the country. The malware used in the breach though appears to be different from the one that Trend Micro warned about.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/new-magikpos-malware-targets-point-of-sale-systems-in-us-and-canada-/d/d-id/1328434?_mc=RSS_DR_EDT

Studies are nice, but women in security say it’s time for the next step

There’s been no shortage of studies over the years about the fairness gap between men and women in security, not to mention every other industry.

Now comes one from the Center for Cyber Safety and Education and the Executive Women’s Forum showing that women make up only 11% of the cyber security workforce.

These studies are well intentioned. But according to several women in the industry who spoke with Naked Security, it’s time to move beyond the studies and focus on actually changing the culture. One of them is Magen Wu, a security consultant with Rapid7.

She said the latest survey is a good example of raising awareness of an issue that has long been debated in the industry. But the data reads a lot like a phishing report.

It’s good to have the numbers on who opened the email versus who clicked the link or filled out the form. But unless we do something with that information, it serves little purpose other than to generate awareness that we have a problem.

The latest study

For this latest study, the Center for Cyber Safety and Education and the Executive Women’s Forum surveyed more than 19,000 participants from around the world. It painted the following picture:

  • Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce.
  • Globally, men are four times more likely to hold C- and executive-level positions, and nine times more likely to hold managerial positions, than women.
  • 51% of women report various forms of discrimination in the cybersecurity workforce.
  • Women who feel valued in the workplace have also benefited from leadership development programs in greater numbers than women who feel undervalued.
  • In 2016 women in cybersecurity earned less than men at every level.

Indeed, those statistics resonate for some of the women we interviewed. One San Francisco-based infosec professional, who asked that her name not be used because of potential repercussions at work, explained how she was encouraged to apply for a position within her company only to be told later that those who encouraged her didn’t really think she’d fit in. She pressed them for examples of why she wouldn’t work out and got no answer. She believes the real issue was gender.

A call to action

Those interviewed said it’s time to move beyond studies and surveys that merely illustrate an already understood problem and start focusing on some action items that’ll lead to meaningful progress.

Wu would like to see reports and articles that are more a call to action on what can be done at the individual, corporate, and community level to positively impact the numbers:

For example, do the women who are in the industry today get into it because of a mentor? If so, we should try and be more proactive about reaching out to people about mentorships or establishing mentorship programs at conferences and work. We are asking some of the right questions, but it may be time to shift focus from why there are so few women to why do the women who are here stay.

As the industry grows, so does female representation

Some say surveys like this are flawed for a variety of reasons. The questions don’t dig deep enough into respondents’ skills or match up with the actual roles they hold in their companies. They also don’t paint a full picture of the areas where progress has been made.

Allison Miller has seen the good and bad in the industry over her career, which includes technical and leadership roles in several industries and now product strategy for Google Security. With a seat on the (ISC)2 board of directors and on selection committees for popular security industry events, she has an even broader view. She said:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qmF_0J5Zfy0/

Ethical hacking: should you pay a white hat to break in?

Naked Security is reporting this week from Cloud Expo, Europe’s biggest digital transformation show

In a bijou booth at London’s CloudExpo, BlackBerry, the much-diminished former behemoth of the mobile sector, was quietly plying its trade. BlackBerry describes itself as “a mobile-native security software and services company” and was there to promote its professional cybersecurity services, which it acquired following the February 2016 acquisition of Encription Ltd, a specialist in penetration testing.

So now, should you wish, you can get BlackBerry round to mess with your systems, while paying for the privilege. They’ll get up to no good, then write you a report telling you all the stuff you’re doing wrong. This, then, is the odd world of the ethical (or “white hat”) hacker, a somewhat shady-sounding occupation that uses penetration-testing techniques to assess IT security and identify vulnerabilities.

Sure, it serves a useful purpose, but it’s a bit weird still, isn’t it? It’s basically analogous to paying an “ethical burglar” to break into your house, or a “white hat mugger” to have a go at stealing your phone. You never hear about those, though, which is something of a shame. There must be thousands of charmless chancers out there desperate to get certified by the council and go out thieving for the greater good. Or, better still, much like that old Kate Bush song, set up in the faithfulness-testing racket, put on a white hat and run around propositioning spouses.

It doesn’t happen though, does it? Or maybe it does, somewhere. Perhaps in the higher echelons of society that we don’t ordinarily get to hear about there are ethical burglars paid for by the likes of the Candy brothers to test the security of plutocrats’ pads. But, on the whole, in the round, the concept of attaching “ethical” to a criminal activity seems only to apply to cybersecurity. As I say, it’s odd.

You can even get a degree in it: in 2016, Scotland’s Abertay University established what it described as the world’s first undergraduate degree in Ethical Hacking, a surely useful and practical course of study that aims to provide students with experience “investigating, analysing, testing, hacking and, ultimately, protecting real-life systems through the development of countermeasures.” Its primary aim, the university states, is “for someone to arrive on this programme as a student and leave as an ethical hacker”.

For the less committed there is also the option of a few more modest qualifications, including the Certified Ethical Hacker (CEH) certification from the EC-Council. And much like the banal suggestion that one should “set a thief to catch a thief”, a canard that clearly implies the police’s refusal to recruit exclusively from the criminal community is entirely misguided, the EC-Council states that, “To beat a hacker, you need to think like a hacker.” Well, no, not really.

It pays quite well though. PayScale states that the median salary of an ethical hacker is around $72,000, rising at the top end to well over $100,000. So why not? And calling yourself an ethical hacker means you get to signal not only virtue, but a certain edginess also. It doesn’t get better than that.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rzs99FzUQWM/

Shameless crooks fling Star Trek-themed ransomware at world

Audacious cybercriminals have created a Star Trek-themed strain of ransomware.

Hat-tip to Bleeping Computer, which broke the story on the “Kirk” malware, discovered yesterday by Avast malware researcher Jakub Kroustek.

The software disguises itself as the notorious Low Orbit Ion Cannon (LOIC) denial of service tool, a utility beloved by Anonymous hacktivists back in the day before everyone realised it revealed IP addresses of users.

Kirk is reckoned to be the first ransomware to use Monero rather than Bitcoin as its ransom payment of choice. The malware’s decryptor, “Spock”, is to be supplied to the victim once payment is made, but at this time the encrypted files do not look recoverable by any other means, anti-malware firm Webroot reports.

Right now there are no known victims of the ransomware and no sample of the decryptor, so information about it is limited. The decryptor is promised once the ransom is paid, but obviously there are no guarantees, and without it the files cannot currently be decrypted.

For the first two days, crooks are demanding 50 Monero or roughly $1,072 (£867). The fee doubles every few days if victims fail to cave. If no payment is made by the 31st day, the decryption key gets permanently deleted, according to the ransom note (of which Bleeping Computer obtained several screenshots). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/17/star_trek_ransomware/

National Audit Office: Brit aircraft carrier project is fine and dandy… for now

The National Audit Office has confirmed that F-35 fighter jets should be flying from new British aircraft carrier HMS Queen Elizabeth by the year 2020, if all goes to plan.

The Delivering Carrier Strike report from the NAO said: “The current target of accepting the carrier from the Aircraft Carrier Alliance by the end of 2017 is achievable.”

The Ministry of Defence has reportedly “accelerated” its purchase of F-35Bs to ensure that the Queen Elizabeth is operational by December 2020. This would bring the timescale for the carrier forward by a year from the usual predictions of reaching initial operating capability by 2021.

The MoD is thought to be budgeting around £100m each for its first batch of F-35s, hoping that the Royal Navy and Royal Air Force will be able to call on a shared pool of 48 aircraft by 2020.

Yet the NAO also warned that “new support arrangements to provide spares and maintain the equipment are less developed,” adding that these support arrangements have yet to be funded and could therefore restrict the carrier’s operational capability. Costs of supporting and operating the carrier strike capability as a whole are “less certain” according to government beancounters.

A shortage of personnel to operate the carriers and their jets was also highlighted by the NAO, with the armed forces as a whole being four per cent below its manning target of around 145,000 soldiers, sailors and airmen. “This is creating a risk of overburdening a small number of personnel in the build-up to first operational use from 2021,” noted the NAO.

Informed sources have told The Register that the MoD is keen to speed up the deployment of Queen Elizabeth and her sister ship HMS Prince of Wales once delivered, in order to be seen to be delivering value for money to the taxpayer as soon as possible. This suggests ministers are growing conscious of the vast sums of money being spent on, among other things, concrete in Portsmouth.

HMS QE’s departure from Rosyth, where she is still technically the property of her builders, the Aircraft Carrier Alliance, has been delayed by around three months. She is now due to sail sometime this summer. Cynics have suggested that she might slip her moorings at 2359 on Friday 22 September, which would be the latest date that she could sail without technically breaking the ministerial commitment to a summer departure.*

The NAO’s full report can be read in a variety of formats via their website. ®

Summernote

The Met Office has two different measures for determining the start and end of summer. Most folk use the astronomical seasons, while meteorologists tend to use the meteorological seasons. More reading at the link.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/17/national_audit_office_report_aircraft_carrier_project/

Despite Brexit, Brit firm lands £58m EU spy drone ‘copter contract

A British firm has won a contract with the EU to supply border control surveillance helicopter drones.

Martek Marine boasts that the £58m EU Maritime Safety Agency contract will see its products being used for “border control activities, search rescue operations and monitoring of pollution, as well as the detection of illegal fishing and drug and people trafficking”.

As well as the “compact” drones themselves, Martek will be supplying the pilots, the mission control systems and ground crew.

Its drones are usually deployed from a nearby ship and then beam back live video and unspecified “sensor” data, according to a company statement.

Martek itself does not actually appear to be a drone firm, instead offering various maritime-focused technological ideas such as telemedicine and systems monitoring.

“The chosen specification of drones under the EMSA contract are of compact design, making them extremely manoeuvrable in addition to having the ability to start and land vertically from both shore and vessels,” says its statement. On its website is a picture of an unspecified helicopter drone which El Reg believes is a High Eye HEF 30-series drone, as built by a Netherlands firm.

High Eye’s product page for the HEF 30 series includes details of a tracking antenna with a claimed 50km range, a variety of infra-red sensors and cameras that can be fitted to gimbal mounts, and an off-the-shelf LIDAR system for 3D mapping.

It’s likely that these drones will be used on quasi-civilian ships registered to EU states, particularly in border control operations in the Mediterranean. As the troubled political project makes faltering steps towards building its own armed forces, in the face of an equivocal US commitment to NATO, it makes sense for the wannabe superstate to start acquiring surveillance capabilities that aren’t reliant on member states agreeing to lend them only with limiting conditions attached to their use. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/17/brit_firm_wins_eu_maritime_drone_contract/

An under-appreciated threat to your privacy: Security software

Interview The very software that is supposed to protect your security is an under-appreciated threat to privacy because of the massive amount of data many products secretly gather on customers, according to F-Secure’s Jarno Niemelä.

Niemelä also told The Register that despite the dismissive claim in the recent WikiLeaks’ release of CIA documents, namely that “F-Secure has generally been a lower tier product that causes us minimal difficulty,” the company is confident it can handle intelligence agencies’ espionage efforts.

Speaking to us at this year’s IAPP’s Europe Data Protection Intensive 2017 in London, Niemelä, who’s the lead researcher at F-Secure labs, said his company had not been significantly offended by the mention: “Obviously we have only the leaked notes to go on with, but as far as we can see basically what they’re talking about is the gateway product — so basically mail filters.”

Niemelä added “they are products, so anybody can buy them, and anybody with enough time can figure out some kind of mistake there. That’s a fact of life, it’s software, bugs happen, and then any attacker with enough resources will be able to find a way of bypassing that.”

Such products can handle the lower-level and more common threats that might hit the unwary, but “the more important defence systems are in the end-point itself, so there’s the end-point protection systems, EPPs, which can identify that Word has started misbehaving,” which is “much more difficult to bypass,” said Niemelä, “and then we have this premium service, Rapid Detection Service, which basically then is a sensor which sends information to our back-end.”

The big difference with a security service rather than a product, is that the attacker can’t see why they’ve been caught. “The thing is, when you have a feedback loop, as an attacker, it’s invaluable, especially if the feedback loop is immediate, you can try until you succeed.”

While products can theoretically be bypassed “because when an attacker has theoretically infinite time and infinite budget sooner or later they’ll find a mistake, when we’re talking about premium services then they’re much more difficult to bypass because the attacker doesn’t know when he was caught — and he doesn’t know why he was caught,” said Niemelä.

Asked if F-Secure was able to handle the CIA as an attacker, Niemelä was unequivocal: “Yes, we are.”

“You need a full stack from us,” he added. “We are not making a claim that just running a mail filter will keep you safe, but if you get our end-point protection, it is going to keep you safe until you really get targeted, and after that we have our Rapid Detection Service which then is designed against intelligence services.”

Spookier than spooks

While acknowledging the concerns many have expressed about global persistent surveillance, Niemelä said that security solutions can also be a threat to privacy by themselves. “Think about it, you have to analyse enormous amounts of data when you are doing detection rather than just trying to block something with a static antivirus scanner or a local behaviour monitoring system. So when you start doing a service instead of a product, you need to analyse data.

“The question then is how well the security provider is taking security into account in the implementation of that system — and the same thing by the way applied to antivirus solutions, how much information does your anti-virus solution upstream and how transparent is the vendor about what they do with the data?”

The first alert regarding whether security companies pay proper attention to customers’ privacy is whether they provide whitepapers on how they handle telemetry data, said Niemelä, stating that F-Secure did so. “I’m not that much of a white knight that I wouldn’t have my own agenda – we know we have taken very good care of this, and it’s something that many other vendors don’t, they upstream everything.”

“It is not putting enough value on privacy,” he added, and relying on the ‘Oh, we’re doing security, we don’t have to tell customers what we’re doing’ approach. “Us being Finns, we are very meticulous… sometimes we say we are too Finnish whenever that gets in our way, but basically the kind of respect for individuals’ privacy is very strong in our culture. Even as a multicultural company that is something we have retained in our company.”

Companies’ blindness to the risk that they themselves might pose to users reminded El Reg of a tweet by Matthew Green, the cryptographer and security technologist at the Johns Hopkins Security Institute.

Niemelä said he hadn’t worked for Google, but understood Google took security “very seriously” and described its internal security department as “top notch.”

“But they didn’t do this until they got seriously hit by Operation Aurora back in the day,” Niemelä added, referencing the attacks in 2009 — involving a number of advanced and persistent threat actors based in China — which led to theft of Google’s intellectual property and limited access to the Gmail accounts of Chinese political dissidents.

“It turned out that they were [mak]ing basic mistakes like transferring data between their data centres without encryption, not having proper monitoring at the end-points, etcetera. What I would say is that Google is very careful with the information nowadays, after a fashion because they are selling the information.”

Careful now

“Security is needed to guarantee privacy,” F-Secure’s lead researcher said, “but at the same time security has to be made so it isn’t a potential privacy compromise. So that means that you do need to collect the kind of information that you need to implement security, and that’s it.”

Encouraging fellows in the security vendor field to behave better, Niemelä said: “You should do active work on identifying and filtering out the kind of information that ‘Okay, I don’t have a need for this, this is clean, this has no place in my databases’. So the whole point is in order to implement security you need to monitor behaviour, you need to collect metadata, you need to collect data, but at the same time you have to be very careful what kind of data you collect – and if it’s something that has no security value, why are you collecting it in the first place?” ®
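Niemelä’s advice above, collect what security needs and actively filter out the rest, can be turned into an allowlist applied to each telemetry event before it leaves the endpoint. The Python below is an added example and not F-Secure’s code: the field names, the constructed sample event and the per-tenant key are assumptions made for illustration. Fields with a security value pass through unchanged, host and user identifiers are replaced by a keyed pseudonym so events from one machine still correlate in the back-end without the raw name being uploaded, user names are stripped out of file paths while the rest of the path (which does have security value) is kept, and any field that is not explicitly listed is dropped, with only its name recorded so the vendor can show the customer what was filtered.

```python
import hashlib
import hmac
import re
from typing import Any, Dict, List

# Fields whose contents are needed to do detection. Anything not listed here
# or in PSEUDONYMIZE / PATH_FIELDS is dropped by default (deny-by-default).
ALLOWED = {"ts", "event_type", "process_name", "sha256", "parent_process", "signer"}

# Identifiers that must correlate across events but need not be readable server-side.
PSEUDONYMIZE = {"hostname", "username"}

# Paths are kept for their structure, but the user-name component is removed.
PATH_FIELDS = {"file_path"}

# Assumption: one secret per customer so pseudonyms cannot be joined across tenants.
TENANT_KEY = b"example-per-tenant-secret-not-a-real-key"

_USER_HOME = [
    (re.compile(r"^([A-Za-z]:\\Users\\)[^\\]+", re.IGNORECASE), r"\1<user>"),
    (re.compile(r"^(/home/)[^/]+"), r"\1<user>"),
    (re.compile(r"^(/Users/)[^/]+"), r"\1<user>"),
]


def pseudonym(value: str, key: bytes = TENANT_KEY) -> str:
    """Keyed HMAC-SHA256, truncated: stable per tenant, not reversible from the output."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def strip_user_from_path(path: str) -> str:
    """Replace the user-name directory component with a placeholder."""
    for pattern, replacement in _USER_HOME:
        path, n = pattern.subn(replacement, path)
        if n:
            break
    return path


def minimize(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the event as it may be uploaded; unknown fields are dropped, not sent."""
    out: Dict[str, Any] = {}
    dropped: List[str] = []
    for key, value in event.items():
        if key in ALLOWED:
            out[key] = value
        elif key in PSEUDONYMIZE:
            out[key] = pseudonym(str(value))
        elif key in PATH_FIELDS:
            out[key] = strip_user_from_path(str(value))
        else:
            dropped.append(key)  # name only: the contents never leave the host
    out["_dropped_fields"] = sorted(dropped)
    return out


# Constructed sample event; the document text and window title have no
# detection value and are exactly the kind of data that should never be uploaded.
SAMPLE_EVENT = {
    "ts": "2017-03-17T10:15:00Z",
    "event_type": "process_start",
    "process_name": "winword.exe",
    "parent_process": "outlook.exe",
    "sha256": "ab" * 32,
    "signer": "Microsoft Corporation",
    "hostname": "ws-17",
    "username": "alice",
    "file_path": r"C:\Users\alice\Documents\invoice.docx",
    "window_title": "invoice.docx - Word",
    "document_text": "Dear customer, please find attached ...",
}


if __name__ == "__main__":
    for k, v in minimize(SAMPLE_EVENT).items():
        print(f"{k}: {v}")
```

The deny-by-default branch is the point of the design: a new field added to the agent’s collector does not reach the back-end until someone has argued for its security value and added it to a list, which is the review step Niemelä describes.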

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/17/security_software_is_a_threat_to_your_privacy_too/