If the 2014 holiday shopping season is any indication, cyberattackers have shifted their tactics, placing quality of attacks over quantity as they zero in on high-reward targets by compromising retailers’ database vulnerabilities.
In a study released Jan. 5, IBM Managed Security Services researchers revealed that the number of cyberattacks on retailers dropped by a third during late November and December as compared to the same period in 2013, and half as many breaches occurred during the busy Black Friday and Cyber Monday shopping period.
For the two-week period from Nov. 24 to Dec. 5, IBM identified 3,043 daily cyberattacks, nearly one-third less than the 4,200 attacks over the same period in 2013.
IBM’s analysis of data compiled by the Privacy Rights Clearinghouse shows a similar trend for 2014 as a whole, with retail breach incidents last year down 50% from just two years ago.
Nevertheless, malicious hackers managed to steal more than 61 million records last year. The findings demonstrate “cybercriminals’ increasing sophistication and efficiency,” IBM researchers said.
IBM noted that the 50% drop in the number of retail breaches during the holiday season resulted from attackers scaling back on attacks around Black Friday, the traditional opening of the Christmas shopping frenzy on the day after Thanksgiving, and Cyber Monday, usually the busiest online shopping day of the year.
By contrast, the 2013 holiday shopping season saw massive security breaches at retailers like Target, resulting in a record number of consumer records being compromised.
Interestingly, when IBM analyzed the total number of retail records compromised in incidents involving fewer than 10 million records, it found that the number of records compromised in 2014 rose 43% over 2013, and that percentage doesn’t include what may prove to be a massive data breach at Chick-Fil-A Inc. first reported Dec. 31.
“While we have seen fewer breaches reported in the last two years,” said IBM in the report, “these breaches were more significant and wide-reaching in terms of victims affected.”
Database vulnerabilities lead to retail data breaches
While point-of-sale (POS) malware attacks continue to increase, IBM found that the “vast majority” of incidents targeted retailers’ databases via command injection or SQL injection methods. For example, the researchers found that nearly 6,000 attacks against retailers involved command injection.
“The complexity of SQL deployments and the lack of data validation performed by security administrators made retail databases a primary target,” IBM Security concluded.
POS malware remains a threat, but cyberattackers are upping the ante as they probe for more weaknesses in retailers’ networks. Along with attacks exploiting the Shellshock vulnerability against retailers’ servers, the security researchers found that POS malware like Alina, BlackPOS, Citadel, Dexter and vSkimmer remain in play.
“Shellshock is not going away anytime soon, much like SQL Slammer,” IBM warned. “Patching is of paramount importance for this specific attack vector.”
How should enterprises respond as the database threat grows? IBM security specialists stressed that “shellcode characters should never be allowed to enter an organization’s network via HTTP.” They added that deployment of security appliances focusing on these attack vectors, like firewall deployments, should become standard practice.
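The report attributes most retail database incidents to SQL injection and to missing data validation. As an added illustration (not code from IBM or from the report), the block below contrasts a lookup that concatenates user text into SQL with the parameterized form that keeps the value out of the query, and puts an allow-list check at the HTTP boundary so malformed input is rejected before it reaches the database. The table, the rows and the function names are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a retailer's customer database.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"),
         ("bob@example.com", "1881"),
         ("carol@example.com", "0005")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String-concatenated query: the caller's text becomes part of the SQL,
    so a value containing a quote can change the WHERE clause itself."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the driver sends the value separately from the SQL text,
    so whatever the string contains is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Allow-list pattern for the one field this endpoint accepts (hypothetical policy).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_email(value: str) -> bool:
    """Boundary check applied before the value reaches any query; rejects
    anything that is not shaped like an address, including quote characters."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Validation at the edge plus a parameterized query: two independent layers."""
    if not validate_email(email):
        raise ValueError("rejected input")
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = build_db()
    benign = "alice@example.com"
    crafted = "x' OR '1'='1"        # constructed input containing a quote
    print("benign, concatenated:   ", lookup_vulnerable(db, benign))
    print("crafted, concatenated:  ", lookup_vulnerable(db, crafted))   # every row
    print("crafted, parameterized: ", lookup_parameterized(db, crafted))  # no row
    print("crafted passes validation?", validate_email(crafted))
```

The parameterized query alone stops the injection; the validator is the second layer, so a detection or logging hook placed in `lookup_hardened` sees the rejected input before any database round trip, which is where the report's advice about not letting such characters in over HTTP would be enforced in practice.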
IBM said the data it analyzed consisted of records compromised and breaches disclosed by retailers, in addition to data compiled by the Privacy Rights Clearinghouse. Other data used in the retailer security study was compiled internally by IBM’s Managed Security Services team.
John Kuhn, an IBM senior threat researcher, said in an interview that data on attacks and threats was gleaned from its customer base. The data was “boiled down” by analytical engines to detect potential attacks and threats; analysts then weeded out any false positives.
As the threat to customer databases grows, Kuhn said vulnerable retailers need to initiate thorough audits of their systems. Those audits should include penetration tools and testers.
Kuhn said he expects the trend of fewer but more sophisticated attacks to continue, the result being a steady increase in the number of stolen customer records.
However, some industry watchers counseled a wait-and-see approach.
“Black Friday [and] Cyber Monday were just five weeks ago,” noted Rick Holland, principal analyst for security and risk management with Forrester Research Inc., based in Cambridge, Mass. “Given how long it takes organizations to detect intrusions, it could be premature to say that attacks were down. Let’s revisit the numbers in 12 months.”
Others agreed that more holiday breaches may eventually surface, but the IBM findings still reveal a new level of sophistication that is yielding more stolen records.
Looking at IBM’s data, “If you assume a margin of error of 10%, that’s still a significant drop” in the number of attacks, said Christina Richmond, security services analyst with IDC in Framingham, Mass.
The point, Richmond added, is that even though IBM found that the most recent holiday shopping season may “not be as much of a free-for-all” as the year prior, retailers still need to remain vigilant against many potential attackers and attack methods.
AMAZON ERROR ALLOWED ALEXA USER TO EAVESDROP ON ANOTHER HOME
A user of Amazon’s Alexa voice assistant in Germany got access to more than a thousand recordings from another user because of “a human error” by the company.
The customer had asked to listen back to recordings of his own activities made by Alexa but he was also able to access 1,700 audio files from a stranger when Amazon sent him a link, German trade publication c’t reported.
“This unfortunate case was the result of a human error and an isolated single case,” an Amazon spokesman said.
The first customer had initially got no reply when he told Amazon about the access to the other recordings, the report said. The files were then deleted from the link provided by Amazon but he had already downloaded them on to his computer, added the report from c’t, part of German tech publisher Heise.
CRYPTOCURRENCY INDUSTRY FACES INSURANCE HURDLE TO MAINSTREAM AMBITIONS
Cryptocurrency exchanges and traders in Asia are struggling to insure themselves against the risk of hacks and theft, a factor they claim is deterring large fund managers from investing in a nascent market yet to be embraced by regulators.
Getting the buy-in from insurers would mark an important step in crypto industry efforts to show that it has solved the problem of storing digital assets safely following the reputational damage of a series of thefts, and allow it to attract investment from mainstream asset managers.
“Most institutionally minded crypto firms want to buy proper insurance, and in many cases, getting adequate insurance coverage is a regulatory or legal requirement,” said Henri Arslanian, PwC fintech and crypto leader for Asia.
“However, getting such coverage is almost impossible despite their best efforts.”
Many asset managers are interested in digital assets. A Greenwich Associates survey, published in September, said 72% of institutional investors who responded to the research firm believe crypto has a place in the future.
Last month, Mohamed El-Erian, Allianz’s chief economic adviser said that cryptocurrencies would gain wider acceptance as institutions began to invest in the space.
Most have held off investing so far however, citing regulatory uncertainty and a lack of faith in existing market infrastructure for storing and trading digital assets following a series of hacks, as well the plunge in prices.
The total market capitalisation of crypto currencies is currently estimated at approximately US$120bil (RM502bil) compared to over US$800bil (RM3.3tril) at its peak in January.
“Institutional investors who are interested in investing in crypto will have various requirements, including reliable custody and risk management arrangements,” said Hoi Tak Leung, a senior lawyer in Ashurst’s digital economy practice.
“Insufficient insurance coverage, particularly in a volatile industry such as crypto, will be a significant impediment to greater ‘institutionalisation’ of crypto investments.”
Regulatory uncertainty is another problem for large asset managers. While crypto currencies raise a number of concerns for regulators, including money laundering risks, few have set out clear frameworks for how cryptocurrencies should be traded, and by whom.
Insurance might allay some of the regulators’ concerns around cyber security. Hong Kong’s Securities and Futures Commission recently said it was exploring regulating crypto exchanges, and signalled that the vast majority of the virtual assets held by a regulated exchange would need insurance cover.
Keeping crypto assets secure involves storing a 64 character alphanumeric private key. If the key is lost, the assets are effectively lost too.
Assets can be stored online, in so-called hot wallets, which are convenient to trade though vulnerable to being hacked, or in ‘cold’ offline storage solutions, safe from hacks, but often inconvenient to access frequently.
Over US$800mil worth of crypto currencies were stolen in the first half of this year according to data from Autonomous NEXT, a financial research firm.
Some institutions have started working to solve this problem, and may provide fierce competition to the incumbent players.
This year, Fidelity, and a group including Japanese investment bank Nomura have launched platforms that will offer custody services for digital assets.
Despite the industry’s complaints, insurers say that they do offer cover. Risk advisor Aon, received some two dozen inquiries this year from exchanges and crypto vaults seeking insurance, according to Thomas Cain, regional director, commercial risk solutions, at Aon’s Asian financial services and professions group.
“It is not difficult to insure companies that hold large amounts of crypto assets, but given the newness of the asset class and the publicity some of the crypto breaches have received, applicants need to make an effort to distinguish themselves,” Cain said.
The industry also says it is getting closer to solving the custody problem.
“This year there have been a number of developments, and some providers have developed custody solutions suitable for institutional clients’ needs,” said Tony Gravanis, managing director investments at blockchain investment firm Kenetic Capital.
“Players at the top end of the market have also been able to get insurance,” he said.
But this is not the case for all.
One cryptocurrency broker, declining to be named because of the subject’s sensitivity, said insurers struggled to understand the new technology and its implications, and that even those who were prepared to provide insurance would only offer limited cover. “We’ve not yet found an insurer who will offer coverage of a meaningful enough size to make it worthwhile,” he said. – Reuters
CTECH’S THURSDAY ROUNDUP OF ISRAELI TECH NEWS
Scrapped London skyscraper set to dominate Tel Aviv skyline. A tower ditched mid-construction in London due to the economic downturn of 2008 is now being resurrected in Tel Aviv in the midst of the city’s unprecedented tech boom.
Acquisition by Medtronic complete, Mazor delists. Medtronic paid $1.3 billion in cash for the Israeli surgical robotics company. Including Medtronic’s existing stake, the deal is valued at $1.7 billion.
Israelis receive 8.5 spam calls a month, according to Truecaller. The country ranked last among the top 20 countries affected by spam calls in 2018, according to a new report released by the company.
Innoviz expands globally, sets up a commercial manufacturing line in China. The Israel-based LiDAR maker has doubled its employee count in the past year and intends to recruit additional personnel for research and development, business and sales.
Particle analyzer company PML sold following liquidation. The company developed electro-optical systems for monitoring and measuring fluid particle sizes and concentration.