Tag Archives: Internet Security

A website set up to shame the guilty: the list of companies that don’t protect customers’ data

data company

There is an ever increasing amount of personal data circulating on the Internet, yet the security in place to safeguard this data is not evolving at the same rate. Many applications and Web services jeopardize user information by not employing any encryption system to protect it.

Given this situation, IT engineer Tony Webster has set up a website to draw attention to those who are reckless in their approach to safeguarding data. At HTTP Shaming you can find the names of the ‘guilty’ websites and how they are violating users’ privacy. If they abuse the trust of their users, it’s only fair that the users should know.

One of the names that appears on the website is Mashable. According to Webster, this news website enables users to connect using their social networks accounts and interact through them. The problem however is that all this activity is happening on an HTTP address, instead of the secure HTTPS internet protocol, which encrypts the information transmitted with the SSL (‘Secure Sockets Layer’) system.

SSL system
An SSL certificate, which guarantees the security of Internet communications, works by assigning keys to files exchanged between a client computer and the server of the company providing the service, so that only the company can access the file content.

If however you use the service offered by Mashable while connected to an open WiFi network, as with many public sites, your email address, alias and passwords could be stolen by cyber-criminals (those you use for Mashable as well as the social networks you use to access the page).

mashable
The TripIt travel planning site, where you can manage bookings, check timetables and flight schedules, and share all of this with other users, is another similar case.

In both the Tripit versions for smartphones and for websites, users are first asked to enter an email address and password. Webster highlighted this site as it does not encrypt the information displayed to others through the calendar feature. As is the case with Mashable, a criminal could discover your full name, phone number, email address and the last four digits of your credit card.

Those responsible for the website have reported this summer that the problem is now fixed and that security measures are now applied to all communications.

Such poor security practices also occur on other e-commerce sites where companies and customers exchange more sensitive information. Research by the IT security consultants High-Tech Bridge showed that 73% of the top 100 online stores don’t use the HTTPS protocol for data they consider less sensitive, and only two of them apply it in all cases.

The same applies to apps running on mobile devices. In a recent study by HP, a group of IT experts analyzed the security measures in place on 2,107 apps and found that 75% of them do not encrypt stored data. Some 18% didn’t even encrypt data exchanged across the Internet.

Webster’s list of shame now has 19 names, many of these put forward by others who wanted to take part in the project. These names include Creative Cloud, VLC and Adobe Flash Player. Even the Tumblr microblogging site, where the HTTP Shaming page is hosted, doesn’t have a secure protocol. In the worst cases, the IT engineer has directly contacted companies to let them know the error of their ways.

tumblr
Webster fails to understand why some companies are subjecting customers to unnecessary risks, as there is no reason not to use HTTPS, which is available to anyone offering services on the Internet.

The post A website set up to shame the guilty: the list of companies that don’t protect customers’ data appeared first on MediaCenter Panda Security.

Teaching cyber-security from school age

As the Internet increasingly becomes part of our everyday lives and we use new technologies in all areas of our life, there’s an ever greater need for professionals capable of guaranteeing our security in these areas.

However, in a field as new and complex as cyber-security there is still a lack of people prepared to work in it. As we saw recently, in the United States there is already a plan under way to tackle the situation: training army veterans to become cyber-warriors and consequently, helping them to adjust to civilian life again.

Yet this is only one of the solutions put forward, and there are others that take a longer view. To ensure the future of the profession, the only viable plan for the long term involves educating children in this area and stimulating their interest in computing in general and specifically in IT security.

Along such lines, countries like the USA and the UK have projects that will hopefully provide the cyber-warriors of the future.

cyber competition

The UK’s Cyber-Centurion challenge

In the UK in fact, an initiative called Cyber Centurion has been launched to get thousands of youngsters competing in teams in a cyber-security challenge.

The key to the initiative is that young people will be in direct contact with situations that a real cyber-security expert could encounter. In fact, the challenge, which is to be held in two rounds, involves downloading a virtual computer full of vulnerabilities that could present opportunities for a cyber-criminal. What the teams (comprising 4 to 6 youngsters and one adult) have to do is identify these vulnerabilities and patch them as soon as possible.

As this is the first edition of the challenge, there will first be a practice round in October before the two competition rounds. The top six teams will then battle it out in April 2015 in the Grand Final. The winners will be awarded a scholarship at Northrop Grumman, one of the largest defense contractors in the United States and maker of the B-2 stealth bomber who is funding this initiative with a view to uncovering future talents in IT security.

This however isn’t the only cyber-security initiative in the UK. The Cyber Centurion challenge is supported by Cyber Security Challenge UK , a platform funded by the British government that has organized other educational initiatives such as workshops and other challenges in schools, colleges and universities across the UK.

CyberPatriot

In fact, this exciting British initiative is really an adaptation of the US Cyber Patriot program, the National Youth Cyber Education Program. This program is now in its seventh edition and is also funded by Northrop Grumman, which claims to have already dramatically reduced America’s cyber-security talent shortage.

This search for US Cyber Patriots involves three programs:

  1. A competition among high school students similar to the one that will begin in a few months in the UK (where the teams have to identify and fix vulnerabilities in an operating system to prevent cyber-criminals from entering),
  2. A camp organized for the first time this summer and which aims to teach the principles of cyber-security in an entertaining way and
  3. An initiative that will take basic IT security knowledge to primary schools and teach children how to protect themselves on the Internet.

Internet competition

So why in the US and the UK is there so much interest in students learning firsthand what it takes to be a cyber-security professional and not any other job?

Basically, because the future (and the present) will require IT professionals dedicated to cyber-security. Moreover, international threats and attacks can now come across the Internet, so another profession of the (short-term) future will be cyber-warriors, who even now are being recruited by companies like Northrop Grumman. This will no doubt be the army of the future.

The post Teaching cyber-security from school age appeared first on MediaCenter Panda Security.