PI Newswire

Content aggregation for the investigative professional


Search Results: software-security

When a company writes a white paper, it sends out a press release to get as many news sites as possible to mention the report in their own stories. This strategy worked all too well on Tuesday when security firm SMobile Systems published a scary-sounding report about Android apps. The story was picked up by many news outlets with sensational headlines like:

* Many applications on Android Market are unsafe and lead to mobile scams
* 20 Percent of Android Apps Can Threaten Privacy, Says Vendor
* 1 in 5 Android apps pose potential privacy threat: report

Even CNET (Note: ZDNet and CNET are both part of CBS Interactive) got in on the action with an article by Elinor Mills originally called “Report: A fifth of Android apps expose private data”. ZDNet compounded the error in its Tech Update Today newsletter, which was emailed to subscribers with the subject line “Android privacy holes”.

It turns out the only holes were in the report and in its coverage by the media.

SMobile Systems neglected to mention industry ties that rendered its report less credible. For example, their President and Vice President of Operations are former AT&T employees. AT&T is listed as a strategic partner of SMobile Systems on the company web site. (AT&T of course is the sole US carrier for Apple’s iPhone, a competitor to Android). And SMobile itself sells security software to address perceived threats that its reports “expose”.


Please join us at InfosecIsland.com – a vendor-neutral community designed especially for IT and network professionals and all those who manage security, risk mitigation, and compliance issues – and we will be releasing our suite of free network security tools in Q2!

Infosec Island is committed to serving the risk mitigation needs of SMBs and mid-market enterprises across numerous industries, government agencies, legal, financial, healthcare, educational, nonprofit organizations, and the information security community at large.

Be sure to complete your profile and upload a picture, company logo or avatar so you are eligible to win one of over $10k in prizes in our Q1 membership drive, and feel free to contact me through the Island in-mail, LinkedIn or directly at anthonymfreed@gmail.com for more details.

* Grand Prize – a FREE core server license, including maintenance, of the Grid Data Security’s Enhanced Authentication Solution from SyferLock™. This prize has a value of up to $10,000.
* Second Prize – The member winning second prize will receive two myKryptofon security software products from I.D. Rank Security.
* Third Prize – Two third prize winners will receive an EncryptStick™ software application download from Onix International Inc.


Companies that follow best practices in data security have a risk assessment program. As outlined by the United States General Accounting Office (GAO), risk assessments “provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected.” When a company decides to store specific data, they inherently accept the risk by doing so—whether the company wants to or not.

If the data that a company stores happens to be credit card data (or, more generally, payment card data including the account number), then there are regulations, guidelines and even significant risks associated with this type of data. Companies that store such data, or have a third party storing it on their behalf, fall under the scope of the Payment Card Industry Data Security Standard (PCI DSS). This standard specifically states that “the Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements. If a PAN is not stored, processed, or transmitted, the PCI DSS does not apply.”


Last week, Intel revealed in an SEC filing that its networks had been the cyber victim of “sophisticated attacks,” turning the chip maker into the latest casualty of computer hacking. The disclosure, in a 10-K filing, was briefly worded and Intel declined to elaborate further. The timing of the attack — between January and February — coincided with the highly publicized security breach reported by Google.

Alarm over hacking is of course growing, as are the security and financial implications. All 2,100 businesses and agencies surveyed by software security firm Symantec in January said they had suffered a security breach, and 75% said they’d been victims of a cyber attack in the past year. Slightly more than a third of the organizations rated the breaches as either “somewhat” or “highly effective.” After retailer TJX revealed in January 2007 that it had lost the credit- and debit-card information of more than 40 million consumers to hackers, it was hit by a wave of lawsuits, which cost it $40-plus million to settle.

Typically, companies report security breaches only when required to by law, unless they calculate it is worth their while. Contrast Intel’s tight-lipped revelation with Google’s very public airing of its charges against China. In that case, Google made headlines accusing the Chinese of trying to censor search results. Positioning itself as blazing a trail, the search giant touted freedom of speech, human rights implications and broad security issues. It threatened to withdraw from the Chinese market, even though the company had complied with Beijing’s censorship measures since it entered the Chinese market in 2006. At least for now, Google.cn is still up and running.
