Crime Ring Revelation Reveals Cybersecurity Conflict of Interest

[InfoSec News <alerts () infosecnews org>]

http://www.scientificamerican.com/article/crime-ring-revelation-reveals-cybersecurity-conflict-of-interest/

By Erik Schechter
Scientific American
Sep 15, 2014

A small cybersecurity firm claimed this summer to have uncovered a scam by 
Russian Internet thieves to amass a mountain of stolen information from 
420,000 Web and FTP sites. The hacker network, dubbed “CyberVor,” 
possessed 1.2 billion unique credentials—a user name and matching 
password—belonging to 500 million e-mail addresses, asserted Hold 
Security, LLC.

Those numbers made Internet security watchers and even some consumers sit 
up and take notice—people use such credentials to access banking, 
investment and social media accounts after all. If true, the CyberVor haul 
would dwarf last December’s data breach of retailer Target, in which 40 
million customer credit cards were compromised. Although a New York Times 
story lent credibility to Hold Security’s claims, some observers question 
whether the cybersecurity vendor’s big reveal was more of a publicity 
stunt than a public service. The firm’s decision to charge potential 
victims a $120 fee for their Breach Notification Service did not help 
matters.

Panic and publicity certainly play a role in cybersecurity efforts, as 
companies that make antivirus and other protective software try to provide 
computer users with a sense of the unseen threats facing their devices and 
data on a daily basis. But questions arise when these companies yoke 
together the part of their businesses that finds and analyzes security 
threats with the part that sells software and services to mitigate those 
threats.

Even large, established firms such as Symantec Corp. have been accused of 
exaggerating the gravity of security threats to boost sales. A decade ago 
U.S. regulators cracked down on financial services firms for the 
questionable practice of having their equity research and investment 
banking divisions work together to endorse and then sell certain 
investments. No such oversight exists for cybersecurity companies. 
Although not surprising, given the relatively nascent nature of cyber 
threats, this conflict of interest means these companies walk a thin line 
between defending computers and other Internet-connected devices and 
profiting from people’s fear that their personal data is vulnerable at any 
time to online attackers.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/