http://www.scientificamerican.com/article/crime-ring-revelation-reveals-cybersecurity-conflict-of-interest/
By Erik Schechter
Scientific American
Sep 15, 2014
A small cybersecurity firm claimed this summer to have uncovered a scam by
Russian Internet thieves to amass a mountain of stolen information from
420,000 Web and FTP sites. The hacker network, dubbed “CyberVor,”
possessed 1.2 billion unique credentials—a user name and matching
password—belonging to 500 million e-mail addresses, asserted Hold
Security, LLC.
Those numbers made Internet security watchers and even some consumers sit
up and take notice—people use such credentials to access banking,
investment and social media accounts after all. If true, the CyberVor haul
would dwarf last December’s data breach of retailer Target, in which 40
million customer credit cards were compromised. Although a New York Times
story lent credibility to Hold Security’s claims, some observers question
whether the cybersecurity vendor’s big reveal was more of a publicity
stunt than a public service. The firm’s decision to charge potential
victims a $120 fee for their Breach Notification Service did not help
matters.
Panic and publicity certainly play a role in cybersecurity efforts, as
companies that make antivirus and other protective software try to provide
computer users with a sense of the unseen threats facing their devices and
data on a daily basis. But questions arise when these companies yoke
together the part of their businesses that finds and analyzes security
threats with the part that sells software and services to mitigate those
threats.
Even large, established firms such as Symantec Corp. have been accused of
exaggerating the gravity of security threats to boost sales. A decade ago
U.S. regulators cracked down on financial services firms for the
questionable practice of having their equity research and investment
banking divisions work together to endorse and then sell certain
investments. No such oversight exists for cybersecurity companies.
Although not surprising, given the relatively nascent nature of cyber
threats, this conflict of interest means these companies walk a thin line
between defending computers and other Internet-connected devices and
profiting from people’s fear that their personal data is vulnerable at any
time to online attackers.
[...]