Following the news that over 5,900 e-commerce sites have fallen victim to malware that skims victims’ credit card details online, Paul Farrington, manager of EMEA solution architects at information security specialist Veracode commented below.
Paul explores:
- How hackers are targeting small firms who do not have access to the necessary resources to determine whether the site is secure, nor are staying on top of the need to patch their software
- Who to blame? Is it the fault of open source-community, retailers, hosting providers or even government?
- What can we do? Calling on the government to do more in the area to instigate consequences for firms that are cavalier with customer’s data and ensuring that we aren’t desensitised by these data losses, as they are real and they are unacceptable
Paul Farrington, Manager of EMEA Solution Architects at Information Security Specialist Veracode:
“Nearly 6,000 compromised retail sites. Well, compared to the 500 million user details breached at Yahoo, perhaps that’s a small number? There is a danger that as the numbers are accurately reported, that we all become desensitised to these statistics. Many of the retailers affected are small, and simply do not have access to the necessary resources to determine whether the site is secure. An anti-virus scan is not going to cut-it.
“Hackers are leveraging the fact small firms are simply not staying on top of the need to patch their software. In this latest case, Magneto’s e-commerce shopping cart, is today the centre of attention. However, both the commercial and community (free) versions of this extremely popular purchasing software have patches that are available to address the vulnerability. So whilst the publishers of the software appear responsive to providing secure patches, these are simply not being applied or are just ineffective.
“What do we do about this situation? We can blame the open source-community, retailers, hosting providers or even government. The truth is, the more we look for a single silver bullet, the further we move away from an answer. Veracode’s own research has found for example, that 25% of all Java applications are susceptible to Apache Commons Collections (v3.2.1). The vulnerability is highly exploitable, yet finds its way into not only Web Applications, but also the Application Servers. This does not mean that Open Source software is bad, but just because it’s free does not mean that it’s secure.
“There is a danger that consumer confidence will reach a point of no-return when it comes to transacting and providing private information on the Internet. Governments needs to legislate and encourage companies to test software for vulnerabilities. Hosting providers should be asked to do more to detect and protect sites by promoting best practice patching practices. Financial incentives should be made available to firms that can demonstrate they are taking security seriously. And, Yes, there should be consequences for firms that are cavalier with customer’s data – government could do much more in this area. We all can do more. It’s starts by not allowing ourselves to be desensitised by these data losses, they are real and they are unacceptable. We need to demand more from the people who claim to serve our interests.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.