9 Things That Don't Worry You Today (But Should)
There are security concerns that go far beyond the usual suspects. Here are some that should be on your list of scary things.
July 29, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt67d8030af01191fc/64f0d40aa01b5a7d075176bc/Image_1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
There are lots of things to keep a security professional up at night, from virulent malware to zero-day vulnerabilities to users wildly clicking on every attachment that hits their in-boxes. Unfortunately, the well-known hazards aren't nearly all that security folks should be worried about.
Constantly expanding capabilities in computing have given rise to a constantly growing list of threat sources. From misapplied technologies that normally serve worthwhile purposes to poor behavior on the part of users (there's that word, again), security issues abound in places both expected and unexpected.
This time, we're looking at the "unexpected" side of the ledger. The items range from a way to weaponize one of the basic tools for transferring and storing files (the .ZIP format) to technologies that should protect you but may not (passwords and OpenPGP). There are plenty of things to think about when it comes to your enterprise security.
For better or for worse — possibly both — this list is not filled with technologies, products, and activities that can simply be carved out of every enterprise activity. It is, for example, highly unlikely that you'll simply be able to leave passwords in history's dustbin anytime soon. But that doesn't mean that you shouldn't be aware of the various ways in which passwords can fail your organization and make it more vulnerable than you believe it to be.
Security research is ongoing and these items came from a variety of researchers, papers, podcasts, and websites across the Internet. And this list is in no way exhaustive — there are plenty of potentially scary things out there, just waiting to bite security professionals (and their companies) who get a bit too complacent.
So, what are the scary things on your list? We'd like to see the items that you worry about that we didn't mention. Comments are open and waiting for you to add to the body of scary knowledge at Dark Reading.
Since 1989, computer users have been taking advantage of Phil Katz's work in compression to reduce file sizes by as much as 1,032 to 1. The ZIP format is a common and critical component of file transfer in the enterprise, but the qualities that make it valuable can be used against an unwary recipient.
The 1,032 to 1 compression ratio is the ceiling for DEFLATE, the compression method used by almost every ZIP tool since the early 1990s. Far higher ratios are possible by overlapping entries inside the archive so that many directory entries share one compressed kernel, or by switching to other compression methods. In a recent example, researcher David Fifield demonstrated a compression ratio of more than 28 million to 1: a 46MB ZIP file that decompresses to approximately 4.5PB of data, without nesting one archive inside another.
Fifield has also published code producing an even larger ZIP bomb, a 2.9GB file that unzips to 2^64 + 11,727,895,877 bytes, roughly 18.4 exabytes (one SI prefix beyond petabytes).
These very large ZIP bombs have so far been confined to research, but it's not hard to imagine a threat actor using the technique to exhaust the storage, memory, or CPU of any system that unpacks archives automatically: mail gateways, antivirus scanners, upload handlers, and build pipelines. The sizes recorded in an archive's own headers are attacker-controlled, so the defence is to enforce limits on the bytes actually produced during extraction rather than trusting what the archive claims.
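A pre-extraction screen for the behaviour described above, written as an added example for this article (it is not Fifield's code or any vendor's): it reads the central directory to compare declared and compressed sizes and to look for the overlapping entries that the overlapping-files construction relies on, and it caps the bytes actually produced when an entry is decompressed. The thresholds MAX_TOTAL_BYTES and MAX_RATIO are policy values assumed here, and the test archive is constructed inside the script.

```python
"""Screen a ZIP archive for bomb characteristics before extracting it.
Added example for this article; not code from Fifield or any product.
MAX_TOTAL_BYTES and MAX_RATIO are policy values chosen here, not from the article."""
import io
import zipfile

MAX_TOTAL_BYTES = 100 * 1024 * 1024  # refuse archives declaring more than 100 MiB of output
MAX_RATIO = 100                       # DEFLATE tops out near 1032:1; real data rarely exceeds 100:1


def entries_overlap(spans):
    """spans: (offset, compressed_length) per entry, taken from the central directory.
    Overlapping spans are the signature of the overlapping-files bomb construction,
    in which many central-directory entries point into one shared compressed kernel."""
    ordered = sorted(spans)
    for (off_a, len_a), (off_b, _) in zip(ordered, ordered[1:]):
        if off_b < off_a + len_a:
            return True
    return False


def inspect_zip(data):
    """Read only the central directory (no decompression) and return
    (declared_uncompressed_total, compressed_total, ratio, overlap_flag)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total = sum(i.file_size for i in infos)
    comp = sum(i.compress_size for i in infos)
    ratio = total / comp if comp else float("inf")
    spans = [(i.header_offset, i.compress_size) for i in infos]
    return total, comp, ratio, entries_overlap(spans)


def is_suspicious(data):
    """Policy decision: too much declared output, an absurd ratio, or overlapping entries."""
    total, _, ratio, overlap = inspect_zip(data)
    return total > MAX_TOTAL_BYTES or ratio > MAX_RATIO or overlap


def extract_capped(data, name, max_bytes):
    """Decompress one entry, aborting as soon as more than max_bytes come out.
    The sizes in the central directory are attacker-controlled, so the cap is
    enforced on bytes actually produced, not on what the archive claims."""
    produced = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as entry:
        while True:
            chunk = entry.read(64 * 1024)
            if not chunk:
                break
            produced += len(chunk)
            if produced > max_bytes:
                raise ValueError(f"{name}: output exceeded {max_bytes} bytes, extraction aborted")
            out.write(chunk)
    return out.getvalue()


def build_sample_zip(size):
    """Constructed test input: `size` zero bytes, which DEFLATE shrinks roughly 1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * size)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(8 * 1024 * 1024)
    total, comp, ratio, overlap = inspect_zip(sample)
    print(f"{len(sample)} byte archive declares {total} bytes, ratio {ratio:.0f}:1, overlap={overlap}")
    print("suspicious:", is_suspicious(sample))
```

The metadata checks are cheap and catch the obvious cases, but a crafted archive can declare any sizes it likes, which is why extract_capped counts real output and stops; run the cheap check first and the capped extraction in a sandbox with its own disk quota.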
For a login to protect a device, it first has to exist. For a surprising number of mobile device users, that cannot be assumed. Recent studies have shown that financial companies are at risk from employee mobile devices with no lock screen enabled, but the issue isn't limited to financial services firms.
As BYOD programs have approached ubiquity in enterprise environments, companies have struggled to balance adequate enterprise security with acceptable employee privacy. Whether a lock screen is enforced on personal devices is one of the more obvious manifestations of that struggle.
It seems obvious that every mobile phone user should have a lock screen, for their own security if nothing else. Some employees will still resist, and for them the enforcement provided by a mobile device management (MDM) system, which can require a passcode and a screen-lock timeout before a device is allowed to reach corporate data, can spur better security for company and employee alike.
Since 1991, Pretty Good Privacy (PGP) has been Phil Zimmermann's gift to secure communications. The public-key encryption scheme has generally been considered secure, and OpenPGP, the open standard derived from it (RFC 4880) and implemented by free software such as GnuPG, has been used by millions around the world. Now, though, an attack that abuses the public keyserver network exactly as it was designed has raised questions about the continuing usefulness of that infrastructure.
In February, Robert J. Hansen, a long-time member of the GnuPG community, wrote a paper offering security tips to dissidents in Venezuela and signed it with his OpenPGP key. That is where the attack comes in: a reader who fetches his key from the SKS keyserver network to verify the signature receives a "poisoned certificate", one that attackers have flooded with well over a hundred thousand bogus third-party signatures. Importing it can stall GnuPG for hours and leave the keyring unusable, which affects the reader's entire PGP setup.
The attack appears to be based on a set of tools called "trollwot" that has been around since 2010. The tool set, a response to anger over the EU's right to be forgotten, exploits the fact that SKS keyservers accept any signature on any key and never delete anything, and it can mount a number of attacks on a PGP key infrastructure. While the attack on Hansen's key is a very public example of what can happen, every certificate on the SKS network is exposed in the same way. The weakness is in the keyserver network rather than in OpenPGP's cryptography, so the practical response is to stop trusting keyservers for anything beyond a key's own self-signatures: GnuPG 2.2.17 introduced the import option self-sigs-only and applies it to keyserver fetches by default, and the validating keyserver at keys.openpgp.org does not distribute third-party signatures at all.
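Added example, not the GnuPG project's code or the trollwot tool: a minimal parser for OpenPGP binary packet framing (RFC 4880 section 4.2) that counts the signature packets attached to a certificate before it is handed to gpg --import, so a flooded certificate can be quarantined instead of imported. It inspects framing only and verifies nothing cryptographically; the sample certificate and the MAX_SIGS threshold are constructed assumptions. ASCII-armored keys need gpg --dearmor first.

```python
"""Count OpenPGP packets in a binary certificate before importing it.
Added example for this article; not GnuPG code. MAX_SIGS is an assumed policy
threshold (the poisoned certificates carried far more signatures than this)."""

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
MAX_SIGS = 1000


def _new_length(data, i):
    """Parse a new-format body length at data[i]; returns (length, next_index, is_partial)."""
    l1 = data[i]
    if l1 < 192:
        return l1, i + 1, False
    if l1 < 224:
        return ((l1 - 192) << 8) + data[i + 1] + 192, i + 2, False
    if l1 == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (l1 & 0x1F), i + 1, True          # partial body length, more chunks follow


def iter_packets(data):
    """Yield (tag, body) for each packet, handling old- and new-format headers
    (RFC 4880 section 4.2), including new-format partial body lengths."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {i}")
        i += 1
        if ctb & 0x40:                                # new-format header
            tag = ctb & 0x3F
            body = bytearray()
            while True:
                length, i, partial = _new_length(data, i)
                body += data[i:i + length]
                i += length
                if not partial:
                    break
        else:                                         # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = n - i                        # indeterminate: runs to end of input
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + size], "big")
                i += size
            body = data[i:i + length]
            i += length
        if i > n:
            raise ValueError("truncated packet")
        yield tag, bytes(body)


def certificate_stats(data):
    """Map packet tag -> count for a whole certificate."""
    counts = {}
    for tag, _ in iter_packets(data):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def looks_poisoned(data, max_sigs=MAX_SIGS):
    """True if the certificate carries more signature packets than policy allows."""
    return certificate_stats(data).get(TAG_SIGNATURE, 0) > max_sigs


def encode_packet(tag, body):
    """Build a new-format packet; used here only to construct the sample certificate."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def build_sample_cert(num_sigs):
    """Constructed certificate: one key, one user ID, num_sigs dummy signature packets.
    Bodies are filler that exercise the framing only; nothing here is cryptographically valid."""
    cert = encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 270)
    cert += encode_packet(TAG_USER_ID, b"Alice <alice@example.org>")
    for k in range(num_sigs):
        cert += encode_packet(TAG_SIGNATURE, b"\x04\x10" + k.to_bytes(4, "big") + b"\x00" * 64)
    return cert


if __name__ == "__main__":
    for count in (5, 1500):
        cert = build_sample_cert(count)
        print(count, "signatures:", certificate_stats(cert), "poisoned:", looks_poisoned(cert))
```

This is a quarantine check for keyserver output, not a replacement for GnuPG's own self-sigs-only import option, which is the fix that makes the flooding harmless; the parser is useful anywhere certificates are accepted from an untrusted source before a full OpenPGP implementation sees them.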
Do you know where that QR code is going? Really? Between URL shorteners, URL obfuscation tricks, and scanner apps that automatically open whatever a code contains, it can be a very short step from scanning a QR code to launching malware on a smartphone attached to the enterprise network.
Nick Guarino, a researcher with Cofense, writes that QR codes have been used in phishing emails to keep recipients (and the email filters that inspect links) from seeing the URL of a malicious link. Once scanned, the phishing site opens on the victim's phone, often outside corporate web filtering, and because the link arrived through a respectable-looking QR code, victims are more likely to supply the information requested and give up sensitive data.
Although QR codes can be convenient and are often part of legitimate marketing campaigns, security teams should encourage users to treat them as suspicious when they arrive in unexpected forms, such as in email or messaging apps, and to look at the decoded URL before opening it.
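Added example (not Cofense's tooling): a triage function for the text decoded from a QR code that flags the obfuscation patterns described above, such as a shortener domain, userinfo placed before the real host, a raw IP address, an internationalized or punycode host, or a non-web scheme that hands the payload straight to an app. The shortener list and the thresholds are illustrative assumptions, and decoding the image itself is left to the scanner.

```python
"""Triage a decoded QR payload before anyone opens it.
Added example for this article; the shortener list and the checks are this
example's own assumptions, not from Cofense or the article."""
import ipaddress
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "rb.gy"}  # illustrative
NON_WEB_SCHEMES = {"javascript", "data", "file", "intent", "market", "tel", "sms", "mailto"}


def assess_qr_payload(payload):
    """Return a list of red flags for the text decoded from a QR code.
    An empty list means no obfuscation pattern was found, not that the link is safe."""
    flags = []
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if not scheme:
        return ["payload is not a URL"]
    if scheme in NON_WEB_SCHEMES:
        flags.append(f"scheme {scheme!r} hands the payload to a non-browser handler")
        return flags
    if scheme != "https":
        flags.append(f"scheme {scheme!r} is not https")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        flags.append("no host in URL")
        return flags
    if parts.username is not None:
        # https://bank.example@evil.example/ displays the bank but connects to evil.example
        flags.append(f"userinfo {parts.username!r}@ precedes the real host {host!r}")
    if host in SHORTENERS:
        flags.append(f"shortener {host} hides the final destination")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if "xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("internationalized hostname, check for lookalike characters")
    if host.count(".") >= 4:
        flags.append(f"deeply nested subdomains in {host}")
    if len(text) > 200:
        flags.append("unusually long URL")
    return flags


if __name__ == "__main__":
    # constructed sample payloads
    for sample in ("https://login.bank.example/account",
                   "https://login.bank.example@203.0.113.7/account",
                   "https://bit.ly/3xyz",
                   "intent://scan/#Intent;scheme=zxing;end",
                   "hello world"):
        print(sample, "->", assess_qr_payload(sample) or "no flags")
```

In a mobile scanner or an email gateway that decodes QR images, a non-empty result is a reason to show the full decoded URL and ask for confirmation rather than opening it; the shortener check in particular should be paired with resolving the redirect chain server-side before the user ever sees the destination.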