During the last days lots of stuff was going on. Facebook was hacked, but nobody seems to take this seriously, at least that is my impression here in Germany. Although the media are aware of the issue, they completely ignore it. Not even the data privacy websites picked that topic up. This leaves the impression that either nobody takes this seriously or that they simply have no interest in reporting on it.
Sadly, many websites, TV stations and newspapers (print media) only talk about IT security stuff when you are able to see something. Like some Arabic flash intro with weird sound, typical for recently defaced websites.
The problem with IT security issues is that “normal” people/consumers don’t understand the details of an incident. When they read about a SQL injection or flaws in validating user input, they have a very strange way of thinking about it. Like: “Why would someone enter malicious commands into a web address??”. Of course this means that there is no security awareness at all, and this leads unavoidably to a point where people only get informed about incidents when they are able to understand them.
This is actually very sad and only increases the security problem. Most people will continue to reveal their personal lives on Facebook, even without knowing that this data can be accessed by unauthorized strangers.
Facebook closed the vulnerabilities, but well, if insecure apps from third parties can lead to disasters, how safe is our data?
One example of reasonable behavior when it comes down to IT security is the vendor of the ShopSystem. I discovered a SQL injection vulnerability within this shop software recently and notified the company behind this software product. They replied within hours, fixed the leak and gave me some feedback. They really showed a cool reaction, staying calm and even thanking me for reporting the vulnerability.
I saw something similar when I found several flaws within the websites zapni.tv and other sites provided by the same guy. I contacted him through ICQ and within minutes he solved almost all issues, being very responsible when it comes down to protecting the personal data of his community members.
You might find many examples like the ones I described here, but still so many website owners and software vendors try to camouflage vulnerabilities, hoping no potential visitor or customer will ever know about them. This might be one of the most dangerous reactions they could show.