Crime Ring Revelation Reveals Cybersecurity Conflict of Interest
Hold Security’s nebulous report on the “CyberVor” online hacker gang exposed the cybersecurity world’s troubling practice of uncovering online threats and then selling proposed solutions.
By Erik Schechter
Sep 15, 2014
A small cybersecurity firm claimed this summer to have uncovered a scam by Russian Internet thieves to amass a mountain of stolen information from 420,000 Web and FTP sites. The hacker network, dubbed “CyberVor,” possessed 1.2 billion unique credentials—a user name and matching password—belonging to 500 million e-mail addresses, asserted Hold Security, LLC.
Those numbers made Internet security watchers and even some consumers sit up and take notice—people use such credentials to access banking, investment and social media accounts after all. If true, the CyberVor haul would dwarf last December’s data breach of retailer Target, in which 40 million customer credit cards were compromised. Although a New York Times story lent credibility to Hold Security’s claims, some observers question whether the cybersecurity vendor’s big reveal was more of a publicity stunt than a public service. The firm’s decision to charge potential victims a $120 fee for their Breach Notification Service did not help matters.
Panic and publicity certainly play a role in cybersecurity efforts, as companies that make antivirus and other protective software try to provide computer users with a sense of the unseen threats facing their devices and data on a daily basis. But questions arise when these companies yoke together the part of their businesses that finds and analyzes security threats with the part that sells software and services to mitigate those threats.
Even large, established firms such as Symantec Corp. have been accused of exaggerating the gravity of security threats to boost sales. A decade ago U.S. regulators cracked down on financial services firms for the questionable practice of having their equity research and investment banking divisions work together to endorse and then sell certain investments. No such oversight exists for cybersecurity companies. Although not surprising, given the relatively nascent nature of cyber threats, this conflict of interest means these companies walk a thin line between defending computers and other Internet-connected devices and profiting from people’s fear that their personal data is vulnerable at any time to online attackers.