Weekly Security Roundup #35: More Attacks, More Threats and a Way to Fight Them
This week, we took to the field to ask knowledgeable startup founders how they implement cyber security tactics in their everyday activities.
We found a strong concern for information security tactics and an increased awareness of the challenges that this discipline brings. We believe it’s essential to start out with a healthy outlook on how to protect company data and the customers’ confidential information, so their advice can really help other founders make the right decisions from day one.
And because we know that the Weekly Security Roundup is usually filled with worrisome news and information about cyber threats and all types of attacks, we worked on a positive resource as well.
Just yesterday we announced our Cyber Security for Beginners course, meant to help Internet users everywhere to enhance their cyber security skills.
If you choose to join us for this course, you’ll learn how to protect yourself from most of the threats that we write about in the weekly summary. You’ll also become skilled in protecting your family from cyber threats and securing your confidential information on your applications and devices.
I’ll also be there every step of the way to help you put everything into practice and really get the most out of this course. We promise it’s packed with helpful, actionable advice and will help you get a different, stronger view on cyber security. Join us!
And now for the news of the week!
Security articles of the week
1. LastPass got hacked, but that’s no reason to stop using it
Four days ago, LastPass announced on their blog and by sending emails to all their users that:
Our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
Being a devoted user, I rushed to my laptop to change my master password on the spot and I watched as the news traveled in the media at the speed of light.
It’s somewhat normal to feel like you’ve lost a little of your faith in a service when it gets hacked, but as we always say: nothing is 100% secure. The way a company manages a situation like this shows exactly how well prepared for a cyber attack they are. And LastPass did a good job, as industry specialists noticed.
Graham Cluley once again dotted the i’s, emphasizing that we shouldn’t let incidents such as these ruin our trust in password managers. We strongly recommend using them and we encourage you to read our password management guide if you haven’t done so already. It could save you a lot of trouble.
2. Flash Player vulnerability leaves you susceptible to cryptoware
Trend Micro researchers announced, 2 days ago, that:
It took less than a week for a functional exploit for a recently patched Adobe Flash Player vulnerability to be added to the Magnitude exploit kit.
Exploits in Flash Player are nothing new, but this one is especially dangerous, as it can deliver CryptoWall 3.0, the ransomware that will make you wish you used a patching tool regularly.
Flash Player made it into our top 8 Vulnerable Software Apps Exposing Your Computer to Cyber Attacks and the outlook doesn’t look too bright.
We urge you to keep your software up to date at all times and use an automatic and silent patching tool for your safety and convenience. Ignoring update prompts is not the way to go here!
3. AT&T and WhatsApp – the companies that perform the worst when it comes to protecting user data from government requests
The Electronic Frontier Foundation has just released its yearly report on data collection practices, analyzing tech companies worldwide and providing much needed information for users’ privacy concerns.
While Adobe, Apple, CREDO, Dropbox, Sonic, Wickr, Wikimedia, WordPress.com, and Yahoo did the best job at keeping user data safe from the government’s prying eyes, AT&T and WhatsApp showed that they clearly lag behind industry best practices.
The good news is that:
Overwhelmingly, the Majority of Tech Companies Oppose Government-Mandated Backdoors.
The whole report is worth reading through, because it really helps us grasp how companies are using the information we provide them. Making an informed decision about your cyber security is crucial, and privacy is a big part of it.
4. Website vulnerabilities are still a major security issue
A great article on CSO Online reminds us that website vulnerabilities are still a big challenge when it comes to companies’ cyber security.
One example states that:
WordPress is a growing problem as sites that represent small to midsize enterprises increasingly incorporate it along with its countless plug-ins that require constant updating.
That is confirmed by the constant security warnings issued by Sucuri Security, whose main focus is WordPress security. Just last week they announced an Object Injection Vulnerability in WooCommerce which could enable the attacker to “download any file on the vulnerable server”.
The article on CSO Online goes on to observe that:
Even when a coder produces an otherwise secure website, they are largely developing based on the vulnerabilities they are aware of, not the ones that no one has yet confirmed. There are always new vulnerabilities that appear for the first time in the wild.
Adhering to industry standards is a must in this case, and we’d also recommend the 10 Tips to Improve Your Website Security guide that can help you understand where you may be lagging in terms of protecting your assets.
5. Developers should never ignore security problems brought on by open source components
A recent article on TechWorld emphasizes an idea that we’ve just covered: the fact that developers tend to ignore security problems, creating vulnerable websites.
Last year, large software and financial services companies downloaded 240,757 components on average from one of the largest public repositories of open-source Java components. Over 15,000 of those components, or 7.5 percent, had known vulnerabilities, according to Sonatype, the company that manages the repository.
As we know, Java is one of the most frequently exploited pieces of software in the world, and that’s not something to be taken lightly.
As computing power grows, the code behind the software we use becomes increasingly complex in terms of structure, content and dependencies. That’s why automation can help fix this problem, and an increased awareness of cyber security issues can lead to healthy, sustainable growth in companies worldwide. Incorporating these solutions from the start can have a huge positive impact on organizations everywhere.
6. Silicon Valley is the number 1 US target for cyber criminals
This may not come as a surprise, but it’s interesting to see what the major targets in the US are. Cyber criminals focus their attacks on tech hubs, such as Silicon Valley, but also on large metropolitan areas, such as Seattle, Chicago or LA.
The US is also the region most targeted by DDoS attacks, and there are many more interesting statistics on the subject in this short slide deck.
7. Avoid phishing when buying Euro 2016 tickets
Our friends from Check & Secure warn football fans in Europe (and beyond) to exercise vigilance when buying tickets for next year’s Euro cup.
Fake websites are always used to lure enthusiastic fans and strip them of their cash. Knowing how to recognize a phishing attempt is essential in online purchases, no matter what you’re buying or where you’re buying it from. These 17 Online Shopping Security Tips to Protect Your Money can come in very handy in situations like these.
8. What comes after the password? IoT could have the answer
LastPass’s security breach made us wary and it also made us think about what the next step in authentication is. Passwords just don’t seem to be enough nowadays.
Paul F. Roberts from CSO Online writes:
IoT, with its tiny screens & headless devices, will drive an authentication revolution. It’s a short leap from the kind of two-factor authentication used on the Apple Watch to proximity-based authentication that does away with any user interaction. Passwords are just the canary in the coalmine.
This is an article worth reading because we have to be prepared for the massive change and innovation that IoT will bring into our lives, as well as for the security challenges that will emerge with it.
9. Malvertizing spreading across the Netherlands
A strong malvertizing campaign targeting the Netherlands was announced this past week, prompting users to be careful what they click on.
But given that there are exploit kits which can deploy without the user ever clicking on an infected banner, being careful is not nearly enough.
Once again – and I’m taking my chances of sounding like a broken record – I urge you to keep your software updated, use a good antivirus product and an anti-malware product to go with it, so you can have the best chances of keeping your data safe and not becoming infected.
Even though cyber security and the financial sector have a long-standing relationship, there’s always room for improvement, as they say.
Why? Because modern banking Trojans are becoming more sophisticated and more difficult to detect, which makes the banks’ job even more challenging when it comes to data protection.
A report released by Symantec examines 9 of the most common and advanced financial Trojans and emphasizes the need for stronger security implementations when it comes to authentication.
It never ends. All this complexity can become tiresome and challenging to manage, but technology also gives us opportunities to develop things that we could never achieve otherwise.
In spite of all the threats and attacks that we become aware of, we must keep a positive, constructive mindset that helps us innovate and build stronger protection for the products and services we use.
It’s really not all doom and gloom. Cyber security can be fascinating, intriguing and rewarding as well. In fact, that’s how we feel about it every single day!