Weekly Security Roundup #43: The Very Real Consequences of Cyber Attacks
It’s not just your digital stuff we’re talking about here
This week we were once again reminded how one vulnerability in the software we use can compromise the security of millions of users across the globe. The Internet Explorer security hole is in question, of course, along with the ways in which cyber criminals are actively exploiting it. We dedicated a special blogpost to this security alert and were the first ones to spot the exploit, but we believe this story is far from being over, in spite of the Ashley Madison hack that’s eating up all the attention. It’s been a week of intense discussions around the aforementioned notorious hack that brought up moral dilemmas and serious, real-life consequences on those involved. And there’s a long way to go before this will be over. But the Weekly Security Roundup is not just about Ashley Madison, but a lot more insightful issues that could help us better understand what’s going on with all these data breaches and security challenges that everyone is mentioning.
Security articles of the week
And not without reason. From Android devices, to Intel processors to cars and, well, anything connected to the Internet – white hat hackers have proved that everything can be compromised. A chilling realization, but a necessary one indeed, to help product makers, service providers, legislators and end users to pay more attention to cyber security as a basic necessity.
It’s not about the exposed data, but about the implications of that information that is now readily available on the web. Not only the users’ personal information has been disclosed, but also the source code of the targeted websites and company emails. And the repercussions continue to pop up in all sectors, from business to politics and more.
We want constant access to our information, both personal and professional, but most don’t realize the security implications. Our private and professional digital lives are intertwined more than ever, but that also means that a compromise can harm both. Joshua Goldfarb, FireEye CTO, Americas, shares his thoughts on endpoint security and makes some very compelling arguments.
Flash is one of the most vulnerable pieces of software today and there’s no denying it. In fact, we dedicated a comprehensive article to the subject that supports this claim: Adobe Flash vulnerabilities – a never-ending string of security risks. But the only way that Flash will fall from grace is if major platforms stop using it. And the latest to join the group is Amazon, after Google (with Chrome and Youtube) and Apple:
The company says it will no longer accept Flash ads on Amazon.com and the Amazon Advertising Platform beginning Tuesday, September 1. Amazon is not taking a stand for technology, however. The company says it is doing this because of recent changes from the major browser makers.
That’s because we live in an interconnected environment, where every change impact our digital universe. And the Flash problem is very serious in terms of corporate security: because companies can’t patch it fast enough, cyber criminals have a better chance at exploiting the vulnerabilities and achieving their malicious goals.
Cisco says Flash exploits are being rapidly integrated into widely used exploit kits such as Angler and Nuclear. Authors of the Angler and Nuclear kits included exploits of newly published vulnerabilities within days of them being publicly announced, the report says, and Flash upgrades by users lag.
DDoS attacks are what CISOs’ nightmares are made of. They are virulent malicious in their intent and very difficult to stop and mitigate. The key to an effective DDoS attack is leveraging many different traffic sources, so cyber criminals have started to diversity their portfolio to include home and SMBs routers and hacked WordPress sites. A recent example is the attack on Mumsnet, which took down the site, but also had unexpected, offline consequences.
If you’re one of the users of the beloved Pocket application, it would be wise to change your password.
A server-side vulnerability found in the save-for-later service would have allowed attackers to gain access to all user data and even populate their reading lists with malicious links.
With over 5 million downloads, this app could compromise your security, so keep an eye out for anything suspicious and change your password asap!
Cyber criminals are using increasingly deceiving tactics to trick end users into providing confidential information they can later use to access their bank accounts.
The past three months have seen a huge jump in the number of fraudulent applications for UK current bank accounts as cybercriminals continue to evolve their tactics.
Data breaches and the information sold and bought on the dark web is fueling this problem, which is a serious threat to any online banking user. Because it’s always better to prevent such an unfortunate event, we recommend a useful read: The Top 10 Most Dangerous Malware That Can Empty Your Bank Account, where you’ll also find advice on how to protect your data and money.
In our quest for enhances productivity and crossing things off our to do lists, we very often forget about security.
F-Secure Security Advisor Su Gim Goh recently conducted an experiment in Hong Kong to see how many people connect to Wi-Fi hotspots without verifying that the connections are safe. He put together a Wi-Fi hotspot for less than 200 U.S. dollars, and took it to different cafes and restaurants in Hong Kong. Goh was able to determine that 55% of people automatically connected to his hotspot, which was set up to spoof legitimate connections that people want to use.
We’ve said it before and we’ll say it again and again: connecting to public Wi-ifi hotspots is dangerous and you should stay away from it! Here’s something that you can apply right away: 11 Security Steps To Stay Safe on Public Wi-Fi Networks.
Remember the WordPress sites that are being used to fuel DDoS attacks? The cause may be that they are being compromised by cyber criminals by using the Neutrino exploit kit.
The hackers planted malicious iframes on 4,200 distinct pages of websites running vulnerable versions of WordPress 4.2 and prior. These iframes redirect users to Neutrino exploit kit landing pages. The Neutrino landing page is designed to exploit Flash Player vulnerabilities in order to push the CryptoWall 3.0 ransomware to the computers of Internet Explorer users. It’s worth noting that Neutrino started leveraging the Flash Player exploits leaked as a result of the Hacking Team breach shortly after the existence of the exploits came to light.
One more reason to get additional protection and keep your software up to date by installing updates as soon as they’re available (preferably automatically).
10. How will we secure the Internet of Things? (And are we ready to do it?)
There are a lot of legitimate questions regarding the Internet of Things as tech infrastructure expands and takes over operations that were not previously done through an Internet connection. Will we be able to monitor all the things connected? Will we be able to secure them properly? Who will patch and update all the computers, cars, fridges, electrical appliances and so on? The need to establish security guidelines to help us navigate the increasing complexity of the world we’re building is dire. We should all play our part in making sure we don’t end up with fragile, vulnerable ecosystems on our hands. And the first step is to get educated. Is there something we missed this week? Let us know and we’ll add the news to the security roundup!