How Americans Leave their Personal Info Open to Thieves

A new poll by CreditCards.com found that 92 percent of Americans have taken at least one big data security risk in the past year.

The most common error: reusing the same password online, which can increase odds of becoming a victim of identity theft. The poll found that more than eight in 10 U.S. adults (82 percent) recycle passwords, and most make this poor practice a habit. In fact, most internet users who do this use the same password at least half (61 percent) or all (22 percent) of the time, the poll said.

The poll noted that despite this and other sloppy data security behavior, Americans are very worried about ID theft. Almost half (46 percent) say realizing their identity had been stolen would be worse than discovering that burglars broke into their home (27 percent). The rest said both would be equally bad.

The survey lists four additional bad data security behaviors…

Complete article on securitymagazine.com

Phishing Tactic Hides Tracks with Custom Fonts

The phishing campaign is using a new technique to hide the source code of its landing page – and stealing credentials from customers of a major U.S.-based bank.

An insidious phishing method evades detection using a never-before-seen technique that leverages custom fonts to cover its tracks.

Researchers at Proofpoint recently discovered an active credential harvesting phishing scheme. Once a victim has clicked on the initial phishing email, the resulting landing page looks like a login page for a major U.S. bank – but in reality the page is bent on stealing banking customers’ credentials, Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. The phishing kit uses custom web fonts to obfuscate the source code for the landing page – making it seem harmless.

Complete article on threatpost.com

How Traditional Training Is Weakening Businesses’ Cybersecurity

Just a decade ago, cybersecurity was a relative myth to the public – something taken care of by any old antivirus and certainly nothing to worry about. But as the internet age gathered momentum, rolling like a freight train on an endless slope, things changed. Cyber attackers were not perceived as hoodie-wearing teens with abundant spare time anymore, but seen for what they are: organized, often well-funded groups – and a genuine menace to society.

The evolving threat landscape has changed the way cybersecurity is viewed by businesses, too. No longer should it be handled by a select few while other employees move irresponsibly through the digital world; instead, it is something of which every employee must be aware. But traditional training models, whereby swathes of employees travel to one-day events periodically, are expensive – and not very practical either.

Complete article on forbes.com

Hunt for Red Bugtober: US military’s weapon systems riddled with security holes

Computer security vulnerabilities are widespread in US military hardware, and the Pentagon is only beginning to understand how to fix them.

This is according to an October report on cybersecurity practices in Uncle Sam’s armed forces, drawn up by the Government Accountability Office (GAO).

Leading with the subtle title “DOD Just Beginning to Grapple with Scale of Vulnerabilities,” the dossier outlines how known exploitable flaws in components like microcontrollers, industrial control system boards, and management software are being left unpatched, with little in the way of plans to address them. That’s bad news as more and more equipment is hooked up to computer networks and the internet, from where the holes can potentially be exploited.

Complete article on theregister.co.uk

The Biggest Email Security Challenge Facing Organizations Today

Email is the single most effective and commonplace way of reaching someone in the business world today. Even as other methods of digital communication have come and gone over its 40-year history, email remains the backbone of business communications with 3.7 billion users worldwide collectively sending 269 billion messages every day.

But email’s ubiquity and popularity come at a price: vulnerability. With the growing prevalence and success of targeted social engineering attacks, email continues to be a shockingly easy entry point for cybercriminals. In fact, the FBI’s 2017 Internet Crime Report indicates that business email compromise and phishing drive 48 percent of ALL internet crime-driven financial loss – more than all other business-related internet crime combined. Depending on their form, these targeted attacks go by a number of names – spear phishing, business email compromise, impersonation, credential theft, etc. – and have a disproportionately large impact on an organization, as they gain access to confidential information and intellectual property and, in many circumstances, enable east-west migration attacks that move from email into core backend systems holding customer data or even financial access.

Complete article on securitymagazine.com

Google Outlines Incident Response Process for Cloud Customers

In its ongoing campaign to build trust through transparency, Google this week released a white paper describing the company’s process for responding to incidents impacting the confidentiality, integrity or availability of customer data.

The paper shows that Google has implemented a four-phased approach for responding to data incidents, which it describes as a breach of Google security that results in the disclosure, alteration or destruction of customer data in its care.

Complete article on eweek.com

How To Protect Yourself Against a SIM Swap Attack

A spate of hacked Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring. They all have roots in an old problem that has lately found new urgency: SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life.

At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.

Complete article on wired.com

Cybersecurity pros are limiting their personal use of Facebook, survey says

About 65% of surveyed current and former attendees at the annual Black Hat USA security conference say they’re limiting their use of Facebook or not using it at all after the recent controversies over the company’s security practices, Black Hat reports.

The organization has surveyed its attendees on security matters annually since 2015, and the majority of those surveyed reported working in a computer security profession. This year’s survey generally found attendees pessimistic about the outlook for privacy and security.

Complete article on fastcompany.com

Report: 99.7% of web apps have at least one vulnerability

Nearly every web application has at least one vulnerability, according to the 2017 Trustwave Global Security Report, released Tuesday. Of the apps scanned by Trustwave for the report, 99.7% included at least one vulnerability, with the mean number of vulnerabilities in web apps being 11.

In addition to application security, the Trustwave report also covers data breaches. The median number of days it took to detect an intrusion dropped to 49 in 2016 from 80.5 days in 2015. However, internally detected breaches were typically found in about 16 days, a much shorter time period.


Complete article on techrepublic.com