CIO & Sharon Florentine Speak Frankly

CyberSecurity For 2017

In 2016, cybersecurity crash-landed on many fronts. From W-2 scams to WordPress vulnerabilities, ransomware, business email compromise, DDoS attacks and allegations of a hacked presidential election, 2016 was quite a year in the history of cybersecurity, and in 2017 it is not over yet.

There is no good reason to believe cybersecurity will be any better in 2017; if anything, it could be worse, as cybercriminals continue to push social engineering, find new ways to deliver malware, crack vulnerable databases and leverage mobile technology to get inside corporate defenses and target individuals. That is almost the good news...

Two leading cybersecurity experts, Matt Dircks, CEO of secure access software company Bomgar, and Scott Millis, CTO at secure device management and mobile security company Cyber adAPT, were asked what to expect in 2017. For our clients, here are their quotes and the main items they spoke on:

1. Passwords 'grow up' - The recent DDoS attack that wreaked havoc on a huge portion of the internet on Oct. 21 was at least partly enabled by unchanged default passwords on IoT devices, which hackers were able to exploit, says Dircks. Don't think you're immune: how many of your users have simple, common or outdated passwords? In 2017, Dircks says, better password management services will gain traction as businesses understand how vulnerable they are.

"I used to do a party trick where I'd go to someone's house and hack their router. There are so many purpose-built, 'dumb' devices out there like the routers used to facilitate the DDoS attack a few months ago, that it's making hackers' jobs easy," Dircks says.

Cybersecurity professionals will struggle to protect critical infrastructure, connected systems and remotely accessed systems and devices while weak password practices remain the norm, but it's not just external threats that are a problem.

Mitigating insider threats can also be accomplished through better password management, he says. The best way to do so is to implement a solution that securely stores passwords that remain unknown to users, and then regularly validates and rotates those passwords to ensure safety and security.

"What we're talking about is credential vaults. In an ideal world, a user would never actually know what their password was -- it would be automatically populated by the vault, and rotated and changed every week. Look -- hackers are intrinsically lazy, and they have time on their side. If you make it harder for them, they'll go elsewhere rather than invest the energy to chip away," Dircks says.

2. Privilege gains power - Hackers want high-level access, which they get through targeting the credentials of privileged users like IT professionals, CEOs and vendors, Dircks says. And while organizations have applied security to the systems, applications and data that are most critical to their business, these preventative measures simply aren't enough anymore. In 2017, he says, savvy organizations will finally get serious about protecting not just systems, but privileged users by identifying them, monitoring their access and closing off access to what they don't need.

"We've had some clients who say, 'Well, I just stick my users or outside vendors on the VPN and they're fine,' but they have no idea what they are actually accessing! With privilege management, think of it like an elevator bank, where depending on your role, you can only get to certain floors. It really limits what you can do, especially if you're malicious. Even if I do have a valid password, if my privilege lets me access floors one and seven, but I try to go to six, then the system will block me and notify someone," Dircks says.

Addressing this issue will also require organizations to provide extensive education and training on the dangers involved, especially in an increasingly mobile workforce where many individuals would rather sacrifice privacy and personal data for access, and believe their security will be taken care of by third-party service providers and application creators, he says.

"Especially in the last few generations of digital natives, people are more than willing to give up their personal information and data for access to apps, connectivity, information -- this can easily be exploited. And they are willing to trust that these app developers, these providers, will make sure they're safe and secure. That's dangerous. Combine the cybersecurity skills gap, talent shortage, mobile workforce, app-centric environment, more sophisticated hacking and it's a perfect storm. We think it's just going to get worse before it gets better," Dircks says.

3. The security blame game will heat up - "When we talk to our clients, one trend we're seeing that is really horrifying is that they don't even say 'if' an attack occurs anymore, they say 'when.' It's like, at this point they are just throwing up their hands and saying, 'Well, I'm gonna get hit, how bad is it going to be?' and that, to me, is just terrifying," Dircks says.

The IoT and increasing reliance on security solution providers mean companies may not be able to easily establish ownership or origin once a breach happens, he says. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected to internal systems that can't yet be patched? IoT devices are often overlooked because they fall outside of IT's traditional purview, and that means exposure to threats.

"With the integration of IoT, automation and the cloud, no one seems entirely sure who's actually responsible for maintaining security of all these various pieces: the IoT device manufacturer? The security services provider? The internal IT department? Individual users? You're only as secure as the least-secure device or relationship," Dircks says.

When a breach occurs, even with layers of security, the question of who "owns" it and who had or has the power to do something about it will create intense reactions and finger-pointing, he says.

Companies can head off this blame game by ensuring open communication between IT and business leadership to understand the potential threats, options for security and safety and the challenges and constraints that exist within the organization, Dircks says.

"Part of the problem is that, as a CSO, a CISO or even a CIO -- anyone with security responsibility -- you're either invisible, if you're doing your job right, or you're on the hot seat. If you come up with great policies, procedures and security measures, then you often leave those to IT to operationalize. But if those fail because you didn't understand the business needs, the budgets, the requirements, then you're not really helping," he says.

4. Ransomware will spin out of control - Since January 1, 2016, Symantec's Security Response group has seen an average of more than 4,000 ransomware attacks per day, a 300 percent increase over 2015, according to its 2016 Internet Security Threat Report.

Most organizations rely on low-overhead prevention techniques, such as firewalls, antivirus or intrusion prevention, to mitigate threats like these, says Cyber adAPT's Scott Millis. However, these tools are insufficient, and breach data shows that detection and incident response must be improved.

And as attackers continue to use social engineering and social networks to target sensitive roles or individuals within an organization to get to data, the need for comprehensive security education becomes even more critical, he says.

"If security policies and technologies don't take these vectors into account, ransomware will continue to seep in. There's also the issue of detection. Some attackers can reside within a company's environments for months, often moving laterally within environments, and silos between network, edge, endpoint and data security systems and processes can restrict an organization's ability to prevent, detect and respond to advanced attacks," Millis says.

Finally, new attack surfaces -- for example, IaaS, SaaS and IoT -- are still so new that organizations haven't yet figured out the best way to secure them, he says.

5. Dwell times will see no significant improvement - Dwell time, the interval between a successful attack and its discovery by the victim, will see no significant improvement in 2017, Millis says. In some extreme cases dwell times reach two years, and a breach can cost a company millions.

"Why so long? In my view, this is annoyingly simple -- there's little or no focus on true attack activity detection. At the advent of the 'malware era', companies, vendors and individuals were rightly concerned about 'keeping out the bad guys', and a whole industry grew quickly to focus on two basic themes: 'Defense-in-depth', which I view as layering prevention tactics in-line to make penetration from the outside more difficult; and 'Malware identification', which manifested itself as an arms race towards 100-percent-reliable identification of malware," Millis says.

While response technologies and remediation capabilities improved, so that victims were able to isolate and repair damage very quickly, these technologies didn't help reduce dwell time unless response teams stumbled upon something malicious or randomly discovered an anomaly, Millis says.

Nowadays, security pros search network device log files for clues as to whether an attack has been attempted or has succeeded, but storing and sorting through the massive amounts of data this approach needs is costly and inefficient, Millis says.

"The need for huge data stores and massive analytics engines drove the new security information and event management (SIEM) industry. While SIEM is a great after-the-fact forensics tool for investigators, it still isn't effective in identifying attacks in progress. What we -- and some other companies -- are doing now is developing products that focus on analyzing raw network traffic to identify attack indicators. Finding attackers as soon as possible after they have beaten the edge or device prevention gauntlet, or circumvented it entirely as an innocent or malicious insider, will dramatically shorten dwell time," he says.

6. Mobile will continue to rise as a point of entry - At least one, if not more, major enterprise breaches will be attributed to mobile devices in 2017, Millis predicts. A Ponemon Institute report found that for an enterprise the economic risk of mobile data breaches can be as high as $26.4 million, and that 67 percent of organizations surveyed reported having had a data breach as a result of employees using mobile devices to access the company's sensitive and confidential information.

People and their mobile devices now move around far too much, and far too fast, for old-fashioned cybersecurity strategies to be effective, Millis says. Add an increasing sense of entitlement among users about the devices they choose to use, and you have a situation ripe for exploitation.

"Many users feel they can protect their privacy while having secure, uninterrupted access to business and personal services. And still many people subscribe to the view it is not they who are accountable for security breaches; if they can work around 'security' to improve their user experiences, they will. CISOs, CIOs and CEOs view this as a complex challenge to the implementation of their enterprise security strategies, and one that won't be solved by having email and calendar data delivered over SSL to a single, approved OS," Millis says.

Mobile payments, too, will become a liability. MasterCard's 'selfie pay' and Intel's True Key are just the tip of the iceberg, he says. Individuals should understand that they need to treat their biometric data as carefully as they do other financial and personal data; again, that comes down to education and training, he says.

"Wouldn't it be nice if public Wi-Fi access providers were required to put up the internet allegory to the warnings on cigarette packs? Something like, 'Warning: This public access connection is not secure and information you send and receive while connected may possibly be viewed, collected and subsequently used by criminals to steal your assets, identity or private information,'" Millis says.

7. Internet of threats? - IoT vulnerabilities and attacks will rise and will increase the need for standardized security measures; hackers at DEF CON 2016 found 47 new vulnerabilities affecting 23 devices from 21 manufacturers.

And, of course, the massive DDoS attack of October 2016 on major global websites, including Twitter, Netflix, Reddit and UK government sites, was reportedly powered by the Mirai botnet, made up of insecure IoT devices.

"A lot of attention is focused on 'smart devices' as proof of IoT's growing influence. The reality is a connected device doesn't make it a smart device. The 'things' that are being connected often 'fire-and-forget' in their simplicity, or are built-in features and tools we may not even know are there -- like the routers used in the Mirai botnet. This leads to a mindset of ignoring these 'dumb' devices without paying attention to the fact that these devices, while inherently 'dumb', are connected to the biggest party-line ever made: the internet," says Bomgar's Matt Dircks.

This isn't just a problem for smaller consumer devices, or even for connected homes and cars. Dircks isn't even particularly focused on the possibility of another DDoS attack. What's more troubling is the potential for an attack on large, widespread infrastructure systems like the power grid, or even avionics or railway systems, he says.

"I'm not worried about things like, if my connected showerhead turns on hot or cold. I think there's a fairly significant chance we'll see a major hack on power grids or on transportation systems like rail in 2017. This is the 'dumb' IoT that's still out there -- the technology from the 1950s and 1960s that's powering these critical infrastructure systems that is almost totally unsecured," he says.

This is a perception problem; the general public doesn't tend to see these systems as being similar to the IoT devices they use with increasing frequency -- even mobile phones can fall into that category, says Millis.

"Like smart-phones before them, IoT devices are assumed to be new, separate, and not subject to the same limits, as older technology, but think about it. It's nonsense: Smartphones are the most plentiful internet device around. IoT is the next hyper-jump in scale. Some organizations are wisely ahead of the curve a little bit this time, trying to head off the same security issues that mobile devices are facing now. So far, activity here has all come down to prevention yet again, but we believe every device and/or connection can be compromised. Shortening dwell time and securing IoT depends on being able to tell when that inevitably happens, as quickly as possible and with the highest level of confidence," Millis says.

If you have any questions regarding your company or home cybersecurity, please contact us today at 972-712-2100. A qualified member of our staff will gladly help answer any questions you may have. iComEx serves Dallas, Frisco, Plano, Allen, McKinney, Sherman, Denison, Pottsboro, and all points North and South of the Texoma border.

This story, "2017 security predictions," was originally published by CIO and was written by Sharon Florentine, Senior Writer.

Viable Videos For Professionals In Security

RSA 2017 CyberSecurity Event

RSA Conference, the world's largest cybersecurity conference, was held February 13-17, 2017, in San Francisco, with attendees from around the world gathering to hear the latest strategies for fighting cyberattacks. Attendees viewed the latest hardware and software to protect their most valuable corporate assets. Here are some brief descriptions of and references to new security products announced at the conference.

All good things have to come to an end, and the final day of RSA Conference 2017 on the 17th was no exception. The Emmy Award-winning writer and current Late Night host brought his brand of humor and intellect to the RSA Conference stage, and the feeling among attendees is that this has been a year to remember.

The RSA Conference 2017 featured 15 keynote presentations, more than 700 speakers across 500+ sessions and more than 550 companies on the expo floors. A record number of more than 43,000 attendees experienced keynotes, peer-to-peer sessions, track sessions, tutorials and seminars. Those who could not attend, and who understand they truly missed an event, have a way to catch up.

Never fear, the cameras were there: take a lunch break, or sit down with key staff, and review any or all of the media below to get back in the know!

YouTube –  YouTube Videos From RSA 2017

Flickr –  Flickr Posts From RSA 2017

RSAC TV  – RSA Videos Posted

Looking ahead to this year and beyond, the RSA Conference 2017 staff enjoyed putting on the show for security professionals. To continue the journey, join them at RSAC Unplugged London on June 8, 2017. RSA Conference 2017 Asia Pacific & Japan takes place July 26-28, 2017, in Singapore, and RSA Conference returns to Abu Dhabi November 7-8, 2017. For those really planning ahead, RSA Conference 2018 takes place April 16-20, 2018, again in San Francisco. Save the dates!

Heard in the Press Room

Info Security: #RSAC: Dame Stella Rimington Reflects on a Career at MI5

IDG Connect: RSA: Eric Schmidt shares deep learning on AI

Help Net Security: Global geopolitical changes driving encryption adoption

RSA Conference conducts information security events around the globe that connect you to industry leaders and highly relevant information. We also deliver, on a regular basis, insights via blogs, webcasts, newsletters and more so you can stay ahead of cyber threats.

Security policy, behavior and analytics for emerging architectures matter to every industry professional. As we embrace containers, microservices and serverless applications hosted on hyperconverged infrastructure, the potential for a simpler and more effective approach to security is emerging. For access to critical training, products, information and forecasts of future needs, we invite all our clients, individual and professional, to examine these invaluable videos about what took place at RSA last week. Click here and get educated.

Multiple Strategies Bring New Website Visitors

Drive Traffic To Your Website In 2017

We agree: more new website traffic is necessary to succeed in running any online business. New visitor traffic is your lifeblood, because it enables your business model to work and pays your bills every month. How to get it is a complex challenge for everyone. Our thought is that, with evaluations from industry professionals like Credo's John Doherty setting the standards, you too can benefit from professionals like us who contribute to successful websites. Begin implementing multiple strategies designed especially for you and your business. Bring in new visitors, find new ways to include existing clients, and retarget those who may have been eager last year but now have budgets to work with. Multiple-strategy implementation can be daily, weekly, monthly or even quarterly, depending on your budget and goals.

Not many companies that work on SEO and driving new traffic talk about re-engaging existing clients and old site visitors. If you are doing your job and your existing clients are happy, consider new products and service options geared toward your existing clients first. New budgets mean a fresh look at last year's results: what worked, what didn't, and setting goals for 2017 and beyond. These existing clients are familiar with you and your current relationship with them, and may be more ready to consider the new strategies you have to offer.

Site visitors who contacted you in 2016 are only an offer, call or marketing piece away from one more opportunity to sell them something new. iComEx can help you formulate a way to contact these potential clients, and the results may surprise you; it starts with a simple call to us. iComEx is a professional website development and search engine optimization company in the Dallas / Fort Worth metropolitan area of North Texas, ready to help you achieve your organic search engine goals, of which new site traffic is the end goal.

Consider iComEx SEO services including:


Here are some of our basic recommendations for driving traffic to your new or existing website in 2017. We would welcome an opportunity to help you with any or all of these strategies on your own website.

  1. Create New Content On A Regular Basis - This settles the question of whether to do SEO; it's imperative if you want to be visible. Increasing the number of indexable pages built around your targeted keywords brings the search engine robots back more often, and you stay relevant. High visibility means visitors who need your products and services.
  2. Be Sure To Continue To Optimize Older Content - Targeted keywords can be tracked in analytics and reported per page. You find out what is working and what isn't, and where you rank in Google. Google still accounts for around 85 percent of search, so if you optimize for Google the other search engines will find you. Frequent new content means faster robot indexing and is always in your favor.
  3. Be Sure To Launch New Products & Services Often - Meet your clients' needs. In the sales conversion funnel, new services mean new income and keep new sales opportunities ever present. Frequent touch points with these new clients are important in the conversion process too. A newsletter or mailing just for them is welcomed when it helps them, and it works.
  4. Create Online Courses For Education In Your Industry - Publish content targeted to your users' needs and to your keywords and phrases. Research, analytics and keyword research go hand in hand in driving traffic to your website and converting it into sales. You also add these visitors to your ongoing marketing efforts, building your own list, which can be segmented by type so that appropriate marketing goes to each segment throughout the year. Online course websites exist in many industries where you can post your courses, which can also help with lead generation.
  5. Include Testimonials - Place customer service testimonials in prime locations, in the sidebar on every page or at least on the home page. Visible, real success stories and customer satisfaction go a long way toward driving traffic to a business or service-based website and converting visitors into sales.
  6. Consider Launching Infographics On Your Home Page - Useful graphics like those on our iComEx home page tell a simple story and help people see and understand your content in a new way. Outreach of this type can be linked to all your existing social media as well and expose your company to a wider audience. Be sure to link in both directions between the media and your website for maximum exposure.
  7. Create a Google Account for all your Media and Videos - Posting these on the appropriate pages of your website gives you a spokesperson a click away, teaching potential new clients about you, your company, and the products and services they may need. It only takes a moment to create a moment; one click can prompt them to call you for more information.
  8. Create Quick Forms For New Visitors Asking For More Information - A quick form requesting information, a quote, a service offering geared toward their company, or even a call from you is easy to provide. We are all busy and work to the max every day. A simple form that can be completed in minutes is an easy way to get started.
  9. Do You Podcast? Post Your Interviews - Growing a podcast audience means inviting influential people onto your podcast. It's simply an audio version of a guest post or testimonial. Target podcast producers and get onto their shows too.
  10. Expand Appropriate Social Media For Your Needs - Facebook, Twitter, Pinterest and the like are affordable. If your budget supports it, AdWords is an option; maximize that exposure with new websites, special offerings, or even permanent press releases, all of which can be rotated on a regular basis quite easily. These have demographic options as well as the ability to target selected keywords that reach your potential clients.
  11. Pay Per Click Can Be A Great Tool - When used for conversion-oriented keywords, it reaches new audiences that are ready to convert right away. Keeping specific to those markets or consumers is an additional strategy to try with new products and services as well.

Thank you for taking the time to look in on the iComEx website. For 20 years we have served small and medium-size business clients in putting their websites to work for them. New strategies must bring change annually to ensure sales, and iComEx is here to help meet your challenges this year. iComEx offers a variety of website services to business clients in the United States, and we hope you consider our company as your option for 2017 in driving more traffic to your new or current website.

iComEx provides fully managed, boutique style web site hosting services, where we take a very hands-on approach to your needs. Utilizing scalable VPS hardware infrastructure, dedicated servers and best-of-breed enterprise hosting management solutions, backed by a 24/7 team of highly-trained network engineers, iComEx works proactively to prevent service interruptions and keep your website infrastructure up to date so you can stay focused on your business.

Advantage You.

Call us today at 972-712-2100 for a professional who will help you evaluate your current needs, or simply complete the form by clicking here: http://www.icomex.com/contact  We look forward to speaking with you and getting started on meeting your needs with our services.

Phishing And Your Data Protection

Technique Being Exploited

Take a few minutes to read this. Phishing schemes abound, and this one alert can go a long way toward protecting you, your business and your family's computer users from attacks like this one. Wordfence is a great source for keeping up to the minute on keeping your data safe.

This entry was posted in General Security, Miscellaneous on January 12, 2017 by Mark Maunder

Update at 11:30pm on Tuesday January 17th: I have received an official statement from Google regarding this issue. You can find the full update at the end of this post.

As you know, at Wordfence we occasionally send out alerts about security issues outside of the WordPress universe that are urgent and have a wide impact on our customers and readers. Unfortunately this is one of those alerts. There is a highly effective phishing technique stealing login credentials that is having a wide impact, even on experienced technical users.

I have written this post to be as easy to read and understand as possible. I deliberately left out technical details and focused on what you need to know to protect yourself against this phishing attack and other attacks like it in the hope of getting the word out, particularly among less technical users. Please share this once you have read it to help create awareness and protect the community.

The Phishing Attack: What you need to know

A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this:

You go ahead and sign in on a fully functional sign-in page that looks like this:

[Image: Gmail data URI phishing sign-in page]

Once you complete sign-in, your account has been compromised. A commenter on Hacker News describes in clear terms what they experienced over the holiday break once they signed in to the fake page:

The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.

The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.

Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.

Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.

What I have described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate. However, this technique can be used to steal credentials from many other platforms with many variations in the basic technique.

How to protect yourself against this phishing attack

You have always been told: “Check the location bar in your browser to make sure you are on the correct website before signing in. That will avoid phishing attacks that steal your username and password.”

In the attack above, you did exactly that and saw ‘accounts.google.com‘ in the location bar, so you went ahead and signed in.

To protect yourself against this you need to change what you are checking in the location bar.

This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:

[Image: Gmail phishing data URI, widened to show the script]

There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.

As you can see on the far left of the browser location bar, instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘https://accounts.google.com….’. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.

You are probably thinking you’re too smart to fall for this. It turns out that this attack has caught, or almost caught, several technical users who have tweeted, blogged or commented about it. There is a specific reason why this is so effective, and it has to do with human perception. I describe that in the next section.

How to protect yourself

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

Gmail phishing secure URI example

Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
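The check above can be expressed in code. The following added example (not from the original post) contrasts the glance-and-substring check most people make with the protocol-then-hostname check recommended here, using the browser's own URL parser; the location-bar strings are constructed samples and the data: payload is a harmless placeholder.

```javascript
// Constructed sample location-bar strings (not real phishing content).
// The data: one has the same shape the post describes: the reassuring
// "https://accounts.google.com" text sits inside the data URI's payload,
// padded with whitespace, and is NOT the page's hostname.
const SAMPLES = {
  genuine: "https://accounts.google.com/ServiceLogin?service=mail",
  phishing: "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
            " ".repeat(40) + "<!-- constructed placeholder, no script -->",
  plainHttp: "http://accounts.google.com/ServiceLogin",
};

// The check a hurried user actually performs: "do I see accounts.google.com?"
// A data: URI passes this trivially because the string is in its payload.
function naiveLooksLikeGoogle(href) {
  return href.includes("accounts.google.com");
}

// The check the post recommends: verify the protocol, then the hostname,
// which implies nothing precedes the hostname other than "https://".
function isGenuineSignIn(href, expectedHost) {
  let url;
  try {
    url = new URL(href);  // WHATWG parser, the same one the browser applies
  } catch {
    return false;         // unparseable input: treat as not verified
  }
  // For "data:" URLs the parser reports protocol "data:" and an empty host,
  // so the hostname comparison fails regardless of what the payload says.
  return url.protocol === "https:" && url.hostname === expectedHost;
}

// Summarise what the location bar really contains for a given string.
function classify(href) {
  let url = null;
  try { url = new URL(href); } catch { /* leave null */ }
  return {
    protocol: url ? url.protocol : null,
    hostname: url ? url.hostname : null,
    naive: naiveLooksLikeGoogle(href),
    verified: isGenuineSignIn(href, "accounts.google.com"),
  };
}

for (const [name, href] of Object.entries(SAMPLES)) {
  console.log(name, classify(href));
}
```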

Enable two factor authentication if it is available on every service that you use. GMail calls this “2-step verification” and you can find out how to enable it on this page.

Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack. However I have not seen a proof of concept, so I cannot confirm this.

Why Google won’t fix this and what they should do

Google’s response to a customer asking about this was as follows:

“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are – obviously – trivial. Unfortunately that’s how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any http[s] page just as well.”

This is likely a junior person within the organization based on the grammatical errors. I disagree with this response for a few reasons:

Google have modified the behavior of the address bar in the past to show a green protocol color when a page is using HTTPS and a lock icon to indicate it is secure.

Gmail phishing secure URI example

They also use a different way of displaying the protocol when a page is insecure, marking it red with a line through it:

During this attack, a user sees neither green nor red. They see ordinary black text:

That is why this attack is so effective. In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected. [Read more: Gestalt principles of human perception and ‘uniform connectedness’ and Content Blindspots]

In this case the ‘data:text/html’ and the trusted hostname are the same color. That suggests to our perception that they’re related and the ‘data:text/html’ part either doesn’t matter or can be trusted.

What Google needs to do in this case is change the way ‘data:text/html’ is displayed in the browser. There may be scenarios where this is safe, so they could use an amber color with a unique icon. That would alert our perception to a difference and we would examine it more closely.

Update: How to check if your account is already compromised

I’ve had two requests in the comments about this so I’m adding this section now. (at 9:39am Pacific time, 12:39am EST).

There is no sure way to check if your account has been compromised. If in doubt, change your password immediately. Changing your password every few months is good practice in general.

If you use GMail, you can check your login activity to find out if someone else is signing into your account. Visit https://support.google.com/mail/answer/45938?hl=en for info. To use this feature, scroll to the bottom of your inbox and click “Details” (very small in the far lower right hand corner of the screen). This will show you all currently active sessions as well as your recent login history. If you see active logins from unknown sources, you can force close them. If you see any logins in your history from places you don’t know, you may have been hacked. [Thanks Ken, I pasted your comment in here almost verbatim. Very helpful.]

There is a trustworthy site run by Troy Hunt, a well known security researcher, where you can check if any of your email accounts have been part of a data leak. Troy’s site is https://haveibeenpwned.com/ and it is well known in security circles. Simply enter your email address and hit the button.

Troy aggregates data leaks into a database and gives you a way to look up your own email in that database to see if you have been part of a data breach. He also does a good job of actually verifying the data breaches he is sent.

Spread the word

I’ll be sharing this on Facebook to create awareness among my own family and friends. This attack is incredibly effective at fooling even technical users for the reasons I have explained above. I have the sense that most ordinary users will be easy pickings. Please share this with the community to help create awareness and prevent this from having a wider impact.

Mark Maunder – Wordfence Founder/CEO – @mmaunder

Update: Official Statement from Google

This is an update at 11:30pm PST on Tuesday the 17th of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following official statement from Google:

We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.

I asked Aaron two follow-up questions:

Chrome 56 will include the text “Not secure” in the location bar on non-SSL websites where a page contains a password field or credit card input field. This is a fine example of a visual indication in the location bar that helps secure users. Are the Chrome dev team considering some visual indication in the browser location bar for data URIs? That would help defeat this attack because, currently, there is no visual indication of anything awry when viewing a phishing data URI. It’s worth noting that the safe browsing system is currently unable to detect malicious data URIs because it is currently geared for traditional hostname-path URLs.

Second question: Emails that contain malicious data URIs are the attack vector in this case. Are the GMail team considering any additional filtering or alerting related to data URIs as attachments in the GMail web application?

I think any guidance you can provide on the above two questions will go a long way to put Chrome and GMail users’ minds at ease.

He responded with:

I can’t speak to things that aren’t out yet, but *please* watch this space. Should have more to share soon

My thoughts on this response:

I think this is a perfectly acceptable response from Google. To be clear, there are several teams within the Google organization that this affects:

The Google Chrome browser team would be the ones to implement any change in the location bar behavior when viewing a phishing data URI. The GMail team would implement filtering and alerting within the GMail application when a data URI attachment is received along with other associated phishing markers. The Google Safe Browsing team may add support for malicious data URIs in the GSB API and make that available to the Chrome browser team.

There may be other parts of the Google organization that this touches, including operations.

Asking Aaron to provide early guidance on how Google will mitigate this when it affects so many teams was a big ask, but I would be remiss if I didn’t hit him with a couple of follow-up questions. The good news is that Google is aware of the issue and we have an official statement that indicates there will be something forthcoming in future releases of Chrome, GMail and possibly other products that can help mitigate this.

1 Billion Accounts Have Data Stolen

Yahoo Logo

Yahoo has announced another huge security breach, leaving its users fretting once again about their personal information.

If you have seen the latest news on mainstream TV, you will know that a serious Yahoo data breach is again making headlines. Reports from all major news agencies say the latest data theft affected more than one billion accounts, Yahoo says. That's roughly double the number involved in the cybersecurity incident it announced in September, which is believed to be separate.

"Yahoo has now won the gold medal and the silver medal for the worst hacks in history," said Hemu Nigam, CEO of online security consultancy SSP Blue.

The embattled tech company said it's notifying users who may have been affected by the breach and making them change their passwords. The problem is it happened all the way back in August 2013. That means whoever plundered the information has had more than three years to exploit it, security experts say. But there are still several ways to make your information more secure.

Use different passwords for all online accounts

People who create a really strong password for one site but then use it across others are vulnerable to attacks, said Shuman Ghosemajumder, chief technology officer of Shape Security. Having your credentials stolen "is a matter of the lowest common denominator, the site with the least security," he said. Hackers obtained more than just names and passwords in the Yahoo breach -- they also nabbed answers to security questions. Cybercriminals can use that info to conduct automated attacks called "credential stuffing." That's when hackers take the stolen information of millions of users and build a program that tries to log in to other online accounts like banking, retail and airline rewards.

Yahoo is advising people to change the passwords and security answers on any other accounts for which they used the same or similar information as their Yahoo account. Since strong, unique passwords are a huge pain to memorize, Ghosemajumder recommends using a password manager. Platforms like 1Password or LastPass generate and store passwords and security answers for every account you have, so you only have to remember a single master password.

Beware of emails asking for more information

Hackers can use stolen credentials to craft emails that have the veneer of legitimacy, according to Nigam. Such emails might disclose the answer you gave to a security question, for example, and then ask if it's still up to date and request more information. "Criminals will give you information to gain your trust, and victimize you further," he said.


Be extra cautious about clicking on links or opening downloads from unknown email addresses. Never share any account information or passwords over email.

Block access to your credit report

Nigam recommends that you put "a freeze on your credit report and use a company that monitors your credit for you." Hackers who have valuable credentials will often try to open a credit card in your name.


When that happens, the first thing a bank will do is run a credit check. If you've put a freeze on your credit report, you will be alerted that an institution is trying to run a check and can flag that you didn't request it.

"I would strongly recommend it, even if you don't have a Yahoo account," Nigam said.

It's not all on you

Companies need to step up security measures to protect themselves not only against hacking, but also against the aftereffects of hacking like credential stuffing attacks, according to Ghosemajumder. "The trust that your users have in you is directly tied to the level of security they expect," he said. But what about closing accounts? After two major breaches, is it time to say goodbye to Yahoo?


"If you don't have confidence [in Yahoo] in the future, that's a personal decision people need to make," Ghosemajumder said, noting that Yahoo has a large security team and has invested heavily in security.

"But I think this is a severe setback for them and the entire company," he added.

-- Heather Kelly contributed to this report. http://money.cnn.com/2016/12/15/technology/yahoo-security-breach-billion-users/

Yahoo released its semiannual transparency report today, the first issued by the company since Reuters revealed earlier this month that Yahoo scanned its users’ email accounts at the behest of the U.S. government.

In an effort to inform consumers about how frequently the government snoops on their information, and how often companies are able to narrow or refuse the requests, Yahoo and many other technology companies make public on a regular basis data about requests from law enforcement agencies for user data.

“We review demands for narrowness, legal sufficiency, duration, and scope, and consider all appropriate options before we comply, including seeking clarification or modification of the demand, or even challenging the demand in court,” Yahoo general counsel Ron Bell wrote in a blog post accompanying the transparency report.

Bell was reportedly one of the Yahoo executives, along with CEO Marissa Mayer, who approved the installation of software in spring 2015 that scanned Yahoo email accounts for specific data. The software was quickly discovered by members of Yahoo’s security team, who initially believed hackers had broken in and installed the program. The resulting clash between leadership and security engineers reportedly led to the departure of chief information security officer Alex Stamos.

As we previously reported, Yahoo’s spring 2015 transparency report does not reflect an unusually high number of data disclosures to the government, as might be expected from a dragnet email scanning program. At the time, the company only reported 21,000-21,499 user accounts requested under the Foreign Intelligence Surveillance Act and 0-499 accounts requested with National Security Letters. However, Yahoo allegedly scanned all of its nearly 300 million users’ email accounts, a vastly larger group than reported.
