Digital Data Communications, Inc.


January 19th, 2016

Weekly Technology Security News From Around The Web

Each week we scour the web to discover the latest developments, news and tips that will help you keep your technology (and your business) safe and secure.

Here are the most interesting articles we’ve found this week that could be helpful to you:


 

83% of InfoSec Pros Think (Another) Successful Cyberattack On Critical Infrastructure Likely In 2016

When 2900 cybersecurity experts voice their opinions, we listen. This article gives you valuable insights into what these experts are thinking – and how it can impact the security of your organization.

Believe it or not, basic cybercrime does not win the top spot as the worst threat to organizations, according to respondents; in fact it’s not even in the top three. Social engineering is number one (52.26%), followed by insider threats (40.34%) and advanced persistent threats (38.84%) — all ahead of cybercrime, malware, and distributed denials of service.

22 Sites Where You Should Enable Two Factor Authentication RIGHT NOW

Two factor authentication is a vital line of defense against attackers. Here is a good list of sites that support two factor authentication that you should enable as soon as possible.

Some of the most popular websites have added another layer of security that makes it a lot harder for attackers to get to your stuff. The cool part is that these same websites have worked really hard to make sure this extra layer of security isn’t a huge hassle for legitimate users.

Security Experts Speak: Biggest AppSec Priorities and Concerns in 2016

Another great article with lots of good insights into what top security pros are worried about in 2016.

To help give a bit of perspective to what top security experts are gearing up for this year, we asked eight of the world’s top security experts in various roles, including a pentester, several CISOs, a secure developer, a security engineer and an international speaker on security topics, to share their thoughts with us.

Malvertising – why fighting adblockers gets users’ backs up

A new type of attack has recently been spreading around the internet. This form of attack adds malicious code to otherwise good websites (which you might visit).

…malvertising, short for malicious online advertising, which is where usually-trustworthy sites temporarily go rogue because one of the ads they display turns out to be booby-trapped, and tries to foist malware or potentially unwanted content on your computer.

A Flaw on eBay’s Site Allowed Hackers To Steal User’s Passwords

This is a scary situation: attackers have managed to plant a phishing site within the eBay domain. Most phishing scams just try to replicate the website’s look and feel. This criminal was able to inject this malicious webpage into the eBay.com domain. This particular presentation would have fooled almost all casual observers. There are two key takeaways:

  1. Have Two Factor Authentication (2FA) enabled for every site possible, especially ones with access to critical data or information about yourself (eBay, bank accounts, credit cards, etc…)
  2. These scams start out as a standard phishing scam where the attacker sends an email to you and tries to get you to click on a link that will lead you to the compromised site.

This is a common web bug, also known as XSS, which attackers can exploit to inject malicious code into a website. Several websites in the past have been hit with XSS vulnerabilities. Perhaps the most well-known case of XSS is when a teenage Samy Kamkar, now a well-known security researcher, was able to trick one million MySpace users into becoming his friend thanks to a self-replicating worm that took advantage of an XSS bug on the social network. That incident, which put Kamkar in the law’s cross hairs, changed the internet for

PayPal and zero dollar invoice spam

This is another interesting new way scammers found to send spam without being detected by the normal filtering process. The normal phishing rules don’t protect you against this one.

Mac Users Vulnerable To Malware As Gatekeeper Security Hole Not Yet Fixed Four Months After Discovery

Everyone always said that the Mac’s day for security issues was coming. I think it has finally arrived. Mac users: you’re not as secure as you think.

While Gatekeeper carries out several checks on apps before they are launched on a Mac, it does not prevent apps from running or loading other apps or dynamic libraries from an alternate directory. This is because Gatekeeper only verifies the first application that the user launches.

The security researcher who found the Gatekeeper vulnerability has released a tool that fixes the issue until Apple releases a patch.

Wardle has released a personal tool named Ostiarius that would do a better job than Gatekeeper in the prevention of such attacks for the protection of OS X users, as it could block the execution of all unsigned Internet binaries.

Internet Explorer 11 – now the only way to go

Finally, one of the buggiest pieces of software has deprecated all versions except the latest: Internet Explorer 11.

…the Internet Explorer cumulative update that was published by Microsoft on Tuesday 12 January 2016 (MS16-001) is the last ever update for Windows 7 that will patch IE 8, 9 and 10.

Filed Under: Weekly Technology Security News

January 12th, 2016

Weekly Technology Security News From Around The Web


Antivirus software could make your company more vulnerable

You rely on your antivirus software to keep your technology safe from attacks. But what if these very tools can be used to break into your organization? Bad news: they can.

Security researchers are worried that critical vulnerabilities in antivirus products are too easy to find and exploit

When it Comes to Cyberattacks, Half Protected is Half Not Protected

Your credentials are your digital “keys to your kingdom”. Protecting your credentials is one thing. But making sure that your credentials don’t have more rights than are needed on a daily basis is just as important. This article shows why Security Awareness and proper Privileged Account controls will continue to be extremely important in the effort to keep small and medium businesses safe from information security “bad actors”.

According to cyber security experts Verizon and Mandiant, over half — and trending toward 100% — of recent data breaches were due to compromised credentials. These credentials are the digital “keys to the kingdom” and give hackers everything they need to access corporate apps, siphon off sensitive data and damage or destroy critical systems.

The Latest Pawn in the Warranty Fraud Game? Fitbit Users – McAfee

Even your fitness device can be a security threat. Make sure that you don’t use the same password that you use for your personal or work email account for other accounts. If attackers gain access to these less secure accounts, your critical accounts can be easily breached.

All that stands between you and a cybercrime is a not-so-strong login. In fact, just this week, the problem of weak passwords played a strong role in the latest hacker ploy: a warranty fraud scheme aimed at Fitbit users.

Data Insecurity: Flawed Technology Or Outdated Business Process?

Business process security is another soft target that can be taken advantage of.

When it comes to protecting critical data, legacy processes are just as vulnerable as legacy software.

At a recent healthcare conference I attended, one insurance company compliance executive admitted that his organization found eight copies of their main patient record database in their enterprise environment

Fake Tech Support Scams Evolve to Include Support, Purchase History

Fake Tech Support scams keep evolving. Each iteration of these scams gets harder and harder to tell from a real call. For SMBs, the telltale sign is that Dell would not call you directly about product support. If there is ever a doubt whether a call like this is legitimate, offer to call them back using the vendor information that you have on file. Or better yet: contact your Managed Service Provider to have them ferret out the situation.

Various other versions of this scam can involve ransomware being installed on victims’ PCs, which can cost the victims quite a bit of money. However, the latest variant involves not random, ill-informed people throwing things against the wall, but rather highly knowledgeable scammers who know highly specific details of each target’s history with the company they’re spoofing. A case in point is a recent rash of calls to Dell customers in which the caller says he is from Dell itself and is able to identify the victim’s PC by model number and provide details of previous warranty and support interactions with the company.

James Veitch: This is what happens when you reply to spam email

Scammer tries to scam innocent guy. Guy messes with scammer. Here’s a funny video about one guy having enough and fighting back. I don’t recommend this, but it’s funny nonetheless.

Suspicious emails: unclaimed insurance bonds, diamond-encrusted safe deposit boxes, close friends marooned in a foreign country. They pop up in our inboxes, and standard procedure is to delete on sight. But what happens when you reply? Follow along as writer and comedian James Veitch narrates a hilarious, weeks-long exchange with a spammer who offered to cut him in on a hot deal.

Cyber Wars: Star Wars of Cyber Crime

Getting confused with all these technical terms thrown around when talking about cyber crime? Are you more familiar with Star Wars instead? Then this funny Star Wars to Cyber Crime analogy will entertain you!

Life in the Galaxy hasn’t been the same since the emergence of cyberspace. Cyberspace’s impact on life has been colossal. Galaxy citizens now refer to it simply as the Internet – the international network where all species communicate and share their experiences, powers and thoughts.

Filed Under: Weekly Technology Security News

January 5th, 2016

Weekly Technology Security News From Around The Web


Advent tip #24: The Big One!

The Sophos Security Blog put together a great list of cyber security tips and published it in December. Here are a bunch of simple, but really important security tips to use your technology responsibly.

Software with the most vulnerabilities in 2015: Mac OS X, iOS, and Flash | VentureBeat | Security | by Emil Protalinski

Did you know that six out of the top ten pieces of software with the most vulnerabilities of 2015 are in regular use by small- and medium-sized businesses across the country? They are. Read this article to see if you use these vulnerable tools (and how to use them safely).

Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities.

The Employee Password Habits That Could Hurt Enterprises

If your employees use weak passwords, they can hurt your company. Quality passwords are one of the easiest safeguards your company can adopt to reduce its attack surface. Read more about it in this article.

Inside an SMB Hack | Breach Secure Now!

This research conclusively shows that security breaches are more likely to happen in small and medium businesses.

In a Verizon Data Breach Investigations Study, they found that 71% of breaches occurred in businesses with less than 100 employees. You would think that Small to Midsize Businesses (SMBs) would be very worried about security. And many SMBs might be worried but for the majority they just don’t believe that they need to worry or that they could be a victim.

Information Security Testing Continuum – Cybersecurity Defense Solutions

Great blog post that illustrates the increasing levels of a cyber security plan.

There are a lot of companies out there who will sell you anything they can, even when your business is not ready for it. These companies are not doing our industry or your business any favors by selling assessments and tests that your business will in the end see little value in. We will try and shed some light on this for the average business owner/IT Manager.

Ransom32 Is a JavaScript-Based Ransomware That Uses Node.js to Infect Users

New threat incoming. Ransomware authors continue to innovate. This particular version is cross-platform and spread by phishing emails.

Ransom32 is currently distributed only via spam email campaigns. This is a classic method of distributing any type of malware, not just ransomware, and is not unique to Ransom32.

Microsoft mirrors rivals, pledges to warn customers of state-backed hacks after leaving users in the dark | Computerworld

Just in case you missed it, cloud providers are going to notify users of government requests for information. Microsoft finally joins the pack.

Microsoft this week announced that it, too, would alert users when they are beset by state-sponsored cyber attacks, following the lead of Google, Facebook and, most recently, Yahoo.

Filed Under: Weekly Technology Security News

December 29th, 2015

Weekly Technology Security News From Around The Web

Security’s Biggest Winners and Losers in 2015 | WIRED

This is a quick overview of the cyber security stories that made the headlines this year.

THIS YEAR, LAWMAKERS surprised us by taking initial steps—albeit, baby ones—to rein in some of the NSA’s mass spying and provide better oversight of the intelligence agency’s activities. It’s unclear, however, if these gains and other privacy victories will hold or will be undone in the panic after the Paris attacks.

15 Cybersecurity Lessons We Should Have Learned From 2015, But Probably Didn’t

Cyber security threats are everywhere: from breaches to Flash, zero days, ransomware, and “insiders”. You can’t hide from them. The only way to feel safe is to become aware of the issues and the techniques to deal with them.

Another infosec year is almost in the books. What did all the breaches, vulnerabilities, trends, and controversies teach us?
As is the case every year in the cybersecurity field, 2015 was full of lessons to be learned. Some brand new, others that it’s absurd we haven’t learned yet.

Cyveillance Weekly Phishing Report – December 28, 2015

Staggering phishing numbers show that this cyber scam keeps growing each month. With overall increases in spam, how long will it be before email goes away for good?

In this week’s phishing activity report, we saw an increase (>35%) in overall phishing activity for the top 20 brands we’re tracking, grouped by industry. Banking (>145%) and Computer Hardware (>100%) saw the greatest increases in phishing activity last week. While we saw an increase in almost all industries last week, Telecommunications (>15%) was the only industry which showed a slight drop.

Top 5 Cyber Security Predictions for 2016 : security

Ransomware is one of the most prevalent security issues companies will face in 2016. Here are a few other things to keep your eyes on this year.

Until now, hackers have used ransomware – or malware that prevents users from accessing their data until they pay a ransom fee – as forms of petty crimes against small businesses and government agencies. And although ransomware has been around for decades, there’s been a steep rise, specifically a 165% increase, in ransomware related incidents this past year.

Filed Under: Weekly Technology Security News

© Copyright 2015 Digital Data Communications, Inc. · All Rights Reserved · by ITVC