Bad news for application developers and early security advice for Black Friday shoppers.
Welcome to Cyber Security Today. It’s Wednesday, November 16th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
There’s bad news for application developers who think they’re careful coders: Ninety-five per cent of the 2,700 websites and applications recently tested by researchers had some sort of vulnerability. At least 20 per cent of them were high-risk vulnerabilities, according to Synopsys, which conducted the research. Another 4.5 per cent were critical vulnerabilities. A common fault was cross-site scripting. The report concludes developers should run a wide variety of tests on their websites and applications before putting them into production, including penetration testing.
Last week I told you about a threat actor hiding malware in images in a package left on the open source PyPI Python language repository. This week researchers at Checkmarx said they have identified the attackers. They’ve been given the name Wasp. The group is still active and is releasing more compromised packages. The malware steals all of a victim’s Discord accounts, passwords, crypto wallets, credit card numbers and any other interesting files on the victim’s computer. This attack shows the importance of sharing threat intel in the open-source community, says Checkmarx.
I’ve mentioned several times that you can’t take shortcuts when creating a password. Threat actors know all the tricks. As a reminder, Specops Software of Sweden looked at the top passwords attackers tried using last month in attempting to log into systems the company protects. Common were variations of the word ‘password’, including substituting the letter ‘a’ with the ‘at’ symbol used in email addresses, dollar signs for the letter ‘s’ and a zero for the letter ‘o’. Yes, crooks figured those out a long time ago. Experts say passwords that are both safe and easy to remember are passphrases made up of three or four random words totaling more than 14 characters. And to keep track of all your passphrases, use a password manager.
Threat actors are able to create convincing fake audio messages to employees pretending to be from senior management. They can do it by using artificial intelligence on recordings of public speeches or corporate presentations executives post on social media sites like YouTube. But there may be clues that something’s wrong. For example, the caller unexpectedly asks you to shift company money or data. Another tip-off: The request is a message left when you’re not in the office, like early in the morning. However, some deepfake audios are good enough to use over the phone in conversations with victims. If you suspect a caller is a deepfake audio, Neil Sahota, an IBM expert and lead advisor to the United Nations on AI, has this advice: Toss in a random and unexpected phrase or word that doesn’t fit into the conversation. An artificial intelligence program won’t know how to respond. Another tactic is to hang up and try to reach the person you think was on the line, using a phone number you have used before, to verify they were calling.
A recently-fixed flaw in Zendesk’s analytics service called Zendesk Explore could have allowed a hacker to access a lot of sensitive data. Researchers at Varonis, who found the SQL injection vulnerability, said an attacker could have seen and copied conversations, email addresses, support tickets and more from Zendesk accounts. To have exploited the vulnerability an attacker would have had to register as a new user for the ticketing service of an organization using Zendesk Explore. Varonis says there is no evidence any Explore customer accounts were exploited. Zendesk, a software-as-a-service operation, quickly fixed the hole early in September.
Online retailers are already circulating notices for Black Friday sales. Officially they start Friday, November 25th, followed by Cyber Monday sales beginning November 28th. However, some sellers may jump the gun. Before you get trigger-happy, experts at ZeroFox warn this is also a time of online sales scams. Many will involve too-good-to-be-true pricing on computers, smartphones, earbuds and other products. Many will use look-alike websites of brand-name manufacturers or retailers. So before the online holiday sales really kick in, remember this: Avoid clicking on links sent via social media or email offering deals. Instead go to sites directly to verify offers, especially coupon promotions. Hover over links before clicking: If the product is supposed to be sold by Joe’s Retailing, why does the link go to www.oxnard123.co? And be suspicious of unique payment methods, such as only being able to pay via PayPal. Police say paying by credit card online is the safest way.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.