News broke overnight that Google is adding three new features to Google Chrome to block websites that redirect users to new URLs without the consent of the user or the website owner, a significant setback for malvertising campaigns and a win for security professionals. IT security experts commented below.
Lisa Baergen, APR, MCC, Marketing Director at NuData Security Inc.:
“The news that an estimated quarter million logins are stolen each week serves as a wake-up call on many levels. Gmail and the Google Platform are deeply interwoven into corporations and consumers’ lives – one minor example is the number of people who are likely to have used their work email addresses to verify a new Gmail address over the last several years. Now think about the online retail implications: how many of us conduct shopping online and get confirmations via Gmail? What data does that expose?
“The October 2017 Identity Proofing Platform Scorecard from Javelin Research shows that everyone – from major merchants, to industrial boardrooms, to consumers – has a great deal to learn.
“With Black Friday, Cyber Monday and the Holiday shopping season just around the corner, it’s worth considering that merchants and other companies transacting online *can’t* determine consumer identity solely based on previously confidential consumer data and outdated authentication processes. Javelin Research notes: “In the complex financial ecosystem of 2017, a bifurcated model of identity verification and authentication fails to meet the needs of accountholders or financial institutions. Accordingly, a much more holistic approach is needed to take into account a richer array of context around the identity and behavior of the consumer.”
“Today’s news affects every company, not just those in the retail sector. Many people (including employees) continue to reuse usernames and passwords across many sites. Is it time for employer policies that prohibit the employee’s use of off-duty passwords for corporate email accounts, and likewise, the use of workplace emails as secondary verification for personal accounts? A leap from a user’s personal Gmail account into their workplace account sets up a scenario for new levels of successful Whale Phishing.
“Cybercrime isn’t “loners in the basement” anymore – it’s highly organized, well-resourced, and technologically advanced. The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call that it’s time to fundamentally re-think authentication, and incorporate continuous validation techniques using data that can’t be mimicked, such as passive biometrics. Email contains so much strategic information – it’s time to equip that ubiquitous yet critical application with the security it deserves.”
Chris Olson, CEO at The Media Trust:
“As evidenced by Google and other media industry leaders, updating the U.S. campaign finance laws to address digital advertising makes sense. Any effort to drive accountability and transparency into the digital advertising ecosystem is welcomed by most industry participants – from brands and advertisers to ecommerce and media publishers. Fundamentally, the Honest Ads Act and other industry-led initiatives require knowing and evaluating the activity of all the parties that contribute to the website/mobile app user experience. This knowledge goes a long way in managing digital vendor risk in an uncontrolled and opaque environment.”
Andy Norton, Director of Threat Intelligence at Lastline:
“Any advancement in browser safety is always a good thing. Malvertising represents a continual risk to organisational safety, especially when normally safe websites which are not inspected by traditional web security tools become compromised by malverts delivering exploit kits. This is why more and more organisations are turning to real-time dynamic content inspection platforms, for both web and email traffic, to ensure satisfactory levels of risk. As more and more organisations embrace the three pillars of security, best practices driven by new regulations such as GDPR, continuous monitoring and auditing for attacks via web traffic and email will become ever more essential.”
Mike Schuricht, VP Product Management at Bitglass:
“Organizations have few tools in place to detect and prevent credential compromise. One of the most overlooked risks is that of employees navigating to malicious websites. When phishing kits provide a site that looks legitimate, many employees willingly enter their credentials on the spoofed login page. As cloud and mobile are adopted in the enterprise, organizations need tools to achieve visibility, identify risky destinations, and prevent phishing attacks in real time.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.