Following the news around the World Wide Web Consortium (W3C), the organization behind all web standards, formally promoting the Web Authentication API to the title of official web standard, James Barclay, Senior R&D Engineer at Duo Security commented below. James Barclay, Senior R&D Engineer at Duo Security: “The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication. As pioneers in the authentication space, Duo Security knows that for security to be effective, it has to be easy. WebAuthn’s security and privacy protections, built-in phishing resistance and ease-of-use give it the potential to drive widespread adoption across enterprise and…
ISBuzz Team
It has been reported that Google has revealed that a Chrome patch released last week was actually a fix for a zero-day under active attack. The attacks exploited CVE-2019-5786, a security flaw and the only patch included in Chrome version 72.0.3626.121, released last Friday, March 1, 2019. According to an update to its original announcement and a tweet from Google Chrome’s security lead, the patched bug was under active attack at the time of the patch. Travis Biehn, Technical Strategist – Research Lead at Synopsys: “Google Chrome is some of the most robustly engineered C and Cpp code on the planet, the security…
Cardiff was the UK’s first test-bed for facial recognition technology that can scan thousands of faces and match them to a watchlist. https://twitter.com/mugsensation/status/1103396879709229056 Expert Comments below: David Emm, Principal Security Researcher at Kaspersky Lab: “Facial recognition plays an ever-increasing role in our lives, and it’s no surprise to see police in Cardiff trialling new tactics through enhanced technology. However, it’s important for law enforcement – and other implementers of the technology – to remember that facial recognition technology is not perfect. We’ve seen problems that still exist; for example, the recent case with Amazon’s facial recognition technology demonstrated that there is a lot of work to be…
Following a recently published report by cybersecurity firm Comparitech, which revealed that 3 in 5 politicians’ websites don’t use basic HTTPS encryption, Tim Helming, director of product management at DomainTools, offers the following commentary. Tim Helming, Director of Product Management at DomainTools: “Considering the state of both online security and political discourse, this is a worrying study. Organisations that fail to use HTTPS encryption are leaving themselves open to interception of traffic, which can help to damage brand reputation and, more dangerously, be used to facilitate cybercrime. For politicians, this is even more relevant, as failing to use appropriate HTTPS protection leaves them open to…
New Mobile malware evolution 2018 findings from Kaspersky state that “Users of mobile devices in 2018 faced what could be the strongest cybercriminal onslaught ever seen. In 2018 we recorded a doubling of the number of attacks using malicious mobile software: 116.5 million (against 66.4 million in 2017).” Incidents of mobile banking trojans, dropper trojans, adware and miners were all analyzed. “New records were set in terms of both number of mobile banking Trojans detected and number of attacked users. The root cause of this hike is not clear, but the main culprits are the creators of the Asacub and Hqwar Trojans.” Expert Comments below: Sam Bakken, Senior Product Marketing Manager…
It has been reported that the NSA has released an open-source reverse-engineering tool called Ghidra into the public domain. https://twitter.com/NFGMBA/status/1103629078198972417 Expert Comments below: Adam Brown, Manager of Security Solutions at Synopsys: “Ghidra made open source will be of interest to security consultants and hackers; however, it’s not like anyone didn’t have this capability before with other tools. The process of reverse engineering – understanding the intricacies of how a piece of software processes its data and how it flows while only having the binary executable code – is not a simple process, therefore this tool is only useful in very capable hands. Despite Ghidra having user interface features to…
According to the APWG’s Q4 2018 Phishing Activity Trends Report, the number of confirmed phishing sites declined as 2018 progressed. The total number of phishing sites detected by APWG in Q4 was 138,328 – down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1. This general decline in the number of phishing campaigns as the year went on may have been a consequence of anti-phishing efforts – and/or the result of criminals shifting to more specialized and lucrative forms of e-crime than mass-market phishing. On the other hand, phishing that targeted SaaS and Webmail services jumped from 20.1 percent…
Following the news that CyberInt has discovered a re-emerging international phishing campaign that delivers Ramnit Worm/Botnet malware targeting financial organisations in Asia which it believes is heading for the UK as well, Corin Imai, senior security advisor at DomainTools offers the following commentary. Corin Imai, Senior Security Advisor at DomainTools: “Unfortunately, there is no one-size-fits-all advice against phishing campaigns, which maintain effectiveness because they are continuously edited and upgraded to look legit. Criminals consistently up their game, designing backsplashes and corporate-looking malicious landing pages, coupled with social engineering techniques such as impersonating an anti-fraud exercise, making it very tricky for people to recognise an email as fraudulent. The stranger-danger rule of thumb should be applied…
Mimecast’s latest report reveals that one in 61 emails to corporate inboxes contains malicious links. In light of this news, Jake Moore, Cyber Security Specialist at ESET, commented below. Jake Moore, Cyber Security Specialist at ESET: “Targeted attacks where hackers know far more about you than you realise are better disguised and often get through using social engineering techniques. Coercing someone into clicking on a link with well-crafted emails has become a full-time job for cyber-criminal gangs. They are able to collect a huge amount of information on their victims before they drop the email and make it look like it’s come from…
Today the government has published its annual FTSE 350 Cyber Governance Health Check, which assesses and reports on cyber security risk management in the UK’s 350 largest firms. The main findings were: many boards still don’t fully understand the potential impact of a cyber-attack. Less than a fifth (16%) of boards have a comprehensive understanding of the impact of loss or disruption associated with cyber threats. This is despite almost all (96%) having a cyber security strategy in place. Additionally, although the majority of businesses (95%) do have a cyber security incident response plan, only around half (57%) actually test them on…
