Thomas Richards
Principal Consultant
Synopsys
Comments posted: 6
September 15, 2020
Organisations should conduct regular social engineering assessments against their staff to raise awareness
Social engineering is a very common attack strategy which threat actors use to gain access to applications or systems within a corporate network. At Synopsys, based on our security assessment services, we have found that at least one person will always fall for our social engineering attempts. To prevent a successful attack, there are several compensating controls an organisation can put in place. To start, any sensitive applications should have access restricted to the internal corporate...

July 30, 2020
Once an account is compromised, the attackers could use that account to facilitate additional compromise.
With the ability to send messages to users, the chances of social engineering within the application are high. There is both a mobile and web interface which gives attackers the possibility to script sending messages to various users with the aim of compromising user profiles. Setting up fake accounts with attractive photos has been used before in phishing attacks and could certainly be used again. Once an account is compromised, the attackers could use that account to facilitate additional...

July 24, 2020
Google and Facebook appear to have strong account password policies and protections
"From the information that has been released thus far, we know that Instacart allows users to use three possible methods of authentication: an Instacart account, Google, and Facebook. While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires 6 characters. This is below the industry standard and is considered a weak password policy. I don’t believe phishing is a likely attack vector in this case, as it would take much ...

January 23, 2020
Based on the article, the voting software will require only the name and date-of-birth of the voter to allow them to vote.
Mobile voting is an appealing option to engage more voters by removing the time and physical space requirements of going to a polling place to vote. However, mobile voting presents additional security concerns that should be taken into account before rolling out a program. Based on the article, the voting software will require only the name and date-of-birth of the voter to allow them to vote. These two pieces of information can easily be obtained through various methods, but the most appealing ...

January 01, 2020
Regarding the human controls, employee security awareness training should be mandatory for all employees.
Phishing and email-based attacks present a twofold problem for companies to solve; the first is technical controls and the second is human education. Companies should invest in a spam and email filtering service to prevent known or suspicious emails from reaching recipients. Additional controls include endpoint protection software and configuring the corporate email client to present a banner on any external emails. The banner can be used to warn recipients that it is an external email and to ...

July 31, 2019
The proliferation of the internet and connected devices has removed that barrier.
Legacy systems that were developed without stringent security requirements are turning into a hunting ground for vulnerabilities. While these systems were at one time difficult to obtain or test, the proliferation of the internet and connected devices has removed that barrier. Specialized systems are becoming more exposed, and this will inevitably lead to new vulnerabilities being discovered and published.
