Phishing attacks succeed 45 percent of the time, which is why Google launched a free Password Alert on Wednesday, Google Security Engineer Drew Hintz and Google Ideas Product Manager Justin Kosslyn wrote in a blog post. “Nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords.” Google’s new Password Alert protects Google and Google Apps for Work accounts by warning when a site that isn’t a Google sign-in page asks for a Google password, they said. The Chrome extension remembers a “scrambled” version of the Google password for a consumer account, so if that password is typed into a site that isn’t actually a Google page, Password Alert notifies the consumer, Google said. For Google Apps for Work customers, an administrator can receive alerts when a problem is detected, they said. “This can help spot malicious attackers trying to break into employee accounts and also reduce password reuse,” Google said.
A new survey paid for by CTIA found that 61 percent of Americans who own smartphones and tablets use PINs and passwords to protect them, a 20 percent increase from 2012. CTIA said the increase is a reason for the reported decline in device thefts. The FCC has made curbing device theft a priority. Recent data suggests device thefts are down 40 percent in London, 22 percent in San Francisco and 16 percent in New York City, according to numbers released at the April meeting of the FCC Technological Advisory Council (see 1504010055). “One of the reasons for this increase by Americans to protect their personal data stored on smartphones and tablets is thanks to the collective wireless industry’s consumer education activities as well as the initiatives developed by individual companies,” CTIA said. Harris Poll conducted the online survey. CTIA released only preliminary results, the association said Thursday.
A 40 percent plurality of registered voters in a Morning Consult poll said cyberattack prevention should be Congress’ top technology agenda focus this year, said Morning Consult, an email briefing service, Monday. The House passed two cybersecurity information sharing bills last week -- the Protecting Cyber Networks Act (HR-1560) and the National Cybersecurity Protection Advancement Act (HR-1731) -- that House leaders will now combine into a single bill for Senate consideration (see 1504230062 and 1504220066). The full Senate hasn't voted on its own information sharing bill, the Cybersecurity Information Sharing Act (S-754). Data security standards ranked as voters’ second most-identified top tech policy priority, getting the support of 19 percent of voters. Surveillance reform ranked third at 10 percent of voters, while net neutrality came in fourth at 8 percent and drone regulation ranked fifth at 7 percent. Morning Consult said it surveyed 1,595 registered voters April 17-20 for the poll.
The Internet Crime Complaint Center (IC3) issued an alert warning law enforcement personnel and public officials of increased risk of cyberattacks. “Doxing -- the act of gathering and publishing individuals’ personal information without permission -- has been observed,” IC3 said in Tuesday's alert. “Hacking collectives may exploit publicly available information identifying officers or officials, their employers, and their families,” IC3 said. “These target groups should protect their online presence and exposure.”
British Telecom launched what it’s calling an “ethical hacking service” to test the exposure of connected cars “and help all market players develop security solutions,” the company said in a Monday announcement. Connected cars rely on a variety of connectivity options, including WiFi, 3G or 4G mobile data links, Bluetooth and other wireless technologies, BT said. “These provide a range of new on-board features and value-added services, such as predictive systems to bypass traffic jams, reduce carbon emissions, improve safety and vehicle performance. Vehicles are also becoming more connected through electronic systems like navigation, infotainment, and safety monitoring tools.” The proliferation of these services also “raises concerns about the ability of hackers to gain access and control to the essential functions and features of those vehicles and for others to use information on drivers' habits for commercial purposes without the drivers' knowledge or consent,” it said. BT is extending its security expertise to “advise vehicle manufacturers, insurance companies and other players in the automotive industry, with the aim of identifying and fixing vulnerabilities before the keys of a new vehicle are handed to a proud owner,” it said. The program it’s launching involves a range of tests targeted at the “attack surfaces” of the vehicle, BT said. “These cover interfaces that are accessible inside the car, such as Bluetooth links, USB ports, or the DVD drive, as well as external connections such as links to mobile networks or power plugs. BT looks at the end-to-end security by testing and verifying all the systems that interact with the connected vehicle. The ultimate objective is to identify vulnerabilities that would allow unauthorized alteration of configuration settings or that would introduce malware into the car.”
From May 2012 to March 2015, the FBI’s Internet Crime Complaint Center (IC3) “received complaints regarding criminals hosting fraudulent government services websites in order to acquire Personally Identifiable Information (PII) and to collect fraudulent fees from consumers,” the FBI said Tuesday in a public service announcement. The volume and loss amounts are minimal, but the victims' PII may have been used by criminals to create fraudulent IDs, passports, loans and tax refunds, as the PII often includes the victim’s name, address, phone number, email address, Social Security number, date of birth and mother’s maiden name, the FBI said. The bureau said the “fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website” instead of the real government website.
Akamai Technologies has become a strategic investor in Rubicon Labs, the cybersecurity firm said Wednesday. Rubicon said it has now closed its Series A financing round after garnering a combined $11 million from Akamai and earlier investors Pelion Ventures and Third Point Ventures. “Akamai invested in Rubicon because it has the unique capability to make encryption keys invisible so that authorized users and potential hackers alike have no knowledge of what they are,” Akamai Chief Architect Stephen Ludin said in a news release. “Rubicon has developed a true zero knowledge system whose protocols are cryptographically sound for use in data centers but also light enough to scale down to emerging IoT applications.” Akamai's investment “represents an opportunity for Rubicon to work closely with the industry’s leader in cloud security to explore and develop next-generation secure communications technology,” Rubicon CEO Dave Lundgren said in a news release.
Some WordPress sites for news organizations, commercial entities, religious institutions, federal, state and local governments, foreign governments and a variety of other domestic and international organizations were defaced by “individuals sympathetic to" ISIS, who exploited WordPress plug-in vulnerabilities, the FBI said Tuesday in a public service announcement. The FBI said the “defacements demonstrate low-level hacking sophistication” but are “disruptive and often costly." Software patches are available for identified vulnerabilities, the FBI said.
Most companies aren't prepared for a data breach, since 57 percent of respondents outside the Security for Business Innovation Council (SBIC) that have formal incident response plans have never updated or reviewed their plans, said a news release from RSA Tuesday on a global breach readiness survey. The RSA survey covered 30 countries and compared its results with a survey of SBIC members, the release said. Using the SBIC results as a benchmark, the RSA survey results “suggest that the majority of organizations are not following incident response best practices and are not well prepared to face the challenges of today’s advanced cyber threats,” the release said. The survey focused on four major areas of breach readiness and response -- Incident Response, Content Intelligence, Analytic Intelligence and Threat Intelligence -- and found “organizations continue to struggle with the adoption of technologies and best practices that will allow them to more effectively detect, respond to, and disrupt the cyberattacks that turn into damaging breaches,” the release said. The survey found 55 percent of respondents lack the ability to identify and monitor critical assets, and only 50 percent have a plan in place for identifying “false positives.” Though most organizations recognized that basic log collection through security information and event management systems “only provides partial visibility into their environment,” only 42 percent of respondents had sophisticated forensic networks, the release said. While external threat intelligence and information sharing was seen as a way for organizations to stay up to date, only 43 percent of respondents leveraged external threat intelligence to supplement their efforts, it said. "Organizations are struggling to gain visibility into operational risk across the business,” RSA Chief Trust Officer Dave Martin said.
“As business has become increasingly digital, information security has become a key area of operational risk and while many organizations may feel they have a good handle on their security, it is still rarely tied in to a larger operational risk strategy, which limits their visibility into their actual risk profile," he said. “People and process are more critical than the technology as it pertains to incident response,” Thales Australia and New Zealand Chief Information Security Officer Ben Doyle said. A “security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour,” Doyle said. But he said it's “just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organizations improve response procedures over time."
The user database of online communications tool Slack was breached, said a company news release Friday. The database, which was attacked during a four-day period in February, contained user names, email addresses and “one-way encrypted” passwords, it said. Slack said it contacted law enforcement about the breach and recommended users install two-factor authentication and a password “kill switch.” Media reported Thursday that Slack recently agreed to a funding round of up to $160 million at a $2.76 billion valuation.