
Security remains top of mind as over 70 per cent of consumers noted they always think about their security/privacy when shopping online, according to Centrify. Unfortunately, despite the changing attitudes towards security, some consumers are still making basic security faux pas online.


Password hygiene is also a continuing problem when shopping online. Nearly 14 per cent admitted that they share passwords with friends and family so that those people can log in to their accounts, whilst over 50 per cent said they save passwords on retailers’ websites so as not to forget them. Over half also said that they only sometimes use different passwords for different retailers’ websites.

Most concerning is that one in eight said they would accept discounts and special offers from retailers in exchange for their passwords, highlighting the risks consumers are willing to take in order to save money online.

83 per cent said they only sometimes, or never, check the retailer’s security and privacy terms and conditions, leaving them exposed to fraud and data theft when shopping with an unknown or untrusted retailer.

On top of this, more than a fifth would still not check for the padlock icon in the browser before making a purchase, and 27 per cent said they would only do so on some occasions.

With Black Friday around the corner and the Christmas shopping season well under way for most, frugal shoppers need to consider their online safety before making any purchases.

Centrify offers ten tips for consumers when shopping online:

  • Always shop with reputable sellers, and be careful when entering URLs. A misspelled domain, or a site without ‘https’, could land you on a fake site designed to steal your information
  • Ensure you read the site’s privacy policy to understand how and where your personal information is being used. Lack of an easily visible privacy policy should be a red flag to using that site
  • Be suspicious of links in unsolicited emails. Rather than clicking them, type the retailer’s address directly into your browser. Hovering over a link reveals its real destination, which may differ from the text displayed
  • Deals that appear too good to be true often are, so treat them with even more caution
  • If an online retailer requests extra personal information, such as a password for your email or bank account as part of the shopping process, do not enter them
  • Secure mobile phones if you plan to use them for shopping by enabling security features such as passwords and encryption
  • Always use different, long, and complex passwords (or passphrases) for each site. If you don’t, and a hacker steals your password for one account they will have free rein over the others! This would have devastating consequences on sites that have your personal and credit card information
  • Enable multi-factor authentication where possible. This involves combining two or more different ‘factors’ for extra security when logging in – such as something an individual has (like an ATM card or smart card), something a user is (such as a biometric characteristic like a fingerprint or retina scan) or something the user knows, like a password
  • Passwords are not meant to be shared. Never give out your passwords online, on the phone or even to friends or family
  • Do not store passwords. Many browsers, programs, or web applications will offer to store your password for you so you only have to enter the password once and never again. While seemingly a convenient option, it is a bad idea to store passwords associated with personal or financial accounts. This is especially true if you use public or shared computers.
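The first and third tips above amount to a manual check: compare where a link says it goes with where it actually goes, and distrust anything that is not https. The following is an added example, not part of Centrify’s advice, that automates that check over the anchors in an HTML email using only the Python standard library. The sample message is constructed, and the “last two labels” rule for the registrable domain is a deliberate simplification (a production version would use the Public Suffix List).

```python
"""Flag links in an HTML e-mail whose visible text does not match their real target,
or which do not use https. Added example; the sample message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: the last two labels. Good enough for .com-style
    TLDs; a real implementation would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname a link's visible text claims (a URL or bare domain), else None."""
    if " " in text:
        return None
    candidate = text if "://" in text else "https://" + text
    host = urlsplit(candidate).hostname
    return host if host and "." in host else None


def audit_links(html):
    """Return (href, reason) findings: non-https links, and links whose displayed
    domain differs from the domain they really point at (the hover check)."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme != "https":
            findings.append((href, "not https"))
        shown = host_of(text)
        if shown and registrable(shown) != registrable(parts.hostname or ""):
            findings.append((href, f"text shows {shown} but link goes to {parts.hostname}"))
    return findings


# Constructed sample: one honest link, one lookalike subdomain, one honest tracking
# link with non-URL text, and one typo-squatted domain over plain http.
SAMPLE_EMAIL = """
<p>Black Friday deals!</p>
<a href="https://www.example-shop.com/deals">www.example-shop.com</a>
<a href="http://www.example-shop.com.login-verify.test/">www.example-shop.com</a>
<a href="https://tracking.example-shop.com/o/1">Track your order</a>
<a href="http://example-sh0p.com/offer">Claim your discount</a>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The second link is the interesting case: its text is the retailer’s real domain, but the registrable domain of the target is `login-verify.test`, which is exactly what hovering would reveal.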


Help Net Security

Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.


Troy Hunt, the security researcher who runs the Have I been Pwned? service and whose own information is in the compromised backup file, received the file, and ultimately notified GitHub of the matter.

His analysis of the file ultimately revealed that:

  • It contains 8.2 million unique email addresses, i.e. records about 8.2 million users of GitHub, Bitbucket (another web-based hosting service for projects), and possibly other online services.
  • Most of these records contain users’ names, usernames, email addresses, geographic location, professional skills, and years of professional experience.
  • All of this information is already online on GitHub and those other services, accessible to anybody – GeekedIn just scraped it and created its own database, access to which is offered to companies interested in finding developers – for a fee.

When contacted, GitHub said that it allows third parties to scrape its users’ public data, so long as the data is used only for the purpose for which users gave it to GitHub.

“Using scraped information for a commercial purpose violates our privacy statement and we do not condone this kind of use,” they told Hunt.

After he finally managed to get in touch with GeekedIn, they acknowledged the incident and promised to secure the data.

Hunt made some of this data searchable through his service, but only a little over 1 million users will be able to find themselves in it: he included only those who had a publicly available email address on GitHub.

“This incident is not about any sort of security vulnerability on GitHub’s behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service,” he made sure to note.


Help Net Security

Various configuration scenarios fit companies differently. Whether your Outlook users should run in cached or online mode depends on a wide range of factors.

Companies using Exchange Server are often confused around whether they should run cached mode or online mode on their Outlook clients. In this post, we are going to look at just what the differences are, and make some recommendations on when each is appropriate.

Cached mode, which first came out with Microsoft Outlook 2003, keeps a local copy of the user’s mailbox stored on the hard drive as an OST file. Running in cached mode, the Outlook client looks to the local OST file for all access, including reads and searches, while a separate process checks for new mail on the server and syncs data to the local cache.

Cached mode clients also keep a local copy of the GAL, called the Offline Global Address Book, to perform faster lookups for recipients in the organization. Running in cached mode, a user can still access mail even when the network connection to Exchange is down, such as when they are on an airplane or the WAN is down.

Cached mode is also very good for users with high latency connections to Exchange, as accessing the local cache isolates the user from delays in connectivity to the server. Searches done against the local OST are much faster, and the client generates much less network traffic.

You should use cached mode anytime a user must access their mail without network connectivity, such as users who travel. You should also use it for any users in an office with intermittent network connectivity, or whose network latency between client and server is typically high, like those with satellite or radio-based connectivity.

Online mode maintains a connection to the Exchange CAS server for all access to the mailbox and reads from the GAL. If the connection to the server drops, Outlook is unusable until the connection is restored. It also requires a much better connection to the server, as far as latency is concerned. The biggest difference though is that online mode does not require any disk space for a local file, making it ideal for clients with limited or no persistent storage.

You should use online mode when users have no persistent storage in which to keep their OST, such as VDI scenarios or devices with limited storage capacity, such as tablets. You may also use online mode for extremely large mailboxes to improve overall performance, or where you do not want to risk having a local copy of the mailbox in an OST for compliance or other reasons.

I disagree with the general opinions about the risks of OST files. If a machine leaves the physical security of your four walls, you have a data risk whether you use cached mode or online mode; the OST is only one of the places mail ends up on disk. Don’t fear the OST; instead, embrace full disk encryption such as BitLocker or a third-party equivalent, and require strong authentication to unlock the disk. It is far better to secure all the data than to shoot yourself in the foot with regard to Outlook performance.

Latency is really the most significant thing to consider when deciding between cached and online mode. If you have high latency, use cached mode; if you have consistent and reliably low latency, online mode is fine. What counts as high and what counts as low? That is as much a matter of opinion as of fact. As a rule of thumb, I consider 100 milliseconds to be the maximum latency for online mode.

If you are seeing client connections to the CAS server go over that consistently, you might want to switch to cached mode. Various Microsoft documents will vary between that and up to 500 milliseconds, and your own users’ experiences will ultimately decide what is good enough, but with anything over 100 milliseconds Outlook starts to pop notification bubbles that it has lost connectivity to Exchange. That usually generates helpdesk calls, and nobody likes those.

Cached mode needs local storage and that’s a problem for tablets with small SSDs or VDI systems without persistent storage. In the former, you can use a GPO to restrict the maximum size of the OST, as you may not need to cache the entire mailbox. When it detects a smaller disk drive, Outlook 2013 and later will automatically reduce the OST size by reducing the number of days cached.

For VDI, where persistent storage can be extremely expensive and sometimes even counter to the design intent, you have to make a tradeoff between space taken and performance. You can provision a certain minimum amount of persistent storage on high performance disks for VDI systems to store the OST, or instead you can direct VDI users to use OWA when latency is too high for online mode. If latency stays below 100 milliseconds, use online mode so you don’t have to provision persistent storage.
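The decision rule above (online mode only when client-to-CAS latency stays consistently under about 100 ms, cached mode otherwise, and OWA for VDI clients without persistent storage) is easy to turn into a repeatable check. The following is an added example, not GFI’s tooling or anything from the article, written in Python so it can be run from any client with a copy of the interpreter. It reads “consistently over” as the 90th-percentile round trip exceeding the threshold, which is an assumption, and uses the TCP handshake to the CAS on 443 as a proxy for the MAPI round trip. The sample measurements are constructed; `measure_tcp_rtt_ms()` gathers real ones.

```python
"""Recommend Outlook cached vs online mode from client-to-CAS latency samples.
Added example; the sample latencies below are constructed."""
import socket
import statistics
import time


def measure_tcp_rtt_ms(host, port=443, samples=20, timeout=2.0):
    """Time TCP connects to the CAS. Returns a list of milliseconds; a failed or
    timed-out connect is recorded as the full timeout so outages count as latency."""
    results = []
    for _ in range(samples):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
            results.append((time.perf_counter() - start) * 1000.0)
        except OSError:
            results.append(timeout * 1000.0)
    return results


def recommend_mode(rtt_ms, threshold_ms=100.0, percentile=0.9, persistent_storage=True):
    """Return the recommended mode plus the numbers behind it.
    - p90 <= threshold: online mode is acceptable.
    - p90 >  threshold: cached mode, or OWA when the client has no persistent storage
      for an OST (the VDI trade-off described above)."""
    if not rtt_ms:
        raise ValueError("no latency samples")
    ordered = sorted(rtt_ms)
    idx = min(len(ordered) - 1, int(round(percentile * (len(ordered) - 1))))
    p90 = ordered[idx]
    if p90 <= threshold_ms:
        mode = "online"
    else:
        mode = "cached" if persistent_storage else "owa"
    return {
        "mode": mode,
        "p90_ms": round(p90, 1),
        "median_ms": round(statistics.median(ordered), 1),
        "max_ms": round(ordered[-1], 1),
    }


# Constructed samples: a LAN client with one spike, and a branch office on a
# satellite link (hundreds of milliseconds is typical for geostationary hops).
LAN_SAMPLES = [8, 9, 7, 12, 11, 9, 8, 140, 10, 9]
SATELLITE_SAMPLES = [620, 640, 610, 700, 655, 630, 615, 680, 640, 625]

if __name__ == "__main__":
    print("LAN       ", recommend_mode(LAN_SAMPLES))
    print("satellite ", recommend_mode(SATELLITE_SAMPLES))
    print("VDI/sat   ", recommend_mode(SATELLITE_SAMPLES, persistent_storage=False))
    # Real measurement (replace with your CAS hostname):
    # print(recommend_mode(measure_tcp_rtt_ms("mail.example.com")))
```

The single 140 ms spike in the LAN sample does not flip the decision, because a one-off spike is not “consistently over” the threshold; the satellite client is well over it on every sample and gets cached mode, or OWA if it is a non-persistent VDI desktop.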

For Office 365 or other hosted Exchange customers, the answer is easy – use cached mode. The Exchange CAS server is not local to you, so you will have higher latency and cached mode will accommodate this. With Office 365 in particular, Microsoft will not prevent you from using online mode, but if performance is poor and you call support, they will instruct you to use cached mode.

For the rest of you, consider the following – if you do any of these, online mode may provide the better experience for your users:

  • Delegating access, when folders are not cached locally due to storage constraints (and local cache is the default)
  • Opening another user’s calendar or folder that is not cached locally (local cache is the default)
  • Using a public folder that is not cached. Though really, you’re still using Public Folders?
  • Using one or more large (>1GB) shared mailboxes

Ultimately, I tell all my customers to use cached mode, and if they cannot for any reason, to use OWA instead of Outlook. This generally provides Outlook users the best experience overall, while making sure VDI admins don’t break the bank provisioning persistent storage for their users.

If you need to deploy settings for cached or online mode to your users through GPO, see https://technet.microsoft.com/en-us/library/cc179175.aspx for more guidance on that.



GFI Blog


Afraid of online hacks? Worry more about your phone

I talk a lot about the security problems and weaknesses of the internet, as well as the devices connected to it. It’s all true, and we badly need improvements. Yet the irony is that security in our online world is actually better than in our physical world.

Think of how many people are scammed by someone phoning to say their computer is infected and needs repair. As InfoWorld’s Fahmida Rashid recently chronicled, the callers typically say they’re with Microsoft or a Microsoft partner and that your computer is infected and needs fixing immediately. Unfortunately, millions of people fall for this scam and end up installing malicious software on their systems. They sometimes even pay for the privilege, handing over their credit card numbers in the process.


The problem is that there’s no easy way in the real world to quickly prove whether these phone solicitors are fake or legitimate. In the digital world, all the major browser and email vendors devote a significant part of their engineering effort to detecting impostors. My browser’s URL bar turns green in approval when I visit a legitimate website protected by an Extended Validation certificate. That means I can trust it.

There’s nothing like that in the physical world. In the case of the fake Microsoft repair company, the best case I can hope for is to independently call the right Microsoft phone number and ask for verification.

Any of Microsoft’s trained responders will readily and quickly tell you that you’re being scammed -- mainly because Microsoft doesn’t proactively call people to tell them their computer is infected. But unless you know the phone number (800-426-9400) or the Microsoft website, or you enter the right words in an internet search engine, it’s going to take time and possibly a bunch of calls to get an answer.

That’s not Microsoft’s fault. It’s a huge, global company with tons of locations and products. It has blogged about Microsoft phone scams dozens of times over the years, and it does advertise the right numbers and places to call for such inquiries. However, not everyone has heard of the scams or knows where to go when they have a question, so it takes effort. Contrast that with looking at a green URL bar in one second.

A few times I’ve been called, out of the blue, by a company I’m already affiliated with, offering deals I’d normally be interested in -- say, faster internet for less per month. It sounds great, and the company is ready to sign me up, but then asks for my “account password.” I ask the representative to tell me the account password on file so I can verify it, but he or she says it doesn’t work that way. So I hang up. If I then call back on the general, advertised phone number and ask for the same deal, it takes me an hour, or I can’t find that call center at all.

My bank recently did the same. It was proactively calling to report that my debit card had been compromised. My bank had never called me before. How would I know that this complete stranger on the phone is who they say they are?

Brian Krebs recently related a story in which digital scammers claiming to be from Google called someone who used a two-factor-enabled Gmail account and asked the user to tell them the code sent to the victim’s phone (via SMS) to verify the account. Luckily, the victim was suspicious and brought in her security-minded dad, and they didn’t give up the code.

But it got me thinking. In this particular instance, two-factor digital authentication was the strongest part of the authentication chain. The phone call was the weak link and not easily verifiable. National Institute of Standards and Technology (NIST) now advises that SMS-sent two-factor authentications aren’t to be trusted, or at least not as trusted as we once thought them to be. But to be honest, most of the problems with two-factor authentication using SMS verification apply to the phone, not the computer.

We need a system that allows phone calls to be quickly and accurately verified. I want EV certificates for the physical world! I want multiple defensive software programs that investigate my incoming calls and alert me if something seems risky. Today most of those calls come in over cellphones. I have to think a centralized phone number repository and a local phone app could solve much of the problem. Heck, we’d easily be able to kill unsolicited junk calls at the same time.

The online world is nowhere near perfectly secure. But I’m quickly starting to realize that, though insecure, the digital world is often in better shape than the physical world. How about that irony?


We all know that scanning random QR codes is a risky proposition, but a newly detailed social engineering attack vector dubbed QRLJacking adds another risk layer to their use.

Many web apps and services offer the option of using QR codes for logging into the service: chat apps like WhatsApp and Weibo, email service QQ Mail, e-commerce services like Alibaba and Aliexpress, and others.

As detailed by Seekurity Labs researcher Mohamed Abdelbasset Elnouby, QRLJacking (i.e. Quick Response Code Login Jacking) is a method for tricking users into effectively logging into an online account on behalf of the attacker by making them scan the wrong QR code.

The original article illustrates the basic steps of a QRLJacking attack in a diagram (not reproduced here).

Ultimately, the attacker can take over the victim’s account completely and gather information about the victim’s device and its current location.

“All the attackers need to do to initiate a successful QRLJacking attack is to write a script to regularly clone the expirable QR codes and refresh the ones displayed in the phishing website they created,” says Elnouby.

He demonstrated the attack against a WhatsApp user in a video.

More details about the attack vector, its usability, possible mitigations, and PoC attack code can be found on GitHub.
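The attack works because the service logs in whichever browser requested the QR code, while the person scanning it has no idea which browser that is. The following added example, which is not Seekurity’s PoC and not any vendor’s implementation, models a QR login service with two server-side countermeasures that are common mitigation patterns and are assumed here rather than taken from the article: a short token lifetime (so the attacker needs the refresh loop Elnouby describes) and binding the token to the requesting browser’s egress IP, so the phone app can show the user where the login would land before confirming. Every address, user agent and token value is constructed.

```python
"""Toy QR-login service showing two defences against QRLJacking: token expiry and
binding the login token to the browser that requested the QR code. Added example;
all addresses and identities are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_S = 20.0  # assumed lifetime of a login QR code


@dataclass
class QrSession:
    token: str
    browser_ip: str   # egress IP of the browser that displayed the QR code
    browser_ua: str
    created: float


class QrLoginService:
    """Server side of a QR login. The clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._pending: Dict[str, QrSession] = {}
        self.browser_sessions: Dict[str, str] = {}  # token -> user now logged in there

    def issue_qr(self, browser_ip: str, browser_ua: str) -> str:
        """A browser asks for a login QR; the token is bound to that browser."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = QrSession(token, browser_ip, browser_ua, self._clock())
        return token

    def scan(self, token: str, phone_ip: str) -> Optional[dict]:
        """The phone app scanned a code. Returns what to show the user, or None when
        the token is unknown or expired (the attacker's refresh script exists to beat
        exactly this expiry)."""
        s = self._pending.get(token)
        if s is None or self._clock() - s.created > TOKEN_TTL_S:
            self._pending.pop(token, None)
            return None
        return {
            "browser": s.browser_ua,
            "browser_ip": s.browser_ip,
            # Phone and browser behind the same NAT is the normal case; a different
            # egress IP is what a relayed, phished QR code looks like from the server.
            "same_network": s.browser_ip == phone_ip,
        }

    def confirm(self, token: str, user: str, phone_ip: str, approved: bool) -> str:
        """User decided on the phone whether to log in the browser shown to them."""
        if self.scan(token, phone_ip) is None:
            return "expired"
        self._pending.pop(token, None)
        if not approved:
            return "declined"
        self.browser_sessions[token] = user  # the requesting browser is now logged in
        return "logged-in"


def legitimate_flow() -> str:
    svc = QrLoginService()
    tok = svc.issue_qr("192.0.2.10", "Firefox/Linux")   # user's own laptop
    shown = svc.scan(tok, "192.0.2.10")                  # phone on the same Wi-Fi
    return svc.confirm(tok, "alice", "192.0.2.10", approved=shown["same_network"])


def qrljacking_flow():
    """Attacker's browser requests the QR, relays it to a phishing page, victim scans.
    Policy modelled here: the app pre-approves only when the networks match; otherwise
    the user sees a foreign IP and browser and declines."""
    svc = QrLoginService()
    tok = svc.issue_qr("203.0.113.5", "Chrome/Windows")  # attacker's machine
    shown = svc.scan(tok, "192.0.2.77")                   # victim's phone, elsewhere
    outcome = svc.confirm(tok, "alice", "192.0.2.77", approved=shown["same_network"])
    return shown, outcome, svc.browser_sessions


def expiry_flow() -> str:
    """Victim scans a relayed code that the attacker failed to refresh in time."""
    now = [0.0]
    svc = QrLoginService(clock=lambda: now[0])
    tok = svc.issue_qr("203.0.113.5", "Chrome/Windows")
    now[0] += TOKEN_TTL_S + 5
    return svc.confirm(tok, "alice", "192.0.2.77", approved=True)


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("qrljacking:", qrljacking_flow()[:2])
    print("stale code:", expiry_flow())
```

The IP comparison is a warning signal, not a hard block: a phone on cellular data will legitimately differ from a laptop on office Wi-Fi, which is why the app shows the browser details and asks rather than refusing outright. What the server must never do is log in the browser silently on scan, since that is the step QRLJacking abuses.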


Help Net Security