Join us each month on https://www.brighttalk.com/channel/6331 for the Symantec Website Security Threat Update webinar: a short 25-minute round-up of web threats and security news.
1. Andrew Horbury
Product Marketing Manager
andy_horbury@symantec.com
Andrew Shepherd
EMEA Marketing Manager
andrew_shepherd@symantec.com
WEBSITE SECURITY THREATS:
APRIL 2014 UPDATE
Thursday 17th April 2014
Website Security Threats: April 2014 Update
2. Agenda
1. Heartbleed Update
2. Month in Numbers
3. Annoying Malware
4. Watering Holes and Phishing
5. Insider Threats
6. Stranger than Fiction
7. Good News
3. Heartbleed – OpenSSL Vulnerability
• This is not a vulnerability with SSL/TLS
• SSL/TLS is not broken, nor are the SSL certificates issued by Symantec
• Users of OpenSSL versions 1.0.1 through (and including) 1.0.1f are affected
Advice for Businesses
Check your version of OpenSSL and either:
• Recompile OpenSSL without the heartbeat extension
• Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f
• After moving to a fixed version of OpenSSL, contact the SSL certificate’s issuing Certification Authority for a replacement
• Finally, businesses should also consider resetting end-user passwords that may have been visible in compromised server memory.
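The first step in the business advice above is to find out which OpenSSL you are running. The following POSIX shell snippet is an added example, not part of the Symantec deck: it parses the banner printed by `openssl version`, classifies the version against the affected range the slide gives (1.0.1 through 1.0.1f, with 1.0.1g as the fixed release) and prints the matching advice. The sample banners at the bottom are constructed, not taken from real hosts.

```shell
#!/bin/sh
# Added example (not from the Symantec deck): classify an OpenSSL version
# string against the Heartbleed-affected range named on the slide,
# 1.0.1 through 1.0.1f inclusive; 1.0.1g is the fixed release.
# Caveat: distributions often backport the fix without changing the
# version string, so a match here means "check your vendor advisory",
# not "definitely vulnerable".

# Return 0 (true) when the version string falls in the affected range.
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1, 1.0.1a ... 1.0.1f
    *)                return 1 ;;   # 0.9.8, 1.0.0, 1.0.1g and later
  esac
}

# Extract the version token from the banner printed by `openssl version`,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
version_from_banner() {
  set -- $1          # word-split the banner on whitespace
  printf '%s\n' "$2"
}

# Produce the advice matching the slide for a given version string.
advice_for() {
  if heartbleed_affected "$1"; then
    printf 'OpenSSL %s: affected. Upgrade to 1.0.1g (or rebuild with -DOPENSSL_NO_HEARTBEATS), then replace the certificate and reset passwords.\n' "$1"
  else
    printf 'OpenSSL %s: outside the affected range.\n' "$1"
  fi
}

# Check the OpenSSL found on this host, if any.
check_local_openssl() {
  if command -v openssl >/dev/null 2>&1; then
    advice_for "$(version_from_banner "$(openssl version)")"
  else
    echo "openssl binary not found in PATH"
  fi
}

# Constructed banners (not real hosts) to show each branch:
for banner in "OpenSSL 1.0.1e 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0l 6 Jan 2014"; do
  advice_for "$(version_from_banner "$banner")"
done
```

Run `check_local_openssl` on a server to classify the binary in `PATH`; because the version string alone cannot tell you whether a distribution patched 1.0.1e in place, treat an "affected" result as a prompt to confirm against your vendor's Heartbleed advisory before deciding whether the certificate and password steps apply.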
4. Heartbleed – OpenSSL Vulnerability 2
Advice for Consumers
• Be aware that your sensitive data such as passwords may have been seen by a third party if the sites you visit used a vulnerable version of the OpenSSL library
• Monitor any notices from the vendors or companies you use. Once a vendor has asked you to change your passwords, change them promptly
• Watch out for potential phishing emails from attackers asking you to update your password.
• Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
• Monitor your bank and credit card statements to check for any unusual transactions.
www.safeweb.com/heartbleed
5. The month in numbers
• Zero
• 91% – the increase in targeted attack campaigns over 2012
• 1 in 392 overall Phishing Rate
• 6,787 New Vulnerabilities
• 23 New 0-Day Vulnerabilities
• 78% of Websites scanned found with vulnerabilities
• 1 in 8 Websites have critical vulnerabilities
• 1 in 566 Websites scanned found with malware
• Ransomware attacks grew by 500% in 2013
6. The month in numbers 2
• Slow to fix vulnerabilities (days to fix, by vertical)
– 342 days Education
– 276 days Healthcare
– 274 days Insurance
• 158,000 Boxee.TV forum accounts leaked
• 18 Months – Miss Teen USA’s extortionist sentenced
7. New Annoying Malware
• Browlock ups the ransom price
– Infections have increased
– Uses JavaScript to prevent the user from closing a browser tab
– Poses as local law enforcement
• Trojan.Zbot variant
– Locks the desktop by displaying multiple websites
– Prevents users from opening any other windows or files
– Can be avoided using the “show desktop” command
8. Watering holes and Phishing attacks
• Attackers infect a Chinese takeaway menu to enter a company’s network
• EA Games website hacked, hosting a fake Apple phishing page
• Grand Theft Auto V – PC beta testers wanted
9. Insider Threats
• Angry ex-Microsoft employee leaked OS code
– Worked at Microsoft for 7 years
– Leaked to a blogger as revenge after a poor performance review
– Charged with theft of trade secrets
• UK supermarket Morrisons suffers data theft
– Data stolen from staff payroll system and published online
– “initial investigations suggest that this theft was not the result of an external penetration of our systems”
10. Stranger than fiction
• Triathlete wiped out by “hacked” camera drone
• Man receives threats from his own printer
• Prince Harry needs some new parquet floors at Buckingham Palace
– Or does he…?
• US Army Commander causes widespread confusion in multiple agencies
11. Good News
• Hacked domain and website takeover of Ramshackleglam.com ends well
– Risky sting pays off for tenacious blogger who was not helped by her hosting company or domain name registrar.
• Five years on, UK agency fixes XSS vulnerability in their website
• CryptoDefense criminals bundle encryption keys with ransomware
12. Link Glossary (Print screen now)
• Heartbleed
– http://www.symantec.com/outbreak
– https://www.staysecureonline.com/heartbleed
– https://ssltools.websecurity.symantec.com/checker/
– www.safeweb.com/heartbleed
• ISTR Resources
– Report http://bit.ly/1ip92jU
– ISTR Blog http://bit.ly/1ip93UQ
• Speed of different verticals to fix vulnerabilities http://bit.ly/1iZMaEi
• Hackers Lurking in Vents and Soda Machines (and menus) http://nyti.ms/1eyxmjM
• Ramshackleglam hack http://on.mash.to/1ip9gaC
• ICO XSS Vulnerability http://bit.ly/1mcxJk4
• CryptoDefense Blog http://bit.ly/1hLezT8