In May we brought you a host of new articles covering the latest security tips and stories, from the perils of Facebook to Kaspersky Lab’s latest partnership. If you missed any of our breaking news, don’t worry! We’ve rounded up the top posts from the month and highlighted them here, keeping you in the know on all things cybersecurity.
Five worst mistakes you can make on Facebook
Although Facebook can be a fun social outlet, it also brings with it a host of dangers. There are common typical mistakes people tend make on the network, and each could potentially cost you money, your reputation, or even relationships with people you value. So to avoid these perils, never publish your bio publicly, especially when it comes to sharing your birthday. Furthermore, when posting make sure your status updates are visible only to your friends, and be sure those friends are real connections. When sharing these updates, also avoid divulging your location, as this can make keeping tabs on your whereabouts much easier for cybercriminals. And finally, always make sure you choose a complicated account password to further reduce your risk of attack.
Study: majority of smart homes vulnerable to hacking
Smart homes are exactly what you think they are: homes in which appliances, heating and cooling systems, lighting, smoke detectors, and/or door locks all connect to the home network, and ultimately the Internet, along with computers, phones and tablets, and all other comparatively traditional Internet-able devices. They might sound appealing and like the homes of the future, but researchers have recently been poking holes in smart security systems. In fact, our friends at AV-Test.org tested the security posture of seven separate smart home kits, finding that four of those kits were insecure. The devices found to be vulnerable in this study could be exploited by internal — and, in some cases, external — attacks targeting either the home network and the machines connected to it, or the home itself and the things inside of it. AV-Test focused on whether communication among devices was encrypted, and three products failed to use encryption at all. Broadly speaking, an attacker could manipulate connected systems in order to cause damage to them, but since most criminal hackers are after money, the most likely attacks would be those that use weaknesses in these systems as access points to eventually obtain valuable data stored on the home network. Here’s the good news: AV-Test believes that, if the makers of these products take the time to develop a solid security concept instead of rushing their wares to market, then it is very possible to create secure smart home systems. Here’s the other good news: if you’re thinking of buying one of these systems, AV-Test is telling you what to look for: systems that always require authentication and always encrypt their communications.
Kaspersky helps Watch_Dogs developers to get hacking right
Nowadays, privacy and pervasive surveillance are topics of conversation that reach well outside of the tech community. Average citizens don’t have much in the way of options when it comes to fighting the spread of surveillance technology, but the new Ubisoft video game Watch_Dogs gives players the ability to bend an omniscient surveillance infrastructure that runs everything to their own whims, as vigilante Aiden Pearce. The game was developed with content input from Kaspersky Lab security experts after the script was sent to Kaspersky for a reality check. It ended up in the hands of Vitaly Kamluk, a principal security researcher at Kaspersky, who looked through it and liked what he saw. “I only made a few small suggestions”, Kamluk said during an interview at the Ubisoft offices in San Francisco during a preview event for Watch_Dogs in April. “They did a nice job. They got it right, while still having the game be fun.” People often don’t want a bunch of reality getting in the way of their fantasy, but Watch_Dogs seamlessly weaves the use of exploits and CCTV hacking into the fabric of the game. “It’s not the typical Hollywood hacking,” Kamluk said. “It’s real life.”
Read highlights from our top #security news posts in May.
Tweet
A new variant of ransomware targeting users on Android is associating itself with CryptoLocker, which is known for encrypting critical computer files and demanding a ransom to decrypt them. In this case, a group of criminals responsible for a different variety of ransomware – known as Reveton – are advertising a CryptoLocker-like piece of malware capable of infecting Android mobile devices. A well-known security researcher who operates under the handle ‘Kafeine’ uncovered this new strain and wrote about it on his blog Malware don’t need Coffee. He found that when victims on Android devices connect to a domain infected with this strain of malware, they are redirected to a pornographic site that deploys a bit of social engineering in order to trick users into an application file containing the malware. You would have to install this malware yourself in order to become infected, which is why we recommend only installing applications from the legitimate Google Play store. The extent to which this piece of ransomware relates to the notorious, desktop targeting CryptoLocker is unclear, but whoever made it is clearly playing off the success of the old CryptoLocker as some sort of criminal marketing scam. This is interesting in and of itself, because it demonstrates the ways in which cybercriminals replicate legitimate business practices to maximise profit, though this is a story for a different day.
Keep calm and stay vigilant, OpenID and OAuth are vulnerable
Just a few weeks after the disturbing Heartbleed bug discovery, we have a new seemingly widespread issue to be concerned with. The issues were found inside popular Internet protocols OpenID and OAuth; the former is utilised when you log in to websites using your existing login from Google, Facebook, LinkedIn, etc., and the latter comes into play when you authorise sites, apps or services with Facebook/G+/etc., without actually revealing your password and login to third-party sites. These two are typically used in conjunction, and as it turns out, may put your information into the wrong hands. You can find a more technical explanation on Threatpost, but it basically goes like this: first, a user visits a malicious phishing site, which has the typical “Login with Facebook” buttons. Once you click on the button, a real Facebook/G+/LI popup will appear, prompting you to enter login and password information for authorisation to access your user profile. Finally, the authorisation to use the profile is sent to the wrong (phishing) site using improper redirection, and a cybercriminal receives the proper authorisation (OAuth token) to access your profile with whatever permissions the original application had. For the most cautious, the bulletproof solution would be giving up using OpenID and those handy “Login with…” buttons for a few months. To avoid the hurdle with memorising tens or even hundreds of different logins for various sites, you may finally start using an efficient password manager. However, if you plan to continue using OpenID authorisation, there is no immediate danger in doing so. You just have to be extremely vigilant and avoid any phishing scams. If you log in to a service using Facebook/Google/etc., make sure you open the site of that service using a manually typed address or a bookmark, not the link from your emails or messengers. Double check the address bar to avoid visiting sketchy sites, and don’t sign up for new services with OpenID, unless you are 100% sure that the service is reputable and you’ve landed on the proper website. In addition, use a safe browsing solution like Kaspersky Internet Security ― Multi-Device, which prevents your browser from visiting dangerous places, including phishing sites.