Week in review 19 September 2014
There was something of a focus on phishing this week, whether it was a university using “fake” phishing emails, or more domains being available for phishing sites. Mobile security continues to be an issue, and Apple launched iOS 8, fixing many security holes in the process. Finally, we all want a holiday, but be careful of sites that offer the chance to win vouchers in return for personal information.
McGill University came up with the novel idea of using fake phishing emails to increase awareness of phishing and to educate its users on email security. The idea is to send out fake phishing emails to users. If the user clicks on a link, they are redirected to a site informing them of the phish and encouraging them to take an online course in email security. Not a bad idea, especially given the growth in email phishing attacks this year.
Help Net Security reported that 75% of mobile apps will fail basic security tests. The reasons for so many apps failing are probably well known in the developer community. Developers mostly check that an app works; security is the last issue on their mind. Nevertheless, the fact that so many apps are insecure has consequences in the new age of Bring Your Own Device (BYOD). The advice is for companies to do app security testing; this will at least mitigate the risk of allowing an insecure app to access the network.
Targeted phishing attacks took place this week at several US financial and healthcare entities. The emails sent appeared legitimate, featuring Google and Google Drive logos. However, the links were to a phishing site. Again, do not click on links from emails.
It is close to school holidays in Australia, which is probably why a Facebook scam with a fake Qantas Facebook page appeared this week. The fake page asked users to enter personal information in order to be in a draw to win a $1500 travel voucher. It is a scam.
The big news this week (it was hard to avoid) was the launch of iOS 8, the operating system used by Apple’s iPhone and iPad range. What was less reported was that the new release addressed 40 or so existing vulnerabilities. Probably the most prominent fix was in the implementation of the 802.1x driver. An identified vulnerability left the user open to having Wi-Fi credentials stolen; this was addressed in iOS 8.
It’s always good to get more Top Level Domains – or is it? ICANN have recently released another 300 Top Level Domains, but as Infosecurity reported, there are already many signs that the new Top Level Domains are being used for malicious purposes. Malicious purposes include phishing; ISC reports on phishing attacks being directed at Bank of America customers. It is expected that phishing attempts will become more widespread with the release of the 300 Top Level Domains.