Join us each month on https://www.brighttalk.com/channel/6331 for the Symantec Website Security Threat Update webinar: a short 25 minutes of web threat and security update news.
1. WEBSITE SECURITY THREATS: APRIL 2014 UPDATE
   Thursday 17th April 2014
   Andrew Horbury, Product Marketing Manager, [email protected]
   Andrew Shepherd, EMEA Marketing Manager, [email protected]
   Website Security Threats: April 2014 Update
2. Agenda
   1 Heartbleed Update
   2 Month in Numbers
   3 Annoying Malware
   4 Watering Holes and Phishing
   5 Insider Threats
   6 Stranger than Fiction
   7 Good news
3. Heartbleed OpenSSL Vulnerability
   - This is not a vulnerability with SSL/TLS
   - SSL/TLS is not broken, nor are the SSL certificates issued by Symantec
   - Users of OpenSSL versions 1.0.1 through (and including) 1.0.1f are affected
   Advice for Businesses
   - Check your version of OpenSSL and either:
     - Recompile OpenSSL without the heartbeat extension
     - Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f
   - After moving to a fixed version of OpenSSL, contact the SSL certificate's issuing Certification Authority for a replacement
   - Finally, businesses should also consider resetting end-user passwords that potentially may have been visible in compromised server memory.
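Added example (not part of the original slides or Symantec's material): a shell check for the two remediation options on slide 3, applied to the output of `openssl version -a`. The function name, status labels and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of `openssl version -a` output, trimmed to two lines.
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall'
SAMPLE_NOHB='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3 -Wall'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall'

# heartbleed_status TEXT
# Echoes: affected | heartbeat_disabled | outside_affected_range | unknown
heartbleed_status() {
    out=$1
    # Version is the second field of the line starting with "OpenSSL".
    ver=$(printf '%s\n' "$out" | awk '$1 == "OpenSSL" { print $2; exit }')

    # No version found, or a pre-release build the slide's range
    # does not cover: do not guess.
    case $ver in
        '' | *-beta* | *-dev*) echo unknown; return ;;
    esac

    # Drop build suffixes such as "-fips" before comparing.
    base=${ver%%-*}

    # Range from the slide: 1.0.1 through (and including) 1.0.1f.
    case $base in
        1.0.1 | 1.0.1[abcdef]) ;;
        *) echo outside_affected_range; return ;;
    esac

    # First remediation option: rebuilt without the heartbeat extension.
    # Such builds list the define on the "compiler:" line.
    if printf '%s\n' "$out" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
        echo heartbeat_disabled
    else
        echo affected
    fi
}

for sample in "$SAMPLE_VULN" "$SAMPLE_NOHB" "$SAMPLE_FIXED"; do
    heartbleed_status "$sample"
done
# On a live host: heartbleed_status "$(openssl version -a)"
```

Distribution packages often backport the fix without changing the version letter, so an `affected` result on a packaged build should be confirmed against the vendor's advisory.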
4. Heartbleed OpenSSL Vulnerability 2
   Advice for Consumers
   - Be aware that your sensitive data such as passwords may have been seen by a third party if the sites you visit used a vulnerable version of the OpenSSL library
   - Monitor any notices from the vendors or companies you use. Once a vendor has communicated to you to change your passwords, please change them promptly
   - Watch out for potential phishing emails from attackers asking you to update your password.
   - Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
   - Monitor your bank and credit card statements to check for any unusual transactions.
   www.safeweb.com/heartbleed
5. The month in numbers
   - Zero
   - 91%: increase in targeted attack campaigns over 2012
   - 1 in 392: overall phishing rate
   - 6,787: new vulnerabilities
   - 23: new 0-day vulnerabilities
   - 78%: of websites scanned found with vulnerabilities
   - 1 in 8: websites have critical vulnerabilities
   - 1 in 566: websites scanned found with malware
   - Ransomware attacks grew by 500% in 2013
6. The month in numbers 2
   Slow to fix vulnerabilities
   - 342 days: Education
   - 276 days: Healthcare
   - 274: Insurance
   Other numbers
   - 158,000: Boxee.TV forum accounts leaked
   - 18 months: Miss Teen USA's extortionist sentenced
7. New Annoying Malware
   Browlock ups the ransom price
   - Infections have increased
   - Uses JavaScript to prevent user from closing a browser tab
   - Poses as local law enforcement
   Trojan.Zbot variant
   - Locks desktop by displaying multiple websites
   - Prevents users opening any other windows or files
   - Can be avoided using show desktop command
8. Watering holes and Phishing attacks
   - Attackers infect Chinese takeaway menu to enter company's network
   - EA Games website hacked, hosting fake Apple phishing page
   - Grand Theft Auto V PC beta testers wanted
9. Insider Threats
   Angry ex-Microsoft employee leaked OS code
   - Worked at Microsoft for 7 years
   - Leaked to blogger as revenge after poor performance review
   - Charged with theft of trade secrets
   UK supermarket Morrisons suffers data theft
   - Data stolen from staff payroll system and published online
   - "initial investigations suggest that this theft was not the result of an external penetration of our systems"
10. Stranger than fiction
   - Triathlete wiped out by hacked camera drone
   - Man receives threats from his own printer
   - Prince Harry needs some new parquet floors at Buckingham Palace. Or does he?
   - US Army Commander causes widespread confusion in multiple agencies
11. Good News
   - Hacked domain and website takeover of Ramshackleglam.com ends well. Risky sting pays off for tenacious blogger who was not helped by her hosting company or domain name registrar.
   - Five years on, UK agency fixes XSS vulnerability in their website
   - CryptoDefense criminals bundle encryption keys with ransomware
12. Link Glossary (Print screen now)
   Heartbleed
   - http://www.symantec.com/outbreak
   - https://www.staysecureonline.com/heartbleed
   - https://ssltools.websecurity.symantec.com/checker/
   - www.safeweb.com/heartbleed
   Other links
   - ISTR Resources Report: http://bit.ly/1ip92jU
   - ISTR Blog: http://bit.ly/1ip93UQ
   - Speed of different verticals to fix vulnerabilities: http://bit.ly/1iZMaEi
   - Hackers Lurking in Vents and Soda Machines (and menus): http://nyti.ms/1eyxmjM
   - Ramshackleglam hack: http://on.mash.to/1ip9gaC
   - ICO XSS Vulnerability: http://bit.ly/1mcxJk4
   - CryptoDefense Blog: http://bit.ly/1hLezT8
13. Thank you!
   Andrew Shepherd, [email protected] / +44 7912 552 896
   Andrew Horbury, [email protected] / +44 7703 468 966, @andyhorbury
   Next webinar: Thursday 22nd May 2014, 9.30am UK / 10.30am CET
   Copyright 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.