Andrew Horbury, Product Marketing Manager, [email protected]; Andrew Shepherd, EMEA Marketing Manager, [email protected]. WEBSITE SECURITY THREATS: APRIL 2014 UPDATE. Thursday 17th April 2014

Symantec Website Security Threats: April 2014 Update


DESCRIPTION

Join us each month on https://www.brighttalk.com/channel/6331 for the Symantec Website Security threat update webinar: a short 25 minutes of web threat and security update news.

Citation preview

  • 1. WEBSITE SECURITY THREATS: APRIL 2014 UPDATE. Thursday 17th April 2014
      • Andrew Horbury, Product Marketing Manager, [email protected]
      • Andrew Shepherd, EMEA Marketing Manager, [email protected]
  • 2. Agenda
      • 1 Heartbleed Update
      • 2 Month in Numbers
      • 3 Annoying Malware
      • 4 Watering Holes and Phishing
      • 5 Insider Threats
      • 6 Stranger than Fiction
      • 7 Good news
  • 3. Heartbleed OpenSSL Vulnerability
      • This is not a vulnerability with SSL/TLS
      • SSL/TLS is not broken, nor are the SSL certificates issued by Symantec
      • Users of OpenSSL versions 1.0.1 through (and including) 1.0.1f are affected
      • Advice for Businesses
          • Check your version of OpenSSL and either:
              • Recompile OpenSSL without the heartbeat extension
              • Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f
          • After moving to a fixed version of OpenSSL, contact the Certification Authority that issued your SSL certificates for a replacement
          • Finally, businesses should also consider resetting end-user passwords that potentially may have been visible in compromised server memory.
  • 4. Heartbleed OpenSSL Vulnerability 2
      • Advice for Consumers
          • Be aware that your sensitive data, such as passwords, may have been seen by a third party if the sites you visit used a vulnerable version of the OpenSSL library
          • Monitor any notices from the vendors or companies you use. Once a vendor has told you to change your passwords, please change them promptly
          • Watch out for potential phishing emails from attackers asking you to update your password.
          • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
          • Monitor your bank and credit card statements to check for any unusual transactions.
      • www.safeweb.com/heartbleed
  • 5. The month in numbers
      • Zero
      • 91%: the increase in targeted attack campaigns over 2012
      • 1 in 392: overall Phishing Rate
      • 6,787 New Vulnerabilities
      • 23 New 0-Day Vulnerabilities
      • 78% of Websites scanned found with vulnerabilities
      • 1 in 8 Websites have critical vulnerabilities
      • 1 in 566 Websites scanned found with malware
      • Ransomware attacks grew by 500% in 2013
  • 6. The month in numbers 2
      • Slow to fix vulnerabilities
          • 342 days: Education
          • 276 days: Healthcare
          • 274: Insurance
      • 158,000 Boxee.TV forum accounts leaked
      • 18 Months: Miss Teen USA's extortionist sentenced
  • 7. New Annoying Malware
      • Browlock ups the ransom price
          • Infections have increased
          • Uses JavaScript to prevent user from closing a browser tab
          • Poses as local law enforcement
      • Trojan.Zbot variant
          • Locks desktop by displaying multiple websites
          • Prevents users opening any other windows or files
          • Can be avoided using show desktop command
  • 8. Watering holes and Phishing attacks
      • Attackers infect Chinese takeaway menu to enter company's network
      • EA Games website hacked, hosting fake Apple phishing page
      • Grand Theft Auto V PC beta testers wanted
  • 9. Insider Threats
      • Angry ex-Microsoft employee leaked OS code
          • Worked at Microsoft for 7 years
          • Leaked to blogger as revenge after poor performance review
          • Charged with theft of trade secrets
      • UK supermarket Morrisons suffers data theft
          • Data stolen from staff payroll system and published online
          • "initial investigations suggest that this theft was not the result of an external penetration of our systems"
  • 10. Stranger than fiction
      • Triathlete wiped out by hacked camera drone
      • Man receives threats from his own printer
      • Prince Harry needs some new parquet floors at Buckingham Palace. Or does he?
      • US Army Commander causes widespread confusion in multiple agencies
  • 11. Good News
      • Hacked domain and website takeover of Ramshackleglam.com ends well
          • Risky sting pays off for tenacious blogger who was not helped by her hosting company or domain name registrar.
      • Five years on, UK agency fixes XSS vulnerability in their website
      • CryptoDefense criminals bundle encryption keys with Ransomware
  • 12. Link Glossary (Print screen now)
      • Heartbleed
          • http://www.symantec.com/outbreak
          • https://www.staysecureonline.com/heartbleed
          • https://ssltools.websecurity.symantec.com/checker/
          • www.safeweb.com/heartbleed
      • ISTR Resources Report: http://bit.ly/1ip92jU
      • ISTR Blog: http://bit.ly/1ip93UQ
      • Speed of different verticals to fix vulnerabilities: http://bit.ly/1iZMaEi
      • Hackers Lurking in Vents and Soda Machines (and menus): http://nyti.ms/1eyxmjM
      • Ramshackleglam hack: http://on.mash.to/1ip9gaC
      • ICO XSS Vulnerability: http://bit.ly/1mcxJk4
      • CryptoDefense Blog: http://bit.ly/1hLezT8
  • 13. Thank you!
      • Andrew Shepherd: [email protected] / +44 7912 552 896
      • Andrew Horbury: [email protected] / +44 7703 468 966 / @andyhorbury
      • Next webinar: Thursday 22nd May 2014, 9.30am UK / 10.30am CET
      • Copyright 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
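
The version check that slide 3 advises businesses to run, as an added example (not part of the Symantec deck): it classifies `openssl version -a` output against the range the slide lists (1.0.1 through 1.0.1f) and recognises a build without the heartbeat extension by the `-DOPENSSL_NO_HEARTBEATS` compile flag. The function name, status labels and sample strings are constructed for this example.

```shell
#!/bin/sh
# Added example. heartbleed_status TEXT prints one of:
#   affected | heartbeat-disabled | outside-listed-range | unknown
# TEXT is the output of `openssl version -a`.
heartbleed_status() {
    out=$1
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$out" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    if [ -z "$ver" ]; then
        echo unknown            # e.g. a different TLS library
        return 0
    fi
    ver=${ver%%-*}              # drop suffixes such as "-fips"
    case $ver in
        1.0.1|1.0.1[a-f])
            # A rebuild without the heartbeat extension records this
            # define on the "compiler:" line of `openssl version -a`.
            if printf '%s\n' "$out" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
                echo heartbeat-disabled
            else
                # Distribution packages may carry a backported fix under
                # an unchanged version letter; confirm with the changelog.
                echo affected
            fi ;;
        *)  echo outside-listed-range ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
for sample in \
    'OpenSSL 1.0.1e 11 Feb 2013' \
    'OpenSSL 1.0.1g 7 Apr 2014' \
    'OpenSSL 0.9.8y 5 Feb 2013'
do
    printf '%-28s -> %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# Check the local binary, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local openssl -> %s\n' "$(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi
```

The result only reflects the command-line binary on the PATH; a service linked against a separate or bundled copy of the library needs its own check.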