Gmail Phishing Emails

“Phishing” is the industry term for emails asking you to connect to a website to enter your security information, such as your username and password.  They frequently appear to be from someone you know, or from a reputable company warning you that your account is at risk.  For example, a common phishing scam involves an email warning you that “Your banking information may have been compromised, please click here to update your account password to avoid account closure.”  The scammers simply toss the emails onto the net and hope someone bites: hence “phishing.”

A new round of phishing emails purporting to relate to Google’s Gmail accounts is currently making the rounds, so here are a few handy tips to avoid falling victim to such scams:

  • Most reputable companies never email links to update passwords, since most reputable companies are well aware of phishing attempts, so your first impulse should always be to assume it is not a legitimate email.  Barring that:
  • If you receive an email asking you to update ANY information for a reputable site you use, NEVER CLICK the emailed links.  Simply open up the website via a bookmark or app (or however you normally access that website) and check to see if there’s any system notifications for you.
  • If you would like additional confirmation, do not reply to the email.  Go to the website and use its contact form or official email address, or call the company’s technical support, and ask for confirmation.
  • If the message is coming from the email address of someone you know, notify that individual via a different contact method (e.g. phone, Facebook, Twitter).  If their email address has been compromised, simply replying to their email will not work.

The individuals perpetrating phishing scams have very little to lose, since it only takes a few bites for them to make it profitable.  Avoiding being one of those bites is easy by following the simple steps above.

Microsoft Announces New Service – Windows Defender Advanced Threat Protection

Microsoft announced a new service called Windows Defender Advanced Threat Protection, which it calls the next step in its efforts to protect enterprise customers.

The service helps enterprises detect, investigate, and respond to advanced attacks on their networks, building on existing security features in Windows 10. There’s a new post-breach layer of protection.

“With a combination of client technology built into Windows 10 and a robust cloud service, it will help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations,” says Terry Myerson, Executive Vice President of Microsoft’s Windows and Devices Group.

“Just like we developed Windows 10 with feedback from millions of Windows Insiders, we worked with our most advanced enterprise customers to address their biggest security challenges, including attack investigations and day-to-day operations, to test our solution in their environments,” Myerson says. “Windows Defender Advanced Threat Protection is already live with early adopter customers that span across geographies and industries, and the entire Microsoft network, making it one of the largest running advanced threat protection services.”

Myerson discusses how the offering detects advanced attacks, its response recommendations, and how it complements Microsoft’s other threat detection solutions here.

Microsoft of course insists that all Windows users upgrade to Windows 10 to have their most advanced security features.

The post Microsoft Announces New Service – Windows Defender Advanced Threat Protection appeared first on SecurityProNews.

Read more here:: Security Pro News

Google Is Enhancing Google Drive’s Security and Privacy Controls For Businesses

Google says the number of paying organizations actively using Google Drive crossed a million earlier this year. The company is taking steps to improve security and privacy protection for Drive as well as Google Apps for Work and Google Apps for Education.

For one, Google Drive is getting enhanced eDiscovery for Google Apps Vault, which gives businesses more visibility and control over employee files. In other words, Drive will fall under the same retention policies and legal hold capabilities available for email and chat. Google says these capabilities will help businesses meet their legal obligations and ensure employee files are archived and available as long as needed, even if employees delete them from their Drive. This is in limited rollout and will be generally available in the coming months.

Google has also updated the Mobile Device Management (MDM) for Google Drive business customers, enabling businesses to monitor usage, enforce strong passwords, and enable device encryption. If a worker loses their phone or leaves the company, the data can be wiped. Business data can be wiped without wiping their personal data. Earlier this year, Google Drive debuted on comScore’s list of the top 25 mobile apps. In August, it was number 16 on the list.

Finally, Google is adding the new ISO/IEC 27018:2014 privacy standard to its compliance framework.

“This audit validates our privacy practices and contractual commitments to our customers, verifying for example that we don’t use your data for advertising, that the data that you entrust with us remains yours and that we provide you with tools to delete and export your data,” explains Google Drive Director of Product Management Scott Johnston.

In a post on the Google for Work blog, Head of Global Compliance Marc Crandall says:

We continuously work with independent auditors to verify our data protection commitments. For example, over the years we’ve completed third-party SOC2 / SOC3 security audits and achieved ISO 27001 certification to provide transparency and accountability around our security procedures.

The 27018 audit also validates that our Google Apps data protection commitments meet a rigorous international privacy and data protection standard. We think that this is a great step forward for both our customers and for the industry. While laws and regulations vary from country to country, the principles set forth in the standard are widely recognized.

Independent auditor Ernst & Young has verified Google’s privacy practices and contractual commitments for Google Apps for Work and Google Apps for Education comply with the new standard.

The post Google Is Enhancing Google Drive’s Security and Privacy Controls For Businesses appeared first on SecurityProNews.


Email Marketing, Shipping & Security Features Were Recently Added To GoDaddy’s Online Store

GoDaddy announced the integrations of GoDaddy Email Marketing, Shippo, and McAfee Secure Certification with GoDaddy Online Store to help users grow their small businesses without having to “deal with disparate technologies.”

“GoDaddy Email Marketing will help small business owners easily communicate with current customers and start relationships with prospects,” a spokesperson for the company tells WebProNews. “Shippo will give Online Store users a single dashboard to manage and track orders, print shipping labels, and offer small businesses shipping rate discounts which gives a leg up against other sites that attract customers with promises of low cost shipping. Lastly the McAfee SECURE trustmark will help ensure the security and safety of GoDaddy online stores to visitors.”

GoDaddy Online Store first launched last year, and now has over 40,000 customers.

The email marketing integration will enable small businesses to easily collect email addresses, manage contacts, and send email campaigns. This and the other features join previously released updates like integration with Facebook stores (through a partnership with Shopial) and the inclusion of customer reviews (via a partnership with Yotpo).

“We created Online Store to make it easier for small businesses to build ecommerce websites. We are proud to expand our offering with GoDaddy Email Marketing integration, Shippo, and McAfee SECURE certification,” said Lauren Antonoff, SVP Presence & Commerce at GoDaddy. “We are constantly working to provide tools that improve the lives of small business owners who need our products to work without having to sift through technical details. Online Store answers this call for functionality without hassle; our customers will now be able to easily keep in touch with and better serve their customers, driving more repeat business.”

GoDaddy Online Store is available to small businesses in the US, UK, Canada, Australia, New Zealand, Ireland, Philippines, Singapore, and India.

The post Email Marketing, Shipping & Security Features Were Recently Added To GoDaddy’s Online Store appeared first on SecurityProNews.


Should You Be Using Flash?


The writing has been on the wall for quite a while. Flash is dying a slow death, yet it continues to gasp for air. After some new vulnerabilities were discovered, many have been calling for the plug to be pulled.

Facebook’s Chief Security Officer called for its demise the other day.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” he said. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”

Then Mozilla blocked all versions of Flash in Firefox after security researchers discovered unpatched vulnerabilities affecting various operating systems.

Yes, this was temporary. Adobe issued an update on Tuesday about a resolution for the vulnerabilities. Here’s the company’s statement in full:

A few days ago we were notified of two vulnerabilities within the Flash Player that could potentially allow an attacker to take control of an affected system. Upon investigation, we confirmed and fixed the issues, and took steps to ensure that this class of attack cannot be used as a future attack vector.

We released an update to Flash Player this morning, and are proactively pushing the update out to users. We are also working with browser vendors to distribute the updated player.

We would like to thank Dhanesh Kizhakkinan of FireEye and Peter Pi of TrendMicro and slipstream/RoL for reporting the issues and working with us to help us quickly address them.

Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers. We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered.

We continue to partner with browser vendors to both improve Flash Player security as well as invest in, contribute to and support more modern technologies such as HTML5 and JavaScript.

Nothing in there about killing Flash. Still, the calls for its death continue.

Wired, one of the most well known magazines in tech, published an article on Wednesday called, “Flash. Must. Die.” In that, the technology is called “That insecure, ubiquitous resource hog everyone hates to need.”

The headlines related to Flash are rarely positive. Earlier this year, YouTube deprecated Flash embeds and its Flash API. Then Google started automatically converting Flash ads to HTML5. Flash can potentially hurt websites in search rankings. Google even announced that it would try to save people’s laptop batteries by pausing Flash in Chrome.

Despite the wide disdain for Flash, it’s still being very heavily used in advertising. We recently looked at a study from Sizmek, which called this a “major issue”.

What’s happening is that Flash ads that would otherwise be dynamic are appearing as static images on mobile devices, and this can ultimately cost the advertiser clicks and conversions.

“This raises questions as to whether or not marketers are aware of how many of their ads are not being seen properly and how much ad spend they are wasting,” a spokesperson for the firm tells WebProNews.

“As mobile inventory grows, the channel is also changing, particularly in the realm of rich media. The days of Flash-supported inventory on mobile devices are numbered,” the report says. “iOS devices have never had native Flash support, and it’s been six full operating system versions since Android devices supported Flash. This means that only 11% of Android devices are capable of supporting Flash, and those devices are running significantly out-of-date software. Because mobile support for Flash inventory is nearly extinct, rich media ad formats that rely on Flash are likely to default – or revert to a single, static image – nearly 100% of the time. This means 5.35 billion rich media impressions served to mobile devices were squandered in Q1 of 2015 alone.”

According to Sizmek’s findings, only 8.3% of HTML5 impressions defaulted, while these formats represent less than half of rich media ads served to mobile devices.

“The Flash mobile default problem isn’t exclusive to just a few advertisers,” the report notes. “Among campaigns that served at least 1 million impressions in Q1, the average default rate was 35.2%. Many advertisers had it much worse than that – 36% of the advertisers in this sample defaulted much more than average, including the 12% of advertisers that never successfully served a rich media ad to a mobile device. The rate of rich media failure was much lower on desktop inventory, where 60% of advertisers defaulted at a rate of less than 3%.”

You can take a look at the full report here.

The post Should You Be Using Flash? appeared first on SecurityProNews.


No, we do not “data-cap” our customers…


You may have heard that a Nova Scotia ISP has recently decided to put a data-cap on their clients, meaning that clients have a maximum number of bytes they can download before getting charged overage fees.  We think that’s just plain crazy, and would like to reassure you that there is NO DATA CAP on our internet services.  You can download as much as you want, whenever you want.  You will never have to live in fear of “using the internet too much” as an Authcom client.  Click here for pricing, or click here to contact us.

Dropbox Is now Used By Over Eight Million Companies


Dropbox is celebrating its 8th birthday by sharing a bunch of stats, including the fact that it has surpassed 400 million registered users. According to the company, users are taking Dropbox to work at over 8 million businesses. They also have 100,000 actual Dropbox for Business customers.

“It’s been eight years since Drew Houston submitted his Y Combinator application in the summer of 2007,” a spokesperson for Dropbox said in an email. “Today, Dropbox is excited to announce that they now have more than 400 million registered users. There are now 50 countries around the world in which at least 1 million individuals have Dropbox accounts.”

“While it started off as a way to give people simple, secure access to their files anytime, anywhere, today Dropbox has become a place where people create amazing things together,” they added. “There’s a shift in how people are using our products: over a quarter of our users are using Dropbox to create, share, and collaborate on content.”

According to the company, users sync 1.2 billion files every day, create over 100,000 new shared folders and links every hour, and make 4,000 edits every second.

“When Dropbox for Business first launched, companies used Dropbox primarily for on-the-go access and backup. But over the past two years, we’ve seen their usage of Dropbox evolve,” the spokesperson said. “Today, companies like National Geographic use Dropbox to share tens of thousands of large images from far flung locations with their photo editors in Washington, D.C. and Under Armour uses Dropbox to exchange large design files with its manufacturing partners in Asia, increasing the speed of production and reducing the time it takes to bring new fashions to the market.”

Here’s an infographic showing Dropbox’s progress over the years:

Of its business tools, the company said in a blog post, “We’re committed to building simple, secure technology for businesses that employees love using. Over the past year, we’ve brought you a better way to manage teams with Groups, better sharing controls, and powerful integrations with best-in-class tools for eDiscovery, DLP, and other business-critical applications thanks to the Dropbox for Business API. And just today we announced more management and security features for IT.”

Dropbox has ten global offices and a team of over 1,200 people.

The post Dropbox Is now Used By Over Eight Million Companies appeared first on SecurityProNews.


Take a Look At How Various Industries View Security

Biscom shared some results of a new IT Survey finding that although regulated industries say security is a high concern, many are still using solutions that are inadequate for protecting their data.

The survey compared attitudes and behaviors related to enterprise security across 13 industries including healthcare, financial services, retail, computer hardware, software, and manufacturing. Security concerns have only gotten higher across those mentioned.

Tools and protocols vary greatly across industries, but all sectors see security as critical, and “need it to be core features of their file synchronization products” the survey finds.

“Our survey confirmed what we were already starting to see: that security will be the key focus in all areas of business for 2015,” said Biscom CEO Bill Ho. “The data breaches within the past year have shown us that all businesses are increasingly at risk and should be actively assessing tools and processes which can help reduce their exposure.”

70% of respondents in the survey said security was the top feature they looked for in file transfer. While 60% said they use SFT to transfer files at work, 86% said they use email. 51% said they still use FTP. 72% name security as “critical” for sync and share services like Google Drive and Dropbox.

According to Biscom, the healthcare industry is one of the most polarizing in terms of security as the industry is extremely concerned about security, but it’s the least likely to use the most secure methods for storing, syncing, and sharing data.

The financial services industry is the most secure, based on the survey’s findings.

You can learn more from the survey here.

The post Take a Look At How Various Industries View Security appeared first on SecurityProNews.


The Best Form of Web Application Security Scans

Automatic versus manual. It is a heavily debated subject whatever field you speak of, and it is no different in the web application security industry. Should you do a manual penetration test or automatically scan all your websites with an automated web application security scanner? With which process would you find the most vulnerabilities, and which one has the best return on investment?

In reality you need a bit of both. Actually, with today’s complex web applications you cannot do without automation. By automating the majority of a penetration test, i.e. scanning your website with a web vulnerability scanner, you ensure that the security audits are more accurate, detect more vulnerabilities and save time. And when you save time you keep costs low and have enough time to finalize the penetration test with a manual check for logical vulnerabilities.

In this article I will walk you through the different stages of a web application penetration test, which helps highlight the fact that automation is a must in web application security.

Web Application Coverage – Identifying the Attack Surface

The first thing you do before auditing the security of a website is find all the possible attack surfaces, or, as they are also called, possible points of entry. Attack surfaces can be input fields such as those found in contact forms, shopping carts and login forms, parameters in the URL, and also hidden parameters in the code. Keep in mind that a typical medium-sized modern web application can have hundreds or even thousands of such inputs, many of which are very difficult to identify.

An automated web application security scanner such as Netsparker has a crawler component which is specifically built for this purpose: to crawl the web application and identify all possible attack surfaces so they can be checked for cross-site scripting, SQL injection and other types of web application vulnerabilities and security issues. Typically the scanner crawls such a website in less than an hour and automatically identifies all attack surfaces. Would you do this manually? In theory, yes you can. In practice? Definitely not! It would take days, even weeks, for a seasoned penetration tester to accomplish such a task, not to mention the high chance of missing input fields.

It is very important to identify all possible attack surfaces, else not all can be tested. And a malicious attacker only needs to find one vulnerable input field to hack a web application.
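As an added illustration of the attack-surface inventory described above (this is example code written for this page, not Netsparker’s crawler or anything from the original article), the script below walks one HTML page with the Python standard library and lists the points of entry the text names: form fields including hidden ones, query-string parameters in links, and the URL each form submits to. The page it parses is constructed inline, and the base URL `https://example.test/` is an assumption.

```python
# Added example: a stdlib-only attack-surface inventory for a single HTML page.
# It does not send any requests; the SAMPLE_HTML below is constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

SAMPLE_HTML = """<html><body>
<form action="/contact" method="post">
  <input type="text" name="name"><input type="email" name="email">
  <textarea name="message"></textarea>
  <input type="hidden" name="csrf_token" value="abc">
  <input type="hidden" name="discount_code" value="">
</form>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="/product?id=42&ref=home">Widget</a>
<a href="https://example.test/search?q=flash">Search</a>
<a href="/about">About</a>
</body></html>"""


class SurfaceParser(HTMLParser):
    """Collects form fields and link parameters while walking the HTML."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []        # each: {"action": url, "method": str, "fields": [(name, kind)]}
        self.url_params = {}   # absolute URL without query -> set of parameter names
        self._form = None      # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action", "")),
                          "method": a.get("method", "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):
                # hidden inputs are still server-side parameters, so record their type
                kind = a.get("type", "text") if tag == "input" else tag
                self._form["fields"].append((a["name"], kind))
        elif tag == "a" and a.get("href"):
            parsed = urlparse(urljoin(self.base_url, a["href"]))
            params = parse_qs(parsed.query, keep_blank_values=True)
            if params:
                key = parsed._replace(query="", fragment="").geturl()
                self.url_params.setdefault(key, set()).update(params)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def inventory(html, base_url):
    """Return a flat list of (location, parameter, kind) entries for the page."""
    p = SurfaceParser(base_url)
    p.feed(html)
    entries = []
    for f in p.forms:
        for name, kind in f["fields"]:
            entries.append((f"{f['method'].upper()} {f['action']}", name, kind))
    for url, names in p.url_params.items():
        for name in sorted(names):
            entries.append((f"GET {url}", name, "query"))
    return entries


if __name__ == "__main__":
    found = inventory(SAMPLE_HTML, "https://example.test/")
    for loc, name, kind in found:
        print(f"{loc:36} {name:15} {kind}")
    hidden = [e for e in found if e[2] == "hidden"]
    print(f"{len(found)} parameters, {len(hidden)} of them hidden fields easy to miss by hand")
```

Pointing the same parser at every page a crawler fetches, and merging the results, gives the per-parameter worklist that the later sections of the article reason about.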

Identifying Vulnerabilities and Security Flaws in a Timely Manner

During an automated web application security scan each possible attack surface is checked for hundreds of different vulnerabilities within a few hours. As with the crawling, it is impossible to do such a task manually.

A typical modern, small web application can contain at least 100 possible attack surfaces. If it takes a security professional at least a minute to complete each test (and he needs to be really good and quick to do it that fast), it will still take him around 83 working hours to test each input parameter for at least 50 different vulnerability variants. That is roughly 10 man days of checking for routine things: an unsustainable amount of time and an unsustainable task.

We humans are prone to making mistakes, especially when we do repetitive yet complex work, while automated tools are built to do exactly that. Take advantage of such tools and always automate the repetitive in web application security.

Identifying More Web Application Vulnerabilities

If a web application is audited manually, the security audit is limited to the knowledge of the penetration tester. On the other hand, a heuristic web application security scanner has a vast list of web application vulnerabilities and security checks that is backed by a whole team of security engineers and researchers that regularly update it to include new attack vectors, bypasses and security checks.

Identifying Low Hanging Fruit Vulnerabilities

Many security professionals claim that automated tools will only identify low hanging fruit and technical vulnerabilities. True, but history has shown us that the majority of successful web application attacks exploited a technical vulnerability such as SQL Injection or Cross-site Scripting. Very rarely have attackers exploited logical vulnerabilities.

This does not mean you should ignore logical vulnerabilities, but you should automate the repetitive and use the saved time to identify logical vulnerabilities. If you try to do both manually you will not manage to keep up with the development of the web application and the myriad of new attack variants.

Identifying Logical Vulnerabilities

There are two types of web application vulnerabilities, logical and technical vulnerabilities. Technical vulnerabilities are vulnerabilities in the code which can be identified by automated tools, such as the popular SQL Injection and Cross-site Scripting vulnerabilities. Logical vulnerabilities are vulnerabilities in the logic of the web application and not the code, hence only a person who is familiar with the scope of the web application can identify such vulnerabilities.

What is a Logical Vulnerability?

An advertising agency launches a promotion that gives away $100 to anyone who buys $100 worth of adverts. However, even when users buy less than $100 worth of advertising, the web application still gives away the free $100. Even though this is not a vulnerability in the code of the web application, it is still a vulnerability which attackers can abuse.
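The promotion flaw above, as an added example that is not part of the original article. The article does not say why the check fails, so this code assumes one plausible cause: the credit is granted against the cart’s listed subtotal rather than the amount actually charged after a discount code is applied. The point it makes is the article’s own: a scanner that knows nothing about the “$100 for $100” rule cannot flag either version, whereas a few boundary cases written by someone who knows the intended rule catch it immediately.

```python
# Added example: a business-logic (not code-level) flaw in a promotion check.
# The cause modelled here is an assumption; the article only states the symptom.
from dataclasses import dataclass

PROMO_THRESHOLD = 100.00   # "buy $100 worth of adverts"
PROMO_CREDIT = 100.00      # "...and get $100 free"


@dataclass
class Order:
    subtotal: float          # listed price of the adverts in the cart
    discount: float = 0.0    # value removed by a coupon or discount code
    credit: float = 0.0      # promotional credit granted (set by the grant functions)

    @property
    def charged(self):
        """Amount the customer actually pays."""
        return max(self.subtotal - self.discount, 0.0)


def grant_promo_flawed(order):
    """Flawed: compares the listed subtotal, which a discounted buyer never paid."""
    if order.subtotal >= PROMO_THRESHOLD:
        order.credit = PROMO_CREDIT
    return order


def grant_promo_fixed(order):
    """Fixed: the rule says 'buy $100 worth', so test the amount actually charged."""
    if order.charged >= PROMO_THRESHOLD:
        order.credit = PROMO_CREDIT
    return order


def violates_rule(order):
    """The business rule written independently of either implementation."""
    return order.credit > 0 and order.charged < PROMO_THRESHOLD


# Constructed boundary cases a reviewer who knows the promotion would try.
CASES = [
    Order(subtotal=100.00),                  # exactly the threshold, no discount
    Order(subtotal=99.99),                   # just under the threshold
    Order(subtotal=100.00, discount=50.00),  # listed $100, actually paid $50
    Order(subtotal=150.00, discount=60.00),  # listed $150, actually paid $90
    Order(subtotal=0.00),                    # empty cart
]


def audit(grant):
    """Run every case through a grant function and return the orders that break the rule."""
    fresh = (Order(c.subtotal, c.discount) for c in CASES)
    return [o for o in (grant(o) for o in fresh) if violates_rule(o)]


if __name__ == "__main__":
    print("flawed version leaks credit on:", audit(grant_promo_flawed))
    print("fixed version leaks credit on: ", audit(grant_promo_fixed))
```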

Scanning Many Web Applications and Keeping Them Secure

The problem of identifying vulnerabilities and security flaws in web applications gets much worse when you have tens or even hundreds of web applications. In such cases it is neither viable nor practical to do manual penetration tests. How can you quickly identify all the vulnerable web applications in case of a vulnerability outbreak, such as Heartbleed? A desktop based web application security scanner will not scale up and do the job. Instead you should look into an online web application security scanner, which is purposely built to scale up and has the necessary tools to allow teams to collaborate and ensure all vulnerabilities are remediated before they are exploited by malicious hackers.

Web Application Security Convenience

Nowadays businesses heavily depend on web applications. New functionality is frequently being added to web applications to keep up with the business requirements. Every change that is applied should be tested prior to being implemented on the live servers. If you have an easy to use web application security scanner your own employees can scan the new web application changes and remediate any vulnerabilities the scanner reports prior to it being used in a live environment, without slowing down the deployment process.

You Need Automated Web Security Tools to Complete the Job

The benefits of automated tools can be many when it comes to web application security. Apart from saving time and ensuring accurate penetration tests, you can also save on budget too. If you use an easy to use and false positive free web application security scanner your own QA and testing teams can do the vulnerability scans, even if they are not web security experts. Since the scanner’s results are accurate they do not have to verify its findings so no training is required.

Emulate Malicious Hackers – Hack Your Website

Malicious hackers do not have access to the web application’s code, so they use automated black box scanners to scan websites in the hope of identifying vulnerabilities. Unfortunately, most of the time they do identify vulnerabilities. As a matter of fact, many internet security and monitoring organizations claim that at least one website is hacked every five seconds.

Therefore, emulating malicious hackers by using a web application security scanner to identify vulnerabilities in your own websites and web applications is the best way to go about it. There is definitely no better way to secure your web applications.

Web Application Security Done Right

To recap, it is humanly impossible and unsustainable to manually audit a modern web application and check whether it is vulnerable to every type of known and unknown vulnerability without making a mistake or within a respectable time frame. At the same time it is impossible for an automated tool to find all vulnerabilities. A perfect example is the OWASP Top 10 list. As explained in An Automated Scanner That Finds All OWASP Top 10 Security Flaws, you have to do both automated scans and manual audits to identify all the vulnerabilities listed in the OWASP Top 10. Therefore, even if you are thinking of hiring a penetration tester rather than doing the job yourself, if they do not use automated web security tools I recommend you look somewhere else.

In web application security automated tools should not and will not replace the human factor, but the human alone cannot do a good job without using automated web security tools.

The post The Best Form of Web Application Security Scans appeared first on SecurityProNews.
