Daily Archives: February 6, 2020

Women in Payments: Q&A with Amy Zirkle

We at the PCI Security Standards Council believe strongly that there is a need for more women in cybersecurity, and in 2020 we are pleased to be launching the second blog post in the Women in Payments: Closing the Gender Gap in Payment Security series. This series will profile a different woman in our industry each month and highlight her remarkable career as well as her guidance and advice to other women on how to develop a career path in cybersecurity. Today we profile Amy Zirkle, Vice President, Industry Affairs at Electronic Transactions Association (ETA).

Protecting users from insecure downloads in Google Chrome

Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.
Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.
As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.
We plan to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. Our plan for desktop platforms is as follows:

  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 82 (released April 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 83 (released June 2020):
    • Chrome will block mixed content executables.
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 84 (released August 2020):
    • Chrome will block mixed content executables, archives and disk images.
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 85 (released September 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text.
    • Chrome will block all other mixed content downloads.
  • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
Example of a potential warning
Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.
Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
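As an added illustration (this is not Chrome's or Google's code), the script below audits a list of download links gathered from an HTTPS page and reports which ones Chrome will warn on or block, and from which release, according to the schedule above. The tier names and the extension lists are assumptions chosen to match the examples in the post (.exe, .zip, .iso and image/audio/video/text formats); Chrome's own internal lists are not reproduced here, and the sample links are constructed for the demonstration.

```python
"""Added example (not Chrome's or Google's code): classify the download links
found on an HTTPS page by the Chrome 81-86 mixed-content download schedule
described above.  Tier names and extension lists are assumptions chosen to
match the examples in the post; Chrome's internal lists are not reproduced."""
import posixpath
from urllib.parse import urljoin, urlsplit

# tier -> (first release that warns, first release that blocks), from the post
SCHEDULE = {
    "executable": (82, 83),
    "archive_or_disk_image": (83, 84),
    "other": (84, 85),
    "media_or_text": (85, 86),
}

# Assumed extension lists; only .exe, .zip and .iso are named in the post.
EXTENSIONS = {
    "executable": {"exe", "msi", "bat", "cmd", "scr", "dmg", "pkg", "apk"},
    "archive_or_disk_image": {"zip", "7z", "rar", "tar", "gz", "iso", "img"},
    "media_or_text": {"jpg", "jpeg", "png", "gif", "webp", "mp3", "wav",
                      "mp4", "webm", "txt"},
}


def classify_download(page_url, href):
    """Return None when the link is not a mixed-content download, otherwise a
    dict with the resolved URL, its tier, the releases that warn/block it and
    the https: URL to switch to."""
    if urlsplit(page_url).scheme != "https":
        return None  # the post only covers downloads started on secure pages
    target = urlsplit(urljoin(page_url, href))
    if target.scheme != "http":
        return None  # relative, https:, data: and blob: URLs are not mixed content
    ext = posixpath.splitext(posixpath.basename(target.path))[1].lstrip(".").lower()
    tier = next((name for name, exts in EXTENSIONS.items() if ext in exts), "other")
    warn, block = SCHEDULE[tier]
    return {
        "url": target.geturl(),
        "tier": tier,
        "warn_from": warn,
        "block_from": block,
        "fix": target._replace(scheme="https").geturl(),
    }


def audit_download_links(page_url, hrefs):
    """Audit hrefs (e.g. gathered from a[href] on the page) and return the
    mixed-content ones, soonest-blocked first."""
    findings = [f for f in (classify_download(page_url, h) for h in hrefs) if f]
    return sorted(findings, key=lambda f: f["block_from"])


if __name__ == "__main__":
    # Constructed sample input, not links from a real site.
    SAMPLE_LINKS = [
        "http://downloads.example.com/setup.exe",
        "http://downloads.example.com/backup.zip",
        "http://downloads.example.com/photo.jpg",
        "http://downloads.example.com/report.pdf",
        "/files/report.pdf",                       # relative: resolves to https
        "https://downloads.example.com/tool.exe",  # already secure
    ]
    for f in audit_download_links("https://www.example.com/downloads", SAMPLE_LINKS):
        print(f"{f['url']}: {f['tier']}, warns from Chrome {f['warn_from']}, "
              f"blocked from Chrome {f['block_from']}; serve it as {f['fix']}")
```

Two caveats when using a static check like this: it cannot see an https: link whose server redirects to http:, where the file still arrives in plaintext, so confirm the full redirect chain with an HTTP client before signing a site off; and downloads triggered from script rather than from an anchor's href will not appear in the list you feed it.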
Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.
In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.

The coronavirus outbreak is being used to spread malware

Cyber criminals are exploiting the public’s fear of the Wuhan coronavirus outbreak in a new phishing scam, researchers have learned.

Experts at IBM discovered a spate of phishing emails being sent to Japanese citizens, asking them to open an attached Word document supposedly containing details of infections in the country’s main island.

The email reads:

Department of Health Services

For the new type coronavirus-related pneumonitis, patients are reported in the heart of Wuzhen City, China. Patients are also being reported in Gifu Prefecture in Japan.

Therefore, please check the attached notice.

Thank you for your infection prevention measures.

Those who open the attachment are asked to enable macros. That is a warning sign in itself: hiding the malicious code in the document's macros is one of the tricks scammers use to bypass spam filters, and the payload runs only once the recipient clicks through and enables them.

In this case, the macros deliver the Emotet banking Trojan. Once on your system, it can enrol the machine in a botnet, steal sensitive information and harvest your passwords.

Phishing Word Document with Macros

Predictable attack

It’s no surprise that cyber criminals are exploiting coronavirus in a scam like this. Topical stories are often used in phishing emails, as there is an in-built sense of urgency that can make it more likely that a recipient will ignore their instincts and click a malicious link.

One of the most common examples of this is the wave of phishing emails sent around tax season, but you are just as likely to find similar scams in the run-up to Christmas or whenever there is a major news story, such as an election or a sports event.

NFL fans have recently had to be on the lookout for Super Bowl scams, while this side of the Atlantic has had Brexit phishing emails to worry about.

Many will point to the insensitivity of using coronavirus for something as comparatively trivial as a phishing scam, but unfortunately criminals will use whatever topics they can to make money.

They are aware that any news on coronavirus will get an emotional response. At the time of writing, more than 550 people have died from the disease and another 3,500 are in critical condition.

The scam is likely to be particularly alarming in Japan, which recently confirmed 20 infections aboard a cruise ship that’s moored off the port of Yokohama.

How to prevent phishing scams

Even though cyber criminals are increasingly tapping into our fears, it can still seem unlikely that scams like this would work. Awareness of phishing is at a record high, popular targets like Amazon have dedicated phishing prevention pages, and many bogus emails do a poor job of imitating their target.

It’s yet to be seen how successful this coronavirus scam will be, but based on past cases, plenty of people will fall victim.

So how can you keep yourself safe? Spam filters are the obvious starting point, and most email systems have one in place, but they are never foolproof.

Likewise, staff awareness training is a great way of teaching staff to spot the signs of a phishing email, but again, that is not something you can rely on. Staff can easily forget what they have learned in the heat of the moment, especially when scams are designed to elicit a sense of urgency, as was the case here.

Instead, combine both of those with an ongoing culture of security in your workplace: remind employees regularly about the threat of phishing, encourage them to check with a colleague when they are unsure whether a message is legitimate, and implement technical controls that limit the impact of an infection, such as scanning every file that is downloaded or received as an attachment.
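One such control, shown here as an added example that is not from the IT Governance post or from IBM's research, is a gateway-style check that flags Office Open XML attachments carrying VBA macros, the lure used in the campaign described above. Rather than trusting the file extension, it opens the document as the zip container it is and looks for the macro part and the macro-enabled content type. The two sample documents are constructed in memory for the demonstration and are not real samples from the campaign.

```python
"""Added example (not the post's or IBM's code): flag Office Open XML
attachments that carry VBA macros by inspecting the zip container, not the
file name.  Sample documents are built in memory and are not real samples."""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = ("application/vnd.openxmlformats-officedocument"
                      ".wordprocessingml.document.main+xml")


def inspect_office_file(data, filename="attachment"):
    """Return a report for an OOXML file.  'verdict' is one of 'not_ooxml',
    'clean' or 'macro'; 'reasons' lists what was found."""
    report = {"filename": filename, "verdict": "clean", "reasons": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
    except zipfile.BadZipFile:
        report["verdict"] = "not_ooxml"
        report["reasons"].append("not a zip container")
        return report
    if "[Content_Types].xml" not in names:
        report["verdict"] = "not_ooxml"
        report["reasons"].append("no [Content_Types].xml part")
        return report
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    # 1. the VBA project part is where the macro code actually lives
    if MACRO_PART in names:
        report["reasons"].append(f"contains {MACRO_PART}")
    # 2. Word offers 'Enable Content' based on the declared content type
    if MACRO_CONTENT_TYPE in content_types:
        report["reasons"].append("declares macro-enabled content type")
    # 3. macro-enabled content under a .docx name is an extension/content mismatch
    if report["reasons"] and filename.lower().endswith(".docx"):
        report["reasons"].append("macro-enabled content under a .docx name")
    if report["reasons"]:
        report["verdict"] = "macro"
    return report


def build_sample(macro):
    """Construct a minimal OOXML document in memory (constructed test data,
    not a real Word file); with macro=True it carries a stub VBA part."""
    main_ct = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
            '</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0")  # OLE2 magic only, no real VBA
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("notice.docx", build_sample(False)),
        ("notice.docm", build_sample(True)),
        ("notice.docx", build_sample(True)),   # macro content hiding behind .docx
        ("notice.docx", b"not a document"),
    ]
    for name, data in samples:
        r = inspect_office_file(data, name)
        print(f"{name}: {r['verdict']} {'; '.join(r['reasons'])}")
```

This check covers only VBA in the zip-based OOXML formats. Legacy binary .doc files need an OLE parser (for example oletools' olevba), and techniques that do not use vbaProject.bin at all, such as remote template injection via an external relationship, need their own rules; treat a macro verdict as one signal for quarantine or detonation, not as a complete scan.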

Phishing prevention shouldn’t ever be left to one person or one solution. It takes the organisation working as a whole to keep everyone safe.


The post The coronavirus outbreak is being used to spread malware appeared first on IT Governance UK Blog.

Why secure your IoT Devices?

Introduction to IoT This blog describes one of the current disruptive technologies in the market, i.e. IoT (Internet of Things) devices. The Internet of Things (IoT) is the network of connected physical devices, vehicles, appliances and everyday objects that can collect and share information without human intervention. Due to IoT…