Cyber incidents are fast moving and increasing in number and severity. When a cyber incident occurs, the attacked enterprise responds with a set of predetermined actions. Get trending information on exploits and vulnerabilities every week to help your organisation be better equipped to avoid becoming a victim of cybercrime. Anglo African brings you the weekly cyber-attack news wrap-up and remedy tips to support your business in defending against hackers.
In what is being called the largest Google account breach to date, more than a million Android users are at risk from a malware family called Gooligan, which lets hackers root their devices remotely. Researchers from Check Point say they have stumbled upon this family of Android-based malware, which has been found in at least 86 apps available in third-party marketplaces.
An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves countless devices wide open to hijacking, it is claimed. The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we’re told. If your camera is one of the at-risk devices, and it can be reached on the web, then it can be attacked, infected with malware and spied on.
In 2016, drone technology entered the mainstream and can now be used for aerial photography, media filming, law enforcement surveillance and – if the promises from pioneering digital giants like Amazon come to fruition – home deliveries. Yet as more of these small flying devices take to the skies, cybersecurity experts are warning that they will inevitably become an open target for hackers. In what is being dubbed “dronejacking”, experts say cybercriminals are likely already looking at ways to exploit these devices.
Amazon customers are being urged to keep their wits about them in the run-up to the festive season following reports of a new scam targeting shoppers. Fraudsters have been tricking Amazon customers into purchasing Amazon gift cards and then sending the codes as “payment” for goods that never turn up. Amazon, meanwhile, appears unable to step in on the issue. Amazon is currently stepping up attempts to fight fraud on its online superstore, where it’s currently waging war against fake merchants peddling counterfeit wares as well as customers offering five-star reviews in return for free products.
Protect your website from hackers through the following tips:
You may not think your site has anything worth being hacked for, but websites are compromised all the time. Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software.
Keep software up to date
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.
SQL injection
A SQL injection attack is when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you build a query as standard Transact-SQL text that includes user input, it is easy for rogue code to end up in the query without you noticing, and that code could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.
XSS
Cross-site scripting (XSS) is when an attacker tries to pass JavaScript or other scripting code into a web form in an attempt to run malicious code for visitors of your site. When creating a form, always ensure you check the data being submitted and encode or strip out any HTML.
Error messages
Be careful with how much information you give away in your error messages. For example, if you have a login form on your website, you should think about the language you use to communicate failure when attempting logins. You should use generic messages like “Incorrect username or password” so as not to reveal when a user got half of the query right. If an attacker tries a brute force attack to get a username and password and the error message gives away when one of the fields is correct, then the attacker knows he has one of the fields and can concentrate on the other field.
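A login check that gives away which field was wrong, next to one that returns the same message for every failure, as an added example that is not from the original article. The account store, function names and PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Incorrect username or password"

def _hash(password, salt):
    # PBKDF2 from the standard library; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample account store; a real site would read this from its database.
USERS = {"alice": _record("correct horse battery staple")}
# Stand-in record so unknown usernames cost the same hashing work as known ones.
_DUMMY = _record("unused placeholder")

def login_leaky(username, password):
    """Weak version: the message says which field was wrong."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    if not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return False, "Wrong password"
    return True, "Welcome"

def login(username, password):
    """Corrected version: one message for every kind of failure."""
    record = USERS.get(username)
    candidate = record if record is not None else _DUMMY
    matches = hmac.compare_digest(
        _hash(password, candidate["salt"]), candidate["hash"]
    )
    if record is not None and matches:
        return True, "Welcome"
    return False, GENERIC_ERROR
```

Hashing against the stand-in record keeps the response time for an unknown username close to that of a known one, so timing does not give away what the message hides.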
Server side validation/form validation
Validation should always be done on both the browser and the server side. The browser can catch simple failures such as mandatory fields left empty or text entered into a numbers-only field. These checks can, however, be bypassed, so you should make sure you repeat them, along with deeper validation, on the server side. Failing to do so could lead to malicious code or scripting code being inserted into the database, or could cause undesirable results in your website.
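Server-side checks for a submitted form, combined with the HTML encoding described in the XSS tip above, as an added example that is not from the original article. The field names, limits and function names are assumptions chosen for illustration.

```python
import html
import re

# Letters, spaces, apostrophes and hyphens, 1 to 50 characters (example rule).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,49}")

def validate_form(form):
    """Re-check every field on the server; return (cleaned, errors)."""
    cleaned, errors = {}, {}

    name = form.get("name", "").strip()
    if not name:
        errors["name"] = "required"
    elif not NAME_RE.fullmatch(name):
        errors["name"] = "invalid characters or too long"
    else:
        cleaned["name"] = name

    age = form.get("age", "").strip()
    # A numbers-only field in the browser proves nothing about what arrives here.
    if not (age.isascii() and age.isdigit() and 0 < int(age) < 130):
        errors["age"] = "must be a whole number between 1 and 129"
    else:
        cleaned["age"] = int(age)

    comment = form.get("comment", "")
    if not 1 <= len(comment) <= 500:
        errors["comment"] = "must be 1 to 500 characters"
    else:
        cleaned["comment"] = comment

    return cleaned, errors

def render_comment(cleaned):
    # Encode at output time so any markup in the stored text is shown as text
    # instead of being interpreted by the visitor's browser.
    return "<p><b>{}</b> ({}): {}</p>".format(
        html.escape(cleaned["name"]),
        cleaned["age"],
        html.escape(cleaned["comment"]),
    )
```

Validation decides whether a value is acceptable for its field; encoding decides how it is displayed. Free-text fields such as the comment need both, because length checks alone do not stop markup from being submitted.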
Passwords
Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.
SSL
SSL is a protocol used to provide security over the Internet. It is a good idea to use a security certificate whenever you are passing personal information between the website and web server or database. Attackers could sniff for this information and, if the communication medium is not secure, could capture it and use it to gain access to user accounts and personal data. Use an SSL certificate.
Website security tools
Once you think you have done all you can, it’s time to test your website security. The most effective way of doing this is with website security tools, an activity often referred to as penetration testing, or pen testing for short.
Intrusions happen, threats emerge and your security operation needs to be at its peak efficiency. Anglo African solutions can quickly intercept threats and thus help in avoiding data breaches. For more information about cyber security kindly contact Anglo African on 2331636 or by e-mail at contact@infosystems.mu