{"id":31342,"date":"2022-11-16T09:02:36","date_gmt":"2022-11-16T14:02:36","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=513544"},"modified":"2022-11-17T12:13:35","modified_gmt":"2022-11-17T17:13:35","slug":"cyber-security-today-nov-16-2022-bad-news-for-application-developers-and-early-security-advice-for-black-friday-shoppers","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-nov-16-2022-bad-news-for-application-developers-and-early-security-advice-for-black-friday-shoppers\/","title":{"rendered":"Cyber Security Today, Nov. 16, 2022 \u2013 Bad news for application developers and early security advice for Black Friday shoppers"},"content":{"rendered":"<p data-ar-index=\"0\">Bad news for application developers and early security advice for Black Friday shoppers.<\/p>\n<p data-ar-index=\"1\">Welcome to Cyber Security Today. It\u2019s Wednesday, November 16th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"2\"><iframe style=\"border: none;\" title=\"Libsyn Player\" src=\"https:\/\/html5-player.libsyn.com\/embed\/episode\/id\/25029183\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/000000\/\" width=\"100%\" height=\"90\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/www.amazon.com\/ITWC-Cyber-Security-Today\/dp\/B07BRNG89P\/ref=sr_1_1?s=digital-skills&amp;ie=UTF8&amp;qid=1522688435\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter wp-image-396718 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-alexa-200.png\" alt=\"Cyber Security Today on Amazon Alexa\" width=\"200\" height=\"74\" border=\"none\" \/><\/a><\/td>\n<td><a href=\"https:\/\/www.google.com\/podcasts?feed=aHR0cDovL2N5YmVyc2VjdXJpdHl0b2RheS5saWJzeW4uY29tL3Jzcw%3D%3D\" rel=\"noopener 
noreferrer\"><img decoding=\"async\" class=\"thumbnail aligncenter wp-image-408712 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2018\/09\/sub-gp-200.png\" alt=\"Cyber Security Today on Google Podcasts\" width=\"200\" height=\"74\" \/><\/a><\/td>\n<td><a href=\"https:\/\/itunes.apple.com\/ca\/podcast\/cyber-security-today\/id1363182054\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter wp-image-396720 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-itunes-200.png\" alt=\"Subscribe to Cyber Security Today on Apple Podcasts\" width=\"200\" height=\"74\" border=\"none\" \/><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p data-ar-index=\"3\"><strong>There\u2019s bad news<\/strong> for application developers who think they\u2019re careful coders: Ninety-five per cent of the 2,700 websites and applications recently tested by researchers had some sort of vulnerability. At least 20 per cent of them were high-risk vulnerabilities, <a href=\"https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/software-vulnerability-trends.html?cmp=pr-sig&amp;utm_medium=referral\" rel=\"noopener\">according to Synopsys<\/a>, which conducted the research. Another 4.5 per cent were critical vulnerabilities. A common fault was cross-site scripting. A report concludes developers should run a wide variety of tests on their websites and applications before putting them into production, including penetration testing.<\/p>\n<p data-ar-index=\"4\"><strong>Last week I told you<\/strong> about a threat actor hiding malware in images in a package left on the open source PyPi Python language repository. This week<a href=\"https:\/\/medium.com\/checkmarx-security\/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192\" rel=\"noopener\"> researchers at Checkmarx<\/a> said they have identified the attackers. They\u2019ve been given the name Wasp. 
The group is still active and is releasing more compromised packages. The malware steals all of a victim\u2019s Discord accounts, passwords, crypto wallets, credit card numbers and any other interesting files on the victim\u2019s computer. This attack shows the importance of sharing threat intel in the open-source community, says Checkmarx.<\/p>\n<p data-ar-index=\"5\"><strong>I\u2019ve mentioned several times<\/strong> that you can\u2019t take shortcuts when creating a password. Threat actors know all the tricks. As a reminder, <a href=\"https:\/\/specopssoft.com\/blog\/attackers-using-these-passwords-to-attack-rdp-port\/\" rel=\"noopener\">Specops Software of Sweden looked at<\/a> the top passwords attackers tried using last month in attempting to log into systems the company protects. Common were variations of the word \u2018password\u2019, including substituting the letter \u2018a\u2019 with the \u2018at\u2019 symbol used in email addresses, dollar signs for the letter \u2018s\u2019 and a zero for the letter \u2018o\u2019. Yes, crooks figured those out a long time ago. Experts say safe passwords \u2014 and easy to remember \u2014 are passphrases made up of three or four random words totaling more than 14 characters. And to keep track of all your passphrases, use a password manager.<\/p>\n<p data-ar-index=\"6\"><strong>Threat actors are able to create<\/strong> convincing fake audio messages to employees pretending to be from senior management. They can do it by using artificial intelligence on recordings of public speeches or corporate presentations executives post on social media sites like YouTube. But there may be clues that something\u2019s wrong. For example, the caller unexpectedly asks you to shift company money or data. Another tip-off: The request is a message left when you\u2019re not in the office, like early in the morning. However, some deepfake audios are good enough to use over the phone in conversations with victims. 
If you suspect a caller is a deepfake audio, Neil Sahota, an IBM expert and lead advisor to the United Nations on AI, has this advice: Toss in a random and unexpected phrase or word that doesn\u2019t fit into the conversation. An artificial intelligence program won\u2019t know how to respond. Another tactic is to hang up and try to reach the person you think was on the line, using a phone number you have used before, to verify they were calling.<\/p>\n<p data-ar-index=\"7\"><strong>A recently-fixed flaw<\/strong> in Zendesk\u2019s analytics service called Zendesk Explore could have allowed a hacker to access a lot of sensitive data. <a href=\"https:\/\/www.varonis.com\/blog\/zendesk-sql-injection-and-access-flaws\" rel=\"noopener\">Researchers at Varonis,<\/a> who found the SQL injection vulnerability, said an attacker could have seen and copied conversations, email addresses, support tickets and more from Zendesk accounts. To have exploited the vulnerability an attacker would have had to register as a new user for the ticketing service of an organization using Zendesk Explore. Varonis says there is no evidence any Explore customer accounts were exploited. Zendesk, a software-as-a-service operation, quickly fixed the hole early in September.<\/p>\n<p data-ar-index=\"8\"><strong>Online retailers are already circulating<\/strong> notices for Black Friday sales. Officially they start Friday, November 25th, followed by Cyber Monday sales beginning November 28th. However, some sellers may jump the gun. Before you get trigger-happy, experts at ZeroFox warn this is also a time of online sales scams. Many will involve too-good-to-be-true pricing on computers, smartphones, earbuds and other products. Many will use look-alike websites of brand-name manufacturers or retailers. So before the online holiday sales really kick in, remember this: Avoid clicking on links sent via social media or email offering deals. 
Instead go to sites directly to verify offers, especially coupon promotions. Hover over links before clicking: If the product is supposed to be sold by Joe\u2019s Retailing, why does the link go to www.oxnard123.co? And be suspicious of unique payment methods, such as only being able to pay via PayPal. Police say paying by credit card online is the safest way.<\/p>\n<p data-ar-index=\"9\">Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.<\/p>\n<p data-ar-index=\"10\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-nov-16-2022-bad-news-for-application-developers-and-early-security-advice-for-black-friday-shoppers\/513544\">Cyber Security Today, Nov. 16, 2022 \u2013 Bad news for application developers and early security advice for Black Friday shoppers<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode reports on vulnerabilities found in applications, password variations hackers have figured out, advice for suspected deepfake audio 
messages<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[716,389],"class_list":["post-31342","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-black-friday","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=31342"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31342\/revisions"}],"predecessor-version":[{"id":31407,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31342\/revisions\/31407"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=31342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=31342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=31342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}