Author: admin

Interesting research: “Hyperlink Hijacking: Exploiting Erroneous URL Links to Phantom Domains“:

Abstract: Web users often follow hyperlinks hastily, expecting them to be correctly programmed. However, it is possible those links contain typos or other mistakes. By discovering active but erroneous hyperlinks, a malicious actor can spoof a website or service, impersonating the expected content and phishing private information. In “typosquatting,” misspellings of common domains are registered to exploit errors when users mistype a web address. Yet, no prior research has been dedicated to situations where the linking errors of web publishers (i.e. developers and content contributors) propagate to users. We hypothesize that these “hijackable hyperlinks” exist in large quantities with the potential to generate substantial traffic. Analyzing large-scale crawls of the web using high-performance computing, we show the web currently contains active links to more than 572,000 dot-com domains that have never been registered, what we term ‘phantom domains.’ Registering 51 of these, we see 88% of phantom domains exceeding the traffic of a control domain, with up to 10 times more visits. Our analysis shows that these links exist due to 17 common publisher error modes, with the phantom domains they point to free for anyone to purchase and exploit for under 20, representing a low barrier to entry for potential attackers.

Summer vacations are a time for families to relax, unwind, and create lasting memories together. Whether you’re heading to the beach, embarking on a road trip, or exploring new destinations, it’s important to prioritize the online safety of your loved ones. However, our Safer Summer Holidays Travel Report found that almost half (48%) of travelers admitted to being less security conscious when on holiday, such as by choosing to connect to Wi-Fi networks even though they look a bit suspicious (22%).

With the increasing prevalence of online threats and the growing reliance on technology, taking proactive steps to protect your family’s digital well-being is more crucial than ever. Here are some actionable tips to ensure a safe and enjoyable online experience during your summer adventures.

1. Educate Your Children

Teach your children about the importance of practicing safe online behavior and what safer online habits are. Explain the risks of sharing personal information online, interacting with strangers, and clicking suspicious links or attachments. Talk about the concept of “phishing” and how to recognize suspicious links or messages. Encourage open communication and make sure your children feel comfortable coming to you if they encounter any concerning or questionable content online.

2. Use Secure Wi-Fi Networks

When connecting to the internet while on vacation, be cautious about the Wi-Fi networks you use. Public Wi-Fi networks, such as those found in hotels, airports, and cafes, may not be secure and could expose your family to cyber threats like hacking and identity theft. That’s because they are often a missing layer of protection called encryption. Encryption acts like a secret code, scrambling the data as it travels from your device to the Wi-Fi router, so nobody else can understand it. Without this protection, hackers can easily sneak in and read the information you’re sending over the Wi-Fi network, putting your privacy and security at risk. If you do need to connect to a public Wi-Fi network, use a virtual private network (VPN) to encrypt your internet connection and protect sensitive data from prying eyes.

3. Beware of Certain Payment Methods

When traveling, it is essential to be cautious of certain payment methods, especially when dealing with vacation rentals, tours, or travel packages. Scammers often insist on wire transfers, gift cards, or cryptocurrency as the only acceptable forms of payment for accommodations. These payment methods are untraceable and nearly impossible to recover once sent. Exercise skepticism and avoid any requests for payment through these channels, as they are typically red flags indicating fraudulent activity. Instead, opt for secure and traceable payment methods, such as credit cards or reputable online payment platforms.

4. Secure Your Devices

Take precautions to secure your devices against theft or loss while traveling. Use strong passwords or biometric authentication methods to lock your devices and prevent unauthorized access. Consider installing tracking apps or software that allow you to remotely locate, lock, or erase your devices in case they are lost or stolen. Additionally, avoid leaving your devices unattended in public places and always be vigilant of your surroundings.

5. Monitor Your Accounts

While traveling, keep a close eye on your bank accounts, credit card statements, and other financial accounts. Check for unauthorized transactions or suspicious activity and immediately report any discrepancies to your financial institution. Consider enabling alerts or notifications on your accounts to receive real-time updates on account activity and detect any signs of fraud or unauthorized access.

6. Update Your Devices and Software

Before you leave for vacation, ensure all devices within the family have the latest software updates. Cybercriminals often exploit vulnerabilities in outdated software to gain access to devices and steal sensitive information. Updates not only improve performance but also fix any security vulnerabilities that cybercriminals could exploit to gain unauthorized access to your devices and potentially compromise your sensitive information.

7. Set Up Parental Controls

Before you embark on your vacation, take the time to set up parental controls on all your devices. Vacations might involve more downtime or long journeys, leading to increased screen time for children. Parental control features can allow you to restrict access to certain websites, apps, and content, allowing you to more effectively ensure that kids stay safe and engage with only appropriate content. Use these tools to create a safe online environment for your children and prevent them from stumbling upon inappropriate or harmful content. Our Social Privacy Manager can also help protect your child’s social media visibility and data.

With McAfee+ Family plans, you can safeguard up to 6 family members under one subscription with each member receiving individualized identity and privacy protection, secure VPN, and personalized notifications offering guidance on enhancing their online security. Rest assured, each family member can connect with confidence, knowing their personal information, online privacy, and devices are all securely protected.

Following these family-friendly cybersecurity tips, you can enjoy a safe and secure online experience during your summer vacations. Taking proactive steps to protect against cyber threats can help ensure peace of mind, knowing that your family’s online safety is safeguarded wherever your summer adventures may take you.

The post Family-Friendly Online Safety Tips for Summer Vacations appeared first on McAfee Blog.

Experts advised that crisis management and recovery is as much about communications and testing as it is about technical defense measures

Organizations need a culture that goes beyond reporting incidents, where the business wants to collaborate with the security team

Despite reported attempts from Patchstack to contact the vendor, no response has been received

The flaw enables attackers to gain control over the AI service by submitting harmful prompts

Sophos Wiesbaden takes on the epic J.P. Morgan Corporate Challenge in Frankfurt on its 30th Anniversary

Peru has set a lower squid quota for 2024. The article says “giant squid,” but that seems wrong. We don’t eat those.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

The US Justice Department has dismantled an enormous botnet:

According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide. These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.

[…]

This operation was a coordinated multiagency effort led by law enforcement in the United States, Singapore, Thailand, and Germany. Agents and officers searched residences, seized assets valued at approximately $30 million, and identified additional forfeitable property valued at approximately $30 million. The operation also seized 23 domains and over 70 servers constituting the backbone of Wang’s prior residential proxy service and the recent incarnation of the service. By seizing multiple domains tied to the historical 911 S5, as well as several new domains and services directly linked to an effort to reconstitute the service, the government has successfully terminated Wang’s efforts to further victimize individuals through his newly formed service Clourouter.io and closed the existing malicious backdoors.

The creator and operator of the botnet, YunHe Wang, was arrested in Singapore.

Three news articles.

This week, I hosted the seventeenth Workshop on Security and Human Behavior at the Harvard Kennedy School. This is the first workshop since our co-founder, Ross Anderson, died unexpectedly.

SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security. The fifty or so attendees include psychologists, economists, computer security researchers, criminologists, sociologists, political scientists, designers, lawyers, philosophers, anthropologists, geographers, neuroscientists, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

Our goal is always to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to six to eight minutes, with the rest of the time for open discussion. Short talks limit presenters’ ability to get into the boring details of their work, and the interdisciplinary audience discourages jargon.

Since the beginning, this workshop has been the most intellectually stimulating two days of my professional year. It influences my thinking in different and sometimes surprising ways—and has resulted in some new friendships and unexpected collaborations. This is why some of us have been coming back every year for over a decade.

This year’s schedule is here. This page lists the participants and includes links to some of their work. Kami Vaniea liveblogged both days.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, thirteenth, fourteenth, fifteenth and sixteenth SHB workshops. Follow those links to find summaries, papers, and occasionally audio/video recordings of the sessions. Ross maintained a good webpage of psychology and security resources—it’s still up for now.

Next year we will be in Cambridge, UK, hosted by Frank Stajano.