Friday, May 27, 2016

Verizon DBIR 2016 - Top 3 are related to humans



#1 - 40% were web app attacks, and 817 of the 879 web app breaches resulted from stolen credentials.

#2 - Privilege misuse (intentional)

#3 - Misc Errors (unintentional)

Check Here
https://securingthehuman.sans.org/blog/2016/05/17/2016-verizon-dbir-its-about-people

Be careful with USB devices - ransomware can now spread through them


REMEMBER:
 Backups are important. More important still is to make sure the backup device is disconnected from the computer before and after the backup, so that worm-like ransomware cannot reach it.

The newly spotted ZCryptor ransomware also has the ability to spread like a worm.

It encrypts all files that have one of 88 extensions

and changes their extension to .zcrypt.

Once it infects a system, it also copies itself onto removable drives, in the hope that the same drives will end up plugged into another system and spread the infection.



For more info:
https://www.helpnetsecurity.com/2016/05/27/zcryptor-ransomware-spreads-via-removable-drives/

Fact is stranger than fiction: most top executives at banks don't know whether they have been hacked

 


  • 12 percent of CEOs don't know if they've been hacked in the past two years, and the lack of awareness only grows at the next level of executives.
  • Approximately 47 percent of banking executive vice presidents and managing directors reported that they didn't know if their bank had been hacked.
  • 72 percent of senior vice presidents and directors stated that they didn't know.



For more info:
https://www.helpnetsecurity.com/2016/05/27/banking-ceos-dont-know/

Another security buzzword: "PasteJacking"



This one is not from a hacker but a PoC from a security researcher.


From the article:

Researcher warns of PasteJacking attacks targeting users' clipboards

Researcher Dylan Ayrey explains that some web browsers now allow developers to add content to a user's clipboard under certain circumstances.

Attackers can theoretically exploit this ability to trick users into running commands they otherwise wouldn't want entered on their computers, in order to gain remote code execution. These types of attacks generally make use of HTML/CS


For more info
https://www.grahamcluley.com/2016/05/researcher-warns-pastejacking-hack-attacks-targeting-users-clipboards/
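The mechanism the article describes, as an added example written for this page (it is not Dylan Ayrey's PoC): a `copy` event listener swaps the text the user selected for attacker-chosen text, and a trailing newline makes a terminal run it the moment it is pasted. Browsers have no clipboard in Node, so the block includes a small stand-in for the ClipboardEvent; the command strings, function names and the fake event are assumptions of this example. The second half is the check a cautious user (or a paste-guard tool) can apply to clipboard text before it reaches a shell.

```javascript
// Added example (not the researcher's PoC): clipboard substitution via a `copy`
// listener, plus a pre-paste check. Command strings and helper names are assumptions.

const VISIBLE_COMMAND = "echo 'not evil'";
// What actually lands on the clipboard. The trailing newline matters: a shell
// executes the pasted line as soon as it sees "\n", before the user can read it.
const HIDDEN_COMMAND = "echo 'this could have been rm -rf ~'\n";

// Attacker side: override whatever the user copied.
function pastejackCopyHandler(event) {
  event.clipboardData.setData("text/plain", HIDDEN_COMMAND);
  event.preventDefault(); // keep the browser from writing the real selection
}
// In a page this is wired up as:
//   document.addEventListener("copy", pastejackCopyHandler);

// Stand-in for a ClipboardEvent so the handler can be exercised outside a browser.
function makeFakeCopyEvent(selectedText) {
  const store = { "text/plain": selectedText };
  return {
    clipboardData: {
      setData: (type, value) => { store[type] = value; },
      getData: (type) => (type in store ? store[type] : ""),
    },
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Simulate Ctrl+C on `selectedText` with `handler` installed; return the clipboard.
function simulateCopy(selectedText, handler) {
  const ev = makeFakeCopyEvent(selectedText);
  handler(ev);
  return ev.clipboardData.getData("text/plain");
}

// Defender side: inspect clipboard text before pasting it into a shell.
// `expected` is what the user believes they copied (e.g. the highlighted text).
function inspectClipboardText(text, expected) {
  const findings = [];
  if (text !== expected) findings.push("clipboard differs from the selected text");
  if (/[\r\n]/.test(text)) findings.push("contains a newline (would execute immediately in a terminal)");
  // Control characters other than tab/newline/CR can hide or overwrite text in a terminal.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(text)) findings.push("contains control characters");
  return findings;
}

// Demo: the user highlights VISIBLE_COMMAND, but HIDDEN_COMMAND is what gets pasted.
const pasted = simulateCopy(VISIBLE_COMMAND, pastejackCopyHandler);
console.log("clipboard now holds:", JSON.stringify(pasted));
console.log("findings:", inspectClipboardText(pasted, VISIBLE_COMMAND));
```

The practical defence is the same one the check encodes: paste anything copied from a web page into a plain text editor first, and never straight into a terminal.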

Tuesday, May 24, 2016

Strange security flaw in the Instagram Android app



Incorrect password guesses were blocked after 1000 attempts from the same IP address, but every other attempt was allowed again after the 2000th.

Combine that with missing controls:

  1. weak password policies
  2. lack of two-factor authentication



For more Info:
http://www.hotforsecurity.com/blog/20-million-instagram-accounts-were-put-at-risk-through-sloppy-security-hole-13982.html
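What that lockout looks like in code, beside a limiter that does not stop blocking once a counter passes a bound. This is an added example written for this page, not Instagram's code: the `flawedIsBlocked` function is a literal model of the description above (first 1000 guesses pass, the next 1000 are blocked, then every second guess gets through), and the thresholds and alternating pattern are assumptions about the original behaviour. The hardened limiter tracks both the source IP and the target account, uses a sliding window, and only releases a lockout on time, never on count.

```javascript
// Added example (not Instagram's code): the lockout shape described above, next
// to a limiter that never lets a brute force through just because it kept going.
// Thresholds and the "every other guess" pattern are assumptions of this example.

// Flawed: a bounded counter check. Guesses past the upper bound are treated as
// if the limit no longer applied.
function flawedIsBlocked(guessesFromIp) {
  if (guessesFromIp <= 1000) return false; // first 1000 guesses pass
  if (guessesFromIp <= 2000) return true;  // then the block kicks in...
  return guessesFromIp % 2 === 0;          // ...then every other guess is allowed again
}

// How many of n wrong guesses the flawed limiter lets through.
function countFlawedGuessesLetThrough(n) {
  let allowed = 0;
  for (let i = 1; i <= n; i++) if (!flawedIsBlocked(i)) allowed++;
  return allowed;
}

// Hardened: per-IP and per-account sliding window, time-based lockout only.
class LoginRateLimiter {
  constructor({ maxFailures = 10, windowMs = 15 * 60 * 1000, lockoutMs = 30 * 60 * 1000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.failures = new Map();    // key -> timestamps of recent failures
    this.lockedUntil = new Map(); // key -> lockout expiry (ms)
  }

  // Both keys are checked so a single account sprayed from many IPs, or one IP
  // spraying many accounts, trips the limit.
  keysFor(ip, account) {
    return [`ip:${ip}`, `acct:${account.toLowerCase()}`];
  }

  isBlocked(ip, account, now = Date.now()) {
    return this.keysFor(ip, account).some((k) => (this.lockedUntil.get(k) || 0) > now);
  }

  recordFailure(ip, account, now = Date.now()) {
    for (const k of this.keysFor(ip, account)) {
      const recent = (this.failures.get(k) || []).filter((t) => now - t < this.windowMs);
      recent.push(now);
      this.failures.set(k, recent);
      // Lockout is extended every time the window fills; it expires only by time.
      if (recent.length >= this.maxFailures) this.lockedUntil.set(k, now + this.lockoutMs);
    }
  }

  recordSuccess(ip, account) {
    // Only the account's own history resets; the IP keeps its failures so a
    // spray that occasionally lands a password is still throttled.
    this.failures.delete(`acct:${account.toLowerCase()}`);
  }
}

// Run n wrong guesses against the hardened limiter at a fixed time; return how
// many reached the password check.
function simulateBruteForce(n, limiter, ip, account, now) {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.isBlocked(ip, account, now)) continue;
    allowed++;
    limiter.recordFailure(ip, account, now);
  }
  return allowed;
}

console.log("flawed limiter lets through:", countFlawedGuessesLetThrough(10000), "of 10000");
console.log("hardened limiter lets through:",
  simulateBruteForce(10000, new LoginRateLimiter(), "203.0.113.5", "victim", 0), "of 10000");
```

Against 10,000 guesses the flawed version lets half of them through, which is why the two missing controls above (a real password policy and two-factor authentication) matter: rate limiting alone is one bug away from being no control at all.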

How a PayPal phishing scam works, and how to spot it



The look and feel is convincing, but shouldn't the user stop and ask why he is being asked to enter all this information?
(Remember: "There is no substitute for stupidity")


Check this link
http://www.csoonline.com/article/2997190/leadership-management/from-start-to-finish-inside-a-paypal-phishing-scam.html

Wednesday, May 18, 2016

Change your LinkedIn password now - 117 million email/password pairs are up for sale



From the article:
Peace is selling the data on the dark web illegal marketplace The Real Deal for 5 bitcoin (around $2,200). The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords.




For More Info:
https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password