After writing last week about how Christmas can be a lucrative time for the bad guys, we now have some research which suggests many consumers agree.
But we also have some great resources that spell out the security basics you need if you wish to stay safe online, as well as on the telephone, along with a warning for those of you who rushed out to buy the latest, greatest “smart” TVs.
1. 1-in-5 people won’t buy Christmas presents online this year due to security concerns
As an InfoSec professional working in the realm of security awareness and training, I’d like to think that the majority of people are aware of the risks posed by the internet. And, by and large, I think we may be winning that war.
I’d also like to say that, as an industry, we’re doing a pretty good job at informing people how to mitigate those risks so that, with a basic level of knowledge at their disposal, people can search the web and buy online without coming a cropper. But, sadly, I think we still have a long way to go on that front.
And the figures from a poll conducted recently by Dr Jess Barker go some way towards backing up that assertion: almost 1-in-5 British consumers have refrained from buying a festive present online due to concerns over cyber security.
As Jess herself notes, that’s hardly surprising, given that her previous research has revealed how many of us don’t employ even the most basic of security measures, but it’s also a figure that comes with a real cost.
With online retail sales likely to reach £52.25 billion this year, the number of people passing up the opportunity to purchase goods online represents a potential £13 billion of lost sales annually, not to mention higher prices for those affected.
So I guess we still have a way to go in teaching people security basics and how to use this wonderful technology at their fingertips to improve their lives and make savings on their festive and everyday purchases.
2. Staying safe online
Richard Bejtlich, Chief Security Strategist at FireEye, this week took to his own blog to give us 7 tips to enhance our personal security online.
Featuring fairly basic tips such as protecting your email account, keeping your software up to date, running a modern web browser, installing a password manager and backing up your data on a regular basis, it also courts a little controversy (though I actually agree myself) by suggesting tablet and smartphone buyers should seek out Apple devices running iOS rather than the inherently less secure alternatives on the market today.
There’s nothing particularly new about his advice but it’s just this kind of basic security tip that is needed by the 20% of people mentioned in point 1 above – so well worth a read if you fall into that camp.
3. Tech support scams and how to avoid them
Tech support scams have been around for years. The basic premise behind them is that an attacker will try to persuade a potential victim that there is something wrong with their computer that needs fixing urgently.
Typically, this is achieved over the phone by tricking non-technical folk into thinking the caller is from a bona fide organisation such as Microsoft, and that their device is infected with malware.
If the victim bites, the scammer will then use a variety of means, including misunderstood tools such as Event Viewer (it features lots of yellow triangles and warning messages which are perfectly normal), to ‘prove’ their case. That gains them the level of trust they require to successfully suggest that they should be allowed to remotely connect to the device in order to ‘fix’ the problem.
Once that outcome has been achieved, they will proceed to actually place malware on the system, which will allow them to steal banking logins and other sensitive information.
For those who don’t know much about computers, it is an easy trap to fall into, and the sort of people who do fall victim are just as unlikely to know what to do next.
Thankfully, David Harley has recently published a blog post which gives more detail on how these scams work, the steps to take if you have already fallen victim, and some sound advice on how to spot a fake support call in the first place.
With links to genuine, well-respected organisations that can offer further help and advice, it makes highly recommended reading.
4. How your Smart TV could be held to ransom
Lastly this week, news that that most insidious form of malware – ransomware – has spread its wings and jumped from the personal computer to the smart TV.
Ionut Ilascu, writing for The Security Ledger, told us about new research published by Symantec which suggests ransomware on the most popular of entertainment devices is a very real threat, and one that will likely be harder to deal with than its PC equivalent.
The gist of the research is that Smart TVs are at particular risk from ransomware and other types of malware because they don’t necessarily approach security in the same way as more traditional network-enabled devices, if at all.
So, if a user chooses to install an app on their TV, and a man-in-the-middle (MitM) attack can direct them to an alternative, malicious server, a fake ransomware app can be sent back to the device.
Should this happen, the TV set will be rendered unusable.
Of course, operating systems such as Android that feature on Smart TVs are designed by default to only allow downloads from legitimate domains – but the problem is that firmware updates are not controlled as well as they could be, opening the door for MitM attacks.
While users can lessen the risks by checking their Smart TV’s security settings and restricting installation of new applications to verified locations, this issue does highlight the problems of the Internet of Things and the security-after-the-fact mindset that many manufacturers seem to have adopted.