Apply these nine tips to proactively fight fraudulent websites that use your brand to rip people off.

Brand impersonation is a particularly thorny problem for CISOs. Cybercriminals piggyback off a trusted brand to push scam lures through various means to onto unsuspecting customers. They could disguise themselves as part of the organization's IT team or someone familiar to trick employees into clicking on malicious links or send a message that looks like it is coming from a legitimate source to convince the recipient the contents are real.

Retailers, product creators, and service providers are increasingly having to deal with brand impersonation attacks. Mimecast’s "2022 State of Email Security Report" found that 90% of organizations experienced an impersonation attack over the previous 12 months. Further, the Mimecast "2021 State of Brand Protection Report" found that companies on the BrandZ Top 100 Most Valuable Global Brands 2020 list experienced a 381% rise in brand impersonation attacks over May and June of 2020 compared to before the pandemic. New domains suspected of brand impersonation also rose by 366%. These impersonation attacks include not only the typical phishing or malware attacks, but also fraud that sells or claims to sell products or services on behalf of the brand. These include fencing of stolen items, non-delivery scams, and counterfeit or grey market sales of product.

"\[Brand impersonation\] is a fraud problem and a security incident problem," says Josh Shaul, CEO of Allure Security. "People are stealing from you, and you're trying to prevent the theft."

Experts recommend that CISOs take a systematic and multidisciplinary approach to this problem. The right approach will not only require technology like automated detection, but also security leadership in helping business stakeholders to harden the brand on a number of fronts.

**1\. Engage in Trademark Basics**

Shaul says that a "shocking" number of companies don't go through the most basic actions of establishing and maintaining ownership of their brand's trademark. The most fundamental step for hardening a brand from online attacks is to cover the basics like registering trademarks, logos, and unique product images, as well as keeping trademarks up-to-date.

"Once you lose control of the trademark, somebody else might register your trademark," he says. "It's a real problem for you. You can't enforce it if you don't own it, so you've got to start there."

**2\. Take Ownership of Online Landscape**

From there, the other basic component companies need to think about is taking ownership of a brand's online landscape. This means not only picking up as many potentially relevant domain names as possible for the brand, but also setting up a footprint on all possible social media channels, Shaul says.

"A lot of companies are like, 'Hey, we do social media, but we don't do TikTok,' or 'We don't do Instagram,' and therefore they don't set up a presence there," he says. "If you don't set up a presence for your brand on a major social platform, there's nothing stopping somebody else from setting up a presence for your brand on that major social platform. Then you've got to try to recover it, which is kind of a nightmare. Just planting the flag is important."

**3\. Monitor Domains**

Organizations should not only be watching and monitoring the domains they own, but also their domain ecosystem, says Ihab Shraim, CTO of CSC Digital Brand Services.

"This means understanding the types of domains that are being registered around them because it’s a multidimensional cyber threat," he says.

As he explains, often larger enterprises manage thousands of domains, which can make it difficult to keep tabs on and effectively manage the entire portfolio.

"Companies need to devise policies and procedures to monitor and mitigate threats associated with all their domains as an integral part of their security posture," Shraim says. He explains that they should be continuously monitoring their domains and also digital channels within search engines, marketplaces, mobile apps, social media, and email to look out not only for phishing and malware campaigns but also brand abuse, infringements, and counterfeit selling on digital channels. "It is crucial for companies to understand how their brands are operating on the Internet."

**4\. Leverage Threat Intel**

Doug Saylors, partner and co-lead of cybersecurity for global technology research and advisory firm ISG, believes that organizations should leverage threat intelligence to help them with the adjacent domains and also the tricky tactics, techniques, and procedures used by bad actors in their impersonation attacks.

"Organizations need to invest in threat intelligence platforms that will help identify the use of fake domains, phishing campaigns, and other technologies to defeat the TTPs \[tactics, techniques, and procedures\] used to enable brand impersonation," he says.

**5\. Consider Full-Cycle Brand Protection**

Saylors is also a big believer in full-cycle brand protection. He recommends companies consider these services — not just for their detection capabilities but also their expertise in mitigation.

"They should engage the services of specialty firms that deal with the full lifecycle of brand protection to ensure scalability and absolute focus on reducing fraudulent activity," he says. "These firms have advanced capability to identify fake sites, catalogs, and catalog entries and remove them through industrial-strength takedown procedures."

As organizations evaluate online brand protection companies, they've got to keep in mind that this is another cat-and-mouse game detection category, where mileage may vary based on technology and how well companies keep up with evasive behavior from the attackers.

For example, when attackers found that their scams were being discovered through image processing and logo detection, they began with simple evasive techniques like changing the image file format and then evolved to use multiple nested images and text in a single collapsed image to trip up detection, says Shaul.

"So now, unless you can compare sections of an image, which is a super hard technical problem that some of us have solved, you can't detect these things anymore," he says. "They just bypass the evolving detections that organizations are putting out there."

Another new tactic they've taken is creating generic fake shops and evolving them into branded shops over time, he says.

"The scammers are working hard to understand how detection is evolving in the industry, and doing things to try to evade detection as aggressively as they can," he says.

**6\. Use Incident Responders Judiciously**

Incident responders hate handling the mitigation of brand impersonation because it is a different skillset than a lot of analysts who get into the field for fun investigative work and not to chase down registrars to do takedowns, says Shaul. Even if a company can make it fun for their responders, they have got to be careful that they're using their specialized responders in a cost-effective way.

He likes to tell the story of a banking customer that had been putting this on their IR team, who turned it into a fun exercise by breaking into phishing sites that were targeting the company's brand and doing a lot of offensive security work.

"The IR guys were having a ball with it, but they realized, 'Look how much time we're spending basically just playing games with the attackers,'" he says. "They had their best people doing hard work to just clean up after scams that already happened."

He suggests that by knowing in advance that response to these sites takes a different skillset than advanced analysts have, this might be a way to break in new security ops personnel and give early-career responders some experience through a planned career path that starts with impersonation takedowns.

**7\. Proactively Build Law Enforcement Relationships**

Additionally, organizations should understand that they're likely going to need to help from the authorities in many of these cases. Saylors says that CISOs should be working to proactively build partnerships with law enforcement agencies and other relevant government authorities around the globe.

"They should also have direct relationships with law enforcement organizations that will pursue and prosecute the criminals responsible for brand theft and the resulting revenue loss to legitimate companies," he says.

**8\. Educate Consumers and Employees**

Frequent and detailed awareness campaigns for customers about what brand impersonation looks like compared to the real deal can go a long way toward curbing their risk of falling for common frauds.

"Organizations, other than large banks, tend to fail in this area due to concerns about scaring their customers away," he says. But actually, awareness campaigns like this can bring customers closer to the brand when they're done right. Here's a great example of what an awareness site can look like. This is a detailed fraud awareness article put together by Burton Snowboards that provides examples of fake Burton scam sites, with clues for their customers to look for in detecting a scam and some additional pointers. Communications like these can be used as a technique to not only build trust and goodwill among customers, but also build up the brand.

**9\. Differentiate Your Brand**

One final thing that CISOs can encourage their organizations to do is to find ways to ensure all of their sites, pages, and experiences are visually and contextually recognizable as part of the brand. This is an opportunity for collaboration with the marketing department. Not only can customers recognize distinctive brands more easily, but it's also a lot easier for automated detection searches to automatically find impersonated images and logos out in the wild, says Shaul.

"Ensure there's something a little bit different about your brand that makes it so that your customers and even your employees can recognize it. That's great for marketing but also helps security in a big way," he says. "The more your brand has differentiated itself with the way it looks, the way it feels, the way it's set — with little things like how your VPN looks — and the easier it is to protect the brand."

What CISOs Can Do About Brand Impersonation Scam Sites

Starting with diego-release 2.55.0 and up to 2.69.0, and starting with CF Deployment 17.1 and up to 23.2.0, apps are accessible via another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate.

**Severity**

High

**Vendor**

Cloud Foundry Foundation

**Description**

Apps running on cf-deployment are accessible (unproxied) via a programmatically-generated port on diego cells. The route integrity with mTLS feature (rep.containers.proxy.require\_and\_verify\_client\_certificates), exposes an additional port that requires a client certificate signed by a specific CA for app ingress. Cells can be optionally configured (containers.proxy.enable\_unproxied\_port\_mappings) to remove the unproxied port, ensuring that apps can only be reached by authenticated clients (namely, gorouter).  
Starting with diego-release 2.55.0, apps are accessible via yet another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate. If the platform is not configured this way, there is no impact because applications were are already reachable via a non-mTLS port.

**Affected Cloud Foundry Products and Versions**

Severity is high unless otherwise noted.

*   Diego
    *   All versions between to 2.55.0 – 2.69.0 (inclusive)
*   CF Deployment
    *   All versions between to 17.1 – 23.2.0 (inclusive)

**Mitigation**

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

*   Diego
    *   Upgrade all versions to 2.69.1 or greater
*   CF Deployment
    *   Upgrade all versions to 23.3.0 or greater

**Credits**

This issue was responsibly reported by Maximilian Moehl of SAP

**History**

2022-12-08: Initial vulnerability report published.

**Sign up for the  
Cloud Foundry Newsletter today!**

CVE-2022-31733: CVE-2022-31733: Unsecured Application Port | Cloud Foundry

By Deeba Ahmed
Although a fix is available to patch vulnerabilities, the EV industry is slow in applying the updates.
This is a post from HackRead.com Read the original post: EV Charging Stations at Risk of DoS Attacks

Threat actors can remotely carry out DDoS and DoS attacks on vulnerable Electric Vehicle (EV) Charge Points (CPs) to cause service outages and access sensitive and personal information of customers.

According to recent studies, 5.8 percent of all vehicles sold in 2022 were electric. This is a big number considering how new the technology is. However, hackers are also keeping eye on these developments and any potential vulnerability related to electric vehicles or their charging stations can create havoc.

As per the Israeli EV infrastructure provider SaiFlow, cybercriminals can abuse **Electric Vehicle (EV) Charge Point (CP**) to prompt service disruption. According to their findings, threat actors can exploit different versions of OCPP (Open Charge Point Protocol), which use WebSocket communications.

Researchers Lionel Richard Saposnik, SaiFlow’s research VP, and Doron Porat, software engineer at the company, wrote that their discovered attack method is a combination of two new vulnerabilities found in the OCPP standard. The exploitation would allow hackers to shut down EV charging stations remotely.

Moreover, they can manipulate docking stations to recharge EVs for free. Multiple vendors have confirmed the flaws. The hacker must obtain the charger’s identity first and then obtain information about the CMSM platform to which the charger is connected.

**What Causes the Issue?**

The security flaws are related to the communication between the CSMS (charging system management service) and the EV charge point (CP), particularly with the OCPP. EV chargers are connected to a management system platform, which is available on the Cloud platform, and lets operators track the stability of the infrastructure, energy management, handling billing, and EV charge requests.

Basically, the protocol doesn’t understand how to handle more than one CP connection, and attackers abuse this by opening a new connection to the CSMS. When the attacker opens a new connection to the CSMS on behalf of the charge point, the attacker can force the original connection to be closed or dysfunctional. The other issue is related to weak OCPP authentication and chargers’ identities policy. 

**Potential Threats**

According to SaiFlow’s **blog post**, when the embedded vulnerability is exploited using the OCPP protocol, a hacker can hijack the connection between the charger and the management platform. When this access is acquired, the hacker can shut down the entire group of chargers using the protocol, whether installed at a highway gas station or at home.

Using other identifiers, they can steal energy from the chargers and access the vehicle’s surrounding components, such as battery management systems, smart meters, other energy managers, and even distributed energy resources.

SaiFlow’s CEO Ron Tiberg-Shachar revealed that when an attacker exploits the two flaws, they can launch a **DoS attack** to disrupt or disconnect a single charger and access sensitive information like server credentials or payment card data. Or, they can execute a **DDoS attack** and take down/disconnect all chargers connected to that network. The flaw affects OCPP 1.6J.

He further noted that although a fix is available, the EV industry is slow at applying the updates. SaiFlow is working with some leading EV charger providers to address the issue.

1.  UK Experimenting with Roads that Wirelessly Charge EVs
2.  Brokenwire Attack Disrupts Electric Vehicles from Charging
3.  Gone in Seconds: Hackers Steal Mercedes Car without Key
4.  Internet-connected cars can be hacked to gridlock major cities
5.  Anonymous hacks EV charging station with pro-Ukraine slogan

EV Charging Stations at Risk of DoS Attacks

Two new security weaknesses discovered in several electric vehicle (EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft.
The findings, which come from Israel-based SaiFlow, once again demonstrate the potential risks facing the EV charging infrastructure.
The issues have been identified in version 1.6J of the Open Charge

Automotive Security / Vulnerability

Two new security weaknesses discovered in several electric vehicle (EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft.

The findings, which come from Israel-based SaiFlow, once again demonstrate the potential risks facing the EV charging infrastructure.

The issues have been identified in version 1.6J of the Open Charge Point Protocol (OCPP) standard that uses WebSockets for communication between EV charging stations and the Charging Station Management System (CSMS) providers. The current version of OCPP is 2.0.1.

"The OCPP standard doesn't define how a CSMS should accept new connections from a charge point when there is already an active connection," SaiFlow researchers Lionel Richard Saposnik and Doron Porat said.

"The lack of a clear guideline for multiple active connections can be exploited by attackers to disrupt and hijack the connection between the charge point and the CSMS."

This also means that a cyber attacker could spoof a connection from a valid charger to its CSMS provider when it's already connected, effectively leading to either of the two scenarios:

*   A denial-of-service (DoS) condition that arises when the CSMS provider closes the original the WebSocket connection when a new connection is established

*   Information theft that stems from keeping the two connections alive but returning responses to the "new" rogue connection, permitting the adversary to access the driver's personal data, credit card details, and CSMS credentials.

The forging is made possible owing to the fact that CSMS providers are configured to solely rely on the charging point identity for authentication.

"Combining the mishandling of new connections with the weak OCPP authentication and chargers identities policy could lead to a vast Distributed DoS (DDoS) attack on the \[Electric Vehicle Supply Equipment\] network," the researchers said.

OCPP 2.0.1 remediates the weak authentication policy by requiring charging point credentials, thereby closing out the loophole. That said, mitigations for when there are more than one connection from a single charging point should necessitate validating the connections by sending a ping or a heartbeat request, SaiFlow noted.

"If one of the connections is not responsive, the CSMS should eliminate it," the researchers explained. "If both connections are responsive, the operator should be able to eliminate the malicious connection directly or via a CSMS-integrated cybersecurity module."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Is Your EV Charging Station Safe? New Security Vulnerabilities Uncovered

Accidental revisions to a US Help Center page sparked confusion about the streamer's next moves. But restrictions on account sharing are still coming soon.

After Netflix Spent years piloting different ways to crack down on password sharing, changes to its United States Help Center page this week seemed to indicate that the streaming giant had finally settled on a plan. But those tweaks quickly disappeared, leaving confusion and concern about potential changes to Netflix's account-sharing policies. Now the company is clarifying that nothing has changed this week, and no new restrictions are rolling out right now.

“For a brief time Tuesday, a Help Center article containing information that is only applicable to Chile, Costa Rica, and Peru went live in other countries. We have since updated it,” a Netflix spokesperson said in a statement.

The death knell for password sharing is still tolling, though, after the company said in its recent earnings call that it will announce and begin to roll out account-sharing changes around the world in the first quarters of 2023.

“We’ve got folks that are watching Netflix who aren’t paying us as part of basically borrowing somebody else’s credentials. And our goal is over this year to basically work through that situation and convert many of those folks to be paid accounts or to have the account owner pay for them,” Netflix chief operating officer and chief product officer Gregory Peters said in the company’s most recent earnings call on January 19. “So we’ve been working hard at this and trying to do some sort of thoughtful experimentation to let our members speak to us in terms of what set of solutions work for them. … We’re ready to roll those out later this quarter. We’ll stagger that a bit as we sort of work sets of countries, but we’ll really see that happen over the next couple of quarters.” 

The confusion about possible changes this week stemmed from content meant for one country’s help center page that was mistakenly published for other countries. The situation was also complicated by the fact that Netflix Help Center pages allow you to quickly toggle between information for different countries using a “Currently viewing information for” tool that lets you choose from a dropdown menu of country names.

For almost a year, Netflix has been piloting an approach in Chile, Costa Rica, and Peru in which the company is more serious about tying each account to a physical location or “household” and only allowing devices to regularly access the account from that place. To do this, the company says it uses “IP addresses, device IDs, and account activity” to establish where devices are streaming content from. An important component of the initiative in those three countries is the addition of a paid sharing or an “add an extra member” mechanism, similar to family plans offered by streaming services like Spotify, through which Netflix subscribers can pay a reduced rate to grant family members or friends shared-account access with their own login.

Based on the comments from Netflix executives in the recent earnings call, it seems that similar changes are likely coming to the US and other markets. But the specifics of what Netflix will be rolling out in each country aren’t yet clear. 

“Netflix is a company that’s built itself out of super fans and been very consumer-focused, so creating flexibility in whatever they do for edge cases is important for them, and adding restrictions could create friction,” says Jason Kint, CEO of the digital media trade organization Digital Content Next. (WIRED parent company Condé Nast is a member.) “They don’t want to build detractors that are critical of their service. But ultimately, those are still business decisions. … Their move will have downstream effects on other companies’ decisions.”

In the January earnings call, Netflix executives emphasized that they are bracing for blowback as they ready the password-sharing crackdown. “I think it’s worth noting that this will not be a universally popular move,” Peters said. “There will be current members that are unhappy with this move. We’ll see a bit of a cancel reaction to that. We think of this as similar to what we see when we raise prices.”

Netflix’s US Password-Sharing Crackdown Isn’t Happening—Yet

Debian Linux Security Advisory 5338-1 - Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou discovered that missing input sanitising in the handling of VMDK images in Cinder, the OpenStack block storage system, may result in information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5338-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 01, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cinderCVE ID         : CVE-2022-47951Debian Bug     : 1029562Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannoudiscovered that missing input sanitising in the handling of VMDK imagesin Cinder, the OpenStack block storage system, may result in informationdisclosure.For the stable distribution (bullseye), this problem has been fixed inversion 2:17.0.1-1+deb11u1.We recommend that you upgrade your cinder packages.For the detailed security status of cinder please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cinderFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmParskACgkQEMKTtsN8TjbMhxAAvApHGxPkLq1ldUi5fgMjTloVBouyRJS/Ytsq3p5U0Yx98SvnPI9ab9nLRlWdVBjpdy9Wb6l0ouhaiiLR2kPJEv9D2Ux7oWdHpvexdtYs9eHdgx7Ym6Zibu6d/7hMgxPaG8zKEwJLCf2zuMqXbr6l55ht+DAmFJrzO/VyQyU2mlhkSXvCdmL9NAX+csEEW4WtLjx1MPD1gFz99uI3Q6DY3kTBu45BWG2xKkU0hHThsap0kRRK+6M9QINjW2zylsyhW2pB5/0j5X8bUgMX9jDFNMj9p5tWcpN2FwQa6YvKQoIONHSNJIXEaOsHiMXRQUGytS8UwW9UfDiPLzsKSreoaOaWzbtkvQvGrfauHmbySrVjZ2WCq+ZNiFGIJV7EhlJstFi3IwlJ3oYlZgUHlLusNGahqQo+KD18ipVPiSE89LIM9Zq+p7KpjLLTzjlSMgC7gLj4IJmCDRfxz7uxR0fUg/o9w0nhQNAr63hKbjzeJWDmRGQwpsuh/DBLR7AgwwuqiMkpBj27uPMD/aPFisLysP8xmO7IJobfuZzdXU+mCQg0fbwMWWF3JQHcew971YDoreBB73Su9NsMVWrSgUd2WC4axp+EPFQTHNas6OLM+oEhpK/dUILczzy/h9jPzH4wDAmQgv0nSOZSqGu7cuXSxsSGCzf8J8hpYoeysRn91Gc=NXlC-----END PGP SIGNATURE-----

Debian Security Advisory 5338-1

Companies need to be aware of the work culture they foster. Diversity and inclusion aren't just buzzwords. Increasing female visibility and improving female mentoring to help women enter and advance within the cybersecurity industry are key steps forward.

Globally, about a quarter of cybersecurity jobs belong to women, which unfortunately doesn't quite correlate with the worldwide female population of 49.58%. We're not saying that every industry needs to have a perfect 50/50 split, but with cybersecurity being a male-dominated industry, it's time companies addressed the challenges women face when joining the cybersecurity workforce by striving for a more diverse workplace.

While progress has been made over the last decade (women occupied only 10% of cybersecurity jobs in 2013), more headway needs to be made. From a lack of industry role models to poor media representation and an absence of mentoring, women face a plethora of challenges in cybersecurity.

So, what are the top three obstacles women face?

**Underrepresentation in the Media**

The media plays a crucial role in creating and maintaining stereotypes. TV shows and films often push concepts and cliches that are then subconsciously accepted as fact by viewers.

Children are easily influenced by media stereotypes and, therefore, can be led into gendered thinking, particularly regarding jobs. This reasoning can then heavily influence a person's perception of the real world, including their life aspirations and career choices. For example, Navy recruitment went up 500% following the release of _Top Gun_, starring Tom Cruise.

In the 1990s, one show was proven particularly effective in persuading women to enter STEM occupations — _The X-Files_, with Gillian Anderson playing Dr. Dana Scully. A recent report looking into the "Scully effect" showed that as the only female STEM character on prime-time TV in the '90s, she had a significant impact on the female viewer base. The report revealed that 63% (PDF) of the women studied said Dana Scully increased their belief in the importance of STEM subjects.

These examples indicate how important representation is in the media and display how a lack of visibility can distort a viewer's perception of what they can achieve. It's time for the media to understand and recognize their influence and the stereotypes they enforce.

**Male-Dominated Workplaces Can Come With Several Issues**

With cybersecurity being made up of only about 25% women, this officially classes the industry as male dominated. Ask any woman; the thought of entering a workplace full of men isn't an enticing one. This is likely one of the reasons why, in 2021, only 6.5% (PDF) of US women worked in a male-dominated occupation.

With issues regarding the gender pay gap, sexual harassment, underrepresentation, lack of mentoring, and negative stereotyping, it's no wonder that women aren't running to join male-dominated workplaces en masse. For these points to be tackled, they need to be addressed from the top down. Cybersecurity leaders must be aware of the work culture they're fostering and be open to discussing and tackling any issues they find, however uncomfortable that may be.

A 2017 survey by the Pew Research Center found that women in male-dominated industries were more likely to be harassed than women working in female-dominated sectors. Therefore, businesses must create a safe space for employees, particularly women, to report any harassment and unwanted behavior at work. Another initiative for cybersecurity companies to establish is female mentor programs, which help to support their female workers, aid in their professional growth, and close the gender gap in cybersecurity.

**Lack of Industry Role Models**

While kids these days may not be hanging posters of their favorite celebrities in their bedrooms or lockers anymore, role models are still crucial. The importance of role models is often underplayed. Having a visible representation of what is possible encourages people to push boundaries, strive to be better, and be more ambitious.

Crest's report — "Exploring the Gender Gap in Cybersecurity" — found that 59% of women polled had a "mixed" experience within the cybersecurity industry as they received some support but also faced many challenges. The report identified two key areas for improvement: increasing female visibility and improving female mentoring to help women enter and advance within the industry.

The problem with a lack of role models is its knock-on effect. With fewer women in the industry to look up to, this can discourage women from entering and perpetuates disparity. It's time to disrupt this cycle.

Diversity and inclusion lead to a more rounded perspective, with various team members bringing different points of view, allowing them to solve new problems. While women's current obstacles in cybersecurity won't disappear overnight, identifying the issues and raising awareness welcomes opportunities for change and improvement. Cybersecurity is ready for a female revolution.

Beating the Odds: 3 Challenges Women Face in the Cybersecurity Industry

Categories: News
Tags: dark patterns

Tags:  CPC

Tags:  EC

Tags:  web shops

Tags:  countdown timers

Tags:  hidden information

Tags:  subscriptions

An investigation into 399 web shops by the European Commission and its partners found almost 40% of them using one of three dark patterns.



(Read more...)




The post 40% of online shops tricking users with “dark patterns” appeared first on Malwarebytes Labs.

The European Commission has been looking at retail websites to see if they're misleading consumers with "dark patterns". Spoiler: Yes, they are.

The Commission, along with the national consumer protection authorities of 23 EU member states, plus Norway and Iceland, have released the results of their screening of online shops. In a sweep of 399 sites the investigation discovered that 148 of them contained at least one of the three dark patterns they were checked for.

**Dark patterns**

Dark patterns, also known as deceptive design patterns, occur when a user interface has been carefully crafted to nudge or trick users into doing things they didn’t set out to do.

Dark patterns are _not_ subliminal messagaging, visual or auditory stimuli that the conscious mind cannot perceive, although advertisers have been accused of using that as well.

The investigation focused on three manipulative practices that can push consumers into making choices that may not be in their best interests:

*   Fake countdown timers, which create a sense of false urgency
*   Interfaces designed to lead consumers to certain purchases, subscriptions or other choices.
*   Hidden information.

**Numbers**

Frankly, the numbers are surprising, if not disappointing. The investigation found that “nearly 40% of the online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.”

The sweep found 42 websites that used fake countdown timers with deadlines for purchasing specific products. 54 websites directed consumers towards certain choices–from subscriptions to more expensive products or delivery options–either through their visual design or choice of language.

At least 70 websites hid important information or made it less visible for consumers. For example, this included information related to delivery costs, the composition of products, or on the availability of a cheaper option.

23 websites hid information with the aim of manipulating consumers into entering into a subscription.

**Follow-up**

The offending vendors will be contacted by their national authorities and ordered to rectify their websites. If necessary, further action will be taken. The Commissioner for Justice has called on all national authorities to make use of their enforcement capacities to take relevant action and fight these practices.

Tthe Commission is gathering feedback to analyze whether additional action is needed to ensure an equal level of fairness online and offline. The evaluation will look at three pieces of European Union consumer protection legislation to determine whether they ensure a high enough level of protection in the digital environment.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

40% of online shops tricking users with “dark patterns”

January saw a slew of security patches for iOS, Chrome, Windows, and more.

The Android security patch is available to Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, including Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674 is an elevation of privilege flaw impacting the Windows Advanced Local Procedure Call that could lead to browser sandbox escape. 

By exploiting the bug, an adversary could gain System privileges, Microsoft wrote, confirming that the flaw has been detected in real-life attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager User Interface, CVE-2023-21726, is relatively easy to exploit and doesn’t require any interaction from the user.

January’s Patch Tuesday also saw Microsoft fix nine Windows Kernel vulnerabilities, eight of which are elevation of privilege issues and one information disclosure vulnerability.

Mozilla Firefox

Software firm Mozilla has released important updates for its Firefox browser, the most serious of which have been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Among the 11 flaws fixed in Firefox 109 are four rated as having a high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMWare

Enterprise software maker VMWare has published a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated, malicious actor could inject files into the operating system of an impacted appliance, resulting in RCE, VMWare says.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVCCv3 base score of 9.8. It goes without saying that those impacted by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has released patches for a whopping 327 security vulnerabilities, 70 of which are rated as having a critical impact. Worryingly, 200 of the issues patched in January can be exploited by a remote unauthenticated attacker.

Oracle is recommending that people update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches, it says.

SAP

SAP’s January Patch Day has seen the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated as the most severe bug by security firm Onapsis. The flaw affects the majority of all SAP customers and its mitigation is a challenge, Onapsis says. 

The capture-replay vulnerability is a risk because it could allow malicious users to obtain access to an SAP system. “Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” Onapsis explains.

You Really Need to Update Firefox and Android Right Now

The demand is unmistakeable and the business case is readily justified — it's time to implement zero trust.

It's been nearly three years since the business world was catapulted into remote work, yet many organizations are still grappling with making essential technology upgrades. They're looking to provide better security for hybrid working, along with digitized production infrastructure, while managing emerging dependencies on the Internet of Things, operational technology, and 5G cellular. Now, they're also contending with challenging economic conditions, supply chain uncertainty, changing business demands, and budget pressures in a macro economy.

To succeed in this new climate, organizations need the agility and efficiency enabled by the cloud along with the security to protect their valuable assets and data. That's why more businesses are discovering they must accelerate digital transformation and adopt zero-trust security to address today's complex business needs.

**Securing the Case For Zero-Trust Security**

Embracing zero-trust security as a part of any digital transformation strategy has profound impacts, from changing company culture to creating new business models where technology enables innovation, change, and growth. As such, IT and security leaders have a key opportunity to bridge the gap and join forces in educating decision makers on the wide-reaching benefits of zero-trust infrastructure.

The common divide between the different business teams can lead to many misunderstandings around the rationale of embarking on a journey of zero-trust transformation. For instance, executive leaders tend to see digital transformation as a technology issue, moving spending from infrastructure to cloud providers, rather than an integral part of the business strategy that enables their organization to forge new revenue models, increase productivity, and scale without limitation.

Security leaders may confuse a zero-trust initiative as just another digital transformation IT project they have to help support while overlooking the workload reduction impacts on their own day-to-day operations. The deeper value of implementing inline threat prevention and continuous policy enforcement from a zero-trust architecture shifts the primary strategy from detection to prevention, combined with continuous authentication and visibility to limit the impact of incidents and provides rich telemetry to improve response times.

For their part, IT leaders focused on driving the business tend to best understand that transformation is not only about migrating apps to the cloud, but about futureproofing the business so it has all the requirements needed to safely scale, grow, and effectively reach new goals. The majority of IT decision makers agree that secure cloud transformation is impossible with legacy network infrastructure and that zero trust has clear advantages over traditional firewalls and VPNs for securing remote access.

With all the financial, social, and operational pressures on organizations today, it is critical for business leaders to shift perspective and recognize that now is the time to join forces and embrace zero trust as a requirement for enabling our remote workforces, protecting against the most damaging types of cyber threats, and as a high-value growth and business impact driver capable of delivering the significant cost savings organizations need to thrive.

**Unlocking Value with Zero-Trust Architecture**

Disrupting decades of legacy security and networking principles, the concept of zero trust has evolved into a framework for critically securing our users, devices, applications, and data. IT and security leaders globally are waking up to this imperative to transform their legacy infrastructure as they face more complex business, access, data, and security challenges than ever before. Against a backdrop of rapid digital transformation, a disappearing network perimeter, and evolving threats, organizations turn to zero-trust architecture as the gold standard for reducing risk and enabling productivity in a remote, distributed, and cloud-enabled world.

A comprehensive zero-trust platform has the power to redesign business and organizational infrastructure requirements. It can become a business driver that provides the hybrid work support employees need to succeed, and enables complete agility with:

*   **Cyber protection**: a holistic approach to better risk reduction by stopping things before they ever get to the enterprise or the customer.
*   **Data protection**: ensure only verified users with appropriate permission can access policy-enforced applications.
*   **Zero-trust connectivity**: zero trust eliminates access to the company network and the lateral threat movement enabled by access to traditional routable networks.
*   **Digital user experience**: frustration-free access for increased productivity.

Zero-trust architecture brings solving major IT, workforce, and security business challenges within reach by driving greater innovation, supporting better collaboration, and preventing large-scale cyberattacks. On top of these benefits, the right solution will also help deliver significant cost savings. Heeding the call means recognizing that full zero-trust digital transformation is the missing link helping businesses empower and ready themselves today for whatever threats and technologies the future brings.

Read more _Partner Perspectives_ from Zscaler.

Tag

#sap