Cyber-scammers Confess: Every Trick in the Book That Hurts Our Internet Security (Part 2)

Cyber-scammers and hackers are the ones equipped with the ability to bring about the downfall of online shopping as we have come to know it. Retailers and other businesses that depend on secure networks fight back by bringing in help from Lean Security, the number one professional managed security service provider in Australia. This blog is a follow-up to our Cyber-scammers Confess: Every Trick in the Book That Hurts Our Internet Security (Part 1). Take a look at what these cyber-scammers have up their sleeves, and how you can outsmart them at their own game!

Trick #1: We Lure You with “Shocking” Videos on Facebook

Interesting videos and other content tend to circulate on social media, posted and shared by millions of people. You may have come across videos posted by friends on Facebook with titles containing words like ‘shocking’, ‘incredible’ and ‘must see’, chosen to grab your attention. Such video links, when clicked, ask you to take a survey or download a media player that, in reality, installs malware on your computer.

How to Outsmart Them: To check whether the video is legitimate and actually on YouTube, type the video’s title into Google. If the video is a scam, it will usually already have been reported.

Trick #2: We Can Break Into Routers That Use WEP Encryption

In fact, scammers and computer hackers do this very easily. How? Many older-model routers still rely on Wired Equivalent Privacy (WEP) encryption, which is much easier to crack than the encryption used by newer routers. This is done with the help of software that is widely available and can be downloaded by anyone.

How to Outsmart Them: Make sure your router uses the most secure type of encryption available, which is WPA2 (Wi-Fi Protected Access 2) or, failing that, WPA. If your router doesn’t support either, call its manufacturer or your managed security service provider and find out what needs to be done. Always change the Wi-Fi password of a new router from its preset (default) value.

Trick #3: We Impersonate Trustworthy Companies

Cyber-scammers and hackers are often masters of disguise, fooling users into believing something that isn’t true. They may send you a fake financial warning purporting to come from the bank or credit card company you hold accounts with, an order confirmation from a well-known retailer, or a social networking invitation from someone in your network.

How to Outsmart Them: Internet users forget that most companies will never ask you outright for account or other financial information. This type of scam can almost always be spotted by hovering the mouse over the address in the ‘From’ field, or simply by clicking the ‘Reply All’ button. If the message is indeed a scam, you’ll notice a lot of misspellings or strange email addresses. Another helpful tip when in doubt is to call the company (not on the number given in the email!).

The security experts at Lean Security always emphasise caution when surfing the net, conducting an online banking transaction or making a purchase from an online store. The same goes for businesses, which should also employ security measures such as web application testing and scanning, amongst the other services Lean Security offers.

Cyber-Scammers Confess: Every Trick In The Book That Hurts Our Internet Security

The number one threat to our internet security is computer hackers, who have numerous tools and complex software at their disposal to wreak havoc on our internet systems, web applications and online security. Following are some tips that Lean Security gleaned from the experts themselves on how to better protect your privacy while online:

Trick #1: We Send You Personal Emails

Spear phishing, i.e. cyber-scammers and hackers sending targeted emails with the purpose of stealing sensitive information (in the form of financial details or passwords), has become incredibly sophisticated. Previously, Internet users could easily spot dubious emails thanks to the tell-tale punctuation and spelling errors; today, however, such emails may address the user by name and professional title, and even mention a project they’ve been working on!

How to Outsmart Them: You can spot phishing emails by keeping an eye out for unusual or incorrect URLs, requests for money or personal information, suspicious attachments, or a message that is actually an image. Opening attachments or clicking on links is a bad idea if you aren’t 100% certain of the sender’s identity.
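As an added illustration (not part of the original post), the following Python script turns the indicators listed in this trick, and in Trick #3 of Part 2 above, into checks that run over a raw e-mail: the sender and Reply-To domains, link text that disagrees with the actual link target, requests for a password or account verification, risky attachment types, and a body that is only an image. The trusted sender domain and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for this example: the domains the legitimate company actually sends from.
TRUSTED_SENDER_DOMAINS = {"acme-bank.example"}

# Phrases a genuine company does not normally put in unsolicited mail.
SENSITIVE_REQUEST = re.compile(
    r"\b(password|verify your account|confirm your (?:account|password)|wire transfer)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip")


def host_of(url_or_addr: str) -> str:
    """Lower-cased host of a URL, or domain of an e-mail address, with a leading 'www.' removed."""
    value = url_or_addr.strip()
    if "@" in value and "://" not in value:
        value = value.rsplit("@", 1)[1]
    else:
        value = urlparse(value).hostname or ""
    value = value.lower()
    return value[4:] if value.startswith("www.") else value


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable reasons why the message looks like phishing (empty if none)."""
    msg = message_from_string(raw_message)
    reasons = []

    from_host = host_of(parseaddr(msg.get("From", ""))[1])
    if from_host not in TRUSTED_SENDER_DOMAINS:
        reasons.append(f"sender domain '{from_host}' is not one the company sends from")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and host_of(reply_to) != from_host:
        reasons.append(f"Reply-To goes to '{host_of(reply_to)}', not the sender's domain")

    text, attachments = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")

    # Link text that displays one site while the href points somewhere else.
    for href, label in ANCHOR.findall(text):
        label_host = host_of(TAG.sub("", label))
        if label_host and label_host != host_of(href):
            reasons.append(f"link text shows '{label_host}' but points to '{host_of(href)}'")

    visible_text = TAG.sub(" ", text)
    if SENSITIVE_REQUEST.search(msg.get("Subject", "") + " " + visible_text):
        reasons.append("message asks for a password or account verification")

    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"attachment '{name}' has a risky file type")

    # A body that is essentially a single image is a common way to defeat text filters.
    if "<img" in text.lower() and len(visible_text.split()) < 10:
        reasons.append("message body is an image with almost no text")

    return reasons


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Flag a message once it trips at least `threshold` independent indicators."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail) used to exercise the checks.
PHISHING_SAMPLE = """\
From: "Acme Bank Security" <alerts@acme-bank-secure-login.example>
Reply-To: recover@mail-verify.example
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body><p>Dear customer, your acount will be suspnded. Please confirm your
password at <a href="http://acme-bank.example.evil/login">https://www.acme-bank.example/login</a></p>
</body></html>
"""

LEGITIMATE_SAMPLE = """\
From: "Acme Bank" <statements@acme-bank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement for this month is now available when you sign in from our website.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGITIMATE_SAMPLE):
        print(is_suspicious(sample), phishing_indicators(sample))
```

The threshold of two indicators is a deliberate choice: a single hit (an unfamiliar sending domain, say) is common in legitimate mail from a newsletter provider, while two or more together rarely are.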

Trick #2: We Crack Simple Passwords…In No Time!

Even amateur hackers have access to complex programs that work systematically and without pause, testing millions upon millions of possible password combinations. The program doesn’t need them to be present; they could fall asleep and it will still be working the next morning, attempting to gain access to your information!

How to Outsmart Them: The experts who provide security testing services at Lean Security recommend creating an iron-clad password for your email and other important accounts. Choose a phrase and use characters and letters from it, adding numbers, symbols and a mix of upper- and lowercase letters (e.g. ‘Jack and Jill went up the hill’ could become J@jwnPThl). A password manager that generates and remembers random, hard-to-guess passwords can also be used.
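To make the comparison concrete, here is an added Python example (not from the original post) that estimates how large a search space a systematic cracking program faces for a given password, and generates a password-manager style random one. The common-password list, the guess rate of ten billion per second and the character classes are assumptions for illustration; the estimate is an upper bound, since a password derived from a phrase has more structure than a random string of the same length.

```python
import math
import secrets
import string

# Character classes a cracking program must include in its search space.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for the leaked-password lists that cracking programs try first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "jackandjill"}


def entropy_bits(password: str) -> float:
    """Strength estimate: length x log2(pool), where the pool is every class the password draws from."""
    pool = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time for a systematic search to reach the password at the given guess rate.

    Anything on the common list is found almost instantly, whatever its length.
    """
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return (2 ** entropy_bits(password)) / 2 / guesses_per_second


def generate_password(length: int = 20) -> str:
    """What a password manager does: a cryptographically random password using all four classes."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from every class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "J@jwnPThl", generate_password(20)):
        days = crack_time_seconds(pw) / 86400
        print(f"{pw!r:24} {entropy_bits(pw):6.1f} bits  ~{days:,.1f} days at 1e10 guesses/s")
```

Run as a script it prints the three passwords side by side: the phrase-derived nine-character password sits in the tens of bits, while the twenty-character manager-generated one is far beyond what the night-long program in the trick above could ever exhaust.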

Trick #3: We Sneak While You Surf

A growing number of cyber-scammers and hackers use a newer method of attack, the ‘drive-by download’. The user can’t tell the difference between a malicious website and a perfectly harmless one; once the link is clicked, the user is redirected to several other sites running in the background, one of which launches an attack. Often, the owner of the website won’t even know their site has been compromised.

How to Outsmart Them: Make sure all available updates have been installed for your browser. You may also consider using Firefox, which updates automatically whenever an update is available. Of all the browsers, users of Internet Explorer are the ones most at risk of these attacks, according to security experts.

We at Lean Security understand how important internet security is for businesses, which is why our security experts provide the best managed security services as well as mobile and web application security assessments to small, medium and enterprise businesses. Get a free assessment of your website today!

Security Risks That Small Businesses Should Know About

There has been a significant increase in high-profile data breach cases over the past two years involving major corporations. This doesn’t mean that small businesses are safe from hackers and thieves, however; small businesses often don’t even have the resources or know-how to protect their important data.

Does this mean that small businesses are doomed? Lean Security doesn’t think so: there’s absolutely no need to spend an exorbitant amount of money or resources to safeguard a network against the threats attacking businesses today. In addition to having a simple cyber plan, the Australian-based managed security services provider reckons knowing about the threats is the first step to fighting them.

#1: Malicious Code

You don’t want what happened to one manufacturing firm to happen to you: all of the company’s code generators and programs were destroyed by a software bomb, causing it to lose millions of dollars. As a result, the company was unceremoniously knocked from its previous position in the industry and had to lay off 80 workers!

How Can This Not Happen To You: Install anti-virus and anti-spyware programs and firewalls on all computers used in your business, and make sure the software is kept up to date with the most recent patches applied.

#2: Stolen/Lost Laptop or Mobile Device

There have been cases of laptops being stolen from government officials’ homes containing sensitive information that could have been, and in most cases was, used for illegal or devious purposes. In one instance, the affected department had to notify 26.5 million people of the incident, resulting in public scrutiny and hearings into the matter.

How Can This Not Happen To You: Encrypt all customer data when travelling with it or carrying it on a portable device; this makes the data unreadable to outsiders until a password or encryption key is entered.

#3: Spear Phishing

This threat is prevalent for businesses that rely heavily on e-mail to conduct business. Imagine your company receiving as many as 50,000 spam and phishing emails in the course of a normal business day. Do your employees know the difference between a regular email and a spam one? If not, your business runs the risk of opening a spear phishing email that can either bring a virus into the network or steal important information such as the administrator password.

How Can This Not Happen To You: If such an email is received, it’s recommended that employees either contact their manager or simply pick up the phone and get in touch with the person who supposedly sent it.

The above threats and more can be aptly addressed by Lean Security, the only managed security services provider in Australia that offers a free security assessment of your company’s website. So what are you waiting for?

Here Is How You Can Prevent Data Breaches in Your Company

Data breaches will occur whether you run a small-scale business or a fully fledged enterprise. It’s understandable that you want the best for your business, and when it comes to data breaches, being aware of the potential threat is the first step towards mitigating it as best as possible. Lean Security, your neighbourhood penetration testing service, provides the following tips for safeguarding against security and data breaches.

Institute End User Awareness

This training provides a definite advantage to the business, but only when end user awareness changes the very culture of the company and makes it more security-minded. Carried out properly, it can help eliminate the mistakes that typically lead to a security breach, as well as help those concerned notice odd behaviour or fraudulent activity inside the company.

Deploy Intrusion Detection and Prevention

This should be used for all mission-critical systems, as well as those that can be accessed via the internet: web servers, e-mail systems, servers housing customer or employee data, Active Directory servers, and any other system that’s considered mission-critical.

Stop Drive-by Downloads

In other words, implement content filtering. A number of breaches occur through drive-by downloads, where a malicious or compromised website opens up your machine, making it easy to exploit and to access any information on it. The ability to control which sites insiders can visit is an important component of a good security policy.

Perform Regular Vulnerability Assessments

Conducting regular vulnerability assessments lets organisations know where their security stands and what more has to be done to ensure no security breach takes place. Companies typically perform vulnerability scans once a quarter, but according to Lean Security these should be carried out weekly. In addition, scans should be performed against every system in the network, be it internal or external.

Implement Insider Behavior Monitoring

A system monitoring programme in which your HR person or compliance officer has the means to view and replay employee behaviour can prove invaluable to ensuring data security. There are programs and software available for this, and combining them with data loss prevention technology lets you define rules that block sensitive content from leaving the network.
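The following Python example (added here, not part of the original post) shows the kind of data loss prevention rule described above: it checks an outbound message for payment card numbers, using the Luhn checksum so that ordinary order numbers are not flagged, and for classification markers, and blocks the message only when it is addressed outside the organisation. The internal domain, the marker words and the sample message are constructed for the example.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Classification markers that should not leave the organisation (assumed for the example).
CLASSIFICATION = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b")
# Assumed for this example: the organisation's own e-mail domain.
INTERNAL_DOMAIN = "example.com"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def inspect_outbound(message: str, recipient: str) -> dict:
    """Apply the DLP rules to a message about to leave the network.

    Sensitive content going to an internal address is allowed; the same content
    addressed outside the organisation is blocked, with the reasons recorded.
    """
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    reasons = []
    if external:
        cards = find_card_numbers(message)
        if cards:
            reasons.append(f"{len(cards)} payment card number(s) addressed to an external recipient")
        marker = CLASSIFICATION.search(message)
        if marker:
            reasons.append(f"content marked {marker.group()} addressed to an external recipient")
    return {"blocked": bool(reasons), "reasons": reasons}


# Constructed sample message; the card number is a well-known test number, not a real card.
SAMPLE_OUTBOUND = (
    "CONFIDENTIAL: Q3 customer export attached.\n"
    "Please charge card 4111 1111 1111 1111 for order 1234567890123."
)

if __name__ == "__main__":
    for rcpt in ("finance@example.com", "partner@othercorp.example"):
        print(rcpt, inspect_outbound(SAMPLE_OUTBOUND, rcpt))
```

The 13-digit order number in the sample is deliberately there: it matches the digit-run pattern but fails Luhn, which is what keeps a rule like this from drowning the compliance officer in false positives.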

Implementing these measures and more will make the difference to a good and secure network, and they can be delivered through one of the many penetration testing services offered by Lean Security. After all, why do it yourself when the same can be done for you in a much better manner?

3 Reasons Why Your Business Would Benefit From a Mobile Application

Are you planning to build a mobile application for your business? There are certain advantages to doing so, but it’s extremely important to be fully clear about your objectives from the very start. Following are some reasons for having a mobile application, and popular ways of using one, as shared by Lean Security.

Active Customer Engagement

Perhaps the biggest advantage businesses gain from going mobile is the increased potential for customer interaction. Companies will also be able to interact with their clients in real time, by location and by profile information, which also tells them the demographics of the people who use the application.

Increased Customer Service and Support

People look for simple interfaces when shopping online, which help them navigate easily throughout the site. Many businesses are building mobile applications for their websites for precisely this reason, because their clients now prefer to shop on their mobiles. Such mobile applications also offer tools that make the experience even simpler and more effective, making customers’ lives easier with 24/7 customer support and service on board.

Promotion of Brand

Having a mobile application gives businesses the advantage of 24/7 promotion and marketing of their products and offers, as they can showcase whatever is new straight in the application for everyone to see. One effective way of making the most of this is by offering coupons, which will help increase sales: people are more likely to visit your apparel store, for example, after being notified on their mobile phones about an offer they would otherwise miss out on.

Moreover, developing a mobile application is a very good idea if you sell services or products online, as it provides your customers with the one thing that makes all the difference, i.e. mobility. This will increase not only your sales but your client base as well.

The end result you should be working towards is capturing the attention of existing or potential customers, increasing your product range and offerings, and enticing people to buy from you, which will only be possible with web and mobile applications that run without a hitch. Learn more about the web and mobile assessment solutions that Lean Security offers here.

Analysing vulnerability scanning reports

The success of an enterprise-wide vulnerability assessment program depends on many factors such as planning, budgeting, resources, technical solution and others, but the most important is the ability to analyse vulnerability scanning reports. Properly identified and categorised vulnerabilities will help organisations get the most benefit from the program and achieve a greater return on investment. This article will cover some of the points to consider when analysing network and web application reports.

What is Source Code Analysis?

Source code analysis is the automated testing of a program’s source code. Its main purpose is finding faults and fixing them before the application is deemed ready to be distributed or sold.

Source code analysis is essentially a form of static code analysis: the original source code is analysed as code while the program itself is not running. This way, the need to create and run test cases is almost completely eliminated. Overall, source code analysis finds faults in the program that may damage its proper functioning, such as lines of code that cause crashes.

How Does it Work?

First things first: source code analysis is automated code debugging. Here, the main goal is to find faults and bugs that the programmer might not spot, such as:

·  Untidy use of pointers

·  Misuse of garbage collection functions

·  Possible buffer overflows

If these faults are not caught in time, there is a chance that they can be exploited by malicious entities.

Code analysers rely on standard rules to tell them what to look for, and they need the right balance of precision for the process to work. Too much precision and the analysis might take too long to finish; too little, and users might be flooded with useless warnings and a lot of false positives.

There are two types of analysers:

·  Intra-procedural: Focuses on pattern matching within a single function and relies on the kinds of patterns the user is looking for.

·  Inter-procedural: Detects patterns that span from one function to the next. These patterns are connected so that the analyser can generate a model and simulate execution paths.
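As an added illustration of the two analyser types (this code is not part of the original article or of any product), the following Python script implements a toy source code analyser on top of Python’s own `ast` module: an intra-procedural visitor that pattern-matches single statements, and an inter-procedural pass that follows the call graph to report functions that reach a dangerous call only through other functions. The rule set and the sample program it scans are constructed for the example; the C-style faults listed above (pointers, buffer overflows) would need a C front end, so the rules here target Python equivalents.

```python
import ast

# Constructed rules for this example: call targets treated as dangerous sinks, with the reason.
DANGEROUS_CALLS = {
    "eval": "evaluates a string as code",
    "exec": "executes a string as code",
    "pickle.loads": "deserialises data, which can run arbitrary code",
    "yaml.load": "unsafe YAML loader unless a safe Loader is given",
}
# Variable names that should never be assigned a string literal.
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}


def call_name(node: ast.Call) -> str:
    """Render the callee of a Call as 'name' or 'module.attr'; '' for anything more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class IntraProcedural(ast.NodeVisitor):
    """Intra-procedural rules: every finding comes from one statement, with no cross-function reasoning."""

    def __init__(self):
        self.findings = []          # (line, enclosing function, message)
        self.current = "<module>"

    def visit_FunctionDef(self, node):
        previous, self.current = self.current, node.name
        self.generic_visit(node)
        self.current = previous

    def visit_Call(self, node):
        name = call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, self.current, f"{name}: {DANGEROUS_CALLS[name]}"))
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append((node.lineno, self.current, f"{name} with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append((node.lineno, self.current, f"hard-coded secret in '{target.id}'"))
        self.generic_visit(node)


def call_graph(tree: ast.AST) -> dict:
    """Map each function name to the set of callee names appearing in its body."""
    return {
        fn.name: {call_name(c) for c in ast.walk(fn) if isinstance(c, ast.Call)}
        for fn in ast.walk(tree) if isinstance(fn, ast.FunctionDef)
    }


def reachable_sinks(graph: dict) -> dict:
    """Inter-procedural step: the dangerous sinks each function reaches through its callees.

    Simplification: recursion is cut at the first function already on the current path.
    """
    memo = {}

    def reach(fn, path):
        if fn in memo:
            return memo[fn]
        sinks = set()
        for callee in graph.get(fn, ()):
            if callee in DANGEROUS_CALLS:
                sinks.add(callee)
            elif callee in graph and callee not in path:
                sinks |= reach(callee, path | {fn})
        memo[fn] = sinks
        return sinks

    return {fn: reach(fn, frozenset()) for fn in graph}


def analyse(source: str):
    """Run both analyser types over a source string."""
    tree = ast.parse(source)
    intra = IntraProcedural()
    intra.visit(tree)
    return intra.findings, reachable_sinks(call_graph(tree))


# Constructed sample program (not from any real project) containing the patterns the rules look for.
SAMPLE_SOURCE = '''
import subprocess, pickle

password = "hunter2"

def run_script(code):
    return eval(code)

def handle_request(payload):
    return run_script(payload)

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)

def load(blob):
    return pickle.loads(blob)

def safe(x):
    return x + 1
'''

if __name__ == "__main__":
    findings, reaches = analyse(SAMPLE_SOURCE)
    for line, fn, msg in findings:
        print(f"line {line} in {fn}: {msg}")
    for fn, sinks in reaches.items():
        if sinks:
            print(f"{fn}() reaches {sorted(sinks)} through its calls")
```

Note the difference in what each pass can say: the intra-procedural visitor flags `run_script` because it contains the `eval` call, but only the inter-procedural pass reports that `handle_request` reaches `eval` at all, since that fact is not visible in any single statement of `handle_request`.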

 

How Does it Strengthen the Security of Your Business?

Business security is now mostly focused at the application level. Since most security efforts have succeeded in protecting the business perimeter, hackers have turned to enterprise applications to continue their attacks. Hackers turn errors in software or embedded code to their advantage to control company computers and access classified data and customer records.

Static Code Analysis (SCA) is a security tool used to identify harmful code and flaws in applications before they are used or distributed. Code reviewers use automated tools to find vulnerabilities while keeping the complexity of current applications in mind. SCA tools decrease the time it takes to assess intricate code and to detect the problems that need to be prioritised.

In short, source code analysis can help make your applications safe before flaws have the chance to do real damage. Static Application Security Testing should be viewed as a mandatory practice for all IT organisations procuring or developing applications. With that in mind, you can contact us anytime to make use of our web application scanner and security testing services.

The Most Problematic Mobile Security Threats (Part 2)

In today’s age, mobile communication has become an integral part of personal and professional life for most people. But as the need for mobile communication has grown, so has the number of mobile security threats. For hackers, mobile threats can prove lucrative. For most organisations, however, they are nothing but an ever-growing pain.

Currently, there are many mobile security threats that leave even the experts stymied. Continuing from where we left off in the last post, here are some threats that the pros find especially problematic.

6. Android Fragmentation

Most security threats associated with Android are very rarely highlighted in public forums, despite the fragmentation of the Android mobile OS being well documented and discussed.

With so many variants, security patches are often not the top consideration: each patch requires the infrastructure to deploy the update on a per-carrier basis and worldwide. Many devices are released with an operating system version and never see a patch or a full OS upgrade.

7. Non-Responsive Insiders

It might surprise you to know that over 35% of corporate and enterprise employees firmly believe that data security is not their responsibility. And a surprising 59% of employees believe that a laptop or mobile device holding company data would not pose a threat to the company’s security.

This could be easily taken care of by educating the employees about security threats and how to be wary of them. Sadly, most organizations believe that the employees ought to know better on their own.

8. Sophisticated Mobile Attackers

Attackers continue to become more sophisticated even as companies and security specialists come up with ways to block attacks and enhance existing security measures. This is why organisations need to be sure they have a comprehensive and up-to-date security solution in place.

9. Hostile Enterprise-Signed Mobile Apps

Hostile enterprise-signed mobile apps are a class of malicious apps that bypass app store controls by leveraging the enterprise application distribution capabilities of Android and iOS. These apps use private OS APIs to gain detailed device information. They might even change settings, mine address books, profile enterprise networks, and send that information to malicious entities.

10. Legit Mobile Apps that Mine Corporate Information

More often than not, the security threats faced by organizations come from apps present in the devices of the employees. Most people simply don’t realize that personal and corporate data may be sent to remote servers and advertising networks all over the world. From there, that data can be mined by malicious entities and hostile governments seeking access to corporate networks.

Most experts agree that in the coming years, corporate hacking will be done through apps. This is why you should give mobile app security testing special consideration. You can get in touch with us to obtain this service and others such as web application penetration testing. To read this list from the beginning, head over to part 1 of this blog. To learn more about web and mobile application security, browse our website.

The Most Problematic Mobile Security Threats (Part 1)

The thing about mobile apps is that they are not only popular with knowledge workers, but hackers too. This makes the issue of securing the apps complex even for the professionals. Here are some of the most problematic mobile security threats usually faced by security pros.

1. Lack of a Proper Mobile Device Policy

A mobile security policy should be created that establishes rules for authentication, including credential storage. PII restrictions should be upheld for email and for the device itself, and restrictions should also be applied to passwords, PINs and usage.

In essence, a mobile device policy should be made part of the onboarding process. It is also suggested that new employees, before receiving their device or access to company resources, read and sign off on the policy so that they are informed of the established mobile security rules.

2. Connection Hacking

One of the most common examples of connection hacking is the ‘man-in-the-middle’ attack. Employees often use company devices to access company servers in open spaces. They might think they are safe behind the corporate firewall, but in reality, attackers set up a rogue access point and start receiving all of the user’s personal information the second they log in. This has the potential to leak a lot of sensitive data.

3. Authentication Attacks

Although not necessarily for stealing data on a mobile device, authentication consolidation will more than likely result in data specific exploits.

Industry experts predict that mobile devices will be progressively targeted for broader credential stealing, or for authentication attacks to be used later on.

For example, think of mobile devices as a direct conduit to the cloud. The cloud keeps getting bigger as more and more data is fed into it. Almost all organisations use numerous devices (laptop, tablet, mobile, etc.) to access that data. This means that by cracking just one device, malicious entities could gain access to an ever-expanding cloud filled with sensitive information.

4. Rootkits

Because of their very nature, rootkits are almost impossible to trace, and they give the attacker absolute control of the device. What is even more worrying is that personal and sensitive information can readily be extracted through rootkits. This is especially concerning as more and more people have come to depend on mobile devices for their day-to-day activity. With a rootkit, malicious attackers can cause unprecedented damage.

5. Mobile Payment Security Sources

Facebook’s new payment platform uses third-party resources for security. If Facebook had a Trusted Service Manager platform in place and agreements with handset manufacturers for the management of secure elements, then its payment solution would bring Facebook into classical payments. This is quite difficult, though, and Facebook may not evolve in that way.

All these points just emphasise the need for mobile app security testing. Having your app tested by professionals will ensure that it is safe from most mobile app security threats. To obtain this service and others such as web application penetration testing, get in touch with us.

What You Need to Know About Web Application Security

Web applications used at enterprises that hold valuable and sensitive data about the business’s consumers are normally at higher risk from hackers and malicious viruses. To guard this sensitive data, businesses must integrate cost-effective web application security measures. In a nutshell, companies should consider acquiring the services of a reliable managed web application security provider that offers extensive security.