86% of Australia’s top websites can’t detect bot attacks: Research

April 16, 2019
in Internet Security

New research shows that the vast majority of Australia’s top 250 websites can’t tell the difference between a human using a web browser and a bot running a script, leaving them vulnerable to so-called credential stuffing attacks.

Researchers from Australian cybersecurity firm Kasada selected the target websites based on their Alexa ranking. They focused on the industries most often targeted by bot attacks: Retail, property, wagering, finance, airlines, utilities, and health insurance.

The researchers then loaded the sites’ login pages in three ways: A regular web browser; a script using curl or Node.js; and an automation tool, Selenium.

Around 86% of the tested websites failed to detect the difference, meaning that an attacker could also load the login page with a credential abuse tool, attempting to log in repeatedly using stolen usernames and passwords.

In addition, 90% of the websites failed to detect those automated logins.

Credential stuffing is the one kind of attack where it’s easier for the bad guys to build a return on investment, encouraging them to spend money to evade detection, according to Kasada’s lead field engineer, Nick Rieniets.

“Visibility of activity on that login page is where it all needs to start,” Rieniets told ZDNet.

“Our observation is these credential abuse attacks, in many cases, have been going on for weeks before the organisations realise what’s going on … the attackers are doing a great job of evading detection.”

In and of itself, a login request isn’t malicious traffic, Rieniets explained, but a pattern of failing login attempts is, even if they don’t all come from the same source. But how many failed attempts you allow before blocking the traffic depends on the context.

“It’s difficult for consumer-facing sites to lock down logins, because the more you lock it down, the more support cases you end up creating,” he said.
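An added example, not taken from Kasada's report or from the article, of the detection idea described above: flag a burst of failing logins across the login path as a whole, even when every individual source stays below a per-IP limit. The log format, function names and thresholds are assumptions chosen for illustration; as the article notes, the right threshold depends on the site.

```python
from collections import deque
from datetime import datetime, timedelta

def parse(line):
    """Parse 'ISO-timestamp source-ip username OK|FAIL' (assumed log format)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "FAIL"

def detect_distributed_failures(lines, window=timedelta(minutes=5),
                                min_attempts=20, fail_ratio=0.8, min_sources=10):
    """Alert when, inside a sliding window, most logins fail and the failures
    are spread over many sources. Thresholds are illustrative assumptions."""
    events, alerts, alerting = deque(), [], False
    for line in lines:
        ev = parse(line)
        events.append(ev)
        while ev[0] - events[0][0] > window:      # expire events outside the window
            events.popleft()
        per_ip = {}
        for _, ip, _, failed in events:
            if failed:
                per_ip[ip] = per_ip.get(ip, 0) + 1
        failures = sum(per_ip.values())
        hit = (len(events) >= min_attempts
               and failures / len(events) >= fail_ratio
               and len(per_ip) >= min_sources)
        if hit and not alerting:                  # one alert per episode
            alerts.append({"at": ev[0], "attempts": len(events),
                           "fail_ratio": round(failures / len(events), 2),
                           "sources": len(per_ip),
                           "max_per_source": max(per_ip.values()),
                           "usernames": len({e[2] for e in events if e[3]})})
        alerting = hit
    return alerts

def sample_log():
    """Constructed sample: 6 normal logins, then 24 failures spread over 12 IPs."""
    base = datetime(2019, 4, 16, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=2 * i)).isoformat()} 198.51.100.{i} user{i} OK"
             for i in range(6)]
    start = base + timedelta(minutes=30)
    lines += [f"{(start + timedelta(seconds=5 * i)).isoformat()} "
              f"203.0.113.{i % 12} account{i} FAIL" for i in range(24)]
    return lines

if __name__ == "__main__":
    for alert in detect_distributed_failures(sample_log()):
        print(alert)
```

In the constructed sample no source fails more than twice before the alert fires, so a lockout keyed only on source IP would not have triggered.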

Kasada’s researchers also found that out of 100 credential abuse bot attacks on their own customers, 90 percent came from within Australian ISP networks.

While 100 is a small sample size, the customers included traditional retailers and more modern e-commerce businesses, online gaming operators, and utilities, and therefore skewed to more high-value targets.

Kasada published its research findings and an action plan for organisations in the report Bits Down Under on Tuesday.

Recommendations for cybersecurity teams are to only allow regular web browsers to access the login page; enforce adherence to request flow patterns; take actions to alter the economics of attacking your site; and visualise the human versus bot activity against your login paths.

For organisations, it was recommended that they establish a regular cadence of reporting on these issues; make sure the necessary security controls are in place; and establish and test a data breach response plan.

These recommendations don’t match some other priority lists for attack mitigations, such as the Australian Signals Directorate (ASD) Essential Eight. But Rieniets says his reference for establishing priorities is the data on notifiable data breaches published by the Office of the Australian Information Commissioner (OAIC).

“Credential abuse, which they call brute force attacks … is actually the third most likely attack type that results in a data breach. For me, that’s pretty significant,” he said.

Credential stuffing is a reasonably new attack type, Rieniets said, at least in terms of the number of organisations having to deal with it for the first time. Chief information security officers (CISOs) both in Kasada’s customer base and elsewhere are telling him that preventing these attacks is a priority.

“If it’s not the number one priority for most CISOs this year, it’s certainly very high up,” he said.
