News & Sports Websites 'vulnerable to attack'

News and sports websites have some of the lowest levels of security adoption, a study has suggested.

A team of cyber-security experts looked at the security protocols used by the top 500 sites in various industries and online sectors. They found that fewer than 10% of news and sports websites used basic security protocols such as HTTPS and TLS. Even those that do are not always using the "latest or strongest protocols", one of the study's authors said.

"As time goes by, all encryption gets weaker because people find ways around it," Prof Alan Woodward, a cyber-security expert at the University of Surrey, told the BBC.

"We tested the University of Surrey's website using a site called Security Headers a couple of weeks ago and it got an A," he explained, "but it's only a C now."

Shopping and Gaming

The research, published in the Journal of Cyber Security Technology, shows that some sectors seem much more security-conscious than others.

The websites of computer and technology companies and financial organisations showed a much higher level of adoption than shopping and gaming sites, for example.

"In the financial sector, almost every one of the sites we looked at had encrypted links", Prof Woodward said, "but even in retail the adoption of the very latest standards is low."

A quarter of the shopping sites studied were using Transport Layer Security (TLS), which offers tools including digital certificates, remote passwords, and a choice of ciphers to encrypt traffic between a website and its visitors. But among news and sport websites fewer than 8% were found to be using the protocol. Among those that did, many failed to make use of some of the strongest tools available, such as HSTS, which automatically pushes users accessing an unsecured version of a website on to the encrypted version instead.

'Click on the padlock'

"It's like news and sport content providers don't value the security of their content," Prof Woodward said.

"They're leaving themselves vulnerable to attacks like cross-site scripting, where an attacker can pretend something's come from a website when it hasn't."

But Prof Woodward warned against putting too much faith in sites that appear to have the most up-to-date and comprehensive security protocols in place.

"People assume that because they're using TLS they're having a secure conversation, but there's no guarantee about who they're having that secure conversation with," he explained.

"Some of those spoof sites are using more up-to-date security than the genuine sites. You've got to click on that padlock and check who it is you're talking to."

BBC

You Might Also Read: 

Russian Hackers Posed as ISIS to Hack French TV Channel:

 

 

« Chinese Criminals Are Selling Your Apple Data
RBS Bank Warns Of Increased Cybercrime »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MaxMind

MaxMind

MaxMind is an industry-leading provider of IP intelligence and online fraud detection tools.

VdS

VdS

VdS is an independent safety and security testing institution. Cybersecurity services include standards, audit/assessment and certification for SMEs.

K2 Integrity

K2 Integrity

K2 Integrity is a preeminent risk, compliance, investigations, and monitoring firm - built by industry leaders to safeguard our clients’ operations, reputations, and economic security.

Coro Cybersecurity

Coro Cybersecurity

Coro (formerly Coronet) empowers organizations to protect against malware, ransomware, phishing, and botnets - across devices, users, and cloud applications.

miniOrange

miniOrange

miniOrange is a cloud and on-premise based identity and access management (IAM) solution provider.

Apozy

Apozy

Apozy replaces a secure web gateway to nullify phishing, malware and impersonation attacks.

Com Laude

Com Laude

Com Laude is a domain name management company that provides strategic consulting to help companies strengthen digital brand, safeguard customers & protect brand IP.

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange is a new initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy.

Datacentrix

Datacentrix

Datacentrix provides end-to-end cybersecurity services for the operational technology (OT) and IT environments to monitor, assess and defend our customers' information assets.

SECFORCE

SECFORCE

SECFORCE is a leading information security consultancy specialising in bespoke penetration testing and red team engagements.

Sylint

Sylint

Sylint is an internationally recognized cyber security and digital data forensics firm with extensive experience discretely addressing some of today’s biggest cyber breaches.

Hex-Rays

Hex-Rays

Founded in 2005, privately held, Belgium based, Hex-Rays SA focuses on the development of fast, stable, and robust binary analysis tools for the IT security market.

Robo Shadow

Robo Shadow

Robo Shadow are trying to bridge the gap between the top tier organisations that can afford everything and everyone else who has to “Make it up as they go along” when it comes to Cyber.

ASRC Federal

ASRC Federal

ASRC Federal’s mission is to help federal civilian, intelligence and defense agencies achieve successful outcomes and elevate their mission performance.

2021.AI

2021.AI

2021.AI serves the growing business need for full oversight and management of applied AI.

Lightpoint Global

Lightpoint Global

Lightpoint Global is a bespoke software development company. We also provide a spectrum of services such as IT consulting, business analysis, QA and testing, and DevOps services.