News & Sports Websites 'vulnerable to attack'

Uploaded on 2017-07-03 in FREE TO VIEW, NEWS-Cybersecurity News

News and sports websites have some of the lowest levels of security adoption, a study has suggested.

A team of cyber-security experts looked at the security protocols used by the top 500 sites in various industries and online sectors. They found that fewer than 10% of news and sports websites used basic security protocols such as HTTPS and TLS. Even those that do are not always using the "latest or strongest protocols", one of the study's authors said.

"As time goes by, all encryption gets weaker because people find ways around it," Prof Alan Woodward, a cyber-security expert at the University of Surrey, told the BBC.

"We tested the University of Surrey's website using a site called Security Headers a couple of weeks ago and it got an A," he explained, "but it's only a C now."

Shopping and Gaming

The research, published in the Journal of Cyber Security Technology, shows that some sectors seem much more security-conscious than others.

The websites of computer and technology companies and financial organisations showed a much higher level of adoption than shopping and gaming sites, for example.

"In the financial sector, almost every one of the sites we looked at had encrypted links", Prof Woodward said, "but even in retail the adoption of the very latest standards is low."

A quarter of the shopping sites studied were using Transport Layer Security (TLS), which offers tools including digital certificates, remote passwords, and a choice of ciphers to encrypt traffic between a website and its visitors. But among news and sport websites fewer than 8% were found to be using the protocol. Among those that did, many failed to make use of some of the strongest tools available, such as HSTS, which automatically pushes users accessing an unsecured version of a website on to the encrypted version instead.

'Click on the padlock'

"It's like news and sport content providers don't value the security of their content," Prof Woodward said.

"They're leaving themselves vulnerable to attacks like cross-site scripting, where an attacker can pretend something's come from a website when it hasn't."

But Prof Woodward warned against putting too much faith in sites that appear to have the most up-to-date and comprehensive security protocols in place.

"People assume that because they're using TLS they're having a secure conversation, but there's no guarantee about who they're having that secure conversation with," he explained.

"Some of those spoof sites are using more up-to-date security than the genuine sites. You've got to click on that padlock and check who it is you're talking to."

BBC

You Might Also Read: 

Russian Hackers Posed as ISIS to Hack French TV Channel:

 

 

« Chinese Criminals Are Selling Your Apple Data
RBS Bank Warns Of Increased Cybercrime »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Italian Association of Critical Infrastructure Experts (AIIC)

Italian Association of Critical Infrastructure Experts (AIIC)

AIIC acts as a focal point in Italy for expertise on the protection of Critical Infrastructure including ICT networks and cybersecurity.

NXO France

NXO France

NXO is an independent leader in the integration and management of digital workflows with services covering digital infrastructures, communications & collaboration, and security.

Dathena

Dathena

Dathena is a company developing data governance software based on machine learning algorithms.

Hellenic Accreditation System (ESYD)

Hellenic Accreditation System (ESYD)

ESYD is the national accreditation body for Greece. The directory of members provides details of organisations offering certification services for ISO 27001.

Data Terminator

Data Terminator

Data Terminator provide a comprehensive range of secure data destruction equipment and services are in compliance to US Department of Defense (DoD) and National Security Agency (NSA) standards.

Eaton

Eaton

Eaton provides comprehensive cybersecurity services for operational technology (OT) to help keep your operations and personnel safe.

CyberCube

CyberCube

CyberCube provide world-leading cyber risk analytics for the cyber insurance market.

Navixia

Navixia

As a leading Swiss IT security specialist, Navixia offers a global and pragmatic approach to information security.

Riskaware

Riskaware

CyberAware, by Riskaware, provides business-critical cyber attack analysis and impact assessments using NIST standards aligned with NCSC guidance.

Phy-Cy.X Security Group

Phy-Cy.X Security Group

Phy-Cy.X specialize in the “Physics” of Information Security through both physical and cyber domains. We are not an IT company, we ARE an Information Security company.

Fusion Risk Management

Fusion Risk Management

Fusion Risk Management focuses on operational resilience encompassing business continuity, risk management, IT risk, and crisis and incident management.

ZINAD IT

ZINAD IT

ZINAD is an information security company offering state-of-the-art cybersecurity awareness products, solutions and services.

ANY.RUN

ANY.RUN

ANY.RUN is an interactive online malware analysis service created for dynamic as well as static research of multiple types of cyber threats.

SecurWeave

SecurWeave

SecurWeave's Configurable Hardware Enforced Safety and Security (CHESS) platform has been designed to meet the security and safety criticality needs of the evolving digital industry.

GO Business

GO Business

GO Business are a specialised B2B team within GO that caters to the communication needs of the local business community in Malta.

Defend-OT

Defend-OT

Defend-OT is a Belgium-based cybersecurity firm specializing in OT environments.