April 27, 2016

In this issue:

  • The Importance of Updating Your Software—Always
  • $2.3 Billion Lost to CEO Email Scams in Recent Years
  • Emerging Threat: Windows Users—Uninstall QuickTime Now
  • Cybersecurity Shorts: Malware hitting banks, millions of voters' information exposed, a hack at a New York state dam, and more
  • Software Updates

Keep reading to learn more about:

  • What you must do right now if you use QuickTime
  • The malicious software stealing millions from banks
  • A hack at a New York state dam
  • And more

The Importance of Updating Your Software—Always

Software updates—the notifications that most computer users dread. Forty percent of adults don't update their software when prompted—and that means a lot of users are at risk.

Why don't we update?

There are many reasons people give for not wanting to update software on their devices. A study by Skype, Symantec, and TomTom found that three-quarters of users did not understand the benefits of the update. Almost half worried about the security of their computer and 27% said updates take too long.

But having out-of-date software is a huge security risk. It leaves your devices and system open to countless attacks from cybercriminals. Updating your software is Savvy Cybersecurity Principle #3.

Why do we need to update?

Developers push out software updates when they close a security hole or vulnerability in the current version of a program. These security holes can leave you vulnerable to a range of issues—from malware to spying to ransomware.

For example, an open vulnerability could allow hackers to execute a drive-by-download attack. A drive-by attack occurs when a cybercriminal creates malicious code that exploits a security hole in a program such as Adobe Flash, Microsoft Silverlight, or a browser plug-in. Users are exposed to the code through malicious advertisements or links on a website. If they are running outdated software, the malicious code can infiltrate their system through that hole.

A drive-by-download attack could result in your machine downloading malware that records everything you do. This sort of malware can lead to identity theft and financial fraud.

What can we do?

To start, we need to embrace the software update. Updates don't just make aesthetic changes to our programs but introduce valuable security improvements. Many programs have made it easier to stay up-to-date. Programs such as Adobe Acrobat, Microsoft Windows, Firefox, and others allow you to choose "auto-update" so new updates are downloaded and installed as soon as they are available.

Software developers have also tried to make updates less intrusive. In the past, people put off updating a program because they were in the middle of something important and did not want to restart their computer or browser. Now, for many programs, you can download the update now and schedule the installation for later so your computer can restart in the middle of the night, instead of in the middle of that important email. And when you update your browser, your tabs will all still be there when you relaunch the browser.

You also need to be sure to update software on all devices. Smartphones and tablets carry security vulnerabilities too. Be sure your apps and operating system are up-to-date.

Make updating your software a part of your weekly schedule. Every Wednesday night sit down and make sure you don't have any outstanding updates. It will help you become more comfortable with the update and will protect your devices against the hackers.

$2.3 Billion Lost to CEO Email Scams in Recent Years

Early this month, the FBI released an alert warning of a significant increase in CEO fraud emails. The CEO fraud email scam, also known as the Business Email Compromise (BEC) scam, is a spear phishing scheme targeted at businesses. In these attacks, the phishers send targeted emails to employees that appear to come from their CEO. The emails ask the employee to wire some amount of money to an account.

According to the FBI, this scheme has resulted in $2.3 billion being lost by businesses from October 2013 to February 2016. They have received over 17,000 complaints from businesses in every state and over 70 countries.

This scheme is so successful because the emails don't get caught in the spam filter. Since the phishers send a single email to one specific employee rather than a mass email, it normally makes it to the target's inbox. The emails are often more specific, too, and include personal information or match the tone the genuine sender would normally use.

While the average loss from this scheme is between $25,000 and $75,000, some companies have lost millions.

To protect yourself and your business, implement two-step verification for your email. More importantly, you should adopt two-step verification for wire transfer requests. In other words, if an employee receives a wire request via email, they must confirm that request in person or over the phone. This should be done with any third-party vendors as well.

All employees should know the dangers of phishing and be on the lookout for malicious messages. Teach your colleagues the E.M.A.I.L. acronym. It stands for "Examine Message And Inspect Links." It can help prevent a phishing attack from doing damage in your personal or business life.

Emerging Threat

Windows users: Uninstall QuickTime now. The Department of Homeland Security's United States Computer Emergency Readiness Team issued an alert recommending that Windows users uninstall QuickTime from their computers. The alert was issued after Trend Micro found two critical vulnerabilities in Apple's video player. The vulnerabilities would allow hackers to install malware on your machine if you visited an infected website. Apple is phasing out QuickTime so they will not be fixing the holes. Windows users should uninstall QuickTime immediately. Mac users are not affected.

Cybersecurity Shorts

Malicious software steals $4 million from bank customers in U.S. and Canada. The malware, GozNym, is planted in phishing emails sent out to bank customers. If clicked, the links install malware on the computer that records keystrokes and even takes screenshots when the victim signs on to their online banking account. The malware has targeted over 20 banks and has resulted in millions being lost in April alone.

Fifty-four percent of people trust their data with tech companies more than the federal government, according to a survey by The App Association. Only 21% trusted federal agencies more. The poll also found that seven in ten people believe hacking is increasing. The majority of those polled are concerned about their personal data.

Chinese nationalist pleads guilty to hacking U.S. defense contractors. Su Bin worked in China in the aviation industry and stole data on U.S. military fighter jets. He emailed hackers telling them which companies to target. Once the companies were hacked, Su Bin would tell them what files to steal. His sentencing is scheduled for July.

Iranian group hacks New York dam. According to reports, a group associated with the Iranian government targeted almost 50 U.S. financial institutions and a dam outside of New York City from 2011 to 2013. Targeted institutions included The New York Stock Exchange, JPMorgan Chase & Co, AT&T, Bank of America and others. The affected dam was the Bowman Avenue Dam in Rye, New York. The dam was shut down at the time, which prevented any serious consequences from the hack. The U.S. has officially indicted seven Iranians for the hack.

Affordable Care Act website was targeted by cybercriminals over 300 times in 18 months. None of the attempted attacks resulted in any sensitive information being released, according to a government report. However, the report did find that the Center for Medicare and Medicaid did not regularly patch security holes affecting the network.

FBI paid third-party hackers to crack San Bernardino shooter's iPhone. It was previously reported that the FBI worked with Israeli security firm Cellebrite to hack the phone, but it appears now that they contracted professional hackers for the job. One of the hackers considers himself "a gray hat" which means he sells software flaws to government agencies or private firms to create surveillance tools. The security industry is pushing the government to reveal the flaws to Apple.

Verizon Enterprise Solutions hit with data breach. The B2B unit of Verizon is known for the comprehensive data breach report it produces each year. Now, however, the unit is dealing with a breach of its own affecting over 1 million customers. According to security expert Brian Krebs, the information is being sold online for $100,000. Verizon Enterprise customers should be on the lookout for phishing attacks.

Database holding information on 191 million voters found on Internet by computer security researcher, Chris Vickery. He said the database contained names, addresses, party affiliations, birthdates, emails, and more on voters in all U.S. states. Vickery is working with federal authorities to find the database owner so it can be removed from the Internet.

Hackers may have had access to U.S. government computer systems for years. The FBI released an alert warning that a hacking group, APT6, has been spying and stealing documents from various government networks since 2011. It is unknown what information has been compromised at this time.

President Obama forms the Commission on Enhancing National Cybersecurity. This new group is part of the $19 million cybersecurity plan Obama put forth earlier this month. Commission members include the CEOs of MasterCard and IBM, a Microsoft Research VP, Uber's Chief Security Officer, and others. The goal of the commission is to improve the cybersecurity in government agencies as well as the private sector.

Apple plans to lock down iCloud. Currently, Apple holds the encryption key for all users with an iCloud account. Now, Apple wants to shift the encryption key to each individual user to manage. This move comes after the request from the FBI for Apple to unlock the iPhone of one of the San Bernardino shooters. If Apple does not hold the encryption key for iCloud accounts, they will not be able to supply federal authorities with any data stored in the cloud. If users forget their passwords, however, Apple would not be able to give them access to their accounts.

Record number of zero-day flaws used in 2015, according to a report by Symantec. Last year, hackers exploited 54 zero-day vulnerabilities, 30 more than in 2014. Zero-day vulnerabilities are software flaws that have not yet been patched by manufacturers. Exploiting these vulnerabilities allows hackers to potentially access your network, install malware, and much more.

Look out, Mac users: More fake Adobe Flash updates are being released. Security experts warn of an influx of fake Adobe Flash update notifications targeting Mac computers. If you get a notification to update Adobe Flash, don't click. Visit Adobe's website and download the update from there instead.

U.S. government agencies rank last in cybersecurity. SecurityScorecard, a security risk startup, analyzed the cybersecurity practices of 17 private industries and 600 U.S. government agencies. U.S. federal, state, and local agencies came in last place. Federal agencies performed the worst in network security, including installing patches for outdated software. NASA performed the worst among the government agencies.

EMV cards lessen counterfeit fraud by 18%, according to Visa. The survey found that major merchants who have fully adopted EMV technology have seen a decrease in counterfeit card fraud, while those who are not accepting chip-enabled cards have seen an 11% increase in fraudulent transactions. The credit card company is releasing a software upgrade which will make chip transactions faster and hopefully encourage more people to use the technology.

Trump Hotels face second data breach in one year. Multiple banks have noticed a pattern of fraud stemming from Trump Hotel properties. The company is investigating the claims. If Trump Hotels was indeed breached again, it would be the second breach since July.

Payroll firm sees spike in employee tax fraud due to login practices. Greenshades, a software company that helps other companies with their payroll, allowed payroll administrators to access employee data using only the employee's date of birth and Social Security number. Hackers caught on and began using stolen DOBs and SSNs to access employees' W-2 information to file fake tax returns. Greenshades has posted a fraud alert on their website but claims it was not a data breach since the hackers used "valid login credentials."

New ransomware scheme uses your address to get you to click. The scam claims the email recipient owes money to UK businesses and uses the recipient's personal address. The email includes an invoice attachment which downloads the ransomware. It is currently unknown how the scammers collected the mailing addresses. While this scam has not spread outside of the UK yet, it’s a good reminder to think before you click and always back up your data.

Listen to a recorded IRS scam phone call. NPR recently shared a recording collected by Pindrop Security of a real IRS scam phone call. Pindrop Security shares dummy phone numbers in online raffles and other scams to get their numbers on scammers' lists. The call begins with the scammer telling the Pindrop researcher that she miscalculated her taxes and she owes money. He threatens to seize her property and send her to prison. You can listen to the phone call in its entirety here.

Facebook gets one step closer to no passwords. Facebook held its major developer conference, F8, this month and announced new technology including their Account Kit. This new app would essentially eliminate the need for passwords on third-party apps connected to Facebook. For example, if a developer wants to allow users to sign up via Facebook, the user would no longer need to enter their username and password. Rather, the user will get a text message code or email to verify and log in.

Software Updates

Microsoft: Microsoft released a patch for the hyped Badlock bug this month. Badlock was discovered weeks ago and the patch made big news but the vulnerability turned out to be a mid-level security issue. The bug would have affected most computers running Windows or Linux and allowed others to access the Active Directory which gives permissions to users. The fix for Badlock was included in a patch for over 30 other holes. The other issues are in Internet Explorer and Microsoft Graphics Component. You can learn more about the update here.

Adobe: Adobe released an update for Flash Player which closes over 20 security holes including a zero-day vulnerability which is already being exploited. If you are still using Adobe Flash, be sure to update immediately. You can learn more here.

Apple: iPhone and iPad users should update their software to iOS 9.3.1. Devices running older software are vulnerable to an attack that sets the device's time back and renders the phone unusable. You can learn more about the update here.