July 2016 Cyber Security Report
Vacation may be on everyone's mind but it's important to remember these cybersecurity tips when traveling.
• Think twice about what you post on social media. Hackers and thieves may be lurking online and waiting to attack your accounts while you are away. Knowing that you are out of town can also tip off home thieves. It may be best to share your fun photos after you return from your trip.
• If you need to connect, think about a VPN. If you need to get some work done or access sensitive accounts (such as your email or online banking account) while you are away, be sure you have a secure and private connection. A VPN (Virtual Private Network) creates a private, encrypted Internet connection for you on the go.
Read on to learn more about cybersecurity news from this month, including:
• The trouble with reusing passwords
• New skimmers at Walmart
• Sites to change your password at immediately
• And more
Wave of hacked accounts stems from password reuse
Websites, like Twitter, Carbonite, and GoToMyPC, have noticed an uptick in hacked accounts following last month's news of a 2012 LinkedIn breach. These sites, among others, say the hacked accounts are not from a breach of its networks but rather an effect of people reusing passwords from other hacked sites, such as LinkedIn.
This wave of password resets raises a serious cybersecurity problem. We have so many online accounts that it becomes impossible to remember a unique username and password combination for each, so we end up using the same password on countless accounts.
But, as we can see, that causes a problem. We make it easy for the hackers. If you use the same login and password combination for many sites, they can access many facets of your life by knowing one password.
Coming up with a password strategy that works for you is a personal decision. Here are a handful of good options for creating unique, memorable, and tough passwords.
The mnemonic method
One method we recommend is creating a mnemonic password. A mnemonic uses a phrase, song lyric, or poem. You take the first letter from a line you can remember, add some numbers and symbols, and you have a strong and memorable password.
For example, say you pick “Jack and Jill went up the hill to fetch a pail of water.” Take the first letters and get: JaJwuthtfapow. Now, add strength by using symbols in place of some letters: J&Jwu+h+f@pow. Lastly, sandwich the password with a memorable date (but not your birthdate): 09J&Jwu+h+f@pow17.
The goal setting method
Another way to create memorable passwords is by using your goals. Take a goal you want to accomplish in the near future and turn it into a password!
Let’s say you want to drink more water every day. You can make your password, Dr!nk>W@+er or Dr!nk8gl@$$e$. That’s a pretty tough password and it will remind you of your goal every time you type it.
The password manager method
The most efficient way to remember all your strong passwords is a password manager. This software will encrypt and store your passwords in a digital vault. You’ll lock your vault with one master password—the only one you need to remember.
Password managers will also help you generate strong passwords. Most have features that will automatically log you into your accounts as you visit various websites, creating a seamless online experience.
Most password managers have free or paid versions. The free versions are usually limited to only one device while the paid programs can be synced on multiple devices. The paid versions generally cost from $10 to $30 a month.
You should do research to see what password manager works best for you. Some popular programs include LastPass, Dashlane, 1Password, and KeePass.
Keep them unique
Whatever method you decide, just be sure to have unique passwords for any accounts that contain sensitive information. Reusing passwords make the hackers’ job easy and makes your information even more accessible.
Emerging Threat: Mobile phone account identity theft.
Scammers have found a new target: your mobile phone account. The number of mobile phone account hijacking victims has nearly doubled in recent years. In January 2016 alone, 2,658 people reported a case of cell phone account hijacking to the Federal Trade Commission (FTC).
The scam involves a person purchasing new mobile phones or tablets on your mobile phone carrier account. You are charged for the devices and the thieves either use the devices or quickly sell them to make money.
Lorrie Cranor, FTC Chief Technologist, found herself a victim of this scam earlier this month. After her cell phone stopped working, she investigated and was told that two new iPhones had been added to her account—and that her phone had been deactivated.
Her mobile carrier gave her little information on how the theft occurred. So, Cranor requested her account records from identitytheft.gov. She soon discovered that the thief used a fake ID with her own photo but Cranor’s name.
You can protect your account by adding a security PIN or password, which will make it more difficult for someone else to make changes to your personal information. Each mobile carrier is slightly different, but you can learn more about the process (and Cranor’s story) here.
Cybersecurity Shorts
Cybersecurity reports obtained by Reuters say the U.S. Federal Reserve detected over 50 breaches from 2011 to 2015, four of which were deemed acts of "espionage." The reports, redacted by officials before public release, did not mention any hackers by name. Security analysts believe that foreign governments are in a position to gain from obtaining inside Federal information. The National Incident Response Team found that no information had been disclosed, but the Federal Reserve continues to be under assault.
Thirty-two million Twitter logins on sale for ten bitcoins. Twitter does not believe its network was hacked, rather that users borrowed usernames and passwords from other breached accounts. It has not been confirmed if the list for sale is accurate at this time. You should, however, change your Twitter password and sign up for two-factor authentication.
Use GoToMyPC? You’ll want to change your password. Citrix, the company that runs GoToMyPC sent an alert to users that it has been targeted by a password attack. In order to access your account, you’ll have to first reset your password. GoToMyPC does have two-factor authentication available.
Three-fourths of organizations are not properly prepared for cyber-attacks, according to NTT Com Security's 2016 Global Threat Intelligence Report. Garry Sidaway, VP of security strategy and alliances for NTT Com Security blames the unpreparedness on "security fatigue"— defined as a combination of too many incidents, conflicting security advice, and fast-paced technological advances. The study also found a 140% increase in malware targeting the financial sector since 2014.
Financial services industry leads push for nationwide data security standards. The legislation would set standards for all industries and would require all businesses notify customers if systems are breached. The financial services industry argues that it has been held to that standard for fifteen years, and it's time other industries protect customers' data in the same way.
Lawmakers are concerned about a possible cyberattack on the Social Security Administration (SSA). In a recent test, an external auditor succeeded in extracting large amounts of information from the agency’s networks. While its acting administrator argues that the SSA is continually analyzing and testing its networks, these actions, according to the agency’s Inspector General, are not enough.
Skimmers hit Walmart self-checkout lanes. The skimmers found in Walmart stores in Virginia and Kentucky are known as "overlay skimmers." The devices are placed over the actual card reader and only take minutes to install. At quick glance, the skimming device looks just like a payment card reader. Consumers with EMV cards should dip their card rather than swipe whenever possible. However, according to the Mercator Advisory Group, only 60% of credit cards in the US have the EMV chip.
House passes a bill to help prevent tax identity theft. The Stolen Identity Refund Fraud Prevention Act of 2016 would: create an office within the IRS to help victims, stop the use of Social Security numbers on W-2 forms, and require that the US Treasury Department notify consumers of unauthorized use of their identity—among other things. The bill will be voted on by the Senate.
Reddit forces password reset for 100,000 users after an increase in hacked accounts. The company attributes the hacked accounts to recent data breaches on other platforms, such as LinkedIn. It believes users reused passwords for their Reddit accounts.
Sixty-five million Tumblr accounts found for sale online. The information is believed to be from a 2013 breach that exposed emails and passwords. The passwords were salted and hashed by Tumblr, making them nearly impossible to use. Salting and hashing passwords is a form of cryptography that better protects passwords. Hashing means your password is not stored in plain text, rather an algorithm is used to disguise your password. Salting randomizes those hashes, making brute force attack even more difficult. Tumblr users are encouraged to change their passwords regardless, and to look out for phishing emails in the near future.
Identity theft protection firms wrongfully alert customers to Dropbox breach. LifeLock and other ID theft protection firms sent notices to their customers that their Dropbox account had been hacked. In reality, the information was actually exposed through an old Tumblr breach. LifeLock said it received information of the breach from a third party. There is no evidence that Dropbox was hacked.
Fraudulent Bangladesh wire requests were originally rejected by the New York Federal Reserve, according to Reuters. The wire requests that resulted in an $81 million theft from the Bangladesh central bank's account were first rejected because of formatting issues. The requests were then resubmitted with correct formatting. The New York fed approved five of the requests and flagged the remaining 30 for review.
Mark Zuckerberg's Twitter and Pinterest accounts hacked. OurMine, a Saudi Arabian hacker group, found Zuckerberg's account information in the latest LinkedIn breach. Zuckerberg repeated his LinkedIn password—"dadada"—at the other social media sites. Tsk, tsk, tsk.
Average enterprise stores over 200 unencrypted password files in the cloud. A new report by Skyhigh Networks analyzed cloud data usage for over 600 companies and found that the average firm stores 204 files with the word "password" on Microsoft OneDrive. Security experts warn of the dangers in storing unencrypted files containing passwords either on your computer or in the cloud as they could be accessed. Using a password manager is a safer option.
University of Calgary pays $15,000 ransomware. More than 100 computers at the university were affected by the hack—all files were locked and encrypted. Since paying the ransom, the university has been working on decrypting the files with the key but it has been time-consuming and difficult. Police warn that the decryption keys do not always work.
Facebook chat logs could have been changed by hackers. A researcher at Check Point Software Technology discovered a flaw in the messaging app that would have made it possible for a hacker to modify or delete past messages. For example, they could change a link going to a YouTube video to a ransomware link. They could also incriminate users by changing details in conversations. The changes would have also been made on Facebook’s servers. Facebook has fixed the flaw.
Software Updates
Adobe: If you use Adobe Flash, stop reading this and update to version 22.0.0.192 immediately. This version closes over 30 security holes—one that is already being exploited. If you do not need Flash, you should uninstall or disable it. If you do, you can download the update here.
Microsoft: This month, Microsoft pushed 16 bundles closing nearly 50 security vulnerabilities in Internet Explorer, Edge, Microsoft Office, and more. A handful of the holes are labeled, “critical” and you should update immediately. You should be prompted to update your software but you can learn more here.