FEBRUARY SAVVY CYBERSECURITY NOTES

March 04, 2018
Share |

In this issue:

  • What to know about the Spectre and Meltdown vulnerabilities
  • Emerging threats
  • Cybersecurity shorts
  • Software updates

What to know about the Spectre and Meltdown vulnerabilities

Every year, we face new major cybersecurity incidents that seem more broadly damaging than those in the past. This year has started off no differently, with the discovery of the Spectre and Meltdown vulnerabilities, which affect nearly every type of device made in 1995 or later.

Meltdown and Spectre are hardware vulnerabilities that were discovered in nearly every processor, the main hardware in devices such as computers and smartphones. The flaws allow hackers to access your device’s memory, including your passwords stored in a manager or browser, emails, photos, browsing history, private documents saved on your device, and more.

The flaws were shared with technology industries before being shared with the public to give the companies a chance to create patches for the vulnerabilities.

It is very likely that your devices are affected by these flaws. Thus, it is imperative that you update all of your devices quickly and regularly as more patches become available. It is also important to update your browsers, operating system, and software programs. Below is a list of patch details for some popular devices and operating systems.

  • Apple: Apple users should be running iOS 11.2.2 on iPhones and iPads to protect themselves against the vulnerabilities. Mac users should be using macOS 10.13.2 and AppleTV should be running tvOS 11.2. If you use Safari, be sure it has been updated to version 11.0.2. Your devices should prompt you to update automatically, but you can learn more about the update here.
  • Google/Android: Android users should update their devices using the Android 2018-01-05 Security Patch Level. If Google Chrome is your preferred browser, be sure to update to version 64 but note that more updates may become available later. Chomebooks should all be updated to version 63, which started being pushed out in December of 2017. You can get more details on other Google products and patches here.
  • Microsoft/Windows: Windows has pushed updates following the Spectre and Meltdown vulnerabilities but was forced to shut down the updates temporarily as they caused issues on some devices. Older Windows devices may experience slower performance after applying the patch. You can check if a patch is available your device here. Your device should prompt you to update automatically.
  • Linux: Linux released an update for devices back in December 2017. You can access the update here.

Emerging Threats

New tax bill may increase tax fraud this year. Experts warn that the combination of new laws, IRS budget cuts, and data breaches gives way for hackers to commit tax identity theft. For example, the Equifax breach in 2017 exposed the Social Security numbers of 143 million people, which can be used to file fraudulent tax returns. The IRS has also already warned about phishing emails appearing to come from the IRS and ask for personal tax information. The best advice for avoiding tax fraud is to file your taxes as early as possible.

Social Security numbers of infants pop up for sale on the dark web. Children have always been targets of identity thieves, as they have untouched credit. Now researchers have found the Social Security numbers and dates of birth of infants selling for about $300 in bitcoin. It’s recommended that you check with the credit bureaus on your child’s personal information to make sure they have not become a victim of this scheme.

Cybersecurity Shorts

EMV cards have decreased credit card fraud in the last three years. The new cards were introduced in 2015 and are equipped with chip technology that makes it difficult for cards to be duplicated. The technology has caused counterfeit card fraud to drop 66% between June 2015 and June 2017. While the cards have made progress for in-store purchases, the technology cannot stop online-purchase fraud.

Medicaid recipients in Florida may have had personal information exposed after an employee fell victim to a phishing attack.Nearly 30,000 individuals may have had their names, ID numbers, Social Security numbers, addresses, health information, and more exposed in the breach. The agency says there has been no proof that the information has been misused yet. 

You’ll have a more secure Wi-Fi option by the end of 2018. The Wi-Fi Alliance is developing a new security protocol, WPA3 that will have better password protection and stronger encryption among other updates. The new protocol will replace WPA2 as the most secure option.

New ads promoting identity theft services hit TVs. You may have seen the frightening commercials from Experian and LifeLock promoting their credit monitoring services, including dark web searches. The programs being advertised, however, are expensive and not the best protection method available. The programs simply alert you when your credit file has been accessed, but you still have to clean up the mess. Freezing your credit is much more cost-effective and offers stronger protection for your credit file.

Internet of Things (IoT) devices can make life easier but are often easily compromised. As these devices fill our homes, security expert Brian Krebs offers some guidelines on how to keep your devices and network safe. For example, Krebs recommends changing the default username and password that comes pre-loaded on the device. Read the rest of his recommendations here.

Employee mistakes account for nearly half of all cybersecurity incidents. A new survey from Kaspersky Labs found that the vast majority of employees do not understand their company’s cybersecurity policies and a quarter reported that their company did not even have a cybersecurity framework. Improving cybersecurity training for all employees is the first step in protecting your business from a cybersecurity incident.

Only one in ten Google users have activated two-factor authentication on their accounts.Two-factor authentication is one of the best steps you can take to protect your online accounts. The security feature requires that a one-time code be sent to your phone when logging into your account online after you enter your username and password. This inhibits anyone who may have your password from gaining access to your account. Despite the benefits, many are still not using this technology. Google has not made two-factor authentication the default setting, as it is afraid it will drive customers away.

Up to 40,000 OnePlus users may have had their information exposed in a data breach.The company reports that its system was hacked and credit card data was stolen from its payment page. The breach is believed to have occurred from November 2017 through January 11, 2018. The intrusion is believed to have occurred due to a phishing email.

Software Updates

Adobe: As usual, Adobe issued an update for Flash Player this month bringing the latest version to 28.0.0.137. You should be prompted to update the software automatically but be sure to update your browsers as well. You can read more about the update here.

Microsoft: Microsoft released over a dozen security updates this month closing vulnerabilities in Microsoft Office and the Windows operating systems related to the Spectre meltdown. Again, your device should update automatically but you can learn more here.