APRIL SAVVY CYBERSECURITY NOTES

April 01, 2019

In this issue:

  • What you need to know about the Apple FaceTime flaw
  • Savvy Cybersecurity quick links
  • Cybersecurity shorts
  • Software updates

What you need to know about the Apple FaceTime flaw

A 14-year-old discovered a major flaw in Apple's video chat software in late January. Grant Thompson went to FaceTime a friend and found that he could hear his friend's audio before the call was even answered. The flaw was in Group FaceTime, the newer feature that lets multiple Apple users video conference at once. When the caller added another participant (including the caller's own number) to a call that had not yet been answered, the recipient's microphone switched on immediately, and if the recipient pressed the power or volume button, the camera did too, all before the recipient picked up.

After Grant discovered the eavesdropping issue, his mother immediately tried to notify Apple via Apple Support, email, fax, and social media, with no response. More than a week passed before the flaw was reported publicly, at which point Apple disabled Group FaceTime on its servers while it rushed to create a fix.

Apple immediately faced criticism both for the security flaw itself and for its slow response. The American Civil Liberties Union released a statement warning users that the bug "carried serious potential privacy implications." Other security experts pointed out that Apple should have caught this flaw before the software went live, considering how easy it was to trigger.

What Apple users should do

If you are an iPhone or iPad user, Apple has released a software update that closes the Group FaceTime flaw. iOS 12.1.4 was released on February 7, about ten days after the flaw became public, and fixes it along with other issues found in the security audit Apple carried out in response. Group FaceTime stays disabled on devices that have not installed the update.

Your device should prompt you to update automatically. If you want to check manually, open the Settings app on your device, then select General, then Software Update. On the same screen you can turn on Automatic Updates so future patches install on their own.

The importance of up-to-date devices

It is important to stay on top of software updates for all of your programs and devices. More often than not, these updates are released to address critical security issues. Once a fix is public, attackers know exactly where the hole is, so running outdated software leaves you exposed to malware and other attacks that exploit flaws already closed for everyone else. Whenever possible, enable auto-updates for your programs and devices. This ensures that you get the latest updates as soon as they are released.

Cybersecurity shorts

Popular app TikTok fined by the Federal Trade Commission for allegedly violating federal child privacy law. The app allows users to create and share lip-syncing videos and is very popular among children. The FTC fined TikTok $5.7 million, the largest penalty to date under the Children's Online Privacy Protection Act (COPPA), alleging it illegally collected data about children under age 13. The company must also take down all videos of children under 13. New users will need to verify their age, and those under 13 will have access to a "limited, separate app."

Equifax accused of neglect by Senate following 2017 data breach. The Senate Homeland Security and Governmental Affairs Committee released a report on the breach, which affected over 145 million Americans. The committee found that Equifax's neglect of cybersecurity contributed to the breach. The report also stated, "an internal Equifax audit discovered software measures were not adequately designed to ensure Equifax systems were securely configured and patched in a timely manner." The committee believes that Equifax could have prevented the breach with basic steps, chief among them applying the available patch for the Apache Struts flaw the attackers used.

Data breach at the Federal Emergency Management Agency (FEMA) exposes information on more than 2 million people. The agency was transferring information on survivors of hurricanes Harvey, Irma, and Maria and of the California wildfires to a contractor when it included data the contractor had no need for, such as banking information and home addresses. FEMA has worked with the contractor that received the information to remove the unnecessary data.

Equifax CEO admits to falling victim to identity theft three times in the past 10 years. During a House Financial Services Committee hearing, U.S. Representative Katie Porter of California asked Equifax CEO Mark Begor to share his Social Security number, birth date, and address to make a point about privacy concerns. Begor shared that he himself has been an identity theft victim, along with some 60 million other Americans. It is unknown whether Begor's identity theft stemmed from the Equifax breach.

Department of Homeland Security issues cybersecurity warning for Medtronic heart defibrillators. The Cybersecurity and Infrastructure Security Agency assigned the flaw a severity score of 9.3 out of 10. The weakness is in the wireless telemetry protocol the devices use, which has no authentication or encryption, so an attacker within radio range could read data from the device or change its settings. As of this writing, the company is not aware of any devices that have been attacked and is working on an update. Patients are encouraged to speak to their doctors.

Equifax allows users to unfreeze credit file online without PIN. The credit bureau recently launched a new MyEquifax portal that lets users create profiles online to manage their credit files. Unfortunately, this new portal makes it very easy to lift a credit freeze without providing the PIN that was issued when the freeze was placed. Brian Krebs, a security researcher and writer, went through the process himself and found he could easily create an account and lift his own credit freeze without his PIN. You can read more about his experience here.

Software company Citrix, whose remote-access and VPN products are used mostly in the corporate world, hacked by international cyber criminals. The company believes that hackers "accessed and downloaded business documents." The FBI is investigating and believes the attackers got in by password spraying: trying a few common passwords against many different accounts, which exploits weak passwords while staying under the lockout thresholds that stop conventional brute force. As of now, it is not thought that the hackers compromised any Citrix service or product.
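Password spraying has a distinctive shape in authentication logs: one source address, many different usernames, only one or two failures per user, and sometimes a success at the end. The script below is an added example, not Citrix's or the FBI's code, showing how a defender could flag that pattern. The log format (one line per attempt with ts, auth, user and src fields) and the sample lines are constructed for the demo; a real product's logs will need a different parser, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines in a simplified key=value authentication log.
# This is an assumed format for the demo, not any vendor's real log format.
# 203.0.113.7  sprays one guess across six accounts, then logs in as dlee.
# 198.51.100.9 brute-forces a single account (not a spray).
# 192.0.2.5    is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2019-03-06T02:14:01Z auth=FAIL user=asmith src=203.0.113.7
2019-03-06T02:14:05Z auth=FAIL user=bjones src=203.0.113.7
2019-03-06T02:14:09Z auth=FAIL user=cwang src=203.0.113.7
2019-03-06T02:14:13Z auth=FAIL user=dlee src=203.0.113.7
2019-03-06T02:14:17Z auth=FAIL user=egarcia src=203.0.113.7
2019-03-06T02:14:21Z auth=FAIL user=fkhan src=203.0.113.7
2019-03-06T02:31:40Z auth=OK user=dlee src=203.0.113.7
2019-03-06T02:15:00Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T02:15:05Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T02:15:10Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T02:15:15Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T02:15:20Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T02:15:25Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T02:15:30Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T02:15:35Z auth=FAIL user=bjones src=198.51.100.9
2019-03-06T09:02:11Z auth=FAIL user=cwang src=192.0.2.5
2019-03-06T09:02:30Z auth=OK user=cwang src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn log text into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_password_spray(events: List[dict],
                          window: timedelta = timedelta(minutes=30),
                          min_users: int = 5,
                          max_attempts_per_user: float = 2.0) -> Dict[str, dict]:
    """Flag source addresses whose failures within `window` touch at least
    `min_users` distinct accounts with few attempts each (the spray signature).

    Brute force against one account has the opposite ratio (many failures, one
    user) and is deliberately not matched here. Thresholds are assumptions.
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings: Dict[str, dict] = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None
        start = 0
        # Slide a time window over this source's failures and keep the window
        # with the most distinct usernames that still looks like a spray.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            if len(users) >= min_users and len(chunk) / len(users) <= max_attempts_per_user:
                if best is None or len(users) > best[0]:
                    best = (len(users), len(chunk), chunk[0]["ts"])
        if best is None:
            continue
        n_users, n_fails, spray_start = best
        # A success from the same source after the spray began is the urgent signal:
        # it likely means one of the guessed passwords worked.
        success_after = sorted({e["user"] for e in evs
                                if e["result"] == "OK" and e["ts"] >= spray_start})
        findings[src] = {"distinct_users": n_users,
                         "failures": n_fails,
                         "success_after": success_after}
    return findings


if __name__ == "__main__":
    for src, f in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['distinct_users']} accounts, {f['failures']} failures, "
              f"later success as {f['success_after'] or 'none'}")
```

On the sample above only 203.0.113.7 is flagged, with a later successful login as dlee; the single-account brute force and the one-off typo are left alone. In production the same logic runs over the real log stream, and a hit with a non-empty success list should trigger a password reset for that account and an MFA check on the source.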

Facebook stored millions of user passwords in plain text, according to security researcher Brian Krebs. Starting in 2012, somewhere between 200 million and 600 million Facebook users' passwords ended up in internal logs in readable, easily searchable plain text, accessible to some 20,000 Facebook employees. Facebook says it has found no sign that employees misused the information and that the passwords were never visible to anyone outside the company. It will notify users whose passwords were stored this way. It is a good idea to change your Facebook password now regardless, and if you used that password anywhere else, change it there too.
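The failure in this story is storing the password itself instead of a one-way hash of it. Below is an added example (not Facebook's code) of the standard alternative: a salted, slow hash via scrypt from the Python standard library, a constant-time check at login, and an on-the-fly upgrade that replaces any legacy plaintext record the first time its owner logs in successfully. The record format "scrypt$n$r$p$salt$hash", the work factors and the sample user table are all assumptions made for this demo.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# scrypt work factors: assumed, reasonable demo defaults. Raise n as far as
# your login latency budget allows; the record stores them so they can change.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32       # derived-key length in bytes
SALT_LEN = 16    # per-user random salt length in bytes


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt$hash' (format chosen for this demo).

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be cracked with one precomputed table.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check a login against the user table, upgrading legacy plaintext records on the fly.

    A record that does not start with 'scrypt$' is treated as a legacy plaintext
    password (the anti-pattern in the story above). When such a login succeeds the
    plaintext is replaced by a hash, so the table cleans itself up as users log in.
    """
    record = users.get(username)
    if record is None:
        # Burn a hash computation anyway so an unknown username is not
        # distinguishable from a wrong password by response time.
        hash_password(password)
        return False
    if not record.startswith("scrypt$"):
        if not hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8")):
            return False
        users[username] = hash_password(password)
        return True
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample user table: one legacy plaintext record, one already hashed.
    users = {"alice": "hunter2", "bob": hash_password("correct horse battery staple")}
    print("alice (legacy plaintext) login:", login(users, "alice", "hunter2"))
    print("alice record after upgrade:", users["alice"][:32] + "...")
    print("bob wrong password:", login(users, "bob", "wrong"))
    print("bob right password:", login(users, "bob", "correct horse battery staple"))
```

The upgrade-on-login path only works because the legacy record still holds the plaintext; once every active user has logged in, the remaining plaintext records belong to dormant accounts and should be invalidated with a forced reset rather than left in place. Keeping the work factors inside each record is what lets you raise them later without a big-bang migration.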

Want to know about all of the biggest data breaches in one cool graphic? Check out this interactive project by Bloomberg that lists the major hacks and their details in one place. From the Yahoo breach to Marriott, Bloomberg gathered data on over 200 breaches that each exposed at least 1 million records.

Canadians have become more relaxed about identity theft even though it is on the rise, according to research by Equifax. The credit bureau found that 59% reported checking their credit card statements, down 6% from 2017. While nearly 45% reported updating the software on their computers two years ago, only 35% say they do so now. Over 80% of those surveyed said they believed identity theft was becoming more prevalent, yet they are taking less action against it.

Cybersecurity concerns grow as more advisors turn to messaging apps. Instant messaging and texting are growing in popularity among advisors and clients; however, these channels raise compliance and security issues, since regulators expect client communications to be retained. In response, companies are developing purpose-built messaging tools such as MyRepChat by Independent Financial Partners. This program lets advisors text clients from a separate business number, with every message archived.

Software updates

Apple: Apple released patches closing over 50 security flaws this month. The updates cover many Apple products, including the Apple Watch, iTunes, Apple TV, macOS, and the WebKit browser engine used by Safari. Your devices should prompt you to update automatically, but you can always check your settings to confirm that you are running the latest software. You can read more about the updates here.

Microsoft: Microsoft released updates for over 60 security vulnerabilities this month. Two of the patches fix zero-day flaws in Windows that attackers were already exploiting to gain full control of a machine. One of them was used in combination with a flaw in the Google Chrome browser, so be sure to update Chrome as well. You can read more about the update here.