March Savvy Cybersecurity Notes

April 17, 2017

In this issue:

  • CIA's Vault 7 and How to Hack-Proof Your Devices
  • Emerging threats: FAFSA tool brought offline after criminal activity, ransomware hitting Macs, and more
  • Cybersecurity shorts: Russians charged in Yahoo breach, 99% of Android users are vulnerable to security attacks, and more
  • Software updates

CIA's Vault 7 and How to Hack Proof Your Devices

WikiLeaks released thousands of confidential CIA documents exposing the methods used in the agency's global covert hacking program. Dubbed "Vault 7," the documents expose tools used by the CIA to hack a wide range of devices connected to the Internet, including but not limited to Apple's iPhone, Google's Android devices, and Samsung TVs.

While the documents do not contain the computer code needed to actually hack the devices, they do give details on what vulnerabilities can be exploited. For example, a Samsung Smart TV can be turned on remotely and used as a microphone to record a conversation in the room. The CIA also has tools to hack into your smartphone, uncover your location and text messages, and turn on the camera and microphone.

Many security experts stress that they do not believe these tools are used for surveillance on the mass public, but they can certainly be used on targeted individuals. Nevertheless, this leak is a strong reminder that we must protect our devices because anything connected to the Internet can be hacked. Following are some best practices.

Smartphone and tablet protection

The most important action smartphone and tablet owners can take is keeping the operating system (OS) on the device up-to-date. These updates close known security vulnerabilities that CIA tools or hackers can use to gain access to your device. 

Android smartphone and tablet users are also encouraged to invest in an antivirus program for their device. Android devices are increasingly targeted with malware attacks. Some highly rated Android antivirus apps include Avast Antivirus and Security, AVG AntiVirus Security, Sophos Free Antivirus and Security, and Avira Antivirus Security. Of course, be sure to download apps only from your official app store, Google Play.

If you use an iPhone or iPad, you do not need to install additional antivirus programs. In fact, Apple began pulling antivirus apps from the App Store in recent years. According to Apple, running an updated version of iOS is enough to protect your device.

And no matter what device you are using, be sure to keep all your apps up-to-date. Like an outdated operating system, outdated apps leave holes that can be exploited by outsiders.

Safeguard your computer

The same rules of thumb apply to your personal and work computers. These devices should be running antivirus software and the most current version of the appropriate operating system.

When using your computer, you also need to be on the lookout for phishing attacks. Phishing is a method used by hackers to trick you into downloading malware or exposing personal information. These attacks usually come via email.

You can protect yourself from these attacks with the Savvy Cybersecurity EMAIL Rule. EMAIL stands for Examine Message and Inspect Links. This rule encourages you to take a closer look at the sender and any links in the email. Examine Message requires that you hover your mouse over the email address in the "from" field. When you do so, a box will appear that shows the true email address of the sender. Hackers have a way to spoof the first address that appears, but you can unmask their attack with this trick.

The second half of the rule, Inspect Links, uses the same hover trick but with any hyperlink or URL in the message of the email. Like the "from" line, links can be spoofed and the login button that you think is leading to the Apple website is really leading you to a hacker. Again, when you hover your mouse you will reveal the true destination. If something looks off, do not click.

Protect your router and other connected devices

Anything that is connected to the Internet can be hacked. The first step in protecting connected devices in your home is to lock down your router. To do so, change the default username and password to something unique. Next, make sure you set the encryption to WPA or WPA-2—WEP is no longer a secure option. Lastly, ensure that your router is running the latest version of its firmware (software). You can do all of these actions by logging on to your router's IP address. Check your router's website or handbook for help.

Securing your home Wi-Fi will help protect any device connected to that network, including your smartphone or smart TV. But in addition, you'll want to take other precautions to protect these devices. Again, if the item came with a default username and password, those both should be changed. Most importantly, keep the software on all devices up-to-date as well.

For more tips on how to safeguard your devices and identity, check out Hack-Proof Your Life Now!

Emerging Threats

New ransomware targets Mac users, smashing the myth that Apple computers cannot be affected by malware. Experts say the ransomware is hiding in fake pirated software including patchers for Adobe Premiere Pro and Microsoft Office. When users go to install these pirated programs, the ransomware hits and the data is encrypted. The ransom note gives those infected 24 hours to get $510 for the payment. However, experts warn that even if you pay, your files will not be decrypted. Instead, make sure you have a backup of your data and don’t download pirated software.

iTunes movie receipt may be a phishing message. Apple users in Canada have reported receiving email receipts from Apple for movie rentals that they did not purchase. The emails have a link at the bottom that claims users can get a refund. The link, however, brings them to a page that asks for their personal information—including their Social Insurance Number. Remember, when in doubt—don’t click.

Online tool that helps students fill out FAFSA forms is taken offline by the IRS due to criminal activity. The IRS tool allowed students applying for federal student aid to download information from their or their parent's tax returns to make filling out the forms easier. After noticing criminal activity, the IRS pulled the tool, though it hopes to get it back online this month. In the meantime, students can still file a FAFSA, but must enter tax information by hand. Some college financial aid departments worry that this problem will result in students not filling out all forms and missing out on aid.

Cybersecurity Shorts

U.S. Justice Department charges Russians for the 2014 Yahoo breach. The hack affected 500 million accounts. The Justice Department claims that the information was given to the Russian government, which used it to focus on foreign officials, business executives, and journalists. The information was also used by hackers to send spam and steal credit card information. Four men have been charged with 47 criminal counts.

33 million people exposed in breach of a database owned by Dun and Bradstreet. The database contains 100,000 records from the Department of Defense, 90,000 from the UPS, and tens of thousands from AT&T, IBM, Walmart, and more. Dun and Bradstreet confirmed that the data was six months old and that it was not breached from their network.

CloudBleed leak exposes passwords and other sensitive data from popular sites including Uber and FitBit. The leak occurred due to a code vulnerability at the web company CloudFlare, which hosts two million websites. Experts recommend updating passwords on any sites affected by the breach.

150,000 websites were knocked offline after a code typo at Amazon Web Services. The outage affected popular websites such as Netflix, Spotify, and Buzzfeed after an engineer mistyped a command. Servers were out for four hours, but all sites were eventually brought back online.

Your iPhone lock screen may not be as secure as you think. After finding an iPhone in the bathroom, a woman wanted to return the phone to its owner. The phone was locked, but she was able to activate Siri and ask questions. She was able to find out the woman’s name, her address, and where her car was parked. She was able to contact the woman and informed her of what happened. She then suggested changing her settings to disable Siri when the phone is locked. You can do so, too, through Settings, Touch ID & Passcode.

Only 1% of Android users are running the most up-to-date operating system, according to Google figures. Bitdefender looked into smartphone users and their software habits and found that 79% of Apple users had updated their operating system. The paltry number of up-to-date Android users is concerning, as Android phones are targeted by malware more often than iPhones. No matter what device you use, you must update your software to protect your data from hackers.

Your Android device may have come with free malware. Check Point researchers found multiple malware strains on almost 40 Android devices owned by a telecommunications company and a technology company. Some of the phones even had ransomware pre-installed. You can see a list of the devices here.

Sensitive Air Force documents were briefly accessible online without a password, according to security firm MacKeeper. The security firm discovered a lieutenant's hard-drive backup online and then notified the Air Force. The documents did not appear to be classified, but they did contain Social Security numbers of 4,000 members, as well as contact information for their spouses. Another spreadsheet included allegations of wrongdoing. The documents have since been removed.

Stolen iPhone leads to phishing attacks. Brian Krebs reported on a story from one of his readers, Edu Rabin of Brazil. Rabin’s wife was robbed, and the thieves took off with her iPhone. Rabin tried to track the phone via Find my iPhone and sent a message to the phone offering to buy the phone back. The next day he got a text that appeared to be from Apple saying the phone was recovered and to follow a link to get the phone back. But the text message was a phishing attempt to get the Apple ID and password.

Nearly 90% of millennials reuse their passwords, according to a recent survey by Keeper. And that's not the only bad password habit the study uncovered. 81% of people over the age of 31 also reuse passwords and only 64% say they do not share passwords with others. Nearly three-fourths of those surveyed store their passwords on a piece of paper. For those, a password manager is a good option to consider.

Payment card terminal company Verifone investigates possible breach, according to security expert Brian Krebs. In late January, Verifone forced all employees to reset their company passwords. They were also told they could not install software on any devices due to an IT investigation. A spokesperson from Verifone told Krebs that there was "evidence in January 2017 of an intrusion in a 'limited portion' of its internal network, but that the breach never impacted its payment service network." They later said that two dozen gas stations were targeted in the cyberattack.

Healthcare industry continues to be targeted by cybercriminals. So far in 2017, there have been 50 breaches of unsecured health records that affected over 400,000 individuals. Specifically, the industry is being hit with ransomware attacks. Multiple hospitals have been infected and forced to pay a ransom to get important patient files back. A Health and Human Services (HHS) task force also found that many organizations are running outdated software.

Software Updates

Adobe: This month, Adobe released updates for its Flash Player and Shockwave Player. Both programs are notoriously buggy and you should consider uninstalling them completely if you do not need them. If you do use the programs, be sure you update immediately. You should be running Flash v. Be sure to update in your browsers as well. Shockwave users should be running v.

Microsoft: Eighteen patch bundles were released by Microsoft this month impacting Windows file-sharing service, Internet Explorer, Microsoft Edge, and others. Many of the vulnerabilities are already being exploited so be sure to update. Your system should prompt you to do so automatically but you can read more about the updates here.

WordPress: If you use WordPress, be sure you are running Version 4.7.3. The web hosting service released an update closing six different security holes. To update go to Dashboard and Update. You can also opt-in to automatic updates. You can read more about the patch here.