In this issue:
- The low-down on Kaspersky
- Equifax updates
- Emerging threats: KRACK Wi-Fi vulnerability and Apple phishing scheme
- Cybersecurity shorts: Deloitte cyberattack, the end of Social Security numbers, and more
- Software updates
The low-down on Kaspersky
Russia-based antivirus firm Kaspersky Lab made the news rounds this month as stories emerged regarding the company's possible ties to the Russian government.
One story from The Wall Street Journal exposed a 2015 incident where NSA documents were stolen by Russian hackers from a contractor's home computer. The stolen documents contained details on how the U.S. spies on other countries' computer networks. Officials believe the information was accessed by the Russian hackers through a weakness in the Kaspersky software being run on the contractor's computer.
Later, more details on the hack came from The New York Times, which reported that Israeli intelligence discovered the Kaspersky connection. While spying on the Russians, they discovered that Russia was using Kaspersky software as a search engine of sorts to look for code names of American intelligence agencies.
Kaspersky has denied providing any information on U.S. government details to the Russian government. The U.S. government, however, has banned federal agencies from using Kaspersky software.
Following these stories, stores such as Best Buy, Staples, and Office Depot offered to remove Kaspersky from PCs for free and replace it with McAfee LiveSafe. They have also stopped selling the software.
While some details are still unclear, we recommend that Kaspersky users look into other antivirus software programs for the time being.
Since last month's announcement of the massive Equifax breach, many new details have emerged. Here we break down some of the biggest updates and developments.
Equifax increases the number of possibly impacted consumers to 145.5 million. This is an increase of 2.5 million over Equifax's original announcement. The investigation, completed by Mandiant, did not find that other databases were accessed, but rather the original count did not include these potentially impacted consumers. Equifax has also announced that the number of U.K. consumers impacted has risen to 693,665 from the 400,000 originally reported.
Equifax email notifications get flagged as phishing messages. The credit reporting agency sent emails to consumers saying they could complete their enrollment in free credit monitoring through TrustedID. The emails came from an email address as trustedid.com. The link in the email, however, used a new domain: trustedidpremier.com, which set off phishing alarms.
Equifax website hacked again—infects visitors with adware. For a few hours on October 11, Equifax website visitors were shown a fake Adobe Flash update that installed malicious adware when clicked. The malicious software was so new that only three antivirus programs alerted users that it was a virus. The site was disabled after the discovery.
Less than 1% of consumers have signed up for a credit freeze following the Equifax breach, according to CreditSesame. The credit site analyzed four million TransUnion credit reports to get the data. Freezing your credit is the best form of protection against this breach and others—yet the vast majority has not done so. Be sure to freeze your credit at the big three bureaus (Equifax, Experian, and TransUnion) as soon as possible.
Equifax CEO blames breach on an employee who did not patch outdated software. During a testimony with the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, CEO Richard Smith said the software vulnerability was discussed but there was a breakdown in communication regarding the application of the patch.
KRACK Wi-Fi vulnerability
A new, serious Wi-Fi vulnerability was announced this month that affects nearly all wireless networks. The attack, being called KRACK, allows hackers to perform wireless network identity theft via a flaw in WPA2 Wi-Fi settings. In order to protect yourself be sure to update all of your devices when patches are released. As of now, Windows is the only company with a finalized patch. When an update is released for your router, you will need to update the firmware as well. See our Savvy Cybersecurity alert for more information.
Realistic but fake Apple ID attack makes the rounds
A new scheme targeting Apple ID passwords is nearly impossible to detect. The phishing attack comes in the form of a pop-up asking for your Apple ID password. The pop-up, however, looks exactly like the real screen Apple uses to ask for your password. You can protect yourself from falling for this attack by clicking the Home button when anything pops up asking for your credentials. If the box disappears, it was a phishing attack. If not, it is from Apple.
Experian's poor security lets anyone access your credit freeze PIN. According to security expert Brian Krebs, Experian allows users to obtain their credit freeze PIN online by answering four knowledge-based authentication questions (Such as "Please select the city that you have previously resided in.") and providing information such as name, date of birth, and Social Security number. After completion, the PIN is emailed to whatever email address you submit. Krebs reports that when he tried to obtain his PIN, he was told to submit the request via mail which is much more secure. More than a dozen of his readers, however, say they were able to obtain their PIN online through the unsecure method.
Yahoo breach affected all Yahoo users—3 billion accounts, rather than the 1 billion originally reported. The breach—which occurred in 2013—was originally disclosed last year. At that time it was believed that personal information on 1 billion users was compromised. Now Yahoo has announced that all 3 billion users were affected—including everyone with a Yahoo email or those who have registered for Yahoo services such as fantasy football or Flickr.
"Big four" accounting firm Deloitte hit by cyberattack.The firm says that all company email was hacked through unauthorized access to an administrator's account. Deloitte says that six clients have been notified that their information was impacted so far. Also accessed were usernames, passwords, health information, and more. The attack was discovered in March but hackers may have gained access as early as October 2016.
IRS chooses Equifax to help with tax fraud prevention in a no-bid contract following major data breach. In an attempt to battle tax identity theft, the IRS will pay Equifax $7.25 million to verify taxpayer identities. Since the announcement, lawmakers have expressed their concern with the IRS awarding Equifax this role after its breach exposed information on 145 million Americans. After pushback and the Equifax website hack, the IRS has decided to temporarily suspend this contract.
Russia compromises NATO soldiers' smartphones according to a report in the Wall Street Journal. Many NATO soldiers have reported strange happenings on their personal cellphones, like the lost mode being activated. U.S. Army Lt. Col. Christopher L'Heureux said his phone went into lost mode and he was alerted that someone was trying to access his iPhone. An Apple map popped up showing Moscow as the location of the hack. Other soldiers report their Facebook accounts have been hacked.
White House chief of staff John Kelly used compromised cell phone for months.A report from Politico discovered that Kelly's personal phone had not been working properly since December of 2016 and may have been compromised. The issues, however, were only reported last month. Officials say that most communication was done through Kelly's government-issued phone, but some work was done using his personal device.
Sonic Drive-In investigates possible data breach of payment card data. Multiple financial institutions reported a pattern of fraud on cards used at Sonic. Brian Krebs believes the cards could have been part of a database called Joker's Stash that sells payment cards on the black market. As of now, Sonic is investigating the breach.
SEC looks for cybersecurity help following security breach in 2016. The breach allowed hackers to access documents filed by publicly traded companies last year. This information may have been used for improper trading for profit. Following news of the hack, SEC head Jay Clayton told a Senate panel that a new cybersecurity unit is being created and more personnel will be hired to help.
Whole Foods suffers data breachaffecting customers who used in-store taprooms and restaurants. The supermarket chain believes its point-of-sale systems in these locations were compromised by hackers. At this time, it is not believed that card readers at check-out counters were affected. The breach is currently under investigation.
White House looks to replace Social Security numbers as the main way of confirming identities following the Equifax breach. White House cybersecurity coordinator Rob Joyce says the administration is working on ways to replace the current standard of using Social Security numbers for everything. Instead, some have suggested using physical tokens that would work like the new EMV credit cards. The number is protected with a PIN that one would need to share the number. Others look to biometric solutions such as scanned irises.
Hyatt hotel guests may have had payment card data stolen if they visited certain properties between March 18, 2017 and July 2, 2017. The hotel chain is investigating unauthorized access to payment card data of cards used at the front desk of some hotels. This is the second payment card breach of Hyatt properties in the last two years.
Android: Google released updates for Android devices this month that are considered high or critical. You can see more about the updates here.
Microsoft: Microsoft released updates this month closing over 60 security vulnerabilities in various software including Windows and Office. Nearly half of the security holes are considered critical and one is already being exploited. If you have not done so already, be sure to update your Microsoft devices. You can read more about the updates here.