OCTOBER SAVVY CYBERSECURITY NOTES

November 02, 2017

In this issue:

  • Equifax hack: Facts and myths
  • Emerging threat: BlueBorne vulnerability threatens billions of devices
  • Cybersecurity shorts: LinkedIn phishing scam, hospital pumps vulnerable to attacks, and much more
  • Software updates

Equifax hack: Facts and myths

Following this month’s Equifax breach affecting 143 million people, rumors began swirling around the details of the hack. It’s not only important to take action and freeze your credit at the credit reporting bureaus, but also to understand, amid all the media squall, what's true and what's false concerning this event.

You want to be sure the information you are sharing with clients and prospects is correct. Let’s examine some of the "rumors" swirling about the Equifax hack.

  1. If you sign up for Equifax’s credit monitoring system you waive your right to sue.


Myth (now): When the hack was first announced, Equifax included some confusing fine print in the details of their credit monitoring system, TrustedID. The statement implied that consumers who opted into the free credit monitoring offered by Equifax were giving up any right to sue the company on their own or as part of a class action lawsuit.


At the time we first reported details of the breach, we too were under the impression that opting in to TrustedID limited your legal options. Since then, Equifax has clarified the language, and those enrolled in TrustedID retain their legal rights. However, as we have previously explained, credit monitoring does not protect you from identity theft. Freezing your credit is the best option.


  2. Outdated software used by Equifax caused the breach.

Fact: Experts are now reporting that hackers were able to infiltrate Equifax’s system through a flaw in Apache Struts software. In March of 2017, Apache discovered a vulnerability in the program and released a patch the same day.

Hackers first gained access to Equifax's network in May, meaning that the company left the software unpatched for at least two months. At this point, Equifax has not made a statement on why the software was left outdated.

Take a lesson from Equifax and be sure to always update your software. Outdated software leaves you vulnerable to hacks and puts your security at risk. It’s best to update your software as soon as you are notified—better yet, set up auto-updates so you don’t have to worry about it.

  3. Signing up for Equifax’s credit monitoring will keep my identity safe.

Myth: Credit monitoring is not a comprehensive identity theft prevention method. These programs alert you after credit has been taken out in your name. If the credit wasn’t taken out by you—there’s still a mess to clean up.

Instead you should sign up for a credit/security freeze. This action locks down your credit file with PINs that only you know. No new credit can be issued unless the freeze is lifted at the bureaus.

You can learn more about the details of setting up a security freeze here.

  4. Over 200,000 credit cards were stolen in the hack.

Fact: In addition to the 143 million personal records, hackers were also able to download credit card data of 200,000 people. The data included credit card numbers, names, and expiration dates of consumers who had provided their credit card info to Equifax between November 2016 and July 2017.

Be sure to monitor your credit card statements for any strange charges. For the strongest protection, sign up for automatic text or email alerts on your credit and bank cards. Doing so will trigger a text or email message any time a charge is made on your account.

The details of the Equifax hack are still developing, and we will likely learn more in the coming months. Again, for now, be sure to protect yourself from this breach and future breaches with a security freeze.

Be sure to keep an eye out for potential scams following this hack. Phishing emails may be on the rise as hackers take advantage of people’s fears surrounding this news.

Emerging threat: BlueBorne vulnerability threatens billions of devices

Your Bluetooth-enabled device may be susceptible to being hacked thanks to vulnerabilities in the Bluetooth software of various platforms. The threat, called BlueBorne, affects billions of devices that have Bluetooth capability.

The vulnerability allows hackers to take over your device, spy on what you are doing, and even install malware. Apple created a patch to defend its devices against the threat in 2016. Microsoft patched its software in July, and Google is currently working on a solution. However, there are nearly two billion Android and Linux devices that are unpatchable.

To be safe, always turn off your Bluetooth when you are not using it.


Cybersecurity shorts

Microsoft Office phishing email scam threatens your company network. The messages tell the recipient that their Microsoft Office 365 Business account has been suspended and ask them to sign in to reactivate the account. If they sign in, hackers can then access the victim’s email and send fraudulent messages to others in the company.

AT&T routers contain flaws that put customers at risk. If you are the owner of an AT&T Arris router you may be susceptible to cyber attacks. The vulnerabilities allow hackers to gain full control of the router and thus your network. You can read more details here.

Four million Time Warner Cable records made accessible to the public due to unsecured Amazon servers. Kromtech Security Center found two Amazon Web Services S3 bucket repositories that were not protected by passwords. Those buckets contained information such as usernames, transaction IDs, credentials, and more.

Phishing messages target Amazon customers who made purchases on Prime Day in July. The emails encourage consumers to write a review of the items they purchased in exchange for a $50 credit. If they click on the link, however, they are brought to a fake Amazon login page which is designed to steal credentials and possibly install malware.

Attention LinkedIn Premium users: Be on the lookout for phishing InMails. The messages contain a fraudulent Wells Fargo document. Clicking on the link to view the document leads to a fake Gmail login page that asks the user for their credentials. The scammers can then send more phishing emails from the victim’s account.

Senate Finance Committee questions Equifax on practices leading up to the breach. Senators Orrin Hatch and Ron Wyden want answers on when Equifax first reported the incident to law enforcement, why executives sold stock before the breach announcement, and additional information about the hack in general. In addition, Senator Wyden introduced a bill banning credit bureaus from charging consumers for a credit freeze.

U.S. government bans federal agencies from using Kaspersky software. The Department of Homeland Security made the decision based on concerns regarding the relationship between Kaspersky and Russian intelligence. Kaspersky has stated that it does not have such a relationship with any government. In response, the U.S. government is giving Kaspersky 90 days to prove that it is not a risk.

Smart IV pumps used in hospitals can be hacked. The pumps, which are used to deliver medication, fluids, anesthesia, and more, have flaws that could allow them to be compromised maliciously. The flaws were discovered by cybersecurity researcher Scott Gayou in pumps made by Smith Medical. The Department of Homeland Security has released an alert resulting from the research.

U.S. government improves two-factor authentication by offering USB keys for accounts with certain federal agencies. The USB keys are the “gold standard” in two-factor authentication because a hacker would need both your password and your physical USB device to break into your account. Unlike two-factor authentication using text message codes, there is no code for an attacker to intercept with the USB device.

200,000 websites potentially affected by malicious WordPress plugin. The plugin called “Display Widgets” allows others to publish any content on your website. WordPress users who have the plugin on their site should remove it immediately.

Software updates

Adobe: Adobe released an update for Flash Player this month correcting two critical flaws in the program. If you still need Adobe Flash, be sure you update so you are running v. 27.0.0.130. Be sure you update Flash in your browser as well. As we mentioned last month, Adobe is phasing Flash out and will stop supporting the program in coming years. If you do not use Flash, we recommend you uninstall the notoriously buggy program. You can learn more here.

Microsoft: Patch bundles closing over 80 security vulnerabilities in Microsoft products were released this month. Nearly 25 of the flaws are deemed critical and some are currently being exploited, so it is imperative that you update immediately if you have not done so already. Included in this update is a solution for the BlueBorne vulnerability discussed earlier. You can learn more here.