Hundreds of millions of Twitter users’ phone numbers and email addresses are now available for free, and a reminder to check the integrity of your IT supply chain.
Welcome to Cyber Security Today. It’s Monday, April 5. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Fraudsters who call potential victims to spread scams have a new source of phone numbers: A free list of over 530 million phone numbers of Twitter subscribers. Until now the list was apparently available only to those willing to pay for it. But according to the news site The Record, someone has posted the list for free on a cybercrime forum. It includes names, profile names, email addresses and profile information subscribers might have added for over 3 million Canadian and 32 million American Twitter subscribers.
The story quotes Twitter as saying it publicly acknowledged the data was stolen in 2019, and the vulnerability was fixed then.
The worry is that with the data now being given away for free, hackers who couldn’t afford to pay for a list of email addresses and phone numbers now have more ways of contacting potential victims.
Experts at security vendor NordVPN remind people of several ways to spot online scams: Don’t trust the display name on a telephone screen, or the sender’s name on an email. Pay attention to the real email address and phone number of a sender. Hover your mouse over a link in an email to see its real destination. If it doesn’t look legitimate, don’t click. If you weren’t expecting an email or a text, don’t click on the attachment.
Attention IT administrators with Fortinet security devices on your networks: The U.S. Cybersecurity and Infrastructure Security Agency has issued a warning that threat actors are actively looking for unpatched devices to infiltrate organizations. The agency has recently seen attackers scanning devices connected to ports 4443, 8443 and 10443 for Fortinet devices running the FortiOS operating system. In particular they’re looking for unpatched devices with vulnerabilities fixed in 2018, 2019 and 2020. Make sure these network devices are patched, and for added protection make sure access to these devices can only be gained through multifactor authentication.
A warning has also gone out to users of QNAP network-attached storage devices. A company called SAM Seamless Network has discovered vulnerabilities in the firmware. Patches have been issued, so make sure you’re running the latest version. QNAP says a fix for legacy versions of the devices is coming.
You may recall last month was Fraud Prevention Month. The deity who invents these things has also declared April is National Supply Chain Integrity Month. Frankly, every day is a day to make sure your IT supply chain is secure. The supply chain is the products and suppliers your organization uses to operate. It includes anything that connects to the corporate IT network: Cloud providers like Google, Amazon and Salesforce, online monitors of your company like managed security service providers and heating and air conditioning firms, and firms that connect to your warehouse and invoice system. The recent attack on SolarWinds’ Orion network monitoring platform is a perfect example of a supply chain attack: The hackers created a hole in Orion to get at government departments and corporations that use the software. This month is a time to make sure you know who your suppliers are and take action to lower the risk that they can be a way to get into your firm. And if your firm is a provider of services, make sure its security is top-notch.
Finally, you may recall a remote attack on a Florida water treatment plant in February, when someone played around online with controls. Last week a Kansas man was indicted for tampering with a public water facility’s computer system in that state. It is alleged he shut down the mechanism that helps clean and disinfect the water system. If convicted he faces a maximum sentence of 20 years.
That’s it for today. Links to details about these stories are in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.