Beware of coronavirus email scams, Instagram password worries, threats to Ashley Madison users and more
Welcome to Cyber Security Today. It’s Monday February 3rd. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Hackers often use news headlines as a hook to spread malware. They find a hot topic, craft an email with an eye-catching subject line and insert a malicious attachment. That attachment infects a computer if it’s opened. Fear about the spread of the coronavirus is the latest event to be exploited. Beware of email with documents that supposedly have information about protecting yourself from the virus, even if the sender appears to be a health centre. IBM and security firm Kaspersky have seen evidence of these campaigns.
Instagram users who also subscribe to Social Captain, a site that helps people grow their Instagram followers, should consider changing their passwords. This comes after Social Captain admitted making a configuration mistake that exposed the passwords of its Instagram users. The news site TechCrunch was tipped off to the boo-boo last week. To use Social Captain a user has to enter their Instagram username and password. But Social Captain wasn’t storing the passwords safely with encryption. Anyone who knew how could see other users’ profiles. The chief executive of Social Captain said the website problem lasted for several weeks but has now been fixed. However, Instagram says Social Captain breached its terms of service by improperly storing passwords.
Five years ago someone stole millions of user profiles from the Canadian-based dating site Ashley Madison. After a quiet period a criminal is trying — again — to extort money from those users. Ashley Madison promotes itself as a website where people who want to cheat on their spouses can meet, but of course no one verifies members’ marital status and people can use phony names. Still, people used their real names and registered their credit cards. A week ago a company called Vade Secure detected a new targeted email campaign against current or former Ashley Madison users, primarily aimed at users in the United States, Australia and India. It demands about $1,000 in the form of bitcoin or “everyone who knows you” will be sent a copy of your Ashley Madison profile. As proof, the email says the sender has evidence of the user’s postings on Ashley Madison.
Trello is a popular project management and collaboration application used by companies to co-ordinate work being done by employees. The default setting is ‘private’, so Internet snoopers can’t see what the company is doing or read messages that might have sensitive personal information. But a researcher at security firm Sophos warns many companies are allowing their Trello boards to be set to ‘public,’ where anyone can see them. Why is this bad? Earlier this month a British newspaper reported that a company had left a file with performance ratings of 900 managers posted to a Trello board that was open on the Internet. It was likely a misconfiguration problem, but embarrassing to the company. Following up on this, Sophos did some hunting on the Internet and found many other companies with open Trello boards holding sensitive information that should never have been exposed. The lesson for IT administrators is that they not only have to scan their company’s networks for malware, they also have to regularly scan the software being used by staff — everything from Trello to Amazon storage — to make sure it hasn’t been misconfigured.
Finally, hackers love collecting email addresses, which they use to send out spam and malware. They get most of their addresses from data thefts or from scraping email addresses off web sites. But sometimes companies make it easy for them by making mistakes. Here are two recent examples: Smart speaker manufacturer Sonos has recently been sending mass emails to customers explaining its software update policy. There’s a way to do that safely, by putting the list of email addresses in the Bcc field, which stands for Blind Copy. That way each recipient only sees their own email address. But last week one staffer sent an email to 450 people with the email addresses in the CC field, which stands for copy all. Everyone who got that message could see the entire list of addresses the email went to. Earlier this month a New Jersey medical clinic admitted it did the same with an email to just over 8,000 people last fall explaining new administrative procedures. In addition to being a privacy violation, mistakes like these can be capitalized on by criminals. Companies need to train staff who send out mass email to do things more slowly.
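The safe way of sending described above, as an added example that is not from the podcast or from any of the companies mentioned: a small Python pre-send guard that keeps the recipient list in Bcc, refuses to send when To or Cc would expose more than one address, and strips the Bcc header before the message goes on the wire. The function names and the example.com addresses are assumptions made for the example.

```python
# Added example (not from the podcast): a pre-send guard for mass mailings.
# Function names are hypothetical; all addresses used with it are constructed samples.
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: a bulk notice should never expose more than one address in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1


def build_mass_mail(sender, recipients, subject, body, hide_recipients=True):
    """Build a bulk notice; recipients go in Bcc (safe) or Cc (the mistake described above)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # address the notice to ourselves so To carries one address
    msg["Subject"] = subject
    msg["Bcc" if hide_recipients else "Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see once the message is delivered (To and Cc only)."""
    return [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]


def exposure_check(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Return True when the message is safe to send, False when To/Cc would leak the list."""
    return len(visible_recipients(msg)) <= max_visible


def prepare_for_transport(msg):
    """Split the message into SMTP envelope recipients and a header block safe for the wire.

    Bcc is removed from the transmitted copy, so no recipient receives the full list.
    (smtplib.send_message performs the same Bcc stripping; this makes the step explicit.)
    """
    if not exposure_check(msg):
        raise ValueError("refusing to send: %d addresses visible in To/Cc"
                         % len(visible_recipients(msg)))
    all_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = list(dict.fromkeys(addr for _, addr in getaddresses(all_headers)))
    wire = copy.deepcopy(msg)
    del wire["Bcc"]               # removes every Bcc header before serialisation
    return envelope, wire.as_string()
```

Wire the guard in front of whatever actually submits the message so that a Cc slip like the ones above is rejected before it leaves the building.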
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.