Canada Post password alert, sextortion, Samsung phone fingerprint trouble and more.
Welcome to Cyber Security Today. It’s Friday October 18th, I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Security experts urge people not to use the same password on more than one site. That’s because when hackers steal passwords and usernames from one place, they try them somewhere else hoping to get lucky. Well, this week the Canadian post office began resetting the passwords of all online accounts, probably thousands of them, after realizing a thief got access to customer information in 2017. Canada Post says its systems weren’t hacked. So it figures the usernames and passwords the hacker used were likely stolen in other data breaches. Online accounts allow Canada Post users to forward their mail to another address, request vacation holds, pay postal bills online and do other things. The post office notice doesn’t say what information hackers got in addition to names and addresses. It’s another example of why you can’t reuse passwords. Instead, use a password manager to keep track of your passwords.
I’ve told you before about botnets, which are chains of thousands of computing devices that spread malware around the world. Well, according to security company CheckPoint Software, one of the oldest botnets is now spewing out sextortion email. The hackers find a stolen password and match it to someone’s email address. Then the botnet generates a message that says “Hi, I know one of your passwords is this,” and claims your computer is now infected and has captured compromising images of you. Pay up or the images will be released. The password makes the victim think the threat is legitimate. Don’t fall for this threat. The password could have been something you used a while ago and changed after being warned of a data breach. You may not have a camera on your desktop computer. If you have a laptop, you may have covered the camera. Or just think: has your computer ever been anywhere in your house where it could take a compromising picture of you? Threats like this are fake. Ignore them.
There’s controversy over the security of the fingerprint reader on the Samsung Galaxy S10 smartphone. It started earlier this week when a British news site ran a story about a woman who discovered anyone’s fingerprint could unlock her handset. Apparently the problem is that the transparent cover on the device interferes with the reader. So here’s the lowdown, according to security reporter Graham Cluley: This particular device uses an ultrasonic scanner to read a fingerprint. Other devices use different technology. It seems that certain screen protectors mess up the Samsung S10 technology. But also note that there have been other reports that the ultrasonic reader can be fooled in other ways. So here are two pieces of advice for those who have Galaxy S10 smartphones: Use only screen protectors approved by the manufacturer. And, if you’re really worried, turn the fingerprint reader off and only use a password. According to one news report, Samsung is working on a software patch.
You all know that malware can be hidden inside documents that are attached to email. But infections can also be hidden in JPG images. Click on the image to see it, and you get hit. Now a report out this week notes malware has been seen in WAV audio files. If you try to play the file, you’re hit. Security company BlackBerry Cylance said it’s seen two versions of this. One installs a piece of code that starts using the victim’s computer to mine for cryptocurrency, the other opens a backdoor so an attacker can secretly get into the computer. If you’re a victim you may not know it: Sometimes the sound file will play music perfectly. Other times it plays only static, which is a tip-off something’s wrong. For consumers this is another reason to be wary of any email or text with attachments from people you don’t know or you aren’t expecting. Companies have to give the same warning to employees. They also have to keep a sharp eye out for suspicious activity on their networks and in application or website code.
Finally, employees at two more companies have apparently been clumsy with data left online in Amazon’s AWS data storage service. The companies are job recruitment firms Authentic Jobs, based in the U.S., and Sonic Jobs, based in Britain. Over 200,000 resumes with names, addresses, phone numbers and other personal information were left unprotected. Amazon AWS storage is configured as private by default, so an employee has to change a setting to make data publicly exposed. As I’ve said before, companies have to do a better job of making sure employees understand how to configure data stored in the cloud. If they don’t understand, cloud storage should be forbidden.
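As an added illustration of the setting change this item describes (example code written for this page, not tooling from Amazon, Canada Post or either recruitment firm): the three controls that decide whether an S3 bucket is exposed, checked offline against constructed sample settings. The bucket name, account id and policy contents are made up; the input shapes follow what boto3's get_bucket_acl and get_public_access_block return.

```python
import json

# Canned ACL grantee URIs meaning "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _principal_is_public(principal):
    """A bucket-policy Principal of "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Sids (or positional names) of Allow statements whose Principal is everyone."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", f"stmt{i}") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]

def public_acl_grants(grants):
    """grants is shaped like boto3 get_bucket_acl()['Grants']; returns the public permissions."""
    return [g["Permission"] for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def assess_bucket(policy_json, grants, bpa):
    """bpa mirrors get_public_access_block()['PublicAccessBlockConfiguration'].
    Block Public Access neutralises a public policy/ACL, so only report what is actually exposed."""
    findings = []
    sids = public_policy_statements(policy_json)
    if sids and not bpa.get("RestrictPublicBuckets", False):
        findings.append("policy open to everyone: " + ", ".join(sids))
    perms = public_acl_grants(grants)
    if perms and not bpa.get("IgnorePublicAcls", False):
        findings.append("ACL open to everyone: " + ", ".join(perms))
    return findings

# Constructed sample settings (not either recruitment firm's real configuration).
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "OwnerOnly",
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-resumes/*"}]})
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-resumes/*"}]})
PUBLIC_READ_ACL = [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
BPA_ON = dict(BlockPublicAcls=True, IgnorePublicAcls=True,
              BlockPublicPolicy=True, RestrictPublicBuckets=True)
BPA_OFF = {k: False for k in BPA_ON}   # the state an employee has to put the bucket into
```

Running `assess_bucket(PRIVATE_POLICY, [], BPA_ON)` returns no findings, while the exposed policy plus public ACL with Block Public Access off reports both openings; the same exposed settings with Block Public Access on report nothing, which is why leaving that account-level guard switched on matters.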
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.