Another huge file of stolen credentials for sale on the dark web, new stats show how bad breaches were in 2018 and a phony U.S. military web site spotted.
Welcome to Cyber Security Today. It’s Friday February 15th. To hear the podcast, click on the arrow below:
Another huge cache of stolen usernames and passwords is being sold on the dark web. According to the news site The Register, earlier this week some 617 million online account details stolen from 16 hacked websites went on sale. The price: Around $20,000 in bitcoin. The good news is at least some of the passwords from sample accounts that were looked at by The Register are encrypted, so they would have to be cracked to be useful. Depending on the method used, the encryption may be easy to break. On the other hand people’s email addresses and some personal details may not have been protected. Victimized sites include Dubsmash, a mobile app that helps subscribers make music videos; MyFitnessPal; and MyHeritage. Some of the sites have already admitted they’ve been hacked, like MyFitnessPal. Most of the records were allegedly stolen last year.
By the way, if you want to know how bad last year was for data breaches, there were 6,515 publicly reported breaches around the world in 2018. That’s according to a report this week from a security vendor called Risk Based Security. A total of five billion records were exposed. And that’s only publicly-reported breaches.
Here’s something else to think about: While organizations are most likely to be hacked by someone outside the firm — as opposed to an employee — mistakes made by staff such as misconfiguring servers, data handling mistakes and other errors exposed far more data than malicious actors were able to steal by themselves.
By far the United States suffered the most breaches, with over 2,300. The United Kingdom was second, with 144 and Canada was third with 112. However, the top three countries in terms of the number of records stolen were the U.S., India and China.
Organizations and individuals who use certain Linux distributions are being warned to update their systems after the discovery of a vulnerability. According to The Hacker News it could allow someone with local access to a server to take it over. Versions of Linux that need updating are Ubuntu, Debian, OpenSUSE, Arch Linux, Solus and Fedora.
Just a reminder that this week Microsoft issued its monthly security patches. If you have Windows 10 updates should be automated, but check Windows Update to be sure.
One way attackers get your username and password is by setting up a fake website for you to log into. Someone did it to the U.S. Department of Defense, setting up a phony page for its Transition Assistance Program. Sharp-eyed people might have noticed the fake website ended in .com, instead of .mil. It isn’t known how many people fell for the scam before it was spotted this week.
Finally, the latest version of the Firefox browser for iPhones and iPads adds a new feature to the Private Browsing mode. When in this mode neither your browsing history nor cookies are saved on the device. The new feature allows users to stay in Private Browsing mode all the time. You can switch to normal browsing mode with the tap of a finger. Remember this Private Browsing mode doesn’t make you anonymous on the Web. Firefox for iOS version 15 is available on iTunes.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon