An email service crippled when data on servers deleted, Dunkin’ Donuts hacked again and a desktop cyber security simulator for training.
Welcome to Cyber Security Today. It’s Wednesday February 13th. To hear the podcast click on the arrow below:
 |
 |
 |
Users of a secure email service called VFEmail are back online after a catastrophic attack on the system Monday destroyed all customer mail and backups stored in the U.S. What they have now is a new mailbox. However, as of Tuesday only those using the paid service have full use of services. Free users were warned they could receive email but should try to send mail. And those with their own email client were warned not try to connect to their new mailbox. If they do, they’ll lose all of that mail as well. The company is trying to recover the lost email. For more details see this link.
Dunkin’ Donuts’ rewards card program has been hacked again, the second time in three months. According to ZDNet, the way it was compromised — again — was through what’s called a credentials stuffing attack. That is, using a huge list of stolen usernames and passwords from other data breaches in a high speed automated way to find one combination that gets a thief logged in. In this case that led to the theft of the entire company database of rewards card owners — including their email addresses and passwords. A rewards card program itself usually doesn’t have much personal information. However, the usernames and passwords can be valuable to criminals for other credentials stuffing attacks. So no matter how unimportant a web site you register at, don’t re-use passwords at other sites.
Speaking of hacking, TechCrunch reports subscribers to the OKCupid dating site claim their accounts have been hacked, and their usernames and passwords changed. The company says its database hasn’t been breached. The suspicion is individuals have had their access compromised. The usual way would be by an attacker guessing a password or using a credentials stuffing attack. It’s another example of why you should always use a unique password for every site you have to register on. And use a password manager to keep all those passwords under control.
Ever wonder why there isn’t more federal cyber security legislation in the United States? Politico.com has a possible explanation in its piece this week on the Senate Homeland Security and Governmental Affairs Committee, chaired by Republican Ron Johnson. The article notes a think tank estimates 15 bills that were passed by the House of Representatives in the last Congress went nowhere when they came to the committee. The article is entitled ‘Where cybersecurity legislation goes to die,’
Do you have a Chromebook? That’s a light laptop that runs Google’s Chrome OS operating system. Well, there’s an update waiting for you that fixes some security vulnerabilities. Your laptop should update automatically, but check to be sure.
And as yesterday was Microsoft’s monthly Patch Tuesday, there are security updates available from it as well.
Finally, the computer networks in governments, companies and homes are called information technology, or IT, networks. But there are also operational networks which control machines in factories, municipal water treatment centres and pipelines. These networks are increasingly becoming Internet-enabled so they can be centrally controlled more easily. But if they aren’t protected they can also be hacked. To help train security researchers to understand the potential vulnerabilities, this week Cisco Systems released a desktop-sized motorized oilfield pumpjack simulator they can work on. The pumpjack is connected to a box with two small circuit boards that simulate the kind of system controller found in a company. In turn the controller is connected to a smartphone whose screen can be used as regulator. It can also used to wirelessly hack the controller, increase the speed of the pump and break it. Cisco suggests it be used to learn how to protect such a device from an Internet attack. You can find details about the device at Cisco’s Talos Intelligence blog.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon