Freepik hack, Weather Channel app privacy lawsuit settled, flaw in Google Drive and a university pays a ransom
Welcome to Cyber Security Today. It’s Monday August 24th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Freepik and Flaticon, websites that offer free and paid graphics, photos and icons, have suffered a security breach. Their parent company said hackers got away with email addresses of 8.3 million users, which could be used to send spam and phishing attacks. The scrambled passwords of millions were also copied. For most, those passwords are safe because the method of protecting them is good. However, for about 229,000 people the scrambling method was older and capable of being cracked. That group has to choose new passwords. They are also being urged to change their password for logging into other sites if they used the same password there.
You may not know, but IBM owns the Weather Channel mobile app. Like many apps, it asks users to share their location data so they can receive personalized weather forecasts. However, a lawsuit filed by the city of Los Angeles alleged that unknown to users the personal data collected was sold to other companies. Last week the Associated Press reported a settlement. The Weather Channel has changed how it tells users about the use of personal data and clearly lets users know they don’t have to provide access to their locations. Separately, IBM has also agreed to donate $1 million work of technology to Los Angeles County to help with COVID-19 contact tracing. In a statement, The Weather Company says it never agreed the claims against it had merit.
There are a number of services that allow computer users to share and update files without emailing them to each other. For those who use Gmail the feature is Google Drive. However, The Hacker News reports a flaw in Google Drive that can allow an attacker to spread malware. The problem is Google Drive doesn’t verify updated file versions. Ideally, you’d replace “Project1.doc” with “Project2.doc.” However, Google Drive allows a replacement file to be named with a different extension, like “Project3.exe.” An attacker who accesses a Gmail user’s account could use this weakness to infect the computers of anyone who shares the Google Drive with the victim. So until this is fixed be careful with files people send you on Google Drive.
The University of Utah has been forced to pay just over $457,000 to criminals behind a ransomware attack. The university said that on July 19th servers in the College of Social and Behavioral Science were encrypted, denying students and staff access to their data. The college’s servers were quickly isolated from the rest of the university, and 10 days later everyone in the institution was told to change their university access passwords. However, working with its insurance provider the university decided to pay the crooks. Insurance paid only a part of the ransom. The university says the incident has made it re-think security and move to a more centralized IT management. That includes making students, faculty and administrators use two-factor authentication with their logins.
Deciding to pay a ransom isn’t easy. Still, the head of a web security company says there are risks. Ilia Kolochenko, CEO of ImmuniWeb, notes hackers may not honour their promises to release copied or encrypted data. And partners of the hackers may also have their hands on copied data and will use it.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.