Huge e-commerce hack, US warns of IT products being targeted and let people report vulnerabilities
Welcome to Cyber Security Today. It’s Wednesday September 16th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Experts stress the importance of applying security patches and updating to the latest version of applications to avoid being hacked. Well, almost two thousand online stores learned that lesson the hard way over the weekend when they were victimized. They were using version 1 of Adobe’s Magento e-commerce platform, which expired at the end of June. According to a cybersecurity firm called Sansec, the attackers used a common tactic: They inserted code on the sites that skimmed off credit card and other customer data as it was being entered. Sansec estimates that information of tens of thousands of customers was stolen from one of the compromised stores alone. The security company said the hackers were able to get into each site’s Magento administrator’s panel to download the malware. Experts say administrator accounts must be protected with strong login rules to prevent this from happening. It’s estimated 95,000 stores are still using the unsupported version of Magento.
Speaking of updates, the U.S. Cybersecurity and Infrastructure Security Agency says unpatched vulnerabilities in four products are regularly being exploited by hackers from China to infiltrate corporate and government networks. These bugs are in the F5 Network’s Big IP Traffic Manager, Citrix’s Virtual Private Network appliances, Pulse Secure VPN Servers and Microsoft Exchange Server. Software patches for these vulnerabilities have already been issued, but some organizations are still slow to apply them. Maintaining a rigorous patching cycle is the best defense against the most frequently used attacks, says the agency. Widespread implementation of robust configuration and patch management programs would greatly increase network security.
Finally, cybersecurity researchers regularly complain that many organizations don’t have a process for receiving security warnings. People who find vulnerabilities with websites, applications and unsecured data need a way to alert companies to these issues. Unfortunately, many organizations limit the way they can be contacted. So often researchers have to leave messages with sales, customer or technical support staff, who aren’t instructed on dealing with cybersecurity warnings. That can mean weeks go by before the right person is found and the issue is dealt with. This week the U.K. National Cyber Security Centre urged organizations to be more proactive. To help them, it also issued a Vulnerability Disclosure Toolkit to guide their work. Briefly, it urges every web site to have an email address or contact web form specifically for reporting security problems. To go along with that, organizations should also have a clear policy for how employees must handle reports. Having a publicly-available reporting process shows customers your organization takes security seriously, the centre notes. It also reduces the odds your organization’s reputation will be damaged because a report is handled slowly.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.