Although it’s tempting, don’t use company computers for holiday shopping, another post office website package tracking flaw is found and more bad Android apps in the Google Play Store.
Welcome to CyberSecurity Today. It’s Friday November 23rd. To hear the podcast, click on the arrow below:
 |
 |
 |
Today is Black Friday, the beginning for some companies of at least a week of online product sales. Those tempting sales may continue through December, and in Canada and the U.K., climax with Boxing Day sales on December 26th. I’ve already passed on tips to consumers for smarter shopping online, but this is also a time to remind listeners that you shouldn’t be shopping on company-supplied computers or smart phones. There’s lots of fake retailing websites out there looking not only to steal your personal data as you pay online, but also to infect computers with malware. You don’t want to explain a shopping “oops” to your employer And company managers, this is also a good day to remind employees about your policy that forbids employees from using company-owned devices for personal reasons.
Earlier this month I wrote a news story on ITWorldCanada.com of a flaw on the Canadian post office website that allowed anyone to get personal information on other customers through a tracking package capability. Well, the U.S. post office has just fixed a similar tracking problem on its website. According to security reporter Brian Krebs, any user with an account who logged in could query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information. It could have been a great way to compile a list for distributing spam. Told of the problem, the post office fixed the flaw. These incidents are a warning to any company that sells products through a website: You’ve got to have tough access control to limit the ability of account holders to roam around your system. As one expert told Krebs, the U.S. post office flaw violated the first rule information security: Access control.
Attention Android users: Another group of infected games has been found and removed from the Google Play Store. Security vendor ESET said this week it found 13 apps that were supposed to let you play at driving a car or truck. Instead they download malware. As I’ve said before, your smart phone isn’t a place to be playing games. Add as few apps as possible and make sure you know where they’re coming from. Just because an app is in the Google or Apple store doesn’t mean it’s safe.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Alexa Flash Briefing. Thanks for listening.