Canada one target in new spearphishing campaign, and watch your social media posts and Apple updates its privacy website
Welcome to Cyber Security Today. It’s Friday October 19th.
Canada, the U.S. and South Korea are the targets of a new wave of email-based cyber attacks, according to a report released this week at McAfee’s annual security conference. You should be on the lookout for mail with attached Microsoft Excel or Word documents that actually contain malware.
Targets discovered so far here include companies in the telecom, financial and agriculture industries. The malware gives the attackers full control of any system they compromise.
According to news reports, a U.S. man is going to enter a guilty plea to hacking the email and social media accounts of celebrities four years ago. This is a good time to remind listeners how he did it: by guessing the answers to their security questions using information on their social media accounts. If, for example, a star mentions their dog’s name or the high school they went to on a Facebook page, he’d hope they were answers to security questions and get a password reset sent to him. And it worked. It’s another way social media can be your worst enemy. In addition, the man also phished passwords from celebrities by sending fraudulent emails pretending to be from Apple’s security team.
Remember, no company will ever email you about changing your password and include a link to the site. Instead of clicking on the link, you should go to the web site yourself. And when choosing the answer to a security question on a website account, *never* tell the truth. That way no one can guess answers. Write down the phony answers for those sites, and keep them in a safe place. If you forget your password when you’re away from your home or office, don’t panic. You can probably wait a few hours. Whenever possible, use two-factor authentication, which means having a sensitive site – like your bank or email – send you a text or phone verification number when you log in.
Apple has updated its privacy website to reflect recent changes to the iOS 12 and Mac operating systems. For example, iOS 12 now flags when you try to re-use a password on more than one site or app. The site shows what Apple collects, why it’s collected, and how it is used. It also shows how you can manage your privacy with Apple devices. However, while it does make sure Apple users have to consent to third party apps accessing their contact list, if you say yes those apps can access any personal information you’ve added for each contact in the notes section – not just names and email addresses. The same is true for contact lists on Android devices. That information could be sensitive. I asked Canadian privacy expert Ann Cavoukian whether Apple should allow third parties to access contact notes, and she said it’s one of those things users have to think carefully about when they allow any third party app to access their contact list.
Finally, do you have a Linksys E-series router, like the E1200 and E2500? There’s a vulnerability that could allow an attacker to take control of it. Linksys has released a firmware patch for these two models, which has to be installed. See your instruction manual or the Linksys web site on how to do it. And, if you use Google Chrome, the new version 70 is available with some security updates.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Alexa Flash Briefing. Thanks for listening.