Avoid this phony Samsung app, update Microsoft Office, not-so-smart door locks, and a router manufacturer disciplined
Welcome to Cyber Security Today. It’s Friday, July 5th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
It’s the start of the U.S. Independence Day long weekend. For those of you enjoying a day off, thanks for listening. For the rest of you who usually listen on the way to or at work, thank you as well — and here’s the news:
Attention owners of Samsung smart phones: Don’t get suckered into using an Android update app found in the Google Play Store. Called “Updates for Samsung,” this scam lures you into paying $34.99 to download updates. What you really get, according to the CSIS Security Group, are a lot of ads — and you’ve given a stranger your credit card. About 10 million people have downloaded this app for some reason. The only safe way to get Android updates is through the Settings application on your device. Go to “About phone” and then “Software Update.” If your device is so old you can’t get Android updates anymore, it’s time to buy a new one.
Attackers don’t always look for new holes in software when trying to crack computers. Old vulnerabilities that are unpatched are just as good. A reminder of that came this week when the U.S. military’s Cyber Command issued an alert that hackers are still trying to exploit a vulnerability in Microsoft Office that was discovered two years ago. If you or your company hasn’t patched Microsoft Office in a while, you’re open to being hacked.
Smart home and office technology isn’t always smart. If manufacturers take shortcuts, Wi-Fi connected door locks, surveillance cameras and the like can reduce security, not increase it. The latest example was outlined this week by two security researchers who were able to crack a front door lock made by a company called Zipato by getting to its wireless hub. Now, the hub had some security protections, including a scrambled password. However, the way those protections were implemented wasn’t good enough. To its credit, when told of the vulnerabilities Zipato fixed them, and new firmware is available for users to download. The company has also discontinued the vulnerable hub. The lesson for manufacturers of Internet-connected devices is that product security is complex and has to be carefully thought out and implemented.
What might happen if they don’t do it right? Regulators might come knocking. For example, this week D-Link, which makes routers and Internet-connected surveillance cameras, was forced to promise to follow a comprehensive software security program after being sued by the U.S. Federal Trade Commission. It was part of a settlement of a 2017 complaint that the company failed to secure products from well-known vulnerabilities. In marketing materials D-Link said its products included advanced network security. In reality devices could be easily hacked. The settlement also obliges D-Link to get independent third-party assessments of its security program every two years for the next decade. And if you have a vulnerable D-Link device? The company has to push software fixes out and send clear how-to-install instructions to owners.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.