TikTok’s multi-factor authentication problem, install these updates from Cisco and Microsoft, and Airbnb hosts get a surprise.
Welcome to Cyber Security Today. It’s Monday September 28th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
I regularly mention that organizations should add two-factor or multi-factor authentication for extra protection for customers and employees. However, it has to be done right. The TikTok video sharing social networking service apparently did it wrong. The ZDNet news service reports that the security feature was enabled only for those using the mobile app. If a hacker knows someone else’s username and password they can log into TikTok from its website and not be asked for the extra code needed for safety. TikTok says it will fix that problem soon. In the meantime if you’re a TikTok user, to avoid your account being hacked make sure you use a strong and unique password for the service and not one also used for another website.
Airbnb appears to have suffered one of those ‘oopsy’ moments. Somehow last week people registered as residence hosts began seeing private inboxes of other property hosts unrelated to their accounts. Airbnb says a technical issue was the problem and was resolved within three hours. During that time, however, hosts had the ability to see names, codes needed to access a property and booking earnings of other hosts.
Cisco Systems is alerting network administrators using routers and switches that run its IOS and IOS XE operating systems to install the latest security updates. These will patch a bunch of bugs. However, two problems may need to be mitigated by disabling a feature until a fix is installed.
More on security updates: Last week Microsoft warned IT administrators of the importance of installing the latest security update for Windows Server. That’s because a critical vulnerability has been found that could be exploited by hackers. That update has been available since August. Well, it only took a few days after word got out about this vulnerability for attackers to take advantage of it. So, if you are responsible for Windows Server in your organization and haven’t installed the August security update, you’re begging for trouble.
Finally, network and security administrators whose firms use Fortinet’s Fortigate VPN solution should note that the device could be infiltrated by a hacker using a security certificate from another Fortigate device. A security certificate is a special piece of security code that verifies a web address as legit. This discovery comes from a researcher, according to The Hacker News. Fortinet says it warns IT staff when the product is being set up that they should buy a certificate for their organization’s domain and not use the generic certificate that comes with the device.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays.