Top vulnerabilities cyber crooks go after, Twitter and Google blunders and keep physical security in mind.
Welcome to Cyber Security Today. It’s Wednesday February 5th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
To hear the podcast, click on the arrow below:
 |
 |
 |
Vulnerabilities in products from Microsoft and Adobe were the most targeted bugs by criminals last year. That’s according to a report from security vendor Recorded Future. (Registration required to get the report) The company compiled a list of the top holes in software that criminals try to exploit. Eight out of the top 10 problems related to Microsoft products, including Office and Windows. This makes sense because Microsoft products are so widely used. But four of those eight were bugs in the Internet Explorer browser, although it should be replaced by users with Microsoft’s newer Edge browser. However, many users and companies are still using Internet Explorer. The other two vulnerabilities in the Top 10 involved Adobe’s Flash Player, a long-time favorite of attackers. Risks from Flash should be reduced if not eliminated soon because Adobe will stop releasing it at the end of this year.
Security experts constantly remind people and companies of the need to install the newest security updates to software and hardware as soon as they’re released. It’s dangerous to keep old and unpatched versions of Microsoft Office and Windows.
Two social media privacy blunders to tell you about: Twitter lets users keep their profile information like email addresses or phone numbers private if they want. If they don’t, there’s a feature for new users that allows people who already know your phone number find you on Twitter. But this week the company admitted that someone or group was recently able to use a vulnerability to match user names to phone numbers. It isn’t clear how many phone numbers were vacuumed up. But Twitter says the scam involved created a large network of fake accounts. To give you an idea of the potential, a security researcher publicly reported in December they could match nearly 17 million usernames to phone numbers. That report is how Twitter realized there was a problem. The bug has since been plugged.
And in another of those ‘oopsy’ incidents, an unidentified problem at Google late last year allowed some users to see the videos other people had posted to their Google Photos, YouTube, Chrome and related services. Google began admitting the privacy violation and notifying people this week. Those affected had downloaded their own data for Google Photos between November 21st and 25th. But somehow, others downloading data during those days had their videos mixed up at the same time. That bug has since been plugged.
Your company’s IT team does a lot to defend the firm from cyber attacks, like updating and buying hardware and software. But management has to be alert to other threats as well. Recently the head of a British regional police cyber crime team warned criminal gangs there are infiltrating service firms that do after-hours work in buildings like cleaning, painting and decorating companies. They would have the opportunity to hack into computers while the business is empty. It’s a reminder that physical security — including locking data centres and computer closets, and training staff not to leave personal computers running when they leave — is vital.
Finally, a little technical news: If you have a Realtek sound card on your computer, make sure it has the latest driver. Last week the company issued a warning that a bug in the old driver could help an attacker. The vulnerability was discovered by a security company called SafeBreach. But that’s only part of the story. SafeBreach sent messages to Realtek starting on July 10th last year about the problem. It took until August 14th for Realtek to reply. Companies that make software need to have clear contacts to handle security complaints. Sure, anyone can make an allegation. But to be respected firms at least need to be able to quickly say ‘Thanks, we’ll look into it.’
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon