Twitter criticized by regulator, NSA ranks vulnerabilities, cybercrooks pretend to be good guys and more.
Welcome to Cyber Security Today. It’s Wednesday October 21st. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Remember the big Twitter hack last July? That’s when attackers took over the accounts of celebrities and promoted a “double your bitcoin” scam. Well, New York State’s financial regulator has criticized Twitter for poor security in letting the attackers get away with it. There were no special tricks used by the attackers, the report said. A few employees fell for a phone call from someone pretending to be from Twitter’s IT department, and that led to the infiltration. Just as bad, Twitter didn’t have a chief information security officer for seven months before the hack. That sends a message that cybersecurity wasn’t a top priority, the report said.
I’ve often talked of the importance of having two-factor authentication to strengthen employee logins. Well, Twitter had it. But the attackers got around it by tricking staff into logging in through a lookalike company site that passed everything along to the real one. When the employees typed in their two-factor codes, the attackers captured them and replayed them on the real site before they expired. The lesson here is that staff who can access sensitive systems should use a hardware security key (a USB key supporting FIDO2/WebAuthn) as their second factor instead of typed-in numbers. The key’s response is tied to the real site’s domain, so a lookalike site can’t relay it.
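To make the difference concrete, here is an added example (my own simulation, not code from the podcast, the regulator’s report or Twitter) that runs a real-time phishing relay against both kinds of second factor. The site names, secrets and challenge are constructed, and an HMAC stands in for the security key’s ECDSA signature; the TOTP arithmetic is the standard RFC 6238 one and the relying-party checks are the ones the WebAuthn spec requires (challenge, origin, RP ID hash, signature).

```python
"""Added example (not code from the podcast, the DFS report or Twitter): why a
relayed one-time code logs the attacker in, while a relayed security-key
assertion does not.  Site names, secrets and the challenge are constructed."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"            # constructed stand-in for the real site
RP_ID = "example.com"                                 # WebAuthn relying-party ID for that site
PHISH_ORIGIN = "https://login.example-support.net"   # constructed lookalike site


# --- Code-based second factor (RFC 6238 TOTP) ----------------------------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the 30-second counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def site_accepts_totp(secret: bytes, submitted: str, at: int) -> bool:
    """The real site only checks the digits against the current window; it has no
    way to know whether the user or a phishing proxy typed them."""
    return hmac.compare_digest(totp(secret, at), submitted)


# --- Origin-bound second factor (WebAuthn / FIDO2 security key) ----------------
def browser_get_assertion(key: bytes, page_origin: str, rp_id: str, challenge: str) -> dict:
    """Simulates the browser plus security key.  The browser refuses an RP ID that
    is not the page's host (or a parent domain of it), records the origin it is
    really talking to in clientDataJSON, and the key signs over the RP ID hash and
    the client-data hash.  HMAC stands in for the key's ECDSA signature."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("browser: RP ID %r not valid for origin %r" % (rp_id, page_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + flags (UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(key, signed, hashlib.sha256).digest()}


def site_accepts_webauthn(key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn spec: challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:          # a relayed assertion fails here ...
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                             # ... and here
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["sig"])


def run_scenarios() -> dict:
    """Legitimate login and a real-time phishing relay, for both factor types."""
    secret = b"constructed-totp-seed"          # shared with the authenticator app
    key = b"constructed-security-key-secret"   # lives inside the USB key
    now = 1_600_000_000
    challenge = "constructed-challenge-from-real-site"
    out = {}

    # TOTP: victim types the code into the lookalike site; the proxy forwards it
    # to the real site a few seconds later, still inside the same 30-second window.
    code = totp(secret, now)
    out["totp_legit"] = site_accepts_totp(secret, code, now)
    out["totp_relayed"] = site_accepts_totp(secret, code, now + 5)

    # WebAuthn: the proxy forwards the real site's challenge to the victim's browser.
    out["webauthn_legit"] = site_accepts_webauthn(
        key, browser_get_assertion(key, REAL_ORIGIN, RP_ID, challenge), challenge)
    try:  # the lookalike page cannot even ask the browser for the real RP ID
        browser_get_assertion(key, PHISH_ORIGIN, RP_ID, challenge)
        out["webauthn_relayed_real_rpid"] = True
    except ValueError:
        out["webauthn_relayed_real_rpid"] = False
    # with its own RP ID the browser cooperates, but the real site rejects the result
    relayed = browser_get_assertion(key, PHISH_ORIGIN, "example-support.net", challenge)
    out["webauthn_relayed_own_rpid"] = site_accepts_webauthn(key, relayed, challenge)
    return out


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print("%-28s %s" % (name, "ACCEPTED" if accepted else "rejected"))
```

Running it shows both TOTP scenarios accepted and only the legitimate WebAuthn login accepted: the one-time code carries nothing about where it was typed, whereas the assertion carries the origin the browser actually saw and the hash of the RP ID the browser was willing to sign for, and the real site checks both.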
It’s not easy for IT departments to prioritize which software patches they should install. Updates are issued almost daily from companies around the world. The U.S. National Security Agency wants to help. On Tuesday it issued a list of the 25 vulnerabilities most commonly exploited by Chinese state-sponsored cyber attackers. Most are in products reachable directly from the internet, such as remote-access gateways and web services, that give attackers a way into a network. The list includes holes in products from Pulse Secure, F5 Networks, Citrix, Microsoft, Adobe, Oracle, Cisco Systems and others. The NSA says U.S. government systems and companies that sell to the Defence department should treat patching this list as a priority. Other companies should, too. There’s a link to the list here.
Everybody wants to be a Good Guy, including cybercriminals. After bad publicity two years ago, some ransomware gangs swore they don’t target hospitals, only evil capitalist companies. Last week one went further, saying it has started donating some of the money it has forced victims to pay to two charities. “Let’s make the world a better place,” the Darkside gang apparently said on its website. Well, one of the charities that got the equivalent of $10,000 in bitcoin, a non-profit for sponsoring children in extreme poverty, isn’t fooled. If the donation comes from a hacker, it told the BBC, we won’t keep it. As the ZDNet news service pointed out, it’s illegal in most countries to receive funds obtained by crime.
This being Cyber Security Awareness Month it’s a good time to think about whether the cyber training offered at work and in schools is worthwhile. So a management consulting firm called Oliver Wyman created a scoring system to rate countries’ cyber risk literacy. It’s based on public motivation to practice good cybersecurity, government policies to improve cyber literacy, education systems, how well businesses raise employees’ cyber skills and the degree to which digital access and skills are shared across the population. The best country is Switzerland, followed closely by Singapore, the United Kingdom, Australia and the Netherlands. Canada ranks sixth, the U.S., 10th. South Africa is last out of 50 countries rated, just after China.
Finally, there’s a report that a ransomware group called Nefilim has begun publishing stolen data that appears to come from Luxottica, a company that makes eyeglass frames under brands like Ray-Ban and owns a number of eyeglass retailers around the world, such as LensCrafters. According to Security Affairs, an Italian researcher discovered the documents, which are said to be corporate financial files. Nefilim is one of the ransomware groups that steals data before encrypting it, then threatens to publicly release the files unless victim organizations pay up.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.