Verify the sites you download apps from, Facebook and Apple fight over an app and an Irish telco embarrassed after laptop theft.
Welcome to Cyber Security Today. It’s Friday August 24th.
Here’s another warning about downloading desktop or mobile apps. Bleeping Computer has been told by Kaspersky Labs that an Asian cryptocurrency platform was hacked after an employee downloaded an app from a legitimate-looking website. The site claimed to be a company that develops cryptocurrency trading software. But the app was fake and loaded with malware. What’s interesting is that there is both a Windows and a Mac version of the malware. Just as bad, the app somehow carried a valid digital signing certificate, the piece of code that is supposed to verify the authenticity of the software. With a legitimate certificate the software would get past security software scans. So it seems the gang behind this created a phony software company as well as phony software. Kaspersky believes the North Korea-based Lazarus Group is behind this scam. My guess is that people caught up in the hugely popular cryptocurrency craze are likely to download anything dealing with digital money. They need to be careful. For the rest of us, an important lesson here is to beware of downloading or buying anything on the Internet unless you know the source. It costs an attacker nothing to set up a neat-looking website. But looks can be deceiving.
Facebook has removed its Onavo Protect application from Apple’s App Store after Apple concluded the mobile app violated its guidelines on data collection. The Wall Street Journal said Onavo Protect allegedly didn’t comply with Apple’s new rules, implemented in June, that restrict app developers from collecting user data and selling it to third parties. Onavo Protect is a virtual private network, or VPN. A VPN creates encrypted tunnels for private communications. But like any app it can also collect user data. Facebook says it has always been upfront about what Onavo does: it analyzes the websites you go to, the apps you use and your data usage in order to improve Facebook products and services. According to The Hacker News, Apple users who already have Onavo can still use it, but they won’t get updates. There’s also Onavo for Android. Between the Apple and Android versions there have been 33 million downloads of Onavo. This is a reminder to everyone downloading or buying software: Ask whether it collects data, how much, and what it’s used for.
Finally, it’s not uncommon for people to take work home or on the road on a laptop. When you do, it’s vital that your laptop be password protected AND encrypted if it holds sensitive data, like personal information on customers or company intellectual property. But the Irish telecom provider Eir was embarrassed this month to discover that an employee’s stolen laptop, which had the right protection, could still be compromised. Why? It said a faulty security update downloaded the day before the theft decrypted the data on 37,000 customer files. Those files included customer names, email addresses, account numbers and contact phone numbers. Security reporter Graham Cluley, who wrote about this on a blog for Tripwire, says blaming the fault on a software update is baffling. Be that as it may, the lesson here for companies is this: rather than letting staff put sensitive data on a laptop, keep the data in-house and make remote users log in to a central server with really strong credentials, such as multi-factor authentication. Think about a fingerprint or iris scanner or a specialized USB key, but in any case something more than just a username and password.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.