Welcome to Cyber Security Today, the Week in Review edition for Friday November 27th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
With me today is Dinah Davis, vice-president of research and development at managed cybersecurity provider Arctic Wolf. We’ll talk in a few minutes about security-related holiday gifts. But first a look at the some of the big news in the past seven days:
Three men in Nigeria who police believe are members of a criminal gang behind a number of email scams have been arrested in Lagos. The Interpol police co-operative said this week the gang allegedly developed phishing links, domains and mass email campaigns trying to trick employees of organizations into opening malicious attachments pretending to be purchase orders, product inquiries and COVID-19 research information. The goal was to infect systems and steal passwords and data. The investigation was done with the help of Singapore-based threat intelligence firm Group-IB. It says the gang could have compromised at least 500,000 government and private sector firms in more than 150 countries since 2017. In addition to the three arrested other gang members are being sought.
Security researchers discovered a recent ransomware attack that took only eight hours from an organization being hacked to the malware being deployed. It isn’t clear how, but the attackers got hold of an administrator’s username and password to start the incident. And a major IT services company based in France called Sopra Steria said a ransomware attack last month could cost it up to $50 million in recovery costs. Much of that may be covered by insurance. No customer data was copied. According to the Bleeping Computer news service the company has 46,000 employees in 25 countries. Attackers launched the ransomware within days of getting into the system.
IT administrators whose firms use the MobileIron mobile management system are being warned to install the latest security patches to the system. Updates have been available since June, but Britain’s cyber security centre says hackers have recently successfully gotten into firms that haven’t patched yet.
A security researcher from Belgium says employees need to be reminded that sending passwords through email is a corporate no-no. This comes after he discovered someone had done that at an unnamed company. The employee had uploaded a password-protected file to a cloud server for a colleague to see. But emailing the password to the intended recipient defeats the intention of security.
Finally, a couple of big companies got whacked with big financial penalties this week. The Home Depot agreed to pay $17.5 million to 46 U.S. states for a huge 2014 data breach. Hackers got into the company through a partner firm, then managed to get into the point of sale system to copy details of over 50 million credit and debit cards. And South Korea fined Facebook about $5 million for sharing data of at least 3.3 million users and their friends in that country without their consent through third-party apps. The Personal Information Commission also said it would file criminal charges.
My guest analyst this week is Dinah Davis of Arctic Wolf. We decided to talk today about security-related holiday gifts. Between Christmas, Chanukah and other holidays you may be looking for gift ideas.
–For your friends and family, I think the number one thing you could get them is a subscription to a password manager. We know that one of the biggest ways people get hacked is because they reuse passwords. And if you don’t have strong passwords they also get breached. A password manager would help them generate new passwords for every site and stores them so they don’t have to be remembered. People have on average between 90 and 150 different logins. So to try and remember all of those as unique passwords is essentially impossible. (For reviews on password managers see PCMag.com or TomsGuide.com)
–A great stocking stuffer is a [laptop] webcam cover. If you really want to make sure no one can see you, then you cover up that webcam right now. There’s something you should be very careful about here: Most Macbooks are extremely thin and the webcam is actually in the screen itself. So you want to make sure you’re getting an ultra-thin one. You can also get them for your phone. (Webcam covers can come in bundles of three or more and can start at around $7 a package)
— An RFID blocking wallet. Credit cards have wireless tap and pay capability, using a technology called NFC and RFID waves to make that payment. People can come up close to you and try and get your credit card to tap on some tool that they have and unbeknownst to you, you’re paying for various things you’re not getting. RFID wallets block the capture of signals. There’s lots of them — you can get beautiful wallets from high-end companies, and relatively cheap ones off of Amazon. If you’re looking to get out a [regular] wallet for somebody anyway, look for one with this feature. (RFID wallets come in a wide range of styles and prices, including ones that are also cellphone covers.)
–A USB authentication key for those using two-factor authentication. The key, which has a fingerprint reader and plugs into a USB port, serves to authenticate the user instead of getting a six-digit code over insecure SMX text messages. Keys can also plug into a cellphone through the USB-C port. This is great for somebody who really wants to ensure that they’re very secure, especially with more sensitive accounts like a bank account. (Popular keys are the YubiKey and Google Titan key. Prices start at $45)
–A USB condom, and that is not a joke. It’s an extra piece that you plug onto the end of your USB cord that you then plug into your computer or into a charging wall. It limits the capability of the cord to power only. It won’t let any data go through. This keeps your laptop, tablet or phone safe from getting any malware. This is fantastic for people who travel a lot, or use coffee shops a lot to charge devices.( Also called a USB data blocker. For more information see this article. Usually found on Amazon. Be careful where you buy. A bad one of these could guarantee malware gets in. One popular brand is SyncStop and costs US$13, another is the PortaPow.)
— A portable USB backup hard drive. This will be really appreciated by someone who either doesn’t backup their data or is running out of space on their existing drive. The drive shouldn’t be plugged in all the time which will make it less likely to be infected by malware. Look for brand names like Seagate and Western Digital. Prices now are around $70 for a 2TB drive.
— USB memory sticks are great small gifts. They come in several sizes, but I suggest at least 32GB. Buy them in blister packages and not from a bowl by the cash register. Anyone can tamper with an open memory stick. Packaged drives are less likely to have been tampered with. ($10 and up. Look for deals with two or three in a package)
—Books for IT/infosec managers and software developers. Two new books are
You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions by Ira Winkler, president of awareness training firm Secure Mentem. To be published early in December, it tells how to minimize business losses associated with user failings, to proactively plan to prevent and mitigate data breaches and to optimize security spending. Available in paperback or Kindle.
Alice and Bob learn Application Security, by British Columbia based Tanya Janca, who runs an application security training company called We Hack Purple. The book covers basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures.
–IT World Canada chief content officer Jim Love highly recommends How to Measure Anything in Cybersecurity Risk by Douglas Hubbard. It isn’t new, but as cyber security managers know, measuring everything is key to making effective decisions. So this book will be welcome.
–A subscription to a virtual private network (VPN) service. Ideal for someone who travels a lot, or often uses public Wi-Fi in restaurants, malls, hotels and airports. A VPN is an encrypted tunnel that prevents someone from intercepting your communications on public Wi-Fi. Public Wi-Fi is not a good place to check your company mail or do online banking. (One year VPN plans range in price but there are many Black Friday specials)