A zero-day Microsoft vulnerability was also reported by an individual called 'SandboxEscaper', which I expect Microsoft will patch as part of their monthly patch cycle in June. And a past Microsoft vulnerability, CVE-2019-0604, which has a security update available, has been reported as being actively exploited by hackers.
There were also critical security vulnerabilities and patch releases for Adobe, Drupal, Cisco devices, WhatsApp and Intel processors. The WhatsApp vulnerability (CVE-2019-3568) grabbed the mainstream news headlines. It impacts both the iPhone and Android versions of the encrypted mobile messaging app; an Israeli firm called NSO coded a toolkit which exploited the vulnerability and sold it to various government agencies. The NSO toolkit, called Pegasus, granted access to a smartphone's call logs and text messages, and could covertly enable and record the camera and microphone. New and fixed versions of WhatsApp are available on AppStore, so update.
Political and UK media controversy surrounding the Huawei security risk went into overdrive in May after Google announced it would be placing restrictions on the Chinese telecoms giant accessing its Android operating system. For further details, see my separate post about The UK Government Huawei Dilemma and the Brexit Factor and the Huawei section towards the end of this post.
May was a 'fairly quiet' month for data breach disclosures. There were no media reports about UK pub chain 'Greene King', after they emailed customers of their gift card website, to tell them their website had been hacked and that their personal data had been compromised. I covered this breach in a blog post after being contacted by concerned Greene King voucher customers. It seems that TalkTalk did not inform at least 4,500 customers that their personal information was stolen as part of the 2015 TalkTalk data breach. BBC consumer show Watchdog investigated and found the personal details of approximately 4,500 customers available online after a Google search. The Equifax data breach recovery has surpassed $1 billion in costs after it lost 148 million customer records in a 2017 security breach.
The UK army is to get a new UK Based Cyber Operations Centre, to help the army conduct offensive cyber operations against 'enemies', following a £22 million investment by the defence secretary Penny Mordaunt. She said "it is time to pay more than lip service to cyber. We know all about the dangers. Whether the attacks come from Russia, China or North Korea. Whether they come from hacktivists, criminals or extremists. Whether it's malware or fake news. Cyber can bring down our national infrastructure and undermine our democracy." The army's cyber operation centre will be up and running next year and should help to plug a 'grey area' between the British security intelligence services and the military.
Action Fraud and the Financial Conduct Authority (FCA) said UK victims lost £27 million to cryptocurrency and foreign exchange investment scams last year, triple the number of the previous year.
The 2019 Verizon Data Breach Investigations Report was released, a key report in understanding what cyber threat actors have been up to and what they are likely to target next.
- The Price of Loyalty, almost half of UK Office Workers are willing to sell Company's Information
- UK Pub Chain 'Greene King' Gift Card Website Hacked
- The UK Government Huawei Dilemma and the Brexit Factor
- WhatsApp, Microsoft and Intel Chip Vulnerabilities
- ZombieLoad: Researchers discover New Hardware Vulnerability in Modern Intel Processors
- Zavvi Champions League Final Competition Winner Email Blunder
- 2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways
- Top Tips On Cyber Security for SMEs
- TalkTalk Data Breach Customer Details Found Online
- Digital Minister Margot James: IoT Devices with Default Passwords could be Banned
- EternalBlue believed to be behind Crippling Baltimore Attack
- First American Financial website leaked 885 million documents
- TeamViewer reportedly hit by Chinese Hackers in 2016
- Army to get new £22m Cyber Centre to Combat Digital Threats
- GozNym Cyber-Crime Gang which stole Millions Busted
- Europol announces Takedown of Wall Street Market and Valhalla Dark Web Markets
- Another Three Billion Fake Facebook Profiles Culled
- £27m lost in Cryptocurrency ‘Scammers’ Paradise’
- Equifax Data Breach Recovery Costs Pass $1 billion
- License Plate Reader Firm Breached, Data Leaked
- Hacker steals Canva Data belonging to 139M users
- North Face apologises over Wikipedia 'hack'
- Microsoft Patches 79 Vulnerabilities, including 22 Critical for Windows, IE\Edge, OWA, .NET, Chakra and SharePoint
- Almost One Million Vulnerable to BlueKeep Vulnerability (CVE-2019-0708)
- Adobe Releases Fixes at least 84 Vulnerabilities in Acrobat and Acrobat Reader
- Intel ZombieLoad side-channel Processor Vulnerability
- Windows 10 Zero-Day Vulnerability released, Microsoft Patch not yet Available
- WhatsApp Patches flaw Allowing easy Installation of Pegasus Spyware
- WordPress Slick Popup plugin could leave a backdoor open to Hackers
- Cisco Critical Vulnerability in Switch Software and 41 other Flaws
- Cisco Patches Critical Vulnerability in Cisco Elastic Services Controller
- Drupal Core Patches Moderately Critical Vulnerability
- Mozilla patches Two Critical flaws with Firefox 67
- Slack Patches Flaw that could allow Attackers to Hijack Downloaded Documents
- Bypass Vulnerability discovered in MacOS X GateKeeper
- Mirai variant uses 13 Exploits to compromise IoT
- Department of Commerce Announces the Addition of Huawei Technologies Co. Ltd to the Entity List
- Huawei's use of Android restricted by Google
- Google will work with Huawei for the next 90 days after US eases restrictions
- What happens to my Huawei smartphones and tablets now
- ARM memo tells staff to stop working with China’s tech giant
- China warns of investment blow to the UK over 5G ban
- Trump declares a national emergency over IT threats
- Trump says Huawei could be part of trade deal
- Huawei: Which countries are blocking its 5G technology?
- Huawei 'to go the extra mile' to reassure world on 5G spying
- Is Huawei in retreat?
- Huawei says billions of customers could be harmed by US sanctions
- Mike Pompeo warns the UK over Huawei 'security risks'
- Huawei's microchip vulnerability explained
- Vodafone Found Hidden Backdoors in Huawei Equipment
- Microsoft researchers find NSA-style backdoor in Huawei laptop
- Huawei the Company and the Security Risks Explained
- Theresa May has questions to answer over the Huawei scandal
- Sacked defence secretary denies security council leak on Huawei decision
- Vodafone denies Huawei Italy security risk
- How Chinese Spies Got the NSA’s Hacking Tools, and Used Them for Attacks
- APT10 Campaign Debuts Two New Loaders for Distributing PlugX and Quasar RATs
- MegaCortex Ransomware Attacks Spike
- Nansh0u Cryptomining Malware hits 50,000 Servers
- HawkEye Malware Campaign Upticks on Business Users
- 2019 Verizon Data Breach Investigations Report released
- Apricorn Survey: Encryption on the Rise Due to GDPR
- Ponemon Institute Study found, there has been a dramatic increase in IoT-related Data Breaches
- Report finds Ransomware Recovery Firms Simply Paying Attackers
- Blancco Report reveals 42% of Used Drives sold on eBay are holding Sensitive Data
- Digital Shadows Photon Research “Too Much Information” Report: 2.3 billion files exposed across online file storage
Is your family feeling more vulnerable online lately? If so, you aren’t alone. The recent WhatsApp bug and social media breaches have app users thinking twice about security.
Hackers behind the recent WhatsApp malware attack, it’s reported, could record conversations, steal private messages, grab photos and location data, and turn on a device’s camera and microphone. (Is anyone else feeling like you just got caught in the middle of an episode of Homeland?)
There’s not much you and your family can do about an attack like this except to stay on top of the news, be sure to share knowledge and react promptly, and discuss device security in your home as much as possible.
How much does your family love its apps? Here’s some insight:
- Facebook Messenger 3.408 billion downloads
- WhatsApp 2.979 billion downloads
- Instagram 1.843 billion downloads
- Skype 1.039 billion downloads
- Twitter 833.858 million downloads
- Candy Crush 805.826 million downloads
- Snapchat 782.837 million downloads
So, should you require your family to delete its favorite apps? Not even. A certain degree of vulnerability comes with the territory of a digital culture.
However, what you can and should do to ease that sense of vulnerability is to adopt proactive safety habits — and teach your kids — to layer up safeguards wherever possible.
Tips to Help Your Family Avoid Being Hacked
Don’t be complacent. Talk to your kids about digital responsibility and to treat each app like a potential doorway that could expose your family’s data. Take the time to sit down and teach kids how to lock down privacy settings and the importance of keeping device software updated. Counsel them not to accept data breaches as a regular part of digital life and how to fight back against online criminals with a security mindset.
Power up your passwords. Teach your kids to use unique, complex passwords for all of their apps and to use multi-factor authentication when it’s offered.
Auto update all apps. App developers regularly issue updates to fix security vulnerabilities. You can turn on auto updates in your device’s Settings.
Add extra security. If you can add a robust, easy-to-install layer of security to protect your family’s devices, why not? McAfee mobile solutions are available for both iOS and Android and will help safeguard devices from cyber threats.
Avoid suspicious links. Hackers send malicious links through text, messenger, email, pop-ups, or within the context of an ongoing conversation. Teach your kids to be aware of these tricks and not to click suspicious links or download unfamiliar content.
Share responsibly. When you use chat apps like WhatsApp or Facebook Messenger, it’s easy to forget that an outsider can access your conversation. Remind your children that nothing is private — even messaging apps that feel as if a conversation is private. Hackers are looking for personal information (birthday, address, hometown, or names of family members and pets) to crack your passwords, steal your identity, or gain access to other accounts.
What to Do If You Get Hacked
If one of your apps is compromised, act quickly to minimize the fallout. If you’ve been hacked, you may notice your device running slowly, a drain on your data, strange apps on your home screen, and evidence of calls, texts or emails you did not send.
Social media accounts. For Facebook and other social accounts, change your password immediately and alert your contacts that your account was compromised.
Review your purchase history. Check to see if there are any new apps or games installed that you didn’t authorize. You may have to cancel the credit card associated with your Google Play or iTunes account.
Revoke app access, delete old apps. Sometimes it’s not a person but a malicious app you may have downloaded that is wreaking havoc on your device. Encourage your kids to go through their apps and delete suspicious ones as well as apps they don’t use.
Bugs and breaches are part of our digital culture, but we don’t have to resign ourselves to being targets. By sharing knowledge and teaching kids to put on a security mindset, together, you can stay one step ahead of a cybercrook’s digital traps.
The post Breaches and Bugs: How Secure are Your Family’s Favorite Apps? appeared first on McAfee Blogs.
The WhatsApp security flaw received by far the most media attention and was very much the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely spyware called Pegasus, which can access the smartphone's call logs and text messages, and can covertly enable and record the camera and microphone.
From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack. This makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.
Should you be concerned?
WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on; it advertises that it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") are known to be used by government agencies in UAE, Saudi Arabia and Mexico.
So, if you are one of the 1.5 billion WhatsApp users, and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. If you were exploited, there would be signs, with unusual glitches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group exploitation.
How to Prevent
Update the WhatsApp app.
- Open the Apple AppStore App
- Search for WhatsApp Messenger
- Tap 'Update' and the latest version of WhatsApp will be installed
- App Version 2.19.51 and above fixes the vulnerability
- Open Google Play Store
- Tap the menu in the top left corner
- Go to “My Apps & Games”
- Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
- App Version 2.19.134 and above fixes the vulnerability
How to Prevent
Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability. Therefore, applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability.
Ensure automatic updates are always kept switched on. Windows by default should attempt to download and install the latest security updates. Typically you will be prompted to apply the update and accept a reboot; do this without delay.
To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.
- New Meltdown: Researchers discover New Hardware Vulnerability in Modern Intel Processors
- Vulnerability CVEs
Over the years kids have succeeded in staying one step ahead of parents on the digital front. Remember the golden days of social? Teens owned Facebook until every parent, auntie, and grandparent on the planet showed up. So, teens migrated to Instagram, Twitter, and Snapchat hoping to carve out a private patch of land for their tribe. And, according to a report in The Atlantic, the latest app these digital nomads have claimed as a covert hangout surprisingly is Google Docs.
Yes — Google Docs — that boring looking online tool many of us parents use at work to collaborate on projects. Google Docs is perfect when you think about it. The app can be accessed on a tablet, laptop, or as a phone app. It allows multiple users to edit a document at the same time — kind of like an online party or the ultimate private group chat.
To interact, kids can use the chat function or even highlight words or phrases and use a comment bubble to chat. Because teachers use the application in the classroom, kids are using Google Docs to chat during class without getting busted, or to dupe parents at home into thinking they are doing their homework.
Another big perk: Schools have firewalls that block social networking sites during school hours, but Google Docs is officially cleared for school use.
As with any app, what begins as a covert, harmless chat channel between friends can get malicious quickly as more and more people are invited into a shared document to talk.
Kids can easily share videos, memes, and hurtful, joking, or inappropriate content within a Google Doc. They can gang up on other kids and bully others just as they do on any other social network. Similar to the way images disappear on Snapchat in 24 hours or on Instagram stories, the “resolve” button on the Google Docs chat function allows kids to instantly delete a chat thread if a teacher or parent heads their way or hovers too closely.
Because Google Docs live on the cloud, there’s no need to download or install a piece of software to use or access it. Any device connected to the Internet can access a Google Doc, which means kids can also use it as a digital diary without a digital trail and hide potentially harmful behaviors from parents.
10 Ways to Coach Your Kids Around Digital Safety
- Know where they go. Just as you’d ask your child where he or she is going offline, be aware of their digital destinations online. Check on them during homework hours to be sure they aren’t chatting away their learning time.
- Check for other apps. If you’ve grounded your child from his or her smartphone for any reason, and they claim they have online homework to do, check their laptops and tablets for chat apps like Kik, WhatsApp, hidden vault apps, and of course, as we now know, Google Docs.
- Remember, it’s forever. Even if an image or video is “resolved” on Google Docs, deleted on Instagram or Twitter, or “vanishes” on Snapchat, the great equalizer is the screenshot. Anyone can take one, and anyone can use it to bully, extort, or shame another person anytime they decide. Remind kids of the responsibility they have with any content they share anywhere online — privacy does not exist.
- Sharing is caring. If your child is on Google Docs and you have a hunch they aren’t doing homework, ask them to share their document with you so you can monitor their work. Just hit the big blue “share” button and insert your email address and you will have immediate access to the homework document.
- Keep in touch with teachers. If your child’s grades begin to slip, he or she could be distracted at school. Ask about what apps are used in the classroom and alert the teacher if you think your child might be distracted, be it with technology or anything else.
- Parental controls. Hey, we’re busy because we’re parents. Enlist some help in monitoring your child’s online activity with parental control software. This will help you block risky sites, limit excessive app use, and give you a report of where your kids spend most of their time online.
- Look for red flags. Everyone needs and desires privacy, even your teen. The tough part is discerning when a teen is being private or trying to hide risky behavior. A few red flags to look for include defensiveness when asked about an app or chat activity, turning off a device screen when you come around, and getting angry when you ask to see their screen. Another sign of unhealthy app use is an increase in data use and fatigue at school from lack of sleep.
- Connect with other parents. Here’s the snag in the whole plan: The rules that apply to homework and devices at your house may not apply at other people’s homes where kids often study. Bullying or inappropriate online behaviors often take place under other people’s roofs. So get intentional. Keep in touch with other parents. Find common ground on digital values before letting kids go offsite for homework time.
- Talk, talk, talk. Your best defense in keeping your kids safe online — be it using apps or other sites — is a strong offense. Talk with your kids often about what they like to do online, what their friends do, and address digital issues immediately.
- Be flexible. Parental monitoring is going to look different in every family. Every child is different in maturity, and every parent-child relationship varies greatly. Find a monitoring solution that works for your family. Coming down too hard on your kids could drive them into deeper secrecy while taking a hands-off approach could put them in danger. Try different methods until you find one that fits your family.
Remember: You won’t be able to keep your finger on everything your child is up to online, but you can still have a considerable influence by staying in the know on digital trends and best online safety practices.
The post Social Underground: Kids Using Google Docs as New Digital Hangout appeared first on McAfee Blogs.