Database with 5 billion records left open, Rogers warns Canadians of data exposure and FBI warns of financial help scam.
Welcome to Cyber Security Today. It’s Monday March 23rd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
To hear the podcast click on the arrow below:
 |
 |
 |
You don’t expect cybersecurity companies to be sloppy. But, people can make mistakes. And someone apparently made a whopper at a British-based security company. This firm has been compiling a list of data breaches dating back eight years with 5 billion records including passwords and email addresses. But last week researcher Bob Diachenko found the database while searching the internet because it wasn’t protected. So out in the open were passwords, although some were scrambled. However many others were not. Security experts said there was enough information for hackers to launch targeted phishing attacks at people. Hopefully, by now all of the victims over the years have been notified and changed their passwords. For listeners who are technical, this was an Elasticsearch database, commonly used by companies to search data they hold. Managers have to make staff understand that if a database is open to the Internet it can, and will, be compromised.
Speaking of open databases, Canadian carrier Rogers Communications has started notifying customers that one of the companies it deals with left a database open with addresses, phone numbers and email addresses. No credit card, banking or password information was exposed. However, those email addresses could be used for phishing attacks. And some of those phone numbers were cellphone numbers, so Rogers is preventing those from being switched to another carrier without authorization. You may recall me talking about SIM card swapping fraud last week.
On Friday I warned about a coronavirus email scam aimed at Canadians trying to take advantage of an announcement of help from Prime Minister Justin Trudeau. The FBI says there’s a similar scam going on in the U.S. The message is asks recipients to verify their personal information so they can receive an economic stimulus check from the government. What’s really going on is a crook stealing personal information. Remember, governments will not send unsolicited emails asking for your personal information to send you money. With governments promising financial help during the pandemic crisis expect more email scams like this. People looking for government help need to resist the hope these are legitimate messages.
With more people working from home cyber attackers can be expected to ramp up phishing and other ways of getting at corporate data using all sorts of tricks. More than ever be careful with email or text messages that appear to come from your IT department or company officials asking you to click on links for personal information, passwords or to transfer money. Have a phone number to officials you can call if something is suspicious. Do not use the phone number in a suspicious email. Remember, the email of a senior official may be hacked so a suspicious message can be from a legitimate account.
Finally, administrators of websites using the Drupal content management system should make sure they are running the latest versions of the application. Patches have been issued to plug serious vulnerabilities. And Google is in the process of rolling out updates to the Chrome browser.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon
