Mobile risks are increasing, QNAP NAS devices at risk, fraud prevention advice and more.
Welcome to Cyber Security Today. It’s Wednesday, March 16th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
With more people working out of the office, mobile security risks to organizations are higher than ever. That’s one of the conclusions of Zimperium in its annual Global Mobile Threat Report (registration required). It looks at data from Zimperium customers plus a survey of IT leaders. Forty-two per cent of respondents said that mobile devices and web applications had led to a security incident in the previous 12 months. Before COVID-19 only 40 per cent of organizations had a bring-your-own-device policy, the report notes. That may be over 70 per cent now as firms adjust to support remote workers. But threat actors have learned and are increasing attacks on mobile devices. This includes distributing malicious mobile apps; one was a phony Android system update. The report also notes that last year a record 17 mobile-specific zero-day exploits were discovered. IT and security teams must continuously monitor their growing attack surface, says the report, balancing user convenience with security.
In my podcast last Wednesday I reported on a major Linux kernel problem. It allows an attacker to overwrite supposedly read-only files. On Monday, network-attached storage manufacturer QNAP said this vulnerability also affects a number of its devices, including those running the QTS 5.0 and QuTS hero 5.0 operating systems. QNAP promises to release a security update soon and asks storage administrators to watch for it.
Developers using the OpenSSL software library for secure application communications should install the latest patch in their projects. According to an advisory issued by OpenSSL, a library function has a high-severity bug. If an attacker supplies a malformed certificate, the function can enter an infinite loop, causing a denial of service.
Here’s another example of why companies have to be upfront about data breaches: The U.S. Federal Trade Commission wants to hit the former owner of CafePress, an American custom T-shirt and merchandise site, with a $500,000 fine for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach in 2019. The FTC alleges a hacker accessed millions of email addresses and passwords protected with weak encryption; millions of customers’ names, physical addresses, and answers to security questions; as well as more than 180,000 unencrypted Social Security numbers. The FTC alleges the company didn’t tell customers about the breach. Instead, it only told them to reset their passwords. The former and current owners have agreed to a settlement, which includes the current owner beefing up its data security. The public has 30 days to comment on the consent agreement before it becomes final.
A security vulnerability in the case management software used by courts in many American states is suspected of being the cause of a leak last month of thousands of confidential or restricted records. These records include information about juvenile-court defendants, and up to 260,000 confidential discipline records involving California lawyers. The discovery was made by the legal news site Law360. The leaked records appeared on a website called judyrecords.com. It gives anyone the ability to search for hundreds of millions of American court cases. As of Tuesday, when this podcast was recorded, the search function had been temporarily disabled for two weeks. The site said this was done “out of an abundance of caution while any possible case access issues are resolved.” It says an explanation of what happened will be posted by the end of the week.
Home users of Honeywell’s Resideo internet-connected security and thermostat devices were puzzled earlier this week when their systems were down for almost 24 hours without explanation. Finally, on Tuesday the company tweeted that there had been system performance issues. They were not due to any external persons accessing its systems, Honeywell said. All user data remains secure, it added. Still, there was no explanation of what happened.
Finally, in some places around the world this is Fraud Prevention Month. According to the Canadian Anti-Fraud Centre, $379 million was lost to scams and fraud in 2021, an increase of 130 per cent compared to 2020. Security researchers at Trend Micro remind consumers that while companies do their best to prevent fraud, consumers have a role, too. That means not falling for emails with offers that appear too good to be true: for example, offers for free COVID Omicron PCR tests, offers for gift cards, and unexpected messages about Amazon and Canada Post deliveries. Never call phone numbers in, or open attachments or links from, emails or texts from unrecognized senders. And always go to the official website or application instead of using links from unknown sources. There are more resources at the Government of Canada’s Competition Bureau website.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.