Three data breaches, botnets used for credential stuffing attacks and a macOS update.
Welcome to Cyber Security Today. It’s Wednesday September 26th. To hear the podcast, click on the arrow below:
 |
 |
 |
Three data breaches to tell you about:
–Shein, an online fashion retailer, says some 6.4 million customers may have been affected by a data breach over the summer. Stolen data include email addresses and encrypted passwords. Depending on how the passwords were scrambled, the thieves may not be able to use them. Still, the company is telling customers to change their passwords to the site. Shein didn’t give details, only saying it was a sophisticated attack.
–Meanwhile NewsNow, a British site that aggregates news from a number of sources, was hacked. According to security writer Graham Cluley, the company emailed subscribers to say their encrypted passwords might have been copied. As a result it is urging people to change their passwords.
–Finally, someone at the United Nations apparently pressed the wrong keys and left open to the world a UN server running the Trello project management suite. As a result, passwords and other sensitive material were exposed. The researcher who discovered the boo-boo alerted the UN, but the organization took several weeks before finally accepting there was a problem. It isn’t known if anyone else stumbled upon the open information.
I’ve talked about botnets and what you should be doing to make sure your Internet connected devices — including routers, home surveillance cameras, TVs and digital recorders – aren’t abused by criminals. Botnets are huge chains of these devices whose combined computing power is used for nefarious purposes. Spreading malware is one. A new report from Akamai describes another: Using a botnet to automatically and repeatedly try log into companies to steal information or your money. They do it with millions of stolen passwords and usernames. They hope people like you have used a password on more than one site and can cash in – literally, if they can get into your bank account. Companies have defensive measures they can take, but the report says a lack of teamwork in the IT department can be an obstacle. Meanwhile you can help in several ways: Make sure your passwords are strong – and a password like a day of the week isn’t strong – change default passwords after you buy an Internet-connected device, and make sure you don’t re-use passwords. To keep control over all your passwords, use a password manager. And, if given the option, use multi-factor authentication for extra login protection.
A U.S. judge has handed a 14-year prison sentence to a man arrested in Latvia for helping hackers be more efficient. Ruslans Bondars designed and ran an online service which for a fee would scan attackers malware to see if it could evade anti-virus software. The service ran from about 2009 to 2016. One criminal customer used the service to test malware that was later used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States. The judge found that the service contributed to losses totaling over $20 billion.
Finally, Apple has released the latest version of its macOS operating system that includes security fixes. It’s version 10.14, dubbed Mohave, and you should make sure it’s on your iMacs and MacBooks.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.