Star Wars scams, unsafe child trackers, Honda car owner data exposed and last-minute security gifts.
Welcome to Cyber Security Today. It’s Friday December 20th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
The last installment of the Star Wars Skywalker saga opened yesterday and already scammers are taking advantage. Security vendor Kaspersky found over 30 fraudulent websites and social media profiles pretending to be official movie accounts. Some are trying to sell Star Wars-themed goods and free copies of the movie. What they are really doing is collecting credit card data, personal data and spreading malware. So don’t fall for links promising an early view of any upcoming film or TV show and make sure websites are legitimate by reading reviews. Finally, if you are going to download a video file, check the extension. It should end with .avi, .mkv or .mp4. It should never end with .exe. That’s an executable file, and will be malware.
In September I told you about a report warning of serious security problems in smartwatches and fobs for kids that allow parents to track where their children. Some models allow anyone to track users, not just parents. Well, yesterday another security company issued a more detailed report, arguing that as many as 47 million of these child, pet and car trackers lack proper security. The report from Pen Test Partners argues many manufacturers buy generic components that aren’t designed with security in mind. So the problem isn’t in just a few brands, it’s in hundreds of them. The particular problem is the device doesn’t confirm that the device owner is requesting the tracking data. This serious enough that two years ago Iceland banned one brand of child tracking watches, and Germany has banned several of them. The testers’ advice: Don’t buy trackers for kids, pets or cars. There’s a link to the full report in the text version of this podcast.
An American contract employee for the international manufacturing firm Siemens Corporation was sentenced this week to six months in jail plus two years of supervised release after pleading guilty in a U.S. court to damaging a company computer. The goal was to have the company keep giving him work. He would sabotage spreadsheets he’d been hired to create, so periodically they’d crash. Then Siemens would have to pay him to fix the problem.
Honda has admitted someone left a database with records of 26,000 North American vehicle owners open on the Internet due to a misconfiguration. Security researcher Bob Diachenko, who discovered the database, said there were customer names, email addresses, phone numbers mailing addresses and some vehicle information including its ID number. No financial or password information was there. Once notified Honda closed off public access. Diachenko believes the database was open to the public for over a week. What could a criminal do with such seemingly minimal information? Send phishing messages to people appearing to come from Honda to trick them into giving up sensitive information. Companies still aren’t getting the message to employees on how to safely store data.
Finally, there’s still time to do holiday cyber security shopping. Think about these gifts for yourself, a family member or a friend:
–A USB memory stick is an inexpensive stocking stuffer that can be used for backup storage. Sixteen-gigabit sticks from brand name manufacturers are cheap — and some come in packages of three. Just make sure they’re in a sealed package from a brand-name company. Memory sticks are also good for making a Windows recovery drive in case you have a problem. Search for “How to make a Windows Recovery Drive” to find out how to do it.
–USB sticks can go up to 256 Gigs, but that may not be enough to back up photos and videos. One choice is online or cloud storage. But if you want something in your home get a portable hard drive or flash storage of at least 1 Terabyte. These are the size of a small paperback and come with backup software. Right now in Canada a 4 TB backup drive from a brand-name maker costs $150.
–I talk a lot about using two-factor authentication in addition to having a username and password for logging into apps. But for some it’s a hassle to set up and get the extra login code. A USB security key is an alternative. You don’t need to receive a special code to log in. The key is the extra factor. You plug it into your computer or smart phone’s USB slot, then touch it with your finger to confirm identity. You keep it on a key chain. So even if someone steals your laptop or phone, they have to have the physical key to use it. One version is called a Yubikey, and there are several models. Prices start at $20. For more information search for Yubikey. Google makes the Titan Security Key.
–How about a subscription to a software password manager? Many are free, but a paid version has more features. This is more a gift for yourself because the features needed by each user can differ. But perhaps a family member you consult would appreciate one.
–Consider a subscription to a virtual private network app. VPNs help ensure privacy if you connect to Wi-Fi in public places like malls, hotels, arenas and airports. Again, some are free but paid versions have extra features. Just make sure the VPN is from a reputable company.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon