Why a good password isn’t good enough, COVID vaccine documents altered in a hack and intimate photos found unprotected.
Welcome to Cyber Security Today. It’s Wednesday January 20th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
Another successful password attack to tell you about. It was against the OpenWRT Project. This is a group that offers a free Linux-based operating system for wireless routers, smartphones and other embedded systems. On Saturday a hacker broke into the account of an administrator of the project’s forum. That’s where software developers exchange ideas. The hacker was able to download a copy of the forum’s user list, which includes email addresses and the users’ forum names, although these may not be their real names. In a security notice the project says the victimized administrator had a good password. But they didn’t use two-factor authentication as extra protection against compromise. The hacker didn’t get user passwords. But knowing email addresses will be enough to launch phishing email against them with malicious attachments. And some of those in the forum may work for IT companies, which could be compromised if a forum member clicks on a link. As a result the forum is advising all users to change their passwords.
The lesson here is everyone should use two-factor authentication as an extra step to protect logins, especially administrators. No site is too small to be hacked.
Last week I reported that a regulator called the European Medicines Agency had been hacked and information on the Pfizer COVID-19 vaccine was stolen. Here’s an update: Some of the data has been published on the Internet by the attackers. Not only that, some of the correspondence between people was altered in a way that could undermine trust in vaccines. In a statement the EMA makes it clear authorizations of vaccines are granted only when the evidence shows convincingly that the benefits of a serum are greater than the risks.
Police regularly warn people not to post intimate photos of themselves on social media, or text or email them to friends. You never know where they’ll end up. The latest example comes from researchers at vpnMentor, who discovered 32 gigabytes of poorly protected data including nude images apparently from the discontinued app called Fleek. Fleek, sometimes called Mojo, billed itself as an uncensored alternative to Snapchat. It allowed people to post x-rated photos of themselves. Like Snapchat the images on Fleek were supposed to be automatically deleted after a short time. But the researchers found a huge pile of images that had been copied and stored on an unprotected Amazon Web Services bucket. Probably it was put there by the former app’s developers. Why? Possibly to create a chat room where men would pay to have access to the images. Were other people able to find and copy this stash of images? Are they trying to match photos with people for blackmail? We don’t know.
Meanwhile the international police co-operative known as Interpol warns that dating apps are being used by criminals to spread investment scams. It works like this: A person using a dating app makes a friend. Once an online relationship is established the so-called friend starts sharing investment tips. They then encourage the victim to download a trading app and open an account to buy various financial products. The goal, the victim is told, is to work their way up to Gold or VIP status on the trading app. Then suddenly the victim is locked out of their account. Their money is gone. So is their so-called friend. Always be skeptical when people online suggest how to spend your money.
Finally, Google has released a new version of its Chrome browser. You should now be on version 88. There’s also a new version of the Brave browser.
That’s it for today. Links to details about today’s stories can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.