Don’t be blue on Valentine’s Day, SIM-swapping gang broken, US can search devices without a warrant at its border and more.
Welcome to Cyber Security Today. It’s Friday February 12. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
With Valentine’s Day on Sunday the Canadian Anti-Fraud Centre is reminding internet users to beware of online romance scams. Last year Canadians lost more than $18 million to people who befriended an unknown person on a dating site or by email. They fell for requests for loans, money to travel, for a medical emergency, family assistance, a business venture or for an investment in cryptocurrency. And it’s not just dating site pitches. Check Point Software says last month it spotted over 400 malicious Valentine’s Day-themed email campaigns offering deals on gifts like jewelry. A survey by cybersecurity vendor Tessian found one-third of respondents admitted falling for a romance scam. Remember, never send money or a gift to someone you haven’t met in person. Be wary of someone who you’ve been corresponding with that you haven’t met who says they love you — especially if they have excuses to not meet you in person.
Ten men have been arrested in Europe and accused of being part of a gang that was able to take over the smartphones of well-known people in the United States and the U.K. They did it by SIM-swapping, which is convincing wireless carriers to swap the SIM cards in victims’ phones to handsets they control. Usually crooks do this by using counterfeit ID in person or online. After getting access to the celebrities’ accounts they changed passwords to apps and bank accounts, then stole or bought over $100 million in cryptocurrency. They went after high-profile people including famous internet influencers, sport stars or musicians and their families. The best way you can avoid your SIM card being taken over is by having a PIN number on your cellphone carrier account. If a crook doesn’t know the PIN number the carrier shouldn’t change your phone.
Some Canadians are still traveling to the U.S. despite the pandemic. If you do, note this: A U.S. appeal court panel ruled this week that American border agents don’t need a warrant for a “basic” search of smartphones and laptops of people entering the country. If they have a reasonable suspicion of a crime they can do an “advanced” search. It’s not likely you’ll be asked to turn over your device, but if you’re traveling to any country think about deleting unnecessary things. Think about whether you need all your contacts, and all of the data that’s usually on your devices. Or have an almost empty phone and laptop just for traveling.
Microsoft’s monthly Patch Tuesday was only a few days ago but the company has been forced to release an emergency patch to fix one of its patches. It causes an older version of Windows 10 for desktops and servers to crash when connecting to certain Wi-Fi networks. If that happens to you go to Windows Update and install the latest patch. Hopefully that will solve the problem.
Last week I told you about a hack of data from the Washington State auditor’s office. It was blamed on a vulnerability of a file transfer application called FTA made by Accellion. There have been a number of recent hacks blamed on an alleged FTA fault. According to the ZDNet news service Accellion has now decided to retire FTA.
Some of the biggest names in technology including Microsoft, Uber, Yelp and Shopify should have the best cyber security. But a researcher named Alex Birsan says he tricked systems of these and 31 other companies into automatically downloading software code that could have been malicious. In a blog this week Birsan explained the tests were to show a hacker could take advantage of the fact that companies sometimes aren’t careful when posting the software code they’re drafting on the GitHub software development site. Very briefly, the projects have internal names within their code. Birsan was able to find those names and then create near copies of them for his fake code. The slight differences were enough to fool 35 companies into automatically uploading his packages of code. Had a crook done this it could have caused real damage to a company’s code. Because most of these companies have bug bounty programs that pay cash for people to find vulnerabilities in their applications Birsan has collected about $130,000 for his efforts — and taught companies a lesson. Many of them have either fixed this vulnerability or are working on mitigating it. I’ve simplified this, so if you want the full details see this link to his blog.
Finally, don’t forget that this afternoon my Week In Review edition podcast will be available. I’ll be talking to Terry Cutler of Montreal’s Cyology Labs about lessons learned from the attack on a water treatment plant in Florida. Listen to it later, or on the weekend.
That’s it for today. Links to details about these stories can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.