Data Privacy Week advice, terrible patching statistics and more
Welcome to Cyber Security Today. It’s Wednesday, January 25th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
This is Data Privacy Week. My stories with advice for businesses are posted on ITWorldCanada.com. For individuals wanting to improve their privacy online, here are a few tips: Say as little about yourself on social media as possible. No one online needs to know your birthday, or that you bought a new house, new car or jewelry. When you register for an internet service or buy anything online, find out how much personal data is collected. Is it really necessary for the transaction? What will the website do with your personal data? When you get a mobile app for your smartphone, pay attention to what it accesses before installing it. Does it need to access your contact list, the phone’s camera or microphone? Some websites offer ads. Can you opt out of the ads? You should be told when website data-collecting cookies are being used and given the choice of not allowing them. Finally, privacy is related to your cybersecurity practices. So create safe passwords. Use a different password on every site. Use a password manager to keep track of them. And keep the operating systems of your computers and smartphones up to date by installing the latest patches. Don’t forget to patch your home WiFi router. For more information go to StaySafeOnline.org and the Office of the Privacy Commissioner of Canada.
Encrypted backups made by users of GoTo Central, GoTo Pro, Hamachi and RemotelyAnywhere were stolen by a hacker in an incident last November, GoTo has admitted. Worse, the hacker got an encryption key for some of the encrypted backups. The scrambled backups were stolen from a third-party cloud storage service used by GoTo. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multifactor authentication settings, as well as some product settings and licensing information. In addition, while GoTo Rescue and GoToMyPC encrypted databases were not copied, multifactor settings of a small subset of their customers were. GoTo is resetting the passwords of affected users and reauthorizing multifactor authentication settings where applicable.
Hackers love exploiting unpatched vulnerabilities. One reason is companies are slow to install fixes. How slow? According to Orange Cyberdefense, a division of the European cellular provider called Orange, only 20 per cent of its customers are installing security patches in 30 days or less after fixes are released. Even some critical vulnerabilities aren’t fixed until six months after a patch is issued. And some vulnerabilities aren’t discovered or patched at all. The report, given to The Hacker News, doesn’t explain why it can take so long for some holes to be dealt with.
Two vulnerabilities in Samsung’s Galaxy App Store have been discovered by researchers at NCC Group. One could have allowed a hacker to automatically install a malicious app on a device without the owner’s knowledge. This problem only affects devices running Android 12 or lower. The other problem could have allowed an app store user to be sent to an attacker-controlled domain. Samsung has released a new version of the Galaxy App Store. All Samsung mobile device users should open the app store on their devices and, if prompted, download the latest version of the store.
Attention users of the Dashlane, Bitwarden and Safari browser password managers. Make sure you’re running the latest versions. Google says it has discovered a vulnerability allowing usernames and passwords to be automatically filled into untrusted web pages without the user having to enter their master password and launch the password manager.
Finally, users of the WordPress education plugin called LearnPress are being warned to update to the latest version. This comes after researchers at Patchstack discovered several critical vulnerabilities. This plugin allows WordPress customers to create and sell courses online. The fix was published in December but many users may not have heard.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.