Job scam alert, don’t get fleeced, keep track of certificates and another Windows update.
Welcome to Cyber Security Today. It’s Friday August 21st. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Earlier in the week I reported a cybercriminal is sending out targeted email job offers, hoping to steal passwords and personal information. Here’s a similar scam: On Thursday the FBI and the U.S. Cybersecurity and Infrastructure Security Agency warned that a gang in North Korea is doing some hacking involving job offers. It’s setting up fake job postings from well-known defence contractors to lure job hunters into clicking on links. Those links end up installing malware that lets the hackers spy on infected computers. As always it’s up to you to use caution when opening email attachments or responding to job offers that are too good to be true.
No one likes getting fleeced when buying a product. Unfortunately, some mobile apps in the Google Play store are still able to fleece people who download them. In June Google toughened the policies app developers have to follow so users are shown the true terms and costs of subscription-based apps. However, in a report this week security vendor Sophos said some apps in the Google store are still engaging in deceptive marketing. Some show billing details and terms in tiny print. For example, Sophos says, one says ‘3 Days Free, Then $89.99 a week’ in type so small it looks like just a light horizontal line. Some have a button saying ‘Try for Free,’ before showing the complete billing details, or give users a way to find out billing details before starting their subscription. So you may not know for how long or how much you’re on the hook for. Some apps with free trial versions may subscribe you unknowingly to other apps.
The lesson is to be careful what you download from app stores. Be careful with apps that offer free trials. If you have trouble finding out the cost of an app, that’s a bad sign.
Attention IT administrators with Cisco Systems infrastructure: If you’re running ENCS 5400-W Series or CSP 5000-W Series appliances, make sure the latest updates are installed. They fix critical vulnerabilities.
Here’s another call-out to IT administrators: Certain applications and web pages need a software certificate to verify communications with other websites or users. Periodically these certificates have to be renewed. If they’re not renewed your website won’t work. That’s apparently what happened to the streaming music service Spotify on Thursday morning when it went down for an hour. Someone in almost every organization has to keep an eye on certificate expiry dates. The practical way of doing it is through a certificate lifecycle management program.
Finally, most of you know that Microsoft bundles a bunch of security patches for Windows and other products for release on the second Tuesday of every month. Sometimes it also issues emergency fixes when things can’t wait. Yesterday was one of those days. So those of you using Windows 8.1 or Windows Server 2012 Release 2 should run Windows Update and make sure you’ve got the latest versions.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.