Advice on protecting encrypted laptops, insecure mobile apps found and guilty pleas from a hacker
Welcome to Cyber Security Today. It’s Friday September 14th. To hear the podcast, click on the arrow below:
Encrypting your laptop’s hard drive is a good decision to protect the device against theft, particularly if you have to leave the laptop for a few minutes. Some versions of Windows come with encryption software called BitLocker, while Mac laptops have FileVault. There are third-party solutions as well. But security researchers at F-Secure say that, depending on what you do when you leave your laptop unattended, Windows and Mac laptops are still vulnerable. The reason is that the disk encryption key sits in RAM while the machine is running or asleep, and memory chips don’t lose their contents the instant power is cut. An attacker with physical access can reboot the machine and read the key out of memory before it fades. That is what is called a cold boot attack. So your first protection is never to let your laptop out of your sight. If you do have to leave it, don’t put the laptop into sleep mode. Either shut it down or put it into hibernate mode, both of which power the machine off so the key is no longer held in RAM. If you use BitLocker, turn on the feature requiring you to enter a BitLocker PIN before Windows starts, so the key isn’t loaded into memory until you’ve authenticated. Apple also recommends users set a firmware password in addition to a regular login password.
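As an added example, not part of the podcast and not code published by F-Secure, Microsoft or Apple, here is a PowerShell script that checks a Windows laptop for the two weaknesses described above (a TPM-only BitLocker protector that unseals the key silently on every boot, and sleep rather than hibernate as the default power action) and then hardens them. It assumes an elevated PowerShell on Windows 10 or 11 Pro/Enterprise with the BitLocker module, that the system drive is C:, and that the caller supplies the PIN. The registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones written by the "Require additional authentication at startup" Group Policy setting; the function names are our own.

```powershell
# Added example: audit and harden a Windows laptop against the cold boot
# scenario above. Assumes an elevated shell, the BitLocker module, and
# C: as the system drive. Test-ColdBootPosture and Set-ColdBootHardening
# are names chosen for this example, not Microsoft cmdlets.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Test-ColdBootPosture {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

    # 'Tpm' alone means the TPM releases the key on every boot/resume with
    # no user secret; 'TpmPin' / 'TpmPinKey' require a PIN first.
    [pscustomobject]@{
        Encrypted        = ($vol.ProtectionStatus -eq 'On')
        PreBootPin       = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinKey')
        TpmOnlyProtector = ($types -contains 'Tpm')
        RecoveryPassword = ($types -contains 'RecoveryPassword')
        HibernateEnabled = [bool]$power.HibernateEnabled
    }
}

function Set-ColdBootHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][SecureString]$Pin
    )

    $before = Test-ColdBootPosture -MountPoint $MountPoint
    if (-not $before.Encrypted) { throw "$MountPoint is not BitLocker-protected" }
    if (-not $before.RecoveryPassword) {
        throw 'Back up a recovery password protector before changing protectors'
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Require TPM+PIN at startup')) {
        # Local equivalent of the GPO "Require additional authentication at
        # startup": require a startup PIN (1) and do not allow TPM-only (0).
        $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord

        # Add the TPM+PIN protector first, then drop the silent TPM-only one.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess('power plan', 'Hibernate instead of sleep')) {
        # Lid close and power button: 1 = sleep, 2 = hibernate. Set both the
        # AC and battery values on the current scheme, then re-apply it.
        powercfg /hibernate on
        foreach ($setting in 'LIDACTION', 'PBUTTONACTION') {
            powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $setting 2
            powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $setting 2
        }
        powercfg /setactive SCHEME_CURRENT
    }

    Test-ColdBootPosture -MountPoint $MountPoint
}

# Usage (interactive):
#   Test-ColdBootPosture
#   Set-ColdBootHardening -Pin (Read-Host -AsSecureString 'Startup PIN') -WhatIf
#   Set-ColdBootHardening -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Run Test-ColdBootPosture first; a result with TpmOnlyProtector set and PreBootPin clear is exactly the configuration the podcast warns about, because the TPM hands the key to Windows without asking anyone. The hardening function refuses to touch protectors unless a recovery password protector already exists, since a mistyped PIN with no recovery key locks you out of your own disk. Use -WhatIf to see the changes before they are applied.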
This week Microsoft released its monthly Patch Tuesday fixes. If you don’t have automatic security updates turned on, now’s the time to get those patches manually. One reason is Microsoft has fixed a bug in the Edge browser that allows website addresses to be spoofed, so the address bar shows one site while you are actually looking at a phony page. The same vulnerability exists in Apple’s Safari browser. However, it apparently won’t be patched until iOS 12 is released. The bug doesn’t affect the Chrome or Firefox browsers.
There’s more evidence mobile software developers aren’t doing a good enough job in making their applications secure. A scan by the American Consumer Institute Center for Citizen Research of 330 of the top apps in the Google Play store found 32 per cent of them had vulnerabilities, some of them serious. Among the ones that had problems were apps from Trip Advisor, Wells Fargo and the Bank of America. Many apps are regularly updated, so when the center re-tested the apps several weeks later, many had been patched. Still, some hadn’t including Vivid Seats, used to buy and sell event tickets. The lesson is clear: In the rush to get mobile apps out the door many companies are sloppy.
Finally, in the legal world, Peter Yuryevich Levashov, a 38-year-old Russian citizen accused of operating the Kelihos botnet, pleaded guilty Wednesday in the U.S. to computer crime, fraud, conspiracy and identity theft charges. Earlier this year he was arrested in Spain and extradited to the U.S. According to Security Week, his sentencing has been scheduled for a year from now, and he will remain in custody until then. It’s uncommon for sentencing to be put off that long. Maybe it’s a sign Levashov is working with police to dismantle other cybercrime operations.
And a Romanian court ruled that hacker Marcel Lazar Lehel, known as Guccifer, will be extradited to the U.S. to serve a four-year and four-month jail sentence after he finishes his seven-year sentence in Romania. He broke into 100 email accounts, including those of former Secretary of State Colin Powell and at least one member of the Bush family. He pleaded guilty in 2016.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.