New ransomware hits Canada, Google criticized and a PIN punched in credit bureau’s security
Welcome to Cyber Security Today. It’s Wednesday, Oct. 10th. To play the podcast click on the arrow below.
A new strain of ransomware first reported in August is now being seen in Canada. This week a Canadian privacy lawyer told me he's learned of four cases of what has been called the Ryuk strain of ransomware seen in the last month in organizations here in the health care field. How they were infected isn't clear yet. In August the U.S. Department of Health and Human Services and Check Point Software issued alerts on this particular strain of ransomware. The way the attacks have gone suggests the people behind it have researched their targets well, probably infiltrating networks before launching the ransomware, because they know where the valuable data is. Organizations are advised to watch their security logs for suspicious behaviour and to make sure people with administrative privileges have to log in with complex passwords and multi-factor authentication.
Google is being criticized for not telling the public sooner about a vulnerability in its Google Plus social networking platform that could have let attackers gain access to the personal information of half a million users. In its defence Google says it couldn't find proof outsiders accessed the data; on the other hand, it admits it doesn't have extensive enough log information to do a full search of the two years the vulnerability was present. However, Canadian privacy expert Ann Cavoukian told me this was effectively a data breach. The Wall Street Journal says it was told Google didn't want to make the flaw public because it feared bad publicity. Well, that's what it got.
Finally, credit bureau Experian has been caught with a foolish flaw in the online PIN recovery process that protects an individual's credit record. Consumers who want one are issued a PIN to ensure only authorized lenders can access their report. You can put a credit freeze on your file if you think it's being improperly accessed, and use the PIN to lift the freeze again. But if you forget your PIN, it needs to be reset. How? By going online and answering four questions, like what's the model of your car. There are several listed choices; only one is correct. But one of the options is 'none of the above.' The flaw is that if someone chooses 'none of the above' for all four questions, the automated software issues a new PIN. A fraudster who figured this out could have accessed and tampered with anyone's credit report. Experian has fixed the flaw. Password and PIN reset systems drive security pros nuts. This is another example of why such systems have to be scrutinized carefully and toughened.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening.