Security advice for students, two open databases full of personal information found and six bad Android apps discovered.
Welcome to Cyber Security Today. It’s Friday September 4th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Students are heading back to school this month, but because of COVID a lot of them will still be learning online — either full or part-time. Dave Masson, director of enterprise security at Darktrace, reminds students that crooks are still trying to take advantage of people’s fears about the pandemic, sending emails with offers to sell pandemic-related supplies like masks. What they really want with these and other pitches is to steal passwords. In an interview he urged students and parents to take basic precautions with their home computer systems to prevent being taken advantage of. That includes making sure the default password on home internet and WiFi routers are replaced with secure passwords. In some cases — for example, a parent working from home on sensitive material — it might be safe to have separate Internet providers for youngsters and adults. Just as important is to ensure everyone in the family uses a password manager and strong and different passwords for every site they log into. Finally, it may be necessary for students to use a virtual private network for added privacy when logging into a school network. They should check first with their school board because a VPN may interfere with video conferencing. But certainly a VPN should be used when connecting devices to public WiFi networks in malls and restaurants.
Another clumsy employee apparently left a huge pile of personal records left open on Amazon storage. The news site CyberNews discovered the unsecured database of 23 million Americans held by an online marketing company called View Media. This data included peoples’ names, addresses, email addresses and phone numbers to be used for marketing campaigns by customers. There were also business documents. Companies use Amazon compute and storage services to run their businesses or for extra computing and storage power. Either way, data stored has to be strongly password-protected. It isn’t known if this open database had been found and copied by criminals and then used for spam and identity theft.
More serious is word that a U.S. cellphone carried called Assist Wireless left tens of thousands of customer documents open on the Internet. Found by a security researcher and reported to the TechCrunch news site, the documents included images of drivers’ licences, passports and Social Security cards. Customers would have submitted them to sign up for services. Assist Wireless provides free government-subsidized cellphones to low-income Americans. The carrier told the news service the problem was with a plug-in to its IT system for optimizing images. By default the plugin backs up images in a separate folder. But this backup folder was open for anyone to see if they knew how because it wasn’t secured.
Another plugin problem has been discovered. Again it affects the WordPress content management platform that a number of web sites use to put things online like news and blogs. A security company called Wordfence warned this week of a vulnerability in a plugin called File Manager for WordPress. It could allow a hacker to infiltrate a WordPress site and wreak havoc. This plugin has been installed in over 700,000 sites, so administrators should install it fast.
A 26-year old Colorado man was sentenced this week to 11 years in prison for being a moderator of the AlphaBay online criminal marketplace. It sold stolen identity information, credit card numbers, guns, drugs and other illegal material. As a moderator Brian Herrell settled disputes between buyers and sellers. He also watched for attempts to defraud marketplace users. In 2017 a Canadian living in Thailand and believed to be the founder and overall administrator of the marketplace was arrested. Not long after he was found dead in his cell. Police said he committed suicide.
Researchers at security company Pradeo are urging Android users to delete six apps discovered to have malware. These apps trick users into paying for unwanted premium services. These apps are called Safety AppLock, Convenient Scanner 2, Push Message-Texting &SMS, Emoji Wallpaper, Separate Doc Scanner and Fingertip GameBox. This is a reminder to those loving mobile apps: Just because an app is in a reputable store doesn’t mean it’s safe. Some bad ones slip through. As always, read reviews carefully. It helps to get an opinion from someone you know who has already downloaded an app.
Finally, because Monday is the Labour Day holiday in Canada and the U.S., my next podcast will be on Tuesday. Until then, have a great long weekend.
Remember links to details about many stories can be found in the text version of each podcast at ITWorldCanada.com. Subscribe to this podcast on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon