What's New: IT Security Newsletter March 2017

Can Password Managers Be Cracked?

A recent report from Germany-based TeamSIK (Security Is Key) has revealed vulnerabilities in password managers, including the popular LastPass, Dashlane, and 1Password. A key appeal of applications like these (in addition to providing one access point to all usernames and passwords) is the vault-like security that keeps hackers and other bad guys from snatching your passwords.

TeamSIK conducted a security analysis (that also included Mypasswords, Informaticore, Keeper, F-Secure Key, Hide Pictures Keep Safe Vault and Avast Passwords) that revealed that "despite their claims, password managers do not provide enough protection mechanisms for the stored passwords and credentials."

1Password and the other managers were informed of the vulnerabilities, which have now been patched. Even with this news, password managers are still generally a strong solution to keeping up with passwords and preventing users from sticking with password stinkers like "12345" and "password."

Banking Safely and Securely

We all have bank accounts. But when is the last time you stopped to think about the security of your accounts? Are you taking the right steps to protect your family from the dangers of cyber criminals who might try to hack into those accounts?

Here are several easy steps that you can incorporate into your banking habits and immediately begin protecting your assets:

  1. Gather all your banking information. Do you know all the banks and accounts that you have today? Do you have all the access information for these accounts, and if so, where is it kept?
  2. Focus on the most important accounts. These accounts should be the ones with the most sensitive data and financial information.
  3. Use strong passwords and set authentication controls to the highest levels. Take advantage of these settings. Too often, individuals choose passwords that are easily guessed or security questions that are too simple to answer.
  4. Keep up to date on the latest security patches. Always keep your operating system and other software up to date so that you minimize the "holes" in your PC.
  5. Be careful of how and where you connect to the Internet to access accounts. A public computer or an internet hotspot is not the place to be accessing your bank accounts and managing transactions. Wait to do that at home or on a secure network.
  6. Have a personal recovery plan. What happens if something does go wrong? If an account does get hacked, have a plan that allows you to "continue with business as usual." Periodically back up your data with a cloud service or a different hard drive. Keep a paper copy of critical phone numbers and account numbers so that you can contact the company or bank and address the problem immediately (but keep that document in a safe place).

By putting these steps in place, your family and finances will be much safer.

Ransomware Phishing Scams

One of the most popular phishing scams today is the ransomware phishing scam, which is estimated to account for about half of today's phishing attacks. In this attack, you'll get a message from what you think is a trusted source (such as a major bank, government agency, a utility, or even Facebook or Google). That message claims that there is a problem with your computer, mobile device, or account, and then gives you a realistic-looking link to click to "fix the problem." Of course, that link actually downloads your files to the scammer and loads an encryption program onto your machine, which encrypts some or all of your files. You'll then get a message saying that unless you pay a fee from hundreds to thousands of dollars through Western Union©, a credit card, or Bitcoin, your files can't be unlocked. In many cases, even if you pay the ransom, you don't get the decryption key, so you've lost both your money and your data.

The best way to recognize these scams and avoid falling victim to them is to check the sender's e-mail address. Real messages come from the source's actual domain, but these phishing messages all carry some slight modification to the address. For example, rather than "fbi.gov" or "google.com," the scammers will use "fbi.com" or "g00gle.com." If you see something like this in a message, it's a phishing scam, and the only thing to do is delete the message.
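The sender check described above can be automated for a mail filter or a help-desk triage script. The example below is added here and is not part of the newsletter; the trusted-domain list, the homoglyph table and the sample addresses are constructed for illustration, and the check goes slightly beyond the text by also catching one-letter typos such as "gooogle.com".

```python
"""Flag sender addresses whose domain merely looks like a trusted one.

Added example, not part of the newsletter. The trusted list and the
homoglyph table are constructed for illustration; they cover the
fbi.com-for-fbi.gov and g00gle.com-for-google.com cases in the text.
"""
from difflib import SequenceMatcher

# Constructed allow-list of domains the organisation actually trusts.
TRUSTED_DOMAINS = {"fbi.gov", "google.com", "facebook.com"}

# Digits and symbols commonly swapped in for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an address, ignoring display names."""
    # 'FBI Alerts <alerts@fbi.com>' carries the real address inside <>.
    if address.endswith(">") and "<" in address:
        address = address[address.rindex("<") + 1:-1]
    return address.rsplit("@", 1)[-1].strip().lower()


def registrable(domain: str) -> str:
    """Keep the last two labels: mail.google.com -> google.com."""
    return ".".join(domain.split(".")[-2:])


def classify(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address."""
    domain = registrable(sender_domain(address))
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.partition(".")[0].translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        trusted_name = trusted.partition(".")[0]
        # Same brand on a different top-level domain (fbi.com vs fbi.gov),
        # or the same brand once digit swaps are undone (g00gle -> google).
        if name == trusted_name:
            return "lookalike"
        # One-character typos such as gooogle.com or facebok.com.
        if SequenceMatcher(None, name, trusted_name).ratio() >= 0.85:
            return "lookalike"
    return "unknown"
```

An "unknown" result is not proof of safety; it only means the domain is neither on the allow-list nor an obvious imitation of one.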

Lastly, make sure that you and your organization are actively backing up data onto storage devices that aren't part of your network. That way, even if you or someone in your organization does get caught by a ransomware scam, at least you can restore some or all of your data with minimal loss of productivity.

Teddy Bear Turned SpyCam

A seemingly cuddly teddy bear that let family members connect over long distances via a wireless connection became a spycam for nefarious hackers instead. CloudPets, which allow parents and their children to exchange wirelessly recorded voice messages, are advertised as the perfect toy to bring military children closer to their deployed parents.

Unfortunately, while these children's military parents were off protecting us, Spiral Toys, the makers of CloudPets, failed to protect their customers: they took no measures to secure the database containing these personal messages along with the personal information entered during the registration process.

The CloudPets database was attacked twice and also held for ransom. In fact, the database is said to be making the rounds in the internet underground right now. Sources state that during its breach last year, the CloudPets database contained data on 821,396 registered users, 371,970 friend records (profile and email) and 2,182,337 voice messages. Email addresses, names, passwords, heartfelt messages, knowledge of who is away, possible deployment or return dates, names of immediate and extended family members... the list of what this compromised toy exposes is daunting. Moreover, the compromised data is still out in the hands of abusers.

Parents, grandparents, and other relatives: be sure to change your passwords across all applications and devices immediately, especially if you use the same password for multiple login screens.

Until IoT devices are regulated and developed with security protocols in place, they will remain a vulnerability, increasing our attack surfaces exponentially.
