Commentary and resources to keep you safe & secure in today's interconnected world.
In this issue:
- "Wormable" Microsoft Flaw: What you need to do
- Cybersecurity shorts
- Software updates
As always, a lot happened in the cybersecurity world this month. Read on to learn more about:
- Why Microsoft users need to update their devices immediately
- A scam targeting businesses that has nearly doubled in the last year
- Why hospitals are growing more concerned about connected devices
- And much more
"Wormable" Microsoft Flaw: What you need to do
Microsoft has announced a major security flaw in its Windows software that rivals the WannaCry worm that infected thousands of devices in 2017. Microsoft warns that this vulnerability is especially dangerous because it requires no user interaction. In other words, once one device is infected it can quickly spread to another vulnerable computer on its own. While there is no evidence that the flaw has been exploited at this time, Microsoft believes that it is "highly likely" that it will be.
This new vulnerability is a part of the "remote desktop services" used by devices running Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows XP, and Windows 2003. Windows 8 and 10 users are not affected. However, many Microsoft users are running older versions of Windows and need to take action immediately.
How to update your devices
If your device is running Microsoft 7, Windows Server 2008 R2, or Windows Server 2008 and you have enabled automatic updates, your device will update automatically. You can ensure your device is running the most up-to-date software by going to the Update and Security page of the Control Panel or Windows Settings. If you do not have auto update enabled, you can also update your device in these settings.
This vulnerability is so serious that Microsoft has released updates for Windows XP and Windows 2003—operating systems that it stopped supporting years ago. If you are still using a device with Windows XP or Windows 2003 you can download the update here. It is strongly recommended that you upgrade to a more recent operating system. These older programs do not receive regular updates from Microsoft, leaving your device vulnerable at all times.
How to protect yourself going forward
The major area where cybersecurity experts and regular computer users differ is on running up-to-date software. Nine out of ten experts will tell you a key to keeping your devices secure is updating them as soon as possible. However, most consumers put off updating their devices and programs.
To make the process more streamlined, you should enable auto updates on all programs that allow it. To set your Windows device to update automatically follow the instructions below.
Windows 10 Devices
To set your Windows 10 device to download and install updates automatically, first click on the start button. From there select the gear icon to open Windows Settings. Then select Update & Security and choose Advanced Options under Windows Update. Under Update Options turn on Automatically download updates. When choosing this option, you don't have to worry about your computer automatically restarting when you are in the middle of something; your device will alert you before the restart occurs. Or you can choose a time for restarts to occur in the Update Options settings.
Windows 8 and 7 Devices
To set your Windows 8 or 7 device to update automatically, first go to start and open the Control Panel. Select System and Security and then Windows Update from that page. Then, click Change settings and choose Install updates automatically from the drop-down menu.
While you are setting auto updates for your Windows devices, you should review the update settings on other programs installed on your device as well. For example, if you use any Adobe programs they can be set to download updates automatically. Most Internet browsers will automatically alert you when updates are available so you can install them right away.
Keeping your devices completely up to date is one of the most beneficial cybersecurity actions you can take. That applies to the operating system, applications, programs, and browsers on your computer, smartphone, and tablets. Turning on auto updates allows you to rest assured that your devices are protected from security flaws.
This tax season may be over, but the IRS is currently behind on introducing new security measures that will help protect taxpayers. According to the Treasury Inspector General for Tax Administration, electronic authentication controls are missing on many of the programs on the IRS website used by the public for tax-related purposes. These controls allow the website to confirm that people logging into the site are who they say they are. The IRS is currently using controls based on a 2013 framework and were given one year to update, but the agency has failed to meet that goal. The IRS's timeline plans for the implementation to be complete in 2023.
Business Email Compromise (BEC) scam losses doubled in 2018, according to the FBI. The agency's annual Internet Crime Report states that the FBI received over 350,000 BEC scam complaints totaling in losses exceeding $2.7 billion in 2018. In the prior year, the scam costs businesses around $675 million. BEC scams have changed over the years. The FBI has reported an increase in BEC scams asking for payment in the form of gift cards, rather than wire transfer.
Facebook could be charged up to $5 billion by the Federal Trade Commission following an investigation into the company regarding the Cambridge Analytica scandal. The investigation is to determine whether Facebook violated a 2011 agreement made with the FTC promising to gain explicit consent before sharing user data. The FTC has not announced the fine amount yet but Facebook has put $3 billion in reserve.
Hospitals take a stand against unsecure medical devices. As hospitals have become a growing target for cybercriminals, administrators are testing medical devices for cybersecurity vulnerabilities more often and with more scrutiny. Those devices that are not up to standard are being rejected by many hospitals, causing a strain between them and the device manufacturers. Many bids now require that specific cybersecurity questions are addressed in the bid process.
WhatsApp breach allowed spyware to be installed on iPhones and Android devices allegedly from Israel's NSO Group. In the past, the NSO Group has created software used by governments to collect data and information by hacking into smartphones. When learning of the security issues, WhatsApp worked quickly to close the hole. Currently, it is unknown how many devices were infected with the spyware but the company believes the number could be in the dozens. Most people targeted have been lawyers or others who work in sensitive industries. If you are a WhatsApp user, be sure to update the App immediately.
Microsoft may drop password expiration policy that requires many users to change their password every few weeks or months. The policy was first implemented to protect users if their password was stolen. However, Microsoft now calls the policy "an ancient and obsolete mitigation of very low value." Many studies have shown that forcing users to change passwords actually results in less secure passwords.
Hackers breach Citycomp, an internet infrastructure firm that holds data on some of the world's largest companies such as Oracle, Volkswagen, and Porsche. The hackers are now blackmailing the company and posting some of the data from the affected companies online. They have demanded a ransom to protect the rest of the data.
Russian hacker stole $1.5 million through tax fraud scheme. Anton Bogdanov and others targeted the computers of U.S. tax-preparers, gaining access through a flaw in a remote access program used by many accountants. The hackers would allegedly change information on tax returns and direct the refunds to debit cards under their own names.
Credit card data stolen from online stores is becoming increasingly popular among hackers, according to security expert Brian Krebs. Card data stolen from online retailers is used by cybercrooks to make other online purchases. In the past, hackers preferred card data stolen from in-store purchases, which allowed them to create fraudulent clone cards. Experts believe the switch has to do with EMV technology. With these new cards, hackers can no longer create clone cards that work, but they can make online purchases with the data.
Google will introduce auto-delete control for users' location history and web activity. These features allow Google to recommend driving routes or other recommendations like nearby restaurants or stores, but many security experts warn of its dangers. Currently, you can totally turn off location and activity tracking through your Google Account. Now Google will provide other options allowing you to have all data deleted at 3- or 18-month periods.
Over 200 colleges and university bookstores were targeted by a cybercrime group called Mirrorthief. The group compromised PrismRBS, an e-commerce platform used by many college bookstores to collect payment information of students shopping at the stores. The number of affected stores is unknown, but PrismRBS immediately took steps to stop the attack.
Adobe: Another month and another round of updates for Adobe Flash and Acrobat/Reader. The security vulnerability in Flash is considered critical and should be updated as soon as possible. As a reminder, if you do not need Flash you should delete the application. Adobe will stop supporting it in 2020. The Acrobat/Reader update closes over 80 security issues. You can get more information on the updates here.
Microsoft: In addition to the very important updates discussed at the beginning of this newsletter, Microsoft has released additional updates this month for all operating systems. The updates close over 75 security issues, with many of them classified as critical. You can learn more about the updates here.