- Obama's Cybersecurity Plan
- Savvy Cybersecurity Threat Spotlight #3: Skimming
- Emerging Threats
- Cybersecurity Shorts
- Software Updates
Welcome to the first 2015 edition of the Savvy Cybersecurity Newsletter. Expect more hacks in the coming year as the downside of exponential technology growth enables the bad guys to expand their attacks.
Obama's Cybersecurity Plan
President Obama addressed the growing cybersecurity threat in his State of the Union address last week. He urged Congress to pass cybersecurity legislation that would help protect American consumers and children from identity theft and cybersecurity issues. Obama warned, "If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
While Obama did not go into the specifics of his plan during his State of the Union speech, he did outline new legislation in speeches leading up to the address.
During his speech at the Federal Trade Commission, Obama proposed the Personal Data Notification and Protection Act. This federal law would force companies to notify customers of any security breach within 30 days of discovering the breach. Currently, state laws control how quickly a company notifies consumers but there is no national standard. This law would also crack down on cybercriminals by making it illegal to sell stolen personal and financial information overseas.
Obama also wants to protect students' privacy and data as more technology is introduced into the classroom. The proposed Student Digital Privacy Act would protect students' data from being sold to third parties from apps and programs used in school. This would ensure that students and teachers could use new technology (such as apps and software) without worrying about data being sold to companies for non-educational purposes.
The White House wants to encourage companies to share details of cyberattacks on their systems to help prepare and protect other companies from similar attacks. This voluntary program would ask companies that suffered an attack or breach to send information to the Department of Homeland Security's National Cybersecurity and Communications Integration Center. These companies would be rewarded with liability protection.
Some privacy and cybersecurity don't believe the new laws will improve cybersecurity in the US. While they believe that these proposals could help consumers after a data breach or cyberattack, experts would like to see the White House address how to stop these attacks before they happen. Nonetheless, many are happy that this cybersecurity conversation is happening.
Cybersecurity Threat Spotlight #3: Skimming
Do you inspect the ATM before inserting your card? How about gas pumps and ticket machines? If not, you should start taking a closer look.
"Skimming" is a popular fraud scheme in which a thief installs a device on an ATM or other machine that will copy your debit/credit card information when you insert your card. According to the Secret Service, about $1 billion is stolen every year through skimmers. The average skimming theft is $500-$800.
Skimming devices can be very small and hard to detect if you are not on the lookout.
While skimmers were originally found on standalone ATMs, fraudsters have progressed to putting them on ticket machines, such as those used to purchase train tickets or pay for parking. Skimmers have also been found on gas pumps and even some restaurant card payment readers.
There are steps you can take to limit your risk of being skimmed:
- Only use ATMs that you trust. ATMs at your bank are usually more closely watched than ATM machines at convenience stores or on the street corner.
- Inspect the ATM or card reader before entering your card. If the card reader seems flimsy or looks like it was altered —do not use the machine.
- Cover the keypad when entering your PIN. Many skimming devices also use a camera to record the PIN that you enter. By covering your hand, you can cover the camera from catching your PIN.
- Trust your gut. If something doesn't look or feel right—find another ATM.
To learn more about skimming, check out Brian Kreb's series on skimmers here.
An increase in smart-home devices this year leads cybersecurity experts to worry about potential hacks. The "Internet of Things" is worrisome because many of the devices being created do not have strong security and could easily be hacked. The hacking of medical devices, security systems, and cars could be incredibly dangerous. In addition, the companies that create these devices could sell data about your personal activities, health, and schedule to advertising agencies or other companies. Experts urge consumers to do their research before purchasing "smart-home" devices.
Phishers target Affordable Care Act, according to the United States Computer Emergency Readiness Team. The fake email appears to be from a US government agency and instructs recipients to follow a link and download a PDF document to learn more about their health care coverage. The link and document really install malware onto the user's computer. By hovering over the link, one can see that it doesn’t lead to the Affordable Care site but rather to a site in Turkey. If you receive an email like this, delete and do not click any links or downloads.
DHS issues cybersecurity alert for Microsoft's Windows Server 2003. Microsoft will be ending support for this server operating system in July 2015. Currently, there are over 12 million servers still using this operating system which will become a problem if they are not updated before July 14, 2015.
Better Business Bureau warns of Gmail scam. In this scam, phishers send an email appearing to be from Google alerting you that you've exceeded your email limit quota or that you have a deferred email. They instruct you to click on a link for more information which really downloads malware onto your computer. Remember EMAIL: Examine Messages and Inspect Links.
McAffe Labs predict top cybersecurity threats for 2015. The company believes there will be an increase in cyber warfare between nation-states this year. They also predict more attacks on Internet of Things devices, as they grow more popular. Other threats include: ransomware, mobile attacks, data privacy, and others.
Bank refuses to pay ransom—hackers release client data. Swiss bank, Banque Cantonale de Geneve was hacked by a group called Rex Mundi. The hackers demanded ten thousand euros and threatened to release the personal information on the banks 30,000 clients. The bank refused to pay the ransom and their clients' data was released online.
SEC may publish results of cybersecurity exam taken by financial firms. The agency issued an exam in 2014 to about 100 financial firms to gauge their level of cybersecurity knowledge and readiness. The exam also investigated whether these companies had experienced a breach or had malware on their systems. Releasing these results may pressure companies to improve cybersecurity.
US Central Command Twitter account hacked by a group that posted messages claiming to be from ISIS. The hackers also posted a list of generals and their addresses but the government has said the document is not confidential.
Cyberattack test planned for UK and US banks. Later this year, banks in New York and London will respond to a simulated cyberattack on their systems. This test will aim to measure the banks' preparedness for cyber threats. A "cyber-cell" will be established so both countries can work together to respond to the attack. Are you prepared to respond to an attack?
NSA broke into North Korea's network before Sony hack, according to a new government document. The document explains how the NSA placed malware on North Korean hackers' computers to track what they were doing. From this, US officials say they are able to connect the Sony Hack to North Korea.
LeapLab, a data broker, sold Social Security numbers, bank account numbers, and other identifying information to companies that had no need for the data. The company has now been sued by the Federal Trade Commission for making consumers more vulnerable to fraud. Ideal Financial Solutions, a company that purchased the data from LeapLab, was found to be making fraudulent withdrawals from consumers' bank accounts. They are also facing a lawsuit. The FTC's lawsuit shows that federal regulators are beginning to crack down on all parties involved in data collection and selling.
Use caution when re-gifting your digital devices. Before you give your old device to a new owner, make sure you completely remove any personal and financial data. To do so, you must permanently delete the data from the hard drive. Simply deleting files off the desktop is not enough. You may want to consult a computer expert to help you with this before handing over your device.
Potential data breach at Chick-fil-A locations around the country. The fast food restaurant is working with law enforcement to investigate the potential fraud. The majority of fraud seems to be from restaurants in Georgia, Maryland, Pennsylvania, Texas and Virginia.
Virtual kidnapping scam is on the rise in the New York City metro area. In this scam, a fraudster calls and claims that they have kidnapped a relative and demand a ransom payment. While they have not really kidnapped your loved one, they convince you to wire money to Puerto Rico for their release. If you receive a call like this you should contact the police before sharing any information.
An email account is one of the most dangerous accounts that can be hacked. If a hacker gets into your email, it becomes much easier for them to gain access to more of your accounts. If you are one of the million people who have a Gmail account, you should read up on how to make your email more secure. And even if you do not use Gmail, these tips can still apply to your email account provider.
New EMV, chip-encoded, credit cards will start being issued in the United States this year. While these types of credit cards are supposed to reduce fraud, the cards will not be used to their full potential in the US. EMV cards in Europe require consumers to enter a PIN when making a purchase. However, in the US, consumers will only be asked to provide their signature which is the same method used now. Because PINs will not be mandated, it is unlikely that EMV cards will solve the fraud problem.
Park 'N Fly and OneStopParking.com confirm data breach. Both companies discovered an issue with their online payment systems. Users' names, credit card numbers, addresses, card expiration dates, and CVV codes may be at risk.
Microsoft: Microsoft released eight updates for Windows software. One of the updates is critical. You can find more information about the holes and download the updates here.
Adobe: Adobe issued a patch to close nine security holes in Adobe Flash. Internet Explorer and Google Chrome should automatically download this update but you may need to restart your browser. You can also download the patch manually here.
Adobe also released a patch for Flash Player after a zero-day exploit was discovered. You can download it here.
Firefox: Firefox released a new version of its browser this month which adds various new features and closes holes. Firefox should update on its own when you restart the browser. You can find more information here.
Java: Oracle released a quarterly patch for Java this month which addresses 19 security holes—13 of which are severe. Security experts warn that if you do not need Java on your machine, you should uninstall the program. If you do, you should update immediately. The update can be found here.