
Cybersecurity Update: July 2016




It’s important to remember that with new technology come new threats. In the past few weeks a new Nintendo app, Pokémon Go, has swept the nation. Kids, millennials, and adults are all walking the streets to catch different Pokémon.

While the game has been praised for its ability to get users out and walking (you must move around in order to find and catch these virtual creatures), there’s also been a privacy backlash regarding the early version of the app.

A researcher found that iOS users who signed up to play via their Google account gave the game and its developer access to their entire Google life. That includes their emails, Google documents, search history, map location, and more.

The app has since been updated to restrict these permissions. But the story highlights the importance of taking a look at the security aspect of any new fad.

Smaller financial institutions more likely to be hacked

Hacks at financial institutions with less than $35 million in annual revenue have increased nearly 30% in the first half of 2016. A new study by specialty insurance company Beazley discovered that 81% of breaches in the financial industry occurred at smaller banks and credit unions, up from 54% in the previous year.

These smaller institutions typically have less security than larger banks, making them easier targets for hackers to spread malware and ransomware. In fact, 43% of financial services breaches studied by Beazley were caused by malware.

In one instance, a bank was hit with malware which stayed hidden on their internal system for six months. The malicious software allowed hackers to create fake accounts and withdraw money. Up to 30,000 individuals may have had their names, credit card numbers, and Social Security numbers exposed.

Twenty-seven percent of breaches at these institutions stemmed from “unintended disclosure,” often an employee mistake. For example, one firm fell for a spear-phishing attack where scammers sent fraudulent wire transfer requests, resulting in a transfer of money and exposed information of up to 3,000 customers.

But the financial services industry is not the only one in danger—data breaches in general are on the rise. In the first half of 2016, Beazley saw 955 data breaches, up from 611 breaches in the first six months of 2015. The number of ransomware attacks reported to Beazley has already doubled compared to last year, with 86 since January. The total number of ransomware attacks in all of 2015 was 43.

The healthcare industry, higher education organizations, and retail continue to be hit hard as well. The majority of healthcare breaches stem from mistakes, which highlights the need for better employee education and data management. Universities and retail environments are most likely to be hacked via malware.

Emerging threats

Child ID kits designed to help protect your child may actually be causing harm, according to the Identity Theft Resource Center and the National Center for Missing and Exploited Children. These kits, which contain a photo, fingerprints, DNA samples, medical reports, and more, are designed to help law enforcement in the case of a missing child. But that amount of sensitive data could lead to child identity theft if the kits fall into the wrong hands. The agencies warn that some of these kits are scams and urge parents and guardians to do extensive research before deciding on a company.

Hacker creates fake passport to break into Facebook account. Facebook user Aaron Thompson had two-step login set up on his Facebook account, but a hacker still found his way in. The hacker emailed Facebook support pretending to be Thompson and said he was locked out of his account and did not have access to his mobile phone. He asked Facebook to turn off login approval. Facebook asked the hacker to send a photo of his ID to confirm his identity. The hacker then created a fake passport and was able to access the account.

Cybersecurity shorts

Sixty percent of Republican National Convention (RNC) attendees sign on to dangerous free Wi-Fi. Avast Software set up an experiment at the RNC creating several different free Wi-Fi networks with names like “Trump free Wifi” and “Google Starbucks.” In one day, over one thousand attendees connected to one of the networks, allowing Avast to access files and activity on their devices. Five percent of attendees used the Wi-Fi to play Pokémon Go, while others accessed dating apps Tinder and Grindr.

Federal Deposit Insurance Corporation covered up Chinese hack, according to a House of Representatives Science, Space and Technology Committee report. Investigators found that Chinese spies accessed over ten computers and servers at the FDIC, including the computer of the FDIC chairman. The report also discovered that the agency tried to hide the hack and employees were told not to communicate about it via email so the conversation would not become government record.

Hacker leaks Democratic National Committee (DNC) strategy. Documents shared by the hacker, Guccifer 2.0, reveal the DNC’s $800,000 budget and strategy for countering the Republican National Convention. A donor sheet containing names, addresses, phone numbers, dollar amounts, and email addresses of over 17,000 people was also leaked.

Hooked on Pokémon Go? Check your privacy settings. Researcher Adam Reeve discovered that iOS users logging into the game via Google were giving the game developer, Niantic, full access to their Google account. This means the app could access your received emails, send emails from your account, view and edit Google Drive docs, access your search history, and more. Pokémon Go has since been updated to revoke this access. Be sure to update your app immediately or edit your settings to limit Niantic’s access.

President Obama raises concerns about how information is shared throughout the government. According to the president, the U.S. needs to be more careful about how sensitive information is transmitted to keep it safe from foreign hackers. Obama recommends better training of all government employees at every level.

Counterfeit cards on the decline thanks to EMV switch. Auriemma Consulting Group found an 18% decrease in counterfeit card activity in the first quarter of 2016. Experts believe this trend is partially due to new EMV cards. The computer chips inside these cards make them impossible to duplicate. Since the switch, however, other forms of fraud—such as identity theft and fraudulent applications—have increased.

Over 1,000 Wendy’s affected by point-of-sale malware. The fast-food chain originally reported that only 300 locations were impacted by the breach that began in 2015. It now says that over 1,000 locations had data stolen through a third-party service that had access to its cash registers. One credit union has already filed a lawsuit against Wendy’s, and more are likely to come. The National Association of Federal Credit Unions says the volume of fraud from this breach could exceed that of the Target breach.

Cybersecurity takes a back seat in election cycle, according to Bloomberg BNA. While voters are concerned about online security, they often think the topic is too complex and leave it to the government to deal with. But neither Republican nominee Donald Trump nor Democratic nominee Hillary Clinton is spending much time talking about cybersecurity on its own. Rather, the topic usually appears in conversations about national and economic security. Clinton has recently released a fact sheet on her cybersecurity platform while Trump has not.

Cybercrime numbers surpass traditional crime in the United Kingdom. A new report from the nation’s National Cybercrime Agency found that 36% of all crime was categorized as cyber-enabled fraud, and computer misuse made up 17%. According to a report done by the U.K. Office of National Statistics, 2.11 million people in the U.K. were victims of cybercrime in 2015, with over 2.46 million reporting cyber incidents.

Over one-third of identity theft victims have no idea how their information was stolen, says IdentityForce. In other words, most victims don’t know what actions they should take to close their cybersecurity vulnerability. Victims could have exposed themselves via phishing email and still don’t know how to spot a fraudulent message. Or they may still be using public Wi-Fi. Locking down your cybersecurity can prevent a compromised identity.

Library of Congress faces four-day cyberattack. Experts believe the library was hit with a distributed denial of service (DDoS) attack, where hackers push a large amount of traffic to a website at one time to take it offline. During the four-day period, some websites were unavailable. The agency is now up and running.

Facebook rolls out new feature to halt account impersonation. The tool will alert you if someone creates an account using your name and picture. You can then verify whether or not you are being impersonated. The social media giant is also improving its options for reporting inappropriate photos. Now, users who report a picture will also be provided with resources such as legal options and support groups.

New Android operating system aims to fight ransomware. The OS (named Nougat) will not allow programs to change users’ passwords as previous operating systems did. By stopping this process, malware strains would not be able to reset the device’s password and lock the user out.

Twitter CEO Jack Dorsey has account hacked by group OurMine. The group, also responsible for hacking Mark Zuckerberg, hacked Dorsey’s Twitter and tweeted from the account. It’s possible they discovered Dorsey’s password in one of the latest breaches, such as LinkedIn.

New service aims to track your Social Security number. Civic, a new free service, will track your Social Security number and send a push notification to your phone if it is used. Right now it is unclear how well the service will work, as it must use third parties to obtain information. There’s also concern that Civic will become a target for hackers due to the sensitive information it is holding. If you freeze your credit file, you don’t have to worry about tracking your Social Security number at all.

CiCi’s Pizza suffers payment card breach at over 130 locations. According to the restaurant chain, malware was found on point-of-sale systems at different restaurant locations. The company says most frauds occurred in 2016, but some locations were affected in 2015.

Software Updates

Adobe: A patch to close over 50 security vulnerabilities in Adobe Flash Player and Adobe Reader was released this month. Many of the vulnerabilities are critical and you should update right away. You can learn more and download the Flash Player update here. You should update Adobe Reader so that it is running v.15.017.20050.

Microsoft: A critical security flaw active since 2007 was finally patched by Microsoft. The flaw was found in all versions of Windows since Windows Vista and would have allowed hackers to remotely run software on other computers via networked printers. The update was included in the latest Microsoft Security update. Microsoft also released 11 patches this month for Internet Explorer, Edge and Microsoft Office. Six are considered critical.