Security News – WK4 May 2016

The great Linkedin hack

A hacker called “Peace” recently tried to sell a password database of ~117 million LinkedIn login details that came as the result of a 2012 breach of the professional networking site.

In a blog post published on May 18, LinkedIn CISO Cory Scott wrote, “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.”

All affected passwords are being reset, Scott wrote, and all those impacted will be notified. “We have no indication that this is as a result of a new security breach,” he added.

There is a high possibility that users who have not changed their password since that time will have been compromised. Even worse, the common practice of password reuse on other sites could result in hackers having access to those sites as well.

MySpace, Tumblr and Fling are other sites that were caught up in the same hack and are vulnerable too. If anyone has a MySpace ( new ) or LinkedIn account, now is the time to both change your password and enable 2-factor authentication.

As unwieldy as it sounds, using a distinct and unique password for each site is the way to go. This is a huge burden for users with accounts on many sites, but a password manager ( like KeePass ) can greatly improve security and automate the chore of logging into sites.

TeamViewer becomes a remote pawn

The last month has seen a marked increase in TeamViewer attacks, either due to a breach of TV’s own systems or due to the password reuse issue described above. The exact cause is not known yet, but the problem is accelerating, with more victims coming to the fore each day. Attackers are logging into TeamViewer-accessible systems, dumping browser credential databases ( another reason to use a password manager instead of the browser’s password store ) and using those credentials ( yes, people are saving their banking login details in the browser’s password manager ) to access financial systems, transfer money and cause all sorts of chaos.

One option is to not leave TV running on systems but rather to activate it as required. Not efficient or easy to use, but certainly much safer.

Squatting

Can you spell? Well, that may be the difference between getting to the correct site or not. And between being safe or not.

A class of threat called typosquatting makes use of sites with addresses that are similar ( but not the same ) to well-known sites, to host malware. E.g. let’s say you wanted to go to www.ibm.com but actually typed in www.bmi.com. You don’t notice the mistake and get sent on to a site that looks like www.ibm.com but is not. In addition, this mistaken site now hosts malware that infects your machine.

This issue is more common than one would like to think and malware authors are starting to put up a lot of sites with domain names that are similar to mainstream and popular sites. It’s not just important to monitor the SSL certificates of websites but also the address itself – this is especially true for transaction sites like online banking, eCommerce and the like. Be wary …
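A defender-side check for the near-miss addresses described above, added here as an example and not part of the original post: it scores hostnames against a constructed allowlist using an edit distance that counts adjacent letter swaps as one edit, so both the www.bmi.com example and single-letter substitutions are flagged. The allowlist, the sample hostnames and the two-label domain normalisation are assumptions for illustration.

```python
"""Lookalike-domain check: flag hostnames that are a near miss of a trusted name."""

# Constructed sample allowlist; in practice this is the set of sites you transact with.
TRUSTED = ["ibm.com", "linkedin.com", "myspace.com"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'ibm' -> 'bim' is a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_part(host: str) -> str:
    """Normalise a hostname to its last two labels, dropping a leading 'www.'.
    Simplification (assumed): multi-label public suffixes such as .co.uk are not handled."""
    labels = host.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted=TRUSTED, max_dist: int = 2):
    """Return (trusted_domain, distance) when host is close to, but not exactly,
    a trusted domain; None for an exact trusted match or an unrelated name."""
    cand = registrable_part(host)
    if cand in trusted:
        return None
    hits = [(t, osa_distance(cand, t)) for t in trusted]
    hits = [(t, dist) for t, dist in hits if 0 < dist <= max_dist]
    return min(hits, key=lambda h: h[1]) if hits else None


def scan(hosts):
    """Run the check over a list of hostnames (e.g. pulled from browser history or a proxy log)."""
    return {h: lookalike_of(h) for h in hosts if lookalike_of(h)}


if __name__ == "__main__":
    # Constructed sample of hostnames seen in browsing history.
    sample = ["www.ibm.com", "www.bmi.com", "linkedln.com", "example.org"]
    for host, (target, dist) in scan(sample).items():
        print(f"{host}: {dist} edit(s) from trusted {target}")
```

Exact matches on the allowlist are never flagged, so the check only fires on the ambiguous cases where a certificate alone would not tell you that you are on the wrong site.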

WordPress plugins, again …

WordPress is the most-used blogging platform in the world and has become very popular with website designers as well. WordPress has been a favourite target for hackers, but the developers are fairly proactive and, for the most part, WP itself is kept secure. The same cannot be said for WP’s impressive 3rd party plugin library, where anyone can store and offer plugins.

These are regularly hacked, including popular and well-maintained plugins. Recently, the WP Mobile Detector plugin was found to have a vulnerability that is being actively exploited to distribute porn-related spamming scripts. The plugin has been removed from the official WP plugin directory, but there are probably many site owners out there that are still vulnerable. There is no update for this issue yet, so the only option is to disable the plugin.

Healthcare and your ( digital ) health

The breaching of healthcare systems is becoming an almost daily occurrence. This makes it even more concerning when healthcare companies ( e.g. Discovery ) want to automatically provide your health status to 3rd parties via systems like Discovery HealthID. Like financial information, health details are some of the most private data that a private individual possesses. One cannot discount the benefits of 3rd parties having access to life-saving critical data about you, especially in emergencies, but how is this data handled and secured outside of those emergencies?

I’m only using Discovery as an example here – they state in their T&Cs:

I understand that once Discovery Health has shared my information with authorised medical practitioners, Discovery Health has no further control over this information and they will not be accountable for its safeguarding. I also understand that the authorised medical practitioners have confirmed to Discovery Health that they will treat my information as confidential and in line with applicable laws.

and

I agree that by making this information available, Discovery Health will not be responsible for any loss or damage (whether direct or indirect) that may arise from the use of this information, other than where it is due to or attributable to grossly negligent or fraudulent conduct by Discovery Health.

What chance would one have to prove negligent conduct by one of these large companies? Food for thought.