Tech Friday

posted by Brian Thomas -

  • National Cybersecurity Awareness Month:
    • October is National Cybersecurity Awareness Month (NCSAM)
    • NCSAM is an annual campaign to raise awareness and educate folks about cybersecurity
    • Many organizations and tech companies have partnered to support the campaign including The National Cyber Security Alliance (NCSA) and the US Computer Emergency Readiness Team (US-CERT)
    • The NCSA has compiled a list of security tips that you can view here: https://staysafeonline.org/stay-safe-online/
    • Things you can do to protect yourself:
      • Use strong passwords
      • Use Two Factor Authentication (2FA) where possible
      • Install software updates and patches regularly
      • Use anti-virus/anti-malware software and keep it up to date
      • Disable unneeded services and apps
      • Avoid public Wi-Fi
      • Backup your data
      • Limit the information you share online
      • Understand the privacy and security settings of the sites/apps you use
      • Only use vetted apps from known sources
      • Maintain a healthy dose of skepticism
      • Stay educated and aware of the risks
  • Google's October Android patches are out:
    • Google has published its October Android security bulletin outlining new patches
    • This month they also unveiled a new way of handling the security bulletins. In addition to the normal details about a partial patch level and a complete patch level, they have a new 'Pixel/Nexus bulletin' that documents additional bugs fixed on their devices
    • There are 14 fixes in this package, eight affecting the Android operating system and six for other components related to the kernel as well as some drivers
    • Several of the vulnerabilities are rated critical
    • "Security vulnerabilities that are documented in [the Android] security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in device / partner security bulletins are not required for declaring a security patch level," Google explains in a Q&A section about the new bulletin
    • Google lists a further 38 security vulnerabilities in the Pixel/Nexus bulletin which affect Android, and other components
    • Android device manufacturers may address issues in the Pixel/Nexus bulletin, but are not required to fix them to state their devices are at the latest patch level
    • For those with Pixel and Nexus devices, the September Android patch will be included in the Android 8.0 "Oreo" release
    • You can read the full bulletin here: https://source.android.com/security/bulletin/2017-10-01
    • To check your version and patch level, read this: https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices
  • Yahoo / Equifax breach update:
    • Yahoo has said about 1 billion people use at least one of its properties per month (this includes Flickr and Tumblr) 
    • Yahoo reported in 2016 that at least 1 billion records were breached in 2013, which was the largest known breach at that time
    • Yahoo wrote "The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected." 
    • bcrypt is "a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power." - Wikipedia
    • As part of the integration of Yahoo into Verizon, it was discovered that it's likely that every account has been leaked
    • External forensics experts worked with the Yahoo team to make this discovery
    • Yahoo made this disclosure in a recent update to its Account Security Update page. You can view it here: https://help.yahoo.com/kb/account/SLN28451.html?impressions=true
    • Yahoo was also hit by a hack in 2014, which affected roughly 500 million people. At this time, it is believed that hack is separate from the 2013 breach
    • In March 2017, the Department of Justice indicted four people in connection with the 2014 hack, two Russian spies and two hackers
    • Even if you haven't used Yahoo in a long time, you might become a victim of "credential stuffing", which exploits the reuse of the same credentials across multiple platforms. Hackers armed with these stolen credentials might be able to gain access to multiple platforms/sites
    • Industry research firm Gartner reported that a survey found 50% of users share passwords across sites
    • Hackers can accumulate information from numerous accounts to create "fullz", dossiers that contain lots of valuable information which can be used for identity theft and fraud, or sold outright
    • Yahoo users should:
      • Change their password
      • Change their security questions
      • Enable two-factor authentication
      • Ensure that any shared credentials are changed on other sites
      • Watch for suspicious activity in their Yahoo accounts and on other sites
      • Beware of phishing e-mails that attempt to exploit this hack by purporting to be from Yahoo and asking for information
      • Look for additional news from Yahoo
    • You can read the full statement from Oath (the Yahoo parent) here: https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
    • And then to add insult to injury, Equifax has increased the number of records affected by their breach by another 2.5 million, so something like 146 million records exfiltrated
    • Stay tuned for more information on each of these breaches
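As an added example (not part of the show notes), here is a small Python check of the kind a site operator might run over login logs to spot the credential-stuffing pattern described above: many distinct usernames tried from one source in a short window with mostly failed attempts, plus the accounts where a reused password did work and so need a reset. The log format and all values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2017-10-06T08:00:01 10.0.0.5 alice FAIL
2017-10-06T08:00:02 10.0.0.5 bob FAIL
2017-10-06T08:00:02 10.0.0.5 carol FAIL
2017-10-06T08:00:03 10.0.0.5 dave OK
2017-10-06T08:00:03 10.0.0.5 erin FAIL
2017-10-06T08:00:04 10.0.0.5 frank FAIL
2017-10-06T08:05:00 192.0.2.7 alice FAIL
2017-10-06T08:05:30 192.0.2.7 alice FAIL
2017-10-06T08:06:00 192.0.2.7 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.5):
    """Return {ip: stats} for sources that tried >= min_users distinct accounts within
    `window` with a low success ratio. One user retrying their own password (as 192.0.2.7
    does in the sample) touches a single account and is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):   # sliding window from each event
            span = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            ok_count = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and ok_count / len(span) <= max_ok_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(span), "successes": ok_count}
                break
    return flagged

def compromised_logins(text, flagged_ips):
    """Accounts that logged in successfully from a flagged source: their reused
    password worked, so they are the ones to force a reset on and notify."""
    return sorted({u for _, ip, u, ok in parse_log(text) if ok and ip in flagged_ips})
```

The thresholds are a starting point; tune `min_users`, `window` and `max_ok_ratio` against your own baseline of legitimate traffic before alerting on them.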

Brian Thomas

Based in Cincinnati, OH, the Brian Thomas Morning Show covers news and politics, both local and national, from a conservative point of view.