Cyber Round-up for 29th November
Welcome to the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Over the holiday season, online fraud increases significantly, which is why it is so important that you understand how to shop online safely and securely. The National Cyber Security Centre (NCSC) have created a guidance post to help you understand the dangers of online fraud, and how to effectively minimise the risk of being hit. Some of the advice includes strong password practice, MFA, choosing where to shop and avoiding unknown links. We highly suggest taking the time to read this guide so that you don’t become a victim of online fraud over the holidays.
Twitter has offered its users two-factor authentication for a few years now, but it has relied on a method that required a phone number, so users have been waiting for a more secure way to protect their accounts. As of last week, Twitter is allowing you to remove your mobile phone number from your account, while also introducing the use of WebAuthn for 2FA. This change was largely the result of their CEO Jack Dorsey recently having his account compromised. This gives users a more secure experience that is both easier and safer to use. If you do not already, we highly recommend enabling 2FA on Twitter to reduce the risk of your account and any associated personal information being stolen.
The Chinese-manufactured kids' smartwatch SMA M2, which is being used by 5,000 children worldwide, has been discovered to have multiple vulnerabilities that leak the user's personal data; this includes GPS data. Researchers found the data in an unencrypted, publicly accessible web API, sent from the watch's SIM card. This product is very dangerous as it can reveal the location of everyone using it, as well as the names and ages of the child and parents; another flaw also allows attackers to potentially listen to all transmitted voice messages and manipulate messages sent from the device. If you continue to use these smartwatches, we highly recommend updating them, or simply avoid using them; at the very least, consider the security risks they present.
As we get closer to the UK Tax Self-Assessment deadline on 31st January, HMRC are actively trying to educate their customers on the dangers of tax scams. They have published a blog discussing tax scams and how you can effectively spot and avoid them. In the last year, almost 900,000 customers have reported suspicious contact from HMRC and over 100,000 of these were confirmed to be scams. HMRC want to keep their customers safe and have compiled a list of advice that they recommend looking into. This includes what to look out for when checking if you're being scammed, and what kind of information attackers may ask for. We encourage all customers to take a look at this guide to help protect themselves from tax scams.
Vulnerabilities & Updates
Adobe recently disclosed a security breach that is affecting users of the Magento Marketplace; the marketplace allows users to buy plugins for Magento-based online stores. The breach occurred because of a vulnerability that allowed an unauthorised attacker to gain access to sensitive account information belonging to registered users; however, it was confirmed that no account passwords or financial information were exposed in the incident. Shortly after the breach, Adobe took the marketplace down, but have announced that it is now back online and fully operational.
The research team at Kaspersky Lab has discovered 37 CVE-listed vulnerabilities, including memory-corruption and remote code execution flaws, that are affecting Virtual Network Computing (VNC) remote desktop software. These flaws pose a serious threat to users of the product and can potentially allow an attacker to remotely take control of a target computer. According to the research team, these flaws are affecting around 600,000 users who have public-facing machines with VNC access. Immediate software updates are highly recommended so that you are not at risk from these serious vulnerabilities.
And that's it for this week's round-up, please don't forget to tune in for our next instalment.
Edition #69 – 29th November 2019
Ironshare – Security Simplified