March 2019 Savvy Cybersecurity Alerts

Welcome to the March 2019 edition of your Savvy Cybersecurity newsletter. What’s your cybersecurity plan for the year?

It is important to think of your cybersecurity plan from a tactical standpoint as well. What can you do at home and in your business to be more secure? Perhaps you should review the Savvy Cybersecurity Quick Reference Guide or the Business Protection Checklist and pick three actions you’d like to do in the next 90 days.

Read on to learn more about cybersecurity happenings this month including:

• The Apple FaceTime flaw
• Why you need to check your credit status at Equifax
• An alert for Nest users
• And much more

What you need to know about the Apple FaceTime flaw

A 14-year-old discovered a major flaw in Apple’s video chat software last month. Grant Thompson went to FaceTime his friend and discovered that he could eavesdrop on his friend’s call before he even answered. The flaw was a part of the newer feature; Group FaceTime which allows multiple Apple users to video conference at one time. When a second person was added to the call, the original caller could capture the video and audio of the first person before they answered.

After Grant discovered the eavesdropping issue, his mother immediately tried to notify Apple via Apple Support, email, fax, and social media with no response.  A week passed before a developer reported the same flaw which sent Apple rushing to create a fix while disabling Group FaceTime.

Apple immediately faced criticism for the security flaw itself and the slow response time. The American Civil Liberties Union released a statement warning users that the bug “carried serious potential privacy implications.” Other security experts explained that this flaw should have been caught by Apple before the software went live, considering how easy it was to manipulate.

What Apple users should do

If you are an iPhone or iPad user, Apple has released a software update that closes the Group FaceTime flaw. iOS 12.1.4  was released a week after the initial discovery and fixes that flaw along with other issues discovered in a security audit.

Your device should prompt you to update automatically. However, if you want to manually check for the update you should open the Settings app on your device, then select General, and then Software Update.

The importance of up-to-date devices

It is important to stay on top of software updates for all of your programs and devices. More often than not, these updates are released to address critical security issues. Not updating your software leaves you vulnerable to viruses and malware attacks. Whenever possible, you should enable auto-updates for your programs and devices. This ensures that you will be getting the latest updates as soon as they are released.

Cybersecurity Shorts

Facebook secretly gives teenagers e-gift cards to track their web activity. The social media giant is facing backlash after reports of asking teenage users to install a VPN app that would give Facebook access to their phone and internet activity. The VPN app, called Facebook Research, gave Facebook access to private messages, emails, web searches, and even location history. In exchange for their data, the teens were given $20 in e-gift cards per month. Since reports of the program came out, Facebook has shut down the program for iOS users. .

Family Tree DNA allows FBI agents to search genealogy database. The home-kit genetic testing company has allowed the FBI to access its database in the case of violent crimes. The FBI will not be able to freely browse all genetic profiles, but the agreement does bring up privacy concerns. Many users are unhappy with the news.

Voya Financial exposes Social Security numbers of some registered reps and financial advisors. A memo distributed to Voya advisors explained that an error on the “Find a Professional” webpage exposed Social Security numbers if the link to the broker’s biography page was pasted into a text message or social media. This glitch occurred between April 2016 and November of 2018. It is unknown how many advisors were affected.

Google launches new browser extension that alerts users if they are using a compromised username. Password Checkup, the new browser plugin, will tell users if they are using a login combination that has previously been exposed in a hack. You can add the plugin here.

Nest users are warned to strengthen passwords after one family’s security camera is compromised. The home security company states that while they have not suffered a breach, many users may make themselves vulnerable to being hacked by repeating their Nest password for other accounts. Nest is also advising users to activate two-factor authentication on their Nest accounts

Your iPhone apps may be recording your every tap, according to TechCrunch. Certain popular apps such as, Expedia, Air Canada, and Hotels.com use a program called Glassbox that allows companies to see how its customers interact with the app. Often, the user is not aware that this program is being used and that their usage is being tracked.

Forty-six percent of Americans believe having their identity stolen would be worse than having their home broken into, yet 90% still practice risky cybersecurity actions according to a study by CreditCards.com. For instance, 80% of users repeat passwords online with 60% using the same password more than half the time. One-third of people admit to carrying their Social Security card in their wallet. These behaviors put you more at risk for an identity theft situation.

Credit Unions hit with phishing campaign. These malware-laced emails were sent specifically to Bank Security Act (BSA) officers who are in charge of reporting possible money laundering according to security writer, Brian Krebs. These emails appeared to come from BSAs at other credit unions and reported potential money laundering from one of the credit union’s customers. A malware-infected document was attached to the email. The National Credit Union Association conducted a review and does not think that any information was compromised.

Some Equifax credit reports unlocked without notice. Individuals who enrolled in the free TrustedID Premier program through Equifax after its massive 2017 breach may no longer be protected. The program expired on January 31, 2019 and credit reports were unlocked at that time. According to Equifax, subscribers were sent an email with a one-year extension or advised to place a security freeze on their credit. If you signed up for TrustedID Premier, be sure you freeze your credit.

Do you know where the U.S. ranks in cybersecurity? In a study comparing cybersecurity among 60 nations, the U.S. comes in fifth behind Japan, France, Canada, and Denmark. The nations were compared using data such as the percentage of devices infected with malware, the number of financial malware attacks used to steal money from bank accounts, and the percentage of attacks by crypto miners. The study also considered legislation and preparedness plans.

Software updates

Adobe: Adobe released updates for Adobe Acrobat and Reader this month closing over 70 security issues. You can learn more and download the updates here.

Apple: Apple released iOS 12.1.4 which includes a patch for the group face time flaw. Your device should prompt you to update automatically. You can read more about the update here.

Microsoft: Microsoft released over 70 security patches this month, 20 of which were considered critical. One bug was a zero-day exploit affecting Internet Explorer. The flaw would allow attackers to scan for specific files on a target’s computer.  Your device should update automatically, but you can find the updates here.