World Password Day advice, your car’s infotainment system may be a privacy risk, a new hacker discovered and more security updates.
Welcome to Cyber Security Today. It’s Wednesday, May 5. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Tomorrow is World Password Day. It’s to remind people how to pick safer passwords, and how to protect them. Regular listeners may recall that Dinah Davis and I talked about this on the Week In Review show. Briefly, our advice boils down to this: Use a password manager so you don’t have to remember passwords, use multifactor authentication as extra protection against password theft, and choose safe passwords or passphrases. This week a number of security vendors are also issuing advice. Digital Guardian urges people not to share passwords with anyone – that includes room-mates, best friends and lovers. Parents, teach that to your kids. Don’t use easily guessed personal information like your name, birth date or phone number in your passwords.
Here’s another tip: Don’t use the names of famous people like athletes. They’re also easily guessed. And because Star Wars Day was this week a security company called Specops points out you should not use passwords with the names of Star Wars characters.
Many privacy-sensitive people worry about protecting the data and location information on their smartphones. However, they may not realize that plugging the device into an infotainment system in their vehicle is a risk, even if it’s just for charging. That’s the warning in an article this week on the news site The Intercept. Infotainment systems allow people to give voice commands to play smartphone music through the car’s stereo system, read email out loud or give directions. But they may also save smartphone data. The Intercept became interested after learning the U.S. Customs and Border Patrol recently contracted to use forensic kits, made by a company called MSAB, to download that data. The firm claims police customers can access data on where a car has gone, smartphone call logs, contact lists, text messages and other things. Depending on the jurisdiction, police may need a search warrant. Regardless, if your car has an infotainment system, think carefully before synchronizing your smartphone to it.
A few podcasts ago I mentioned that a code development tool called Codecov had been compromised, allowing hackers to siphon information from applications that used the tool. This week the communications app Twilio said some of its projects were affected, but not its critical systems. Developers who use Codecov should change the credentials and tokens used within their applications, and tell the customers they created applications for to also change their credentials and tokens.
FireEye’s Mandiant threat intelligence service has discovered a widespread phishing campaign targeting organizations in a number of countries. Launched by a new threat actor in December, the targeted email campaign tries to fool employees into clicking on a link and downloading a file. Tricks initially used include pretending to be an executive of a small California electronics manufacturing company. The subject lines of the emails had appropriate words that would catch the eye of the recipient. For example, a message sent to a finance firm would have the words “financing” or “appraisal” in the subject line. But others had clumsy wording like, “Dear worker.” What’s concerning is the downloaded files include malware not seen before. This new group is sophisticated in the use of technology. A link to the full report is here.
Here are a few security updates to tell you about:
Critical vulnerabilities have been discovered in the Exim mail transfer agent. It is vital Exim email servers be updated to the latest version, says Qualys, which discovered the problems. A total of 21 vulnerabilities have been found that could allow an attacker to take over the mail server.
Anyone with a Dell computer or server should be on the lookout for a patch to close several old but recently discovered vulnerabilities in a Dell driver. A patch is available now for Windows 10, and will be available soon for Windows 8.1 and 7. There’s a link to the security update here.
Finally, Apple has released security updates this week for Macs, iPhones, iPads and iWatches. Make sure they’re installed.
That’s it for now. Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.