In a society driven by technology, cyber security is dominating the headlines more than ever, and the past week was no exception. From high profile data breaches to cities being held by ransomware, there is always a story in the cyber security world.
Cyber criminals are becoming more sophisticated and unprincipled, therefore, keeping up-to-date on how attackers are exploiting weaknesses will help you get protected.
We’ve gone through some of the biggest cyber security stories from the past week in case you missed them.
On Friday afternoon Twitter CEO and co-founder, Jack Dorsey’s Twitter account was compromised. The group named ‘Chuckling Squad’ gained access to the account, using it to blast out a stream of unpleasant messages and plugs for their group’s discord channel. Luckily, within 15 minutes the account was back under control, however, the incident was a reminder of many things including how insecure phone-based authentication has become.
Chuckling Squad gained access through Twitters text-to-tweet service. To use the system it only requires users to link their phone number to their Twitter account, something that most do for security reasons already. According to a Twitter statement, Dorsey’s phone number was compromised due to a security oversight by the mobile provider. The type of attack is called SIM hacking, where the attacker would have convinced a carrier to assign Dorsey’s number to a new phone that they controlled.
Dorsey is not the first to be targeted by the Chuckling Squad with this type of attack. There have been a string of online influencers targeted previously.
Two popular VPNs, Fortigate and Pulse Secure have been targeted by hackers in an attempt to steal encryption keys, passwords and other sensitive data from servers that have failed to apply critical fixes.
Researchers at the Black Hat security conference said to exploit the vulnerabilities, unpatched servers are sent web requests that contain a special sequence of characters. The vulnerabilities are serious because they affect a piece of software that acts as a gateway to highly sensitive parts of an organisations networks. If exploited, attackers are able to penetrate those networks (a significant security concern!).
Representatives from both Fortigate and Pulse Secure have been urging their customers to patch their systems as soon as possible.
In what has been described as an “indiscriminate” attack, security researchers at Google announced they have found a number of malicious websites that were hacking into victim’s iPhones after being visited. Ian Beer, a security researcher at Google’s Project Zoo said “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant”.
Based off their analysis, Google said the vulnerabilities were being users to steal victim’s photos and messages, as well as track their location in the near-real time. The ‘implant’ could also gain access to the victim’s on-device bank of saved passwords.
Google privately disclosed the vulnerabilities in February to Apple, giving them only a week to fix the flaws and roll out updates to its users. Apple patched this issue in iOS 12.4.1. You should be applying this update to all your Apple devices if you haven’t already.
On Friday, Greg Abbott ordered a ‘Level 2 Escalated Response’ to the ransomware attack which stuck 23 Texas cities. Ransomware is a form of malicious software which usually works by taking over a victim’s computer and denies them access to their data. The attacker will then threat to publish or perpetually block them from it until a ransom is paid.
The malicious software for this attack was delivered through email attachments and links, costing cities across the country millions in damage. It has followed after attacks in other states including Florida, New York and Maryland.
Cyber security experts have since been deployed to assess the damage. Although the department has declined to name the specific cities impacted, they have commented the majority were smaller local governments.
Back in 2018, researchers revealed a serious flaw in the security of Tesla’s vehicles. In response to this, Tesla created a new version of its key fob that patched the underlying flaw. A year later, those same researchers say they have found another vulnerability.
The KU Leuven researchers haven’t carried out the attack as of yet, however, have proven it is possible. Tesla acknowledged this, and to prevent the possibility of attackers exploiting the technique, are rolling out a software fix.
The good news for Tesla customers is that the newer attack can be blocked with a software update, rather than a hardware replacement like in 2018.
The many stories and statistics hitting the headlines demonstrate why cyber security should be at the forefront of our consciousness in 2019. Verizon’s most recent Data Breach Investigation Report (DBIR) shows that almost half of all breaches occurred at small businesses. With this in mind, how secure do you think your business really is? If you would like help with your cyber security, why not take the first step and download our FREE White Paper >>