Data breach at an international student insurer, avoid stalkerware and the latest business email scam.
Welcome to Cyber Security Today. It’s Wednesday May 19th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A Canadian-based insurance firm called guard.me has begun notifying policyholders of a data breach. The Markham, Ont., company specializes in covering international students not protected by government insurance. According to the Bleeping Computer news site, policyholders are being told the company spotted suspicious activity on its website on May 12th. Data accessed includes dates of birth and genders. The email and physical mail addresses, as well as phone numbers of some policyholders, were also copied. The data breach notification also says the company is now adding two-factor authentication to protect logins.
Does your organization allow employees to use the Internet Explorer browser? Do you as an individual use it? If so, better make sure the browser is patched. Bitdefender says an exploit kit used by a number of cyber attackers now includes ways of getting at two unpatched vulnerabilities in Explorer to deposit malware. Victims get hit just by going to an unsuspecting but infected website. By the way, one of those patches dates back to 2018, the other to 2019. Why they haven’t been installed yet by some people is baffling.
Stalkerware is a category of mobile apps that allow someone to monitor other people. Another word for it is spyware. Jealous lovers might secretly install stalkerware on a partner’s smartphone. They might tell the victim it’s an app for their own protection. Some spyware is marketed as a child or employee monitor. They come under names like Shadow Spy, SpyHuman, TrackView and others. But according to a new report from security vendor Eset, some of these apps have big privacy and security holes. Which means anyone can hack into them. Eset looked at 58 Android apps and found 158 vulnerabilities. The lesson: Don’t think you’re doing yourself, a lover, an employee or a child any favours by installing these snooping apps.
Here’s another one of those ‘oopsy’ moments. Anker, which makes the Eufycam internet-connected security cameras, admitted a software error allowed some users on Monday to see video streams from the homes of strangers instead of their own. The news site the Register says Anker told it a software bug in a server upgrade was to blame. Anker said only a limited number of people had their privacy compromised. The Register says people in the United States, New Zealand, Australia, Mexico, Brazil, Argentina and Cuba were among the surprised users of the app expecting to see the insides of their own homes.
I’ve been covering the big RSA online cybersecurity conference this week. One session was about business email compromise attacks. These are attempts by crooks impersonating a trusted person to get an employee to send them money for a regular payment, or to send them a sensitive document. The employee thinks the funds are going to the right bank account, or the document is going to the right person. One recent trend: Crooks are asking accounting departments for their latest ‘aging report.’ This is a list of people who owe the organization money. Aging reports have all sorts of personal information. With one, a crook emails the victim and impersonates an official from the company and demands the money owed. If you work in a corporate finance department and get an email request from an executive for the latest aging report, make sure the request is legitimate.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.