WhatsApp clamps down on COVID-19 fake news, Zoom makes passwords mandatory, hack at an Italian email service and FBI advice to prevent email scams.
Welcome to Cyber Security Today. It’s Wednesday April 8th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
The internet is filled with scams and false information about the COVID-19 crisis, forcing social media platforms to react. The latest is by messaging service WhatsApp, which is now limiting the ability of users to forward messages they’ve received from someone else. If you as an originator of a message want to send something to lots of users, that’s fine. But a message you get from someone else who is not a close contact can now only be forwarded to one chat at a time. Hopefully that will make people think about the content they’re passing around. WhatsApp users know a message has been forwarded several times because it comes with a double arrow. Facebook, which owns WhatsApp, has also taken steps on its Messenger service to combat coronavirus misinformation. So have the Viber messaging service and Twitter. University of Alberta professor Tim Caulfield, who is studying COVID-19 misinformation and conspiracy theories, says people should think about what they are reading and sharing before pressing the send button. More than one observer has said there’s no reason to spend all day looking for the latest news on the virus. Nothing really changes — stay home as much as you can, wear a mask if you go into a store, wash your hands thoroughly when you get back home, don’t touch your face. Checking reputable websites for information once or twice a day is enough.
While I’m on the topic of the virus, with people staying at home more of us are using videoconferencing to keep in touch with family and friends. That raises some security concerns, particularly with the Zoom service, which is popular because it’s easy to use. But it has been easy for mischievous people or criminals to muscle into sessions by either guessing meeting ID numbers or seeing meeting invites on social media. As I said last week, videoconferencing hosts — whether business or personal — should think carefully before posting meeting links on open places like social media platforms. Zoom has quickly moved to improve privacy by forcing meeting hosts to password-protect sessions. That will limit the number of unwanted intruders on its service. Meanwhile, always be careful about what you talk about or show in a video or audio conference, even if it’s with a few friends. In addition, organizations should get advice from a security professional about which services have business-strength conferencing to meet corporate privacy needs.
People worry about hackers intercepting and reading email, text messages and financial transactions as they cross the Internet. That’s why it’s important that connections to web sites are encrypted. That’s what the HTTPS in the address bar at the top of your browser indicates. Encryption protects data in transit. However, data that sits on company servers — what’s called data at rest — is also at risk of being hacked and copied. Depending on its sensitivity, it should also be encrypted. What’s sensitive? Personal information like birth dates, social insurance numbers, credit card numbers — and passwords. Which brings me to news of the hack of an Italian email service called Email.it. Over the weekend hackers started selling stolen data on more than 600,000 users of the free version of the service. The data allegedly includes users’ passwords, security questions, email content and attachments of those using the service since 2007. The hackers claim they broke into the company two years ago. Many organizations protect the servers that hold data with passwords. That isn’t enough if hackers can guess or steal a password. Unfortunately many firms aren’t willing to spend the money to encrypt sensitive data at rest.
Finally, the FBI this week warned organizations that hackers are targeting organizations using cloud-based email services like Gmail and Office 365 for business email scams. The tactic is to mimic these email services to trick victims into sending money they would usually transfer to a bank account to an account controlled by the attacker instead. When organizations host their own email service the IT department knows how to configure it for protection. Well, cloud-based email has to be configured for security as well. That includes enabling multifactor authentication for all users, prohibiting automatic forwarding of messages to outside email addresses, and putting a banner or special colour on messages coming from outside the organization. That’s important — it’s a flag to a user. Why would a message from a senior staff member come from outside the company? Probably because it’s a fake. There’s a link to the full list of FBI tips in the text version of this podcast at ITWorldCanada.com. It also has links for the other stories.
That’s it for Cyber Security Today. The show can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.