Monday, 4 January 2016

It’s a Vulnerable World: December 2015


For many, January means a fresh start, but December’s Internet insecurities are far from over. 2015 rounded out with threats to nearly every facet of everyday life, including the basic acts of using a credit card, logging onto a computer and accessing a favorite website. At risk are:

Windows Users: Users who log in to Windows 10 via a Microsoft account (i.e. most users) unknowingly upload a copy of their recovery key to Microsoft’s servers, which can be used to access information that would otherwise be protected by encryption. In the words of cryptography professor Matthew Green, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”

Android Devices: Symantec recently discovered Android.Spywaller, malware pretending to be a well-known Chinese antivirus app that actually steals information from infected Android devices.

Outdated Encryption Lacking “Salt”: 3.3 million user accounts were leaked from Hello Kitty-owner Sanrio’s database. Much remains unknown about the data breach, but one thing is clear: the compromised passwords were hashed with the now-deprecated SHA-1 algorithm and lacked an extra layer of security known as “salt”.

International Officials: Private data including names, phone numbers, usernames, email addresses and secret questions and answers of over 1,400 officials at the UN’s Paris climate talks were made public by the hacktivist movement Anonymous. The leak was in response to the arrest of approximately 100 protesters on November 29. Weak encryption was found to be at least partially to blame.

German and Turkish Banking: Security researcher Karsten Nohl found flaws that compromise personal identification number (PIN) codes, transactions and funds in German retail payment systems. In Turkey, a two-week attack thought to be carried out by Anonymous repeatedly disrupted credit card transactions and banks in general.

Internet of Things: A study of 4,000 IoT devices from 70 different manufacturers revealed only 580 unique keys, the result of sharing, leaking and/or stealing code. Motherboard summarized the situation well: “Imagine an apartment building of 4,000 rooms but with only 580 different locks; the odds would be pretty good that your neighbor and you share the same front-door key. It’s a bit unsettling.” These static keys most affect devices in the United States, Mexico and Brazil.

Mobile Apps: Wandera revealed that 16 travel and leisure companies, collectively serving 500,000 users per day, had failed to use the encryption necessary to protect credit card information when submitted via a mobile app or website. To date, only easyJet, Chiltern Railways, San Diego Zoo, CN Tower, Aer Lingus, Air Canada and SISTIC have remedied the issue.

World Wide Web: Malvertising, in which hackers buy ad space on otherwise trustworthy websites, became increasingly common in 2015. By taking advantage of computer vulnerabilities, hackers need users only to open a website in order to steal financial information or lock files in exchange for ransom.
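
To illustrate the Sanrio item above, here is an added example (not from the original post or from Sanrio) contrasting unsalted SHA-1 with a salted, slow hash. The account names, passwords, helper names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from any breach).
ACCOUNTS = {"alice": "kitty123", "bob": "kitty123", "carol": "S3parate!"}
PBKDF2_ITERATIONS = 600_000  # assumption: work factor, tune for your hardware


def unsalted_sha1(password):
    """Weak scheme described in the post: bare SHA-1 digest, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256, random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digest_groups(table):
    """Group users whose stored value is identical (visible in any leak)."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def demo():
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    records = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    strong = {u: digest for u, (_salt, digest) in records.items()}
    return shared_digest_groups(weak), shared_digest_groups(strong), records


if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("identical stored values without salt:", weak_groups)
    print("identical stored values with salt:   ", strong_groups)
```

Without a salt, every user with the same password has the same stored value, so one precomputed lookup resolves all of them; with a per-user salt each record has to be attacked separately.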

As always, let us know in the comments below if there are any vulnerabilities we missed.





SumRando Cybersecurity is a South Africa-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!
