February may be the shortest month of the year, but that doesn’t mean there was any shortage of information security news. With countless breaches, vulnerabilities, and people behind the scenes working to prevent them, the news is bigger than ever. Take a look at how the month of February impacted the information security landscape with this month’s news roundup.
- This is one of those “do you want the good news or bad news first?” deals. Fortunately, the number of breaches in 2018 was down 23% from the number in 2017. Unfortunately, the data that was collected in the 2018 breaches
- Want to know if your password has been compromised? Well, you’re in luck. Google has released a Chrome extension, Password Checkup, that alerts you if your password and username combination has appeared in a data breach.
- Cybercriminals have placed nearly 620 million data records for sale on the dark web. The information was gathered from 16 breaches, including MyFitnessPal, MyHeritage, and Animoto. Experts suggest people beware of their accounts being compromised, even if they no longer use these sites or services.
- Drupal, the world’s third-most-popular content management system, was made vulnerable by a critical flaw in the system. This exploit allowed attackers to remotely execute code. While patching and updates were created to prevent further issues, many system admins of Drupal-based sites fail to do their updates and patches in a timely manner.
- Hackers have found vulnerabilities in shipping containers. These underlying flaws could pose serious data risk, as they don’t just impact a single container, but the entire container host, ultimately compromising the hundreds to thousands of other containers running on it. Emergency updates from shipping companies like Red Hat, Google, and Amazon aim to fix the flaws, but this will not be the last set of attacks on containers.
- Vendor risk management continues to be one of the most important trends in security. In mid-February, ConnectWise, the popular project management tool, was the victim of a ransomware attack coming from one of their managed service providers (MSPs). The attack resulted in some 1,500 to 2,000 systems belonging to the MSP’s clients getting
cryptolockedand the MSP itself facing a $2.6 million ransom demand.
- Speaking of vendors and bad situations, they happen to everyone— even security experts. Stu at KnowBe4 was almost compromised through a real email thread from a real vendor. Luckily it was caught by their tech team before it escalated, but it’s just further proof that we always need to be wary of the risks our vendors pose to us, and that we need to be cautious when opening any links or attachments in emails.
- Microsoft had a handful of issues in February that caused a stir. Notably, an attack called “
NoRelationship“ allowed attackers to bypass Office 365 email attachment security by editing the relationship files that are included with Office documents. This allowed them to hide malicious links in their phishing attempts to Microsoft users.
- 2018 was a record year for healthcare fines related to breaches. This past year, the OCR settled 10 cases totaling $28.7 million from enforcement actions. The previous record in 2016 was surpassed by 22 percent.
- Each year, tens of thousands of healthcare professionals gather at the HIMSS conference to discuss pressing matters in the healthcare industry. This year, without question, the number one topic of interest was cybersecurity, particularly among IT professionals.
- Imagine conducting a Google search of your own name and finding your medical records in the results. A recent breach at UW Medicine made nearly one million protected records and internal files available and visible by
searchon the internet.
- It seems like we could write a blurb about a Facebook privacy issue every month. February is no different. Facebook is facing more heat due to a research app. The app gave wide-ranging access to users’ mobile devices, but in order to do so, they needed to bypass Apple’s privacy rules in their app store.
- WhatsApp has added biometric security measures to its app. A recent update allows users to lock the app with either Face ID or Touch ID.
- A major benefit of the world of social media is for consumers to very quickly interact with brands. Unfortunately, scammers are taking advantage of this by creating Twitter accounts that look nearly identical to company accounts and then attempting to get card information by responding to complaints.
- Apple released an update including a ton of patches to fix some major bugs in their iOS. Mainly, this update fixed a flaw in their FaceTime functionality— affectionately dubbed “FacePalm”— which allowed users to hear FaceTime recipients before the call was even answered.
Understanding information security trends is important. It gives you an idea of what’s going on in the industry so you can continue to protect yourself and your business. Follow FRSecure on Twitter and LinkedIn for consistent updates on information security news like this, and visit our site to learn how your organization can continue to make improvements to its security measures.