THE CYBER LANDSCAPE: UNPATCHED MICROSOFT JET VULNERABILITY
GOOGLE+ TERMINATED IN RESPONSE TO LEAKAGE OF USER’S DATA
In response to a publicized security breach, Google is looking to shut down their failed social media site. Google+ was created with the intention of overthrowing Facebook, but instead has left its scanty user base exposed to third-party data intrusions via software bug.
How Data Was Compromised
Destined to be a popular site, Google+ was once an exclusive social media alternative that required an invitation, which made it all the more alluring; how users data was then shared with others is less exclusive. When signing into apps, there was the option to sign in with Google+, similar to signing into an app with Facebook, which then allowed the app to collect and harvest data generated by the user. When a Google+ user logged in with their account, they not only offered up their information, but also their friend’s information.
Who Was Affected
While Google+ never experienced the fame it had predicted, there was still a notable user base. 500,000 users were ultimately affected by this security bug, which revealed their age, jobs, and local information– placing them in danger of fraud. The software bug gave approximately 438 third-party vendors access to users private information from 2015 to March 2018, when the loophole was discovered.
Why Was it Not Made Public
The Google+ data leak was discovered in March– incidentally the same month that Facebook was under fire for the Cambridge Analytica scandal. Looking to avoid Facebook’s fate, Google+ chose not to disclose the data leak– instead choosing to quietly repair the software bug. The difference in data leaks is rather apparent, with Google+ having a much smaller user base in comparison to Facebook.
What You Can Do
Many users made a Google+ account when it was all the rage, but most didn’t use it after initial creation. While you may not be using Google+ anymore, one of your friends might have– leaving you exposed. Checking to see if you have a Google+ account is as simple as checking your gmail or university email, then going into your settings to completely delete the Google+ account. A lot users have an account and they don’t even realize it.
The site is said to shut down in ten months, while leaving a business aspect of Google+ still available.
TECH UPDATE: 10 FEATURES YOU’LL LOVE ABOUT THE WINDOWS TEN UPDATE
The October Windows Ten Update was released earlier this week, with changes that are sure to suit every user. The update will be available via the Windows website, or will begin to sneak onto Windows users screen as a reminder within the next week.
Kicking off this update are these ten new features:
Fewer Restarts
One of the most grating features of previous updates were sudden restarts. Dona Sakar, a Windows Insider, has noted these disruptions, “We heard you… We trained a predictive model that can accurately predict when the right time to restart the device is.” This means that getting up to get a cup of coffee won’t mean coming back to a computer in reboot mode.
Battery Usage
What’s draining your battery? Task Manager has a new feature that will allow you to view how much battery each app and program is using, best for identifying that excessive power gobbler.
Bluetooth Battery
Love your new wireless headphones? With the new update Windows users will able to see how much battery each of their bluetooth batteries has left.
Text Slider
Among the updates is one that will benefit those who need larger text. Instead of zooming in on a page and distorting the website layout, this text slider will allow the text itself to appear larger.
Snip and Sketch
Bundling multiple applications into one, the “winkey + shift + s” option will allow for a quick screenshot with the possibility of sketching on the saved image. Sharing and printing the saved clipboard image has gotten easier.
Phone Sync
Texting doesn’t have to stop at your phone. Syncing your phone has never gotten easier, the Windows update allows for you phone to link to your computer.The new “Your Phone” feature allows for messages and photos to be linked to your Windows 10 device. This means there is no need to transfer large files via Dropbox or email.
As for compatibility, this works best with Androids and is quickly expanding for better functionality with Apple products.
Dark Mode
Dark Mode has expanded to other Windows 10 applications: File Explorer. This fan-favorite dark screen theme has expanded to your search for files.
Cloud Clipboard
Those that have multiple Windows 10 devices will find this feature of the update most useful. With the Cloud Clipboard feature, you can easily have the same files available across all devices. The transition of moving from a work computer to home computer has been simplified with the new update.
Search Preview
Looking for a file just got easier. With this new search preview feature, a user can search within the start menu and will be able view previews of the files. Allowing for an effortless search.
HDR Support
With the gamer in mind, this Windows 10 update will allow for more contrast and vivid colors than ever. While HDR support has been difficult in the past, this update is looking to fix that.
The new update will also allow for ray-tracing, a Nvidia feature that will allow for better gameplay.
THE CYBER LANDSCAPE: YOUR HOME WIFI ROUTER
Can my wi-fi router be compromised?
Wi-Fi routers pose an easy target for most hackers. A router’s firmware will pose a risk if left running without an update. Most households will keep their Wi-Fi router running day in and day out, without being checked for the latest patches or bug fixes.
Over time, Wi-Fi routers’ vulnerabilities are amplified. Most firmware is built with open source code, which is a cost-effective way to allow for customization, but is also seen as more susceptible to cyber attacks.
Is this even a serious threat?
Yes. In a study done by the American Consumer Institute (ACI), it was found that in a range of 186 Wi-Fi routers, from a slew of popular providers, 155 were found to be based on open source code. This means that 83% of those routers have a higher probability of being exposed to attacks.
Earlier this year there were thousands of Wi-Fi routers infiltrated by Russian hackers, reported by NBC. Barreling through little protection, a semi-experienced hacker could easily move past password barriers such as: 1234 and other simple passwords. Once they have access to your router, they can sift through private data, spy on web interactions, or even gain access to your financial institutions.
How to protect yourself:
- Update your Router’s firmware
- Search online for vulnerabilities on your device
- Turn off Remote Administration
While the “Remote Admin” tool is helpful for when you need tech help from afar, it leaves a loophole that could be used by hackers.
THERE IS SOMETHING “PHISHY” ABOUT SPEAR PHISHING.
We all know about email phishing, it’s relatively easy to spot. When the prince of Nigeria emails asking for help, we know not respond with our banking info, but when your I.T. provider “emails” with a link to click to login, this might be a little harder to recognize as an attack. Spear phishing is the next worst version of plain old phishing.
Spear phishing is a relatively cheap and effective way to gain access to someone’s personal information or computer system. With a little research and an email address, a hacker can pose as a trusted source. Posing as this official source, hackers can access aia a spoofed login link or an attachment.
This type of phishing has increased by 65% since last year, meaning your inbox may soon receive an email you weren’t expecting. Here are a few examples of what a spear phishing attack may look like:
The Executive
Emails from higher-ups are always more likely to receive special attention, something hackers realize too. An American steel company was targeted with an email from the board of directors, which prompted employees to click a link. This link allowed for hackers to gain access to employee’s email database and all attachments.
Protect yourself from dubious links by double checking with the person who initiated the email. It is unlikely that there will be a login link attached in an email, but always double-check.
The Job Candidate
With team expansions come new hires, but not all job applicants are alike. This “potential” hire will typically send a short intro summary and an attachment of their resume, which is what holds this compromising malware.
Protect yourself from malicious attachments by having an intermediary defense system, like a web portal or file uploader to scan all attachments to verify a word document.
The IT Note
Who hasn’t run into IT troubles? When an email pops up from your provider, it doesn’t signal any red flags, but they link they provide might be anything but helpful.
Protect yourself from these malicious links by remaining vigilant online and refraining from providing personal information online.
Remaining Vigilant Online
There are many ways for a hacker to investigate a user’s personal interests, such as through their social media. With simple research, a personally crafted attack could be sent to an unexpecting inbox. Don’t be the one to fall for the attack:
- Remain very vigilant online
- Double check with the sender
- Have an intermediary defense system
- Avoid links that direct to a login page
- Keep up to date with cyber attacks
APPLE USERS ARE LEFT EXPOSED TO A NEW PHISHING ATTACK
This new phishing attack has gained a level of sophistication that will trick even a trained user. An unpatched URL vulnerability allows a hacker to imitate a website address and then acquire information through a fake login portal.
The URL vulnerability was discovered by Rafay Baloch, a security researcher based in Pakistan. Microsoft Edge by Windows and Apple Safari by iOS are the two major browsers affected. While Microsoft has created a patch for the spoof URLs in the previous month– meaning Google Chrome and Mozilla Fox users are in the clear.
Baloch discovered that this vulnerability (CVE-2018-8383) as a result of a race type condition issue: a web browser will allow JavaScript to change the web address in the URL bar while a page is loading.
Here’s how this phishing attack works: hackers are able to load an authentic webpage, allowing for the proper web address to display in the URL bar, and then quickly swap in a more sinister code. Users are then led to what appears to be a legitimate login screen, where usernames and passwords are then captured. This can easily deceive a vigilant user, as the web address doesn’t appear to change drastically.
Any website can be recreated by a hacker with this URL loophole, including Gmail, Facebook, Twitter, and even a large number of banking websites.
Baloch produced a proof-of-concept (PoC) page where he exposed the URL vulnerability on both Microsoft Edge and Safari. Both web pages granted JavaScript access to change the web address in the URL bar while the page was still loading.
Ultimately, it’s best to double-check web addresses, but to also keep an eye on the latest phishing attacks.
To read more about technical details about the phishing attack, read Baloch’s blog.
IS AIRPORT WI-FI SECURE?
The one thing that makes an airport layover bearable may be more risky than many realize.
Airport Wi-Fi, though sometimes faster than cellular networks, is often unencrypted and rather unsecure, according to a study by Coronet. They created a list of the 10 U.S. airports where you’re most likely to have information stolen via the Wi-Fi.
This doesn’t mean you should never connect to airport Wi-Fi, but it does mean it is important to be careful when doing so.