Friday Five: 10/20 Edition
Happy Friday! Get the latest InfoSec news with our weekly roundup.
An exploit called KRACK, short for Key Reinstallation Attack, targets a weakness in WPA2, the security protocol that protects Wi-Fi connections on the large majority of connected devices. Security academic and researcher Mathy Vanhoef discovered KRACK, which allows attackers to eavesdrop on your network traffic. The vulnerability was revealed to the public on Monday. CNET has taken an interesting approach in seeing how large corporations are responding to KRACK. Microsoft has already issued a security update, while Apple and Google are working on rolling out patches; this is important given the number of devices running Android, which was particularly susceptible.
2. We Heart It says a data breach affected over 8 million accounts, included emails and passwords by Sarah Perez
We Heart It, an image-sharing site used by millions of teens (up to 40 million users as of a few years ago), informed its users that their personal data may have been compromised. Last week We Heart It was alerted to a possible security breach involving over 8 million accounts. The breach took place a few years ago and included account names, emails, and encrypted passwords for We Heart It accounts created between 2008 and 2013. Victims were notified by email over the weekend, and We Heart It published a blog post describing the incident in detail to its users. We Heart It isn’t as popular as it used to be, but this breach shows that our information is still at risk even if we haven’t used an application in years.
Earlier this week, Google said it will be rolling out advanced security features for high-profile targets, including government officials, political activists and journalists. Essentially, users will be able to opt in to enhanced security features aimed at protecting Gmail, Google Drive, and YouTube data from phishing attacks. In addition, “the advanced protection features include an option to require a physical USB security key to connect to a desktop computer before each log-in as a way to verify a user’s identity. Mobile log-ins will require a Bluetooth wireless device.” Google has created a dedicated site for users who are interested in learning more.
4. Unintended disclosure accounts for a big chunk of data breaches in 2017, and spear phishing is on the rise by Evan Sweeney
The Beazley Group, which provides cyber liability insurance, recently issued a report showing that, through the first three quarters of 2017, more than 40% of healthcare data breaches were the result of unintended disclosures. This is interesting given how often the healthcare industry was targeted by external attackers in 2017. The “second most common data breach cause was hacking or malware at 19%, while 15% involved an insider.” Ransomware attacks were also up, which isn’t surprising given the rise in cyber-extortion this year, and social engineering attacks increased ninefold compared to last year.
Pizza Hut experienced a “temporary security intrusion” lasting about 28 hours, from October 1 through midday on October 2, during which cybercriminals were able to harvest customer names, billing zip codes, delivery addresses, email addresses and payment card information (PCI). Pizza Hut acknowledged the incident on Saturday and sent an email to affected customers. Pizza Hut is the latest of several chains hit in the past several weeks as cybercriminals continue to target retail chains to siphon payment card data.