Security Summary – February 2020

Our short monthly review summarizes important news and blog posts that focus on IT security, cloud computing and privacy protection.

1. Don't change strong passwords for no reason

If it were up to the German Federal Office for Information Security (BSI), "Change your password" day would have rolled around for the last time this year. What British and US authorities had already stipulated back in 2016 and 2017 has now also found its way into the 2020 edition of the BSI Grundschutz Compendium: changing a strong password is only recommended if it is suspected to have fallen into the wrong hands. Rules on change intervals are also counter-productive, since they lead to the use of rather weak passwords that follow a certain pattern.

Source: heise.de

2. Trojan Emotet keeps German authorities busy

In recent months, Emotet attacks caused institutional offices to close, while hospitals were unable to accept new patients and surgical operations had to be postponed. Countless computers were also placed into quarantine. Beyond the loss of sensitive data, the malware can do enough damage that entire IT infrastructures need to be rebuilt. Since the Trojan places not only monitoring software on computers, but also other malware, an increasing number of countermeasures are progressively being adopted. Particular caution should be exercised with emails that contain links or attachments.

Source: egovernment-computing.de

3. Security gaps in Google Pay and PayPal

A security gap in the interaction between Google Pay and PayPal, already reported in February 2019, is now apparently being exploited by criminals. Various users report unexplained debits from their PayPal accounts, and there is always one thing in common: the link between their Google Pay and PayPal accounts. There are several security issues. On the one hand, contactless payment is possible while online transactions are enabled. On the other hand – and herein lies the critical issue – PayPal doesn't check the name or CVC security code of the virtual credit card during transactions. Criminals, for their part, can read out the credit card number and expiry date required to make the purchase relatively easily using an NFC-compatible reader.

Source: golem.de

4. Major security gaps exposed in US voting app

A US voting app from Voatz, which has already been used in several elections across various US states, has been found to contain a number of vulnerabilities. MIT security researchers determined that merely observing the app's network traffic could reveal where votes were allocated. This gives attackers the opportunity to thwart or manipulate votes. There are also a number of data protection issues, given that blockchain verification, despite being promised, does not occur.

Source: heise.de

5. Hackers already in Citrix for five months

Between October 13, 2018 and March 8, 2019, hackers were on the move in the internal network of software giant Citrix. As the FBI informed Citrix at the beginning of March 2019, the hackers most likely used a technique called "password spraying" to gain access to a large number of employee accounts. The attackers may have downloaded business documents and gathered information such as Social Security, driver's license, passport and credit card numbers as well as health-related information, as Citrix itself announced.

Source: krebsonsecurity.com

6. A spike in hacker attacks on IoT devices

A new study by security provider Kaspersky says that attacks on IoT platforms have increased by a factor of 9 to 105 million. 61% of companies worldwide use IoT platforms, although security issues related to the Internet of Things were identified in 28% of those surveyed last year. Also affected were critical infrastructures such as the energy sector (41.9%), automotive engineering (39.9%) and building automation (37.8%). In addition, in the third quarter of 2019, 37% of computers, servers and workstations on which biometric data is recorded and stored had been targeted by at least one malware infection attempt.

Source: zdnet.de

7. Spanish football club: account takeover and false tweets

In mid-February, hackers took over FC Barcelona's Twitter account and distributed false tweets. The hacking collective OurMine, by its own admission, was responsible; it had already been in the spotlight back in January for taking over the Twitter accounts of 15 different NFL teams. According to OurMine, there are good intentions behind their attacks: they want to help the "target objects" improve their data security.

Source: threatpost.com

8. Data from MGM resort guests on the net

Data pertaining to 10.6 million guests of the MGM Resorts hotel chain, which had already been tapped by hackers last summer, has now appeared on a relevant forum. The data leak included guests' names, telephone and passport numbers, email addresses and birthdays, but no payment information. MGM Resorts confirmed that the hackers used a cloud service to extract the data. Some of those affected were informed last year.

Source: zdnet.com