Monthly News Roundup - December 2015 (TL;DR)

NEWS

This month we learned that Microsoft’s browser is vulnerable and many people’s Java has security flaws. No, you haven’t traveled back in an infosec time machine. These old-fashioned headlines came back in a new way this month. Oh, and a mere 191 million people’s personally identifiable information was exposed online. Check out those stories plus much more in our December 2015 news roundup:

  • US Voter Records Leaked Online: On Dec. 20, security researcher Chris Vickery discovered an exposed database containing personally identifiable information for 191 million registered US voters. The data included voters’ full names, addresses, voter IDs, birthdates, phone numbers, political affiliations, voting histories, and confirmation about whether or not they are on the do-not-call list. Depending on state law, much of that information must remain private and secure. As of now, the owner of the database remains unknown but the database has been taken offline.
  • Apps Share User Info But Don’t Tell Their Customers: Seventy-three percent of the 55 most popular Android apps share users’ personal information with third parties, without notifying customers. That was one of the many disturbing findings presented at the recent Data Transparency Lab conference. Another take-away from the event: While freemium services are increasingly popular online, paid subscription models are more likely to maintain a user’s privacy.
  • LatentBot Malware Plants Seeds In The Finance Industry: A dangerous new malware is targeting the financial services and insurance sector. The nefarious program, dubbed Latentbot by investigators, infects machines through a downloaded Word document. Once successfully installed, the code hides itself and loads additional malware on a user’s machine, giving a hacker full control over the device. Eighty percent of antivirus software is able to id the program but the best defense is to refrain from downloading the malware in the first place.
  • Microsoft Browser Woes Persist: Microsoft Edge might not be a complete departure from its browsing predecessor, Explorer. According to Microsoft’s site, the Edge browser is supposed to “defend users from increasingly sophisticated and prevalent attacks.” However, the past 5 months of updates to Edge, which comes with Windows 10, indicate that the new app has as many as 25% of Explorer’s known security flaws.
  • MacKeeper Data Leaked: MacKeeper is a well-known scare-ware product that aims to convince Mac owners they need to buy more security for their devices. In addition to selling a useless product, the MacKeeper parent company Kromtech also leaked 13 million of its customer records. Security researcher Chris Vickery discovered the data through a search on Shodan and notified Kromtech. (Hey, that’s the same guy who discovered the voter info leak!) The company shuttered access to the database immediately. In a public statement, Kromtech thanked Vickery for his effort, yet the “security” firm neglected to note the irony of its failure to protect customers.
  • IRS and States Ramp Up Digital Security to Prevent Fraud: The IRS is upping its anti-fraud game. The agency has partnered with online tax prep providers, including TurboTax and H&R Block, to create at least 20 new identifiers in people’s digital 2016 filings. The goal is to reduce fraud against the government and harm to the hundreds of thousands of taxpayers affected by false returns filed in their name. Looking at data from 2013, the IRS estimates it paid out $5.8 billion in phony refunds.
  • Oracle Ordered to Notify Users Of Outdated Java: Following a settlement with the Federal Trade Commission, Oracle must offer more help to users running old, vulnerable versions of Java. In recent years, when users updated their Java, the previous versions remained on machines. The legacy versions left devices vulnerable to known methods of attack. Oracle’s old updates and website warnings failed to clearly indicate that an uninstall was the only way to thoroughly secure a device. Oracle acquired Java as part of its buyout of Sun Microsystems in 2010. At that time, it’s estimated Java was installed on 850 million PCs worldwide.