The SecuriTea News - Issue #3

Every Friday The Weekly SecuriTEA Report brings you the latest week’s trending information security news. Read on and join the conversation.

Big Tech Keeps on Paying. Google has agreed to pay a $13 million dollar settlement in a class-action lawsuit against the company over their collection of people's privation information through its Street View project. For those not familiar with the incident, the tl:dr report is: Street View is a feature, launched in 2007, that let users interact with panoramic imagine of locations around the world through cars it drove around. Unfortunately, it was confirmed that gathering photos wasn't the only thing its cars were doing as it also gathered emails, passwords, and other private information from wifi networks in more than 30 countries and stored this information in their servers. At first they tried to say it was a mistake but researchers found otherwise when it was uncovered that Google engineers built software and embedded it into their cars intentionally. 38 U.S. sued and is now currently set to be settled later this year.

Government demanding backdoors to see your messages. This past week, during the International Conference on Cyber Security at Fordham University, U.S Attorney General gave a speech insisting that U.S. consumers should accept the risks that come with the encryption backdoors to help ensure that law enforcement agencies can access encrypted communications. You enjoy the luxury of encrypted communications when you use products such as WhatsApp, your iPhone, and even Instagram. - For those not familiar with the terminology, an encrypted backdoor is generally defined as an undocumented entrance into a software program used typically by administrators to perform maintenance. (Think of it as a secret passageway into your house that only you should know about but has the potential of your nosy neighbor finding out.) An emphasis was placed on undocumented as this entrance is not to be used by ANYONE for fear of unauthorized access. - The use of backdoors in software that is in production is seen as a major no-no as it creates a majority security risk for the consumer. Barr is calling on tech companies to do more to help agencies circumvent this security measure during their investigations. Security Professionals and lawmakers alike have spoken out against this initiative as doing so leaves all consumers at risk of exposure to the government and malicious attackers alike.

Robinhood Trading Firm latest in Password Malpractice. NOTE: If you have received a recent notice by Robinhood please change your passwords immediately!!!!!!

Robinhood is a U.S. based financial company that took the way you trade stock by storm a few years ago. Earlier this week communications were sent out to some of its users admitting to the fact that the company discovered some user credentials were stored in plaintext. (Plaintext is any characters that are readable. For example, this article you are reading is in plaintext.) Companies that store user data, such as passwords, should be following high security standards to protect this information - including using encryption. (Encryption is when you take plaintext - such as ABCDEFG - and use an algorithm to change this text to an human unreadable format called ciphertext). Though the company insists that the passwords were only available internally and have no evidence that any accounts were comprised, a security mishap such as this could have easily exposed its user base to a larger threat. Robinhood has since taken measures to correct this issue but is one more example of the negligence companies have towards proper security standards.

Average cost of breaches has now reaching $3.92 million dollars. This number is an 1.5 increase from 2018 with one quarter of all data breaches caused by human error. This reported data is brought to you by the Ponemon Institute and IBM who recently released the 14th annual 'Cost of a Data Breach' report that measures the impact of reported breaches between July 2018 and April 2019. In addition to these highlighted measurement, it is important to note that the time it takes to remediate a data breach is growing as well (the average is now 279 days, almost 5% longer than the 2018 average of 266 days.) Human error in breaches can come from a variety of things - misconfigurations or susceptibility to social engineering for example - and it is important that companies place an emphasis on security awareness and empathy for their users. On top of their everyday duties employees are expected to be the human firewall to organizations in helping keep their data safe. It can be hard to do when employees are not equipped with the proper knowledge and tools to know what to look out for.

LinkedIn being used for social engineering campaigns. Social engineering remains one of the largest attack vectors used by malicious attackers. Social engineering is a method in which attackers use deception to trick an individual into doing what they want, be it gives up information in an email or click a link. Phishing (which is when you receive a dubious email posing as someone who they are not) is usually the main tactic but recently a campaign by Iran-linked threat actor APT34 started using another approach in which they asked their victims to join their social network. According to FireEye, these adversaries masqueraded as a Cambridge University lecturer and asked their linked connections to open malicious documents. APT34 specializes in cyber-espionage activity and is known for attacks that target a variety of organizations locates in the Middle East. Though this group’s target may be specific, it does raise the suspicion on other smaller attackers using the same tactic in order to generate large social campaigns under the radar. Be careful about who you connect with on various social media platform and the kind of information and links being provided. Check to see if you have mutual connections before adding on LinkedIn.

And that's a wrap for your Weekly SecuriTea Report. Be sure to check out the latest every week for the latest in Information Security News.