Emerging threat: New USB stick crashing computers
A new USB stick designed to fry a computer has emerged from a Hong Kong company. The device, named USB Kill 2.0, discharges 200 volts when it is plugged into an unauthorized computer or device. The manufacturer, USBkill.com, says the devices were created primarily to test against power surge attacks.
Of course, the USB devices could be used maliciously, and unknowing computer owners could plug the computer-crashing devices into their own computers, rendering them useless.
This isn’t the first case of USB sticks gone wrong. Earlier this year, experts saw an increase in malware-ridden USB sticks infecting devices. In fact, the American Dental Association sent USB sticks to all members that were supposed to contain new dental procedure codes. Instead the dentists got a bad case of malware.
It’s best not to insert an unknown USB stick into your computer.
Yahoo leak exposed 500 million users’ passwords. The hack occurred two years ago and it is the biggest hack in history. A cybercriminal is supposedly selling all the credentials, which include usernames, passwords, birthdates, and other information, on the dark web for only $1,800. Yahoo users should change their password immediately.
Hackers target online banking credentials using smartphone malware. U.S. banking regulators and the FBI have seen an uptick in malware designed to steal banking credentials as users log in to their online banking account via smartphone apps. The malware downloads onto the phone when a user clicks on a malicious link sent via text message or advertisement. It then stays dormant until the banking app is opened, when it records the username and password. The malware affects both Apple and Android phones, and users should update their software and banking apps immediately.
Dropbox users: If you haven’t changed your password since 2012, do so now. The online cloud storage system announced that credentials stolen in 2012 are now being exploited by criminals. You should be prompted to change your password when you sign in if you have not done so in the last four years.
One million people affected by tax return identity theft were never notified by the IRS, a Treasury Department watchdog found. In 2014, the IRS launched a pilot program to contact victims of tax fraud, but the program was cancelled due to lack of funding. The IRS claims it will begin contacting new victims in January 2017. The audit also found that there is no communication between the IRS and the Social Security Administration to report fraudulent earnings from tax reports. This could result in a change in Social Security benefits for victims. The IRS is working on a way to alert the SSA on this issue.
New ransomware strain takes advantage of common typos. Online security firm Endgame found that hackers have been purchasing domain names similar to popular websites but with a typo (for example, amazon.om instead of amazon.com). They then plant ransomware on the site and urge users to click through so they can take over their device. Be sure to double-check the website you are visiting before clicking on links.
Report finds that Office of Personnel Management ignored security threats prior to 2014 breach. Congress discovered that the agency was using outdated software, which jeopardized the security of information of millions. OPM also knew about data being stolen early on but was not able to stop the theft. The report found that had OPM adopted basic security tools such as two-factor authentication, the hackers would have most likely failed. The agency spent less than almost every other federal agency on cybersecurity.
Data breaches cost retailers nearly 20% of consumer base, according to a new survey from KPMG. Following a breach, nearly one-third of customers will stop shopping at the store for up to three months and one-fifth declared they would avoid using the retailer in the future regardless of how they responded to the incident. And while data breaches are certainly costly to a business, over half of the cybersecurity executives surveyed said they had not invested in their company’s cybersecurity in the last year.
Twitter PayPal scam makes rounds. Phishers have taken their quest to Twitter, targeting users who tweet questions to the official “@PayPal” account. They respond to the users with a link to an official-looking but fake PayPal login screen in an attempt to capture their credentials. Be sure to take a close look at any tweets from PayPal and ensure they are coming from the official account.
Adobe: A patch closing nearly 30 security holes in Adobe’s Flash Player was released this month. You should be prompted to update on your own computer, but you can learn more here. If you have Flash installed on your browsers, make sure you update those as well.
Apple: iPhone and iPad users should update their devices to the new operating system iOS 10. The new operating system was released with the iPhone 7 and upgrades many features on the devices. But there are security reasons to update as well. Earlier this month, a major security flaw was found that allowed hackers to completely take over an Apple device with a simple text message. Your devices should prompt you to update automatically. You can read more about the security flaw here.
Microsoft: Fourteen patches closing over 50 security vulnerabilities were released this month. The patches fix flaws in Windows and Internet Explorer. Half of the updates are considered critical and one for Internet Explorer closes a zero-day exploit. Windows should update automatically, but you can learn more here.