Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: How Apple AirTags are a stalker’s dream and modern superyachts are a pirate’s dream.

This week’s action: Remind staff that attackers love the Easter holidays.

If you’d prefer to listen to Cyber 3-2-1, this week’s episode is available at https://www.codeinmotion.ie/podcast or wherever you get your podcasts.


 

THREE ARTICLES

 

1: Police Records Show Women Are Being Stalked With Apple AirTags Across the US

“[About a] year ago [..], Apple unveiled the AirTag, a shiny, half-dollar-sized coin with a speaker, Bluetooth antenna, and battery inside, which helps users keep track of their missing items. Attach an AirTag to your purse, keys, wallet, or even your car, and if you lose it, the device will ping every nearby Apple product with Bluetooth turned on to triangulate its location. Those devices send its location back to you on a map, showing where the AirTag has been and its current location.

Police records reviewed by Motherboard show that, as security experts immediately predicted when the product launched, this technology has been used as a tool to stalk and harass women.

Of the 150 total police reports mentioning AirTags, in 50 cases women called the police because they started getting notifications that their whereabouts were being tracked by an AirTag they didn’t own. Of those, 25 could identify a man in their lives—ex-partners, husbands, bosses—who they strongly suspected planted the AirTags on their cars in order to follow and harass them.”

We always suspected that our phones were also tracking devices. But now someone else’s coin-sized AirTag could also track us. There’s clearly a privacy issue here, which is leading to a physical security issue for many women.

Read more: https://www.vice.com/en/article/y3vj3y/apple-airtags-police-reports-stalking-harassment via https://grahamcluley.com
 

2: Modern Pirates hack superyachts’ cybersecurity

This report by euronews discusses the latest developments at the Dubai International Boat Show. For those of us who were unable to attend, it reports that “Most modern marine vessels are heavily equipped with technology, from GPS and navigation systems to electronic chart displays and information systems (ECDIS). The arrival of this new technology has sailed superyachts into dangerous waters with a new type of pirate. [..] High-tech superyachts with wealthy owners create the perfect combination for bounty-hungry hacking pirates. [..] [T]oday, a pirate can hold a ship at ransom from the comfort of a coffee shop.”

Wherever the money (or the monied) go, the cyber attackers are sure to follow.

Read more: https://www.euronews.com/next/2022/04/11/no-plain-sailing-modern-pirates-hack-superyacht-cybersecurity via ISACA SmartBrief
 

3: A WordPress security tool reduced the security of WordPress sites

If you have not heard of WordPress, it is a website platform that is currently used on over a third of the world’s top 1 million websites. Your website may also use it.

Wordfence, a WordPress security plugin provider, recently discovered a vulnerability in another vendor’s WordPress security plugin, which made “it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) [was] enabled but not yet configured for an administrator.”

They reported the vulnerability to the plugin developer, SiteGround, who fixed the issue a day later.

No one layer of security is flawless. This is why having multiple layers of security (also known as ‘defence-in-depth’) is so important. If (or when) one layer becomes vulnerable, another layer may be able to mitigate the vulnerability.

Read more: https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin/
 

TWO NUMBERS

 

1: 62%

62% of cybersecurity teams worldwide are understaffed, according to an ISACA survey of over 2000 cybersecurity professionals around the globe. This reflects last week’s statistics from Microsoft, which reported that for every 2 cybersecurity jobs in the US, a third one remains vacant.

Read more: https://www.teiss.co.uk/leadership–management/leadership–management/60-of-companies-face-difficulties-in-hiring-and-retaining-cybersecurity-staff-isaca-survey
 

2: 705,000

The UK’s data protection authority, the ICO, has recently fined 5 companies a total of GBP £405,000 for making 705,000 nuisance calls. Many calls were to elderly and vulnerable people (including those suffering from dementia), to try to sell them insurance products or services for white goods “which the companies often knew they did not need”.

“The ICO investigation found that these companies were deliberately targeting older people by buying marketing data lists from third parties, specifically asking for personal information about people who are aged 60 and over, homeowners and with landline numbers. [..] This resulted in some people losing thousands of pounds.”

If cyber-attacks were not a crime, I doubt too many people would be upset if attackers focused their attention on the people who profited from the activities of the 5 companies involved.

Read more: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2022/03/ico-takes-action-against-companies-over-predatory-marketing-calls-targeting-elderly-vulnerable-people/
 

ONE ACTION

 

1: Holidays are a busy time for attackers

It is Easter weekend. Many of us will use this as an opportunity to take some time off, and enjoy the thoughts of lovely weather turning up at some point.

Cyber attackers are known to target holidays such as Easter, when they know people are in a rush to log off and others are offline.

Remind your staff that they should be suspicious of any urgent requests, including emails from senior management and executives (especially those who are on leave or travelling).