With ransomware attacks constantly in the news for the past few years, you’ve likely become adept at spotting phishing emails and other suspicious online behavior. However, not all security breaches are the result of these types of social engineering attacks. In fact, many security holes are simply the result of poor software or web development.
Epic Games, the makers of your kids’ favorite kill or be killed pastime Fortnite, announced in January that they had resolved vulnerabilities that could have let hackers access users’ accounts. According to Engadget, researchers were able to exploit an unsecured Unreal Tournament stats page, allowing them to listen to players’ conversations and purchase V-Bucks virtual currency using players' stored credit card information. This vulnerability isn’t a first for Fortnite. Epic's first Android installer included a flaw that would have let intruders install malware on users’ devices.
Audio equipment manufacturer Sennheiser recently announced a fix for a security flaw introduced by the driver software for their headphones. According to Ars Technica, the vulnerability stems from a self-signed root certificate that kept the private cryptographic key in a format that could be easily extracted by hackers. The result? Security researchers were able forge TLS certificates that any computer running the vulnerable Sennheiser app would trust until 2027 when the root certificate was set to expire.
And, in cruelly ironic news, a new study uncovered a wide array of vulnerabilities in password management services. Last week, research firm Independent Security Evaluators released the results of their tests of popular password managers, including 1Password, Dashlane, KeePass and LastPass. All of the password management solutions tested failed to secure users’ passwords as advertised and could expose the very data they are supposed to protect, according to ZDNet.
Protecting against security vulnerabilities
These vulnerabilities were discovered and resolved before hackers were able to exploit them. Of course, that’s not always the case. For example, you may recall the WannaCry ransomware campaign of 2017, which infected more than 230,000 computers in over 150 countries in the first day of the attack alone. WannaCry used an exploit known as EternalBlue which targeted a vulnerability in Windows' Server Message Block (SMB) protocol as opposed to the more common phishing approach. So, how do you protect against these kinds of attacks?
- Keep your operating system and applications patched and up-to-date.
Software vendors issue frequent updates to address vulnerabilities as they are discovered. Neglecting these updates can leave your computer defenseless. Keeping your operating system and applications up-to-date is goes a long way toward avoiding attacks.
- Install (and update) anti-virus software
Anti-virus software provides a line of defense against malware designed to exploit software vulnerabilities. The suggestion above applies to anti-virus software as well. Ransomware and other types of malware are constantly being modified to evade detection, so keeping anti-virus software up-to-date is critical.
- Backup your data
They don’t protect against every type of attack, but taking regular backups is critical. Backup is the only way to recover data in the event of attacks that encrypt or destroy files. Look for backup products, like Carbonite Safe, that take automated backups of files, applications, and settings, so you can restore your system to a clean state following an attack.