Cyber News Roundup: Consumer service flaws and breaches hit Siri, MyFitnessPal app

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

The notion that cybersecurity should concern all Oregon residents has come into full view of late with news of significant flaws and data breaches impacting popular consumer services.

Most recently, athletic wear company Under Armour disclosed that data tied to the popular MyFitnessPal app has been breached, affecting 150 million user accounts (including this editor). Meanwhile, it turns out that Apple’s Siri may be talked into giving out more personal information than you might want – like personal messages and emails.

In the case of Under Armour, the breach occurred in February and was discovered on March 25. Four days later, Under Armour sent out a notification to users and will require all users to change their password. It’s not clear who was responsible for the breach. Usernames, email addresses and hashed passwords were taken in the breach, but credit card details were stored in a separate database that was not breached.

Until a patch is released, Apple iPhone users should keep close tabs on their devices. When a user asks Siri to “read my notifications,” the iPhone can read messages and emails from third-party apps like Facebook Messenger, WhatsApp and Gmail even if the iPhone is locked and notifications are hidden. Users who assume that their notifications can’t be read by others need to take notice.

In a statement provided to MacRumors, Apple said “We are aware of the issue and it will be addressed in an upcoming software update.” It’s quite possible the fix will be included in iOS 11.3, which remains in beta testing, but Apple may elect to address the problem with a minor update such as iOS 11.2.7.

California develops new security risk and maturity measurement program

Similar to the State of Oregon adopting important measures to improve cyber security, the State of California has just released California Cybersecurity Maturity Metrics. The metrics were created to “provide an objective comparison across all state government agencies.” The metrics will give the state CIO and legislators a tool to help decide where to invest funds for cyber security and help drive policymaking.

The metrics, which were announced with the release of Technology Letter 18-01, include measurements with names like risk, threat, impact, and maturity. Each metric is rated on a scale from 0 to 4, entirely based on existing data from audits, anecdotal reports, and existing measurement policies.

“This is literally us doing our best to ensure we find weak areas or those that are risky and help ensure that they’re empowered to get a better program and increase their maturity to decrease their overall risk,” said state CIO Peter Liebert.

Cybersecurity spending on the rise

President Trump agreed to sign the new Federal government spending bill, which will include an unprecedented $15 billion for cybersecurity. Of that, $8.5 billion will be earmarked for the Department of Defense. The $15 billion request is $583.4 million higher than the estimated cybersecurity spend in FY 2018. This may be good news for companies that develop cybersecurity technology – and help keep us all safer online.

As highlighted in an article in The Hill, much of the budget will be used “on DOD cyber command activities, programs at the Department of Homeland Security (DHS) that protect the federal government and critical infrastructure, and law enforcement investments in cybersecurity investigations.”

Unlike in past years where each agency could earmark funds towards their own specific areas of interest, the agencies are now adhering to the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions, categories, and subcategories.

According to The Hill article, “Agencies are diving even deeper by investing in specific capabilities that roll up into those framework functions. Examples of specific investments would include patch management tools, security operations center infrastructure and personnel, identity and access management applications, and intrusion detection and prevention systems which are mapped to Federal Information Security Modernization Act (FISMA) metrics that agencies are mandated to report to OMB on a regular basis.”

Photo credit: REUTERS/Rick Wilking