August 9, 2018
Bluetooth and Phishing Security Risks

The Latest Bluetooth and Phishing Security Risks: Some Summertime Tips

It’s hot, it’s humid…it’s summer! That means lots of outdoor activities, from fishing (and no, we don’t mean phishing!) to sunset runs to lounging on the beach.

It also may mean listening to some summer tunes via Bluetooth while enjoying these long days of summer. But is the method by which you are playing your favorite summer tunes safe? Maybe not.  Bluetooth is the protocol used by devices to connect wirelessly to other devices.  Security experts have recently discovered what’s called a “major flaw” in the way authentication is handled during pairing of the devices.  This “major flaw” is, in fact, major: it effectively could allow an attacker to intercept encrypted data, including passwords, accounts names, and phone numbers on your device.  Due to the nature of Bluetooth, the attacker would not need physical access to your device to launch an attack. For an attack to be successful, an attacking device would merely need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. Yikes!

 

To protect your device, we advise that you:

  • Install Device Updates: manufacturers of these devices are pushing security patches rapidly to address the issue.  When you see your device prompt for an update, please allow the update as soon as possible so the risk of vulnerability is reduced and the security gap closed.
  • Turn off your Bluetooth When Not In Use (or When You’re Near Anyone You Don’t Trust!): You likely are not using Bluetooth all the time. During those times you are not listening to audio via Bluetooth, TURN THE BLUETOOTH OFF! The more time your Bluetooth is off, the less opportunity the attackers have to intercept.

 

Unfortunately, the Bluetooth blues aren’t the only summertime security risk we are seeing.  We’ve also seen a sharp increase in the volume of “CEO phishing attacks” via email.   This type of attack attempts to get users to send out confidential information or transfer bank funds by posing as an Official or CEO or President of the company.

 

To protect against such phishing attacks, we advise you to be vigilant and do the following:

  • Check the “From” Field in the Email. The “From” field of the email will show the actual name of an Official of your company so it looks quite real.  You must look at the actual email address of the sender, however, to confirm. A phishing email will say the Official’s name, but the actual email address will be different than the Official’s email address.
  • Pay Attention to the Body of the Email: The body of a phishing email will typically be very short, i.e. asking for information to be sent or funds to be transferred.  Pay attention to the style of the email.  Is the apparent Official corresponding in the same manner/style/tone that he typically corresponds with?
  • Confirm Via Telephone: You know your boss’s voice. If you are being asked for confidential information over email – or are being asked to wire or issue funds over email – pick up your phone and confirm.
  • Institute and Follow Data Security Policies. Institute a “no wire” over email policy (which you should have anyways to comply with MA data security laws).

 

An ounce of prevention will go a long way to protect against these summertime security risks!

-Mike Archambault, NBM IT Director