April 20, 2021

Good morning, everyone!

I know y’all hear me say this all the time, but honestly there is absolutely nothing more important, easy and free of charge – update everything all the time! Some good tales this week.

Patch all the things!

This week’s critical vulnerabilities: Last week was another big “Patch Tuesday” with updates coming out from Microsoft, Adobe and SAP – make certain your updates were downloaded and installed. I hate to say this, but last week Microsoft released more security updates for Exchange Servers, patching holes that are being actively exploited. Flaws in the Zoom desktop client for both Windows & Mac can allow attackers to remotely control the computer. A fix is not yet available, but it appears that the attack works only on the Zoom desktop client, not the browser client. So for now, it’s best to do all your Zoom meetings in the browser only.

Two-year-old vulnerability being actively exploited

A two-year-old vulnerability in Fortinet VPNs is being actively exploited by cyber criminals. The National Cyber Security Centre (NCSC) has issued warning to organizations with a Fortinet firewall:

In fact, the NCSC has warned that organisations using unpatched Fortinet VPN devices must assume they are now compromised, and should begin incident management procedures. That includes removing the device from service and returning it to factory settings, as well as investigating the network for suspicious or unexpected activity.

Don’t be a victim of FBI hacking

To say that I have mixed feelings about this story is a tremendous understatement:

A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks…. The FBI said it’s attempting to inform owners via email of servers from which it removed the backdoors.

So the FBI is hacking into servers owned and operated by private companies, executing commands on the servers, and “attempting to inform” the owners? Is this really legal? Is this a path that we want to follow? Couldn’t they just call the companies in question, or show up on their doorstep, with a warning that they have been hacked and instructions on how to resolve the problem?

I guess the biggest takeaway from this story is don’t get hacked by the FBI. How do you avoid this? Patch your own servers! If you don’t know how, get help.

Weed-Zapping Robots A robotics company in Seattle has developed a self-driving robot that uses artificial intelligence to identify weeds and zap them with laser bursts. It can cover up to 16 acres a day, zapping as many as 100,000 weeds an hour. When they build a robot that can zap mosquitoes like that, I'll pre-order!

Patch what you can, and segment everything

Recently discovered so-called Name: Wreck flaws are exposing over 100 million IoT devices to compromise. The problem is that so many of these inexpensive, ubiquitous devices are manufactured using the same software/firmware. So when a flaw is found, its reach can be tremendous:

All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that doesn't necessarily translate to fixes in actual devices, which often run older software versions. Sometimes manufacturers haven't created mechanisms to update this code, but in other situations they don't manufacture the component it's running on and simply don't have control of the mechanism.

So patch what you can, when you can. As an extra safeguard, segment everything. Put your “things” on a guest network, separate from your computers and mobile devices, behind a properly configured firewall. If they don’t need Internet access to function, block them from Internet access. Remember, smart “things” are just little computers, and they need to be protected from the bad guys just like your PC does. Make it hard for the bad guys to do their work!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Goes Virtual

Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.

Contact me to schedule your employee training sessions. They're fun! ☺