April 20, 2021
Good morning, everyone!
I know y’all hear me say this all the time, but honestly, nothing is more important, easier or cheaper (it’s free of charge): update everything, all the time! Some good tales this week.
Patch all the things!
This week’s critical vulnerabilities:
Two-year-old vulnerability being actively exploited
In fact, the NCSC has warned that organisations using unpatched Fortinet VPN devices must assume they are now compromised, and should begin incident management procedures. That includes removing the device from service and returning it to factory settings, as well as investigating the network for suspicious or unexpected activity.
Don’t be a victim of FBI hacking
To say that I have mixed feelings about this story is a tremendous understatement:
A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks…. The FBI said it’s attempting to inform owners via email of servers from which it removed the backdoors.
So the FBI is hacking into servers owned and operated by private companies, executing commands on the servers, and “attempting to inform” the owners? Is this really legal? Is this a path that we want to follow? Couldn’t they just call the companies in question, or show up on their doorstep, with a warning that they have been hacked and instructions on how to resolve the problem?
I guess the biggest takeaway from this story is don’t get hacked by the FBI. How do you avoid this? Patch your own servers! If you don’t know how, get help.
A robotics company in Seattle has developed a self-driving robot that uses artificial intelligence to identify weeds and zap them with laser bursts. It can cover up to 16 acres a day, zapping as many as 100,000 weeds an hour. When they build a robot that can zap mosquitoes like that, I'll pre-order!
Patch what you can, and segment everything
The recently discovered, so-called NAME:WRECK flaws are exposing over 100 million IoT devices to compromise. The problem is that so many of these inexpensive, ubiquitous devices are manufactured using the same software/firmware. So when a flaw is found, its reach can be tremendous:
All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that doesn't necessarily translate to fixes in actual devices, which often run older software versions. Sometimes manufacturers haven't created mechanisms to update this code, but in other situations they don't manufacture the component it's running on and simply don't have control of the mechanism.
So patch what you can, when you can. As an extra safeguard, segment everything. Put your “things” on a guest network, separate from your computers and mobile devices, behind a properly configured firewall. If they don’t need Internet access to function, block them from Internet access. Remember, smart “things” are just little computers, and they need to be protected from the bad guys just like your PC does. Make it hard for the bad guys to do their work!
Talk to you again soon!