April 27, 2021

Good morning, everyone!

Sometimes I have a particular theme I want to talk about in this newsletter, and sometimes my head is just full of random concerns from all the news of the week. Guess what kind of week this is?

This week’s critical vulnerabilities: If you use Passwordstate password manager and updated the software last week, read this and you may need to reset all passwords in the database. Multiple recent attacks have been traced to Pulse Secure VPN vulnerabilities – one actually bypasses 2FA! If you have one of these devices, you should run the Pulse Security Integrity Checking Tool ASAP. WordPress has released another update fixing two critical security issues. A critical vulnerability in the Kaswara Modern WPBakery Page Builder Addons WordPress plugin is being actively exploited. Remove the plugin as there is no fix anticipated. Update the Redirection for Contact Form 7 plugin if you have it. Finally, the N5 Upload Form WordPress plugin through 1.0 has a vulnerability that should be addressed. Google released more updates to Chrome to fix vulnerabilities that are being actively exploited. Vulnerabilities in SonicWall’s Email Security Tool have been fixed in the latest update. QNAP has released an update for its HBS 3 Hybrid Backup Sync that fixes a problem with hardcoded credentials. (eyeroll) Codecov’s Bash Uploader script was altered (a SolarWinds-style attack) and customer sites are being compromised.

Ransomware Fallout

Yet another reminder that you do NOT want to be the victim of ransomware. Quanta Computer, manufacturer of laptops for the likes of Apple, HP, Alienware, Dell, Lenovo, Cisco and Microsoft, recently suffered a data breach in the course of a ransomware attack. The ransomware group REvil claims they stole blueprints for Apple’s latest products, and have demanded $50M ransom. In the early days of ransomare, the bad guys just encrypted your data. Now they often steal a copy of their own before encrypting your copy. The legal fallout from this is expected to be significant.

Last week, the US Justice Department convened the Ransomware and Digital Extortion Task Force:

The Task Force will bring all of the Department's resources to bear to bolster our all-tools approach and work with our partners here and abroad to combat the threat of ransomware and digital extortion, and to ensure that we hold those who participate in the propagation of these crimes responsible and accountable

Let’s hope it helps.

Preparing for the Next SolarWinds Event

The Health Information Sharing and Analysis Center (H-ISAC) has published a new report, Preparing for the Next “SolarWinds” Event. While directed at healthcare institutions, the recommendations apply to any organization:

Simply put, the best ways to mitigate the next SolarWinds-level incident are having vulnerability awareness, applying proper patch application and management, implementing least privilege access, deploying Privileged User Monitoring & Access Control functions, and having access to reputable threat intelligence.

The report has a nice history of recent large attacks and how they unfolded. It’s an interesting read, and especially timely given the Passwordstate and Codecov attacks referenced above. Apparently software supply chain attacks are the new hotness in the world of cybercrime.

FLoC is a FLoP

While Google has been touting its new Federated Learning of Cohorts (FLoC) ad tracking technology as a “privacy enhancement” initiative, all major browsers are refusing to integrate it:

“The worst aspect of FLoC is that it materially harms user privacy, under the guise of being privacy-friendly.”

Chrome users can opt-out of FLoC by either going to Settings -> Privacy and Security -> Cookies and Other Site Data and selecting “Block third-party cookies” or by installing the DuckDuckGo extension for Chrome. If you are concerned about privacy (and I hope you are!), it’s a good idea to clear cookies and cache in your browser on a regular basis (I do this every time I log out of a website, at a minimum).

Whew! I think that's enough for this week.

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Goes Virtual

Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.

Contact me to schedule your employee training sessions. They're fun! ☺