November 23, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
This is useful! The website Router Security Vulnerabilities has an incredibly comprehensive list of routers with known vulnerabilities and remediation steps. Look for yours on the list!
Patch All the Things!
So did you hear that the FBI’s Law Enforcement Enterprise Portal (LEEP) was compromised and used to send fake emails? Ouch! That's pretty embarrassing for them, but it does give me a good opportunity to talk more about how to recognize and handle phishy emails.
The important thing to note here is this: the fake emails actually came from the FBI’s mail server. The most common thing I hear from people who have been tricked into installing malware via phishing emails is “But I looked to see if it was really from [this person I know] before I opened that attachment!” That isn’t good protection if that person’s email account or server was compromised and used without their knowledge (and it’s pretty easy to spoof the “from” address anyway).
So, looking at the "from" address and the headers can be a coarse filter to spot big fat red flags (e.g., a "from" address that looks totally wrong), but the most important thing is this: what does this email want me to do? Phishing emails use social engineering techniques to get you to do what they want. Most of these emails are carefully crafted to get you to click on a particular link in the email. Oftentimes, other links in the email are totally legitimate, but the one big button in the middle that your eye is drawn to – that’s the toxic one! Don’t do it! Don’t click that link!
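As an added example (not from the newsletter), here is a small Python triage script that applies the two checks above to a constructed message: it reads the coarse header signals (sender domain, Reply-To, SPF/DKIM/DMARC results) and then lists every link, flagging the ones whose real target is not under the sender's domain or whose visible text shows a different URL than the one it actually opens. The message, domains and header values are all made up for the example. Note that the headers say spf=pass and dkim=pass, exactly as they would for mail sent through a compromised but legitimate server, and the link check still catches the one bad button.

```python
"""Phishing triage: headers are a coarse filter; the links are the real test.
Added example, not part of the original newsletter. All data is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all domains are reserved example.* names).
# It authenticates cleanly, carries two perfectly legitimate links, and one
# big button whose visible text is not where it really goes.
RAW_MESSAGE = """\
Return-Path: <alerts@example.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass
From: "Security Alerts" <alerts@example.org>
Reply-To: <helpdesk@example.net>
To: <you@example.com>
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>See our <a href="https://www.example.org/privacy">privacy policy</a>.</p>
<p><a href="https://login.example.net/verify" style="font-size:24px">
https://www.example.org/verify</a></p>
<p>Questions? <a href="https://www.example.org/contact">Contact us</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def domain_of(header_value):
    """Bare domain from an address header value; '' when the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(header_value):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header_value or ""), re.I)
    return {k.lower(): v.lower() for k, v in pairs}


def same_org(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage(raw):
    """Return header signals plus a per-link verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)

    links = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # If the anchor text itself looks like a URL, the reader believes THAT is the target.
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        reasons = []
        if not same_org(host, sender):
            reasons.append("target %s is not under sender domain %s" % (host, sender))
        if shown and shown.lower() != host:
            reasons.append("visible URL %s hides real target %s" % (shown, host))
        links.append({"href": href, "text": text, "reasons": reasons})

    return {
        "sender_domain": sender,
        "auth": auth_results(msg["Authentication-Results"]),
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
        "links": links,
        "suspect_links": [l for l in links if l["reasons"]],
    }


if __name__ == "__main__":
    report = triage(RAW_MESSAGE)
    print("sender:", report["sender_domain"], "auth:", report["auth"])
    print("reply-to goes elsewhere:", report["reply_to_mismatch"])
    for link in report["links"]:
        flag = "TOXIC" if link["reasons"] else "ok"
        print("[%s] %s -> %s %s" % (flag, link["text"], link["href"], link["reasons"]))
```

The point of the sample is that every authentication field passes, and two of the three links are genuinely fine; only the one styled as the big button is flagged, for two independent reasons. In real triage, treat `auth` as a filter for obvious forgeries, treat a Reply-To pointing somewhere else as a warning sign, and always decide on the link targets, not the "from" line.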
Consult only original sources of information
I gave you some tips in this regard in a previous newsletter, and I’ll give you two more today.
Install OS updates on your devices only from the Settings/Update options. Recently the FluBot malware was going around via fake security updates. It popped up a scary red box saying that Android had detected your device was infected, with a button to install a security update right then to clear the infection. But guess what? If you clicked on that button, you were installing the FluBot banking trojan! So if you get a popup that you need to update, go to the place you usually get your updates (Settings → General → Software Update on my iPhone for example) and download legitimate updates from the manufacturer.
When in doubt, pick up the phone. If you have any doubt whatsoever about the legitimacy of an email, pick up the phone and call the person who supposedly sent it. Most of the time, they will say “I didn’t send that email to you.” Don’t reply back to the email!! If the bad guys have compromised the email account, they will respond to your email “Yes, it’s safe, you need to read that.” And you’re cooked.
Do you have Industrial Control Systems (ICS) in your organization?
CISA has put out a warning about vulnerabilities in certain open source software modules that are often embedded in ICS equipment:
"many industrial control system owners don't realize that their systems are full of open-source software [...] The reasons for this are multifaceted"
Affected equipment includes systems from Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing. There's a lot to read in this article, so if you have ICS systems, please check this out.
And don't forget the usefulness of network segmentation in protecting ICS and other IoT/operational technology!
The Booming Underground Market for Bots That Steal Your 2FA Codes
This is a fascinating article, well worth the read and with a valuable lesson inside:
The call came from PayPal’s fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer….
Remember, develop your natural skepticism! Follow standard procedures. When in doubt, don’t.
Happy Thanksgiving, everyone!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺