Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect


December 7, 2021

Good morning, everyone!

This week’s critical vulnerabilities:
  • Microsoft Exchange Server is being actively attacked. Patches were released ages ago.
  • HP has released firmware updates for more than 150 models of multifunction printers. Critical vulnerabilities have been patched. It’s important to update.

Patch All the Things!



Securing mobile devices

CISA has released a new checklist for securing mobile devices. Good basic advice and it applies generically to all mobile devices, no matter the brand.

Don’t trust ISPs to manage your security

A few weeks ago, it was revealed that UK Internet service provider Sky Broadband rolled out patches for a critical vulnerability affecting more than 6 million routers – some 18 months (!!!) after the flaw was originally reported to Sky. And now, just last week, we learned that AT&T recently dismantled a botnet operating on its equipment (EdgeMarc Enterprise Session Border Controllers) provided to SMB customers. The botnet was exploiting a security vulnerability that the equipment manufacturer released a patch for in December 2018. Yes, two years ago. In commenting on this story, Dr. Johannes Ullrich of SANS Institute wrote:

Treat ISP supplied equipment as hostile and outside your perimeter.

Words to live by.

When the Internet locks you out

Some Tesla car owners were locked out of their cars a couple of weeks ago. Elon Musk said the problem stemmed from “accidentally increased verbosity of network traffic.” (rolling eyes) This is another example of why it’s important to have a manual fallback for any important function that you normally perform by technical means.

Longer is truly better

I've written before that "longer" makes a password exponentially more secure. Well, we have new proof that this is true:

According to data collected by Microsoft’s network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters.

“I analysed the credentials entered from over 25 million brute force attacks against SSH. This is around 30 days of data in Microsoft’s sensor network,” said Ross Bevington, a security researcher at Microsoft.

“77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,” said Bevington, who works as Head of Deception at Microsoft, a position in which he’s tasked with creating legitimate-looking honeypot systems in order to study attacker trends.

So, think pass phrases, not pass words. Easier to type, easier to remember and much less likely to be brute-forced.
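As an added illustration (not from the newsletter or from Microsoft's analysis), here is a small Python script that bins honeypot login attempts by password length using the same cut points Bevington quotes, and shows how each extra character multiplies the brute-force work. The log line format, source addresses and passwords are all constructed for the example.

```python
import re
from collections import Counter

# Constructed honeypot log lines (not real captures); the line format is assumed.
HONEYPOT_LOG = """\
2021-11-15T02:14:07Z sshd-honeypot src=192.0.2.10 user=root password=123456
2021-11-15T02:14:09Z sshd-honeypot src=192.0.2.10 user=admin password=admin
2021-11-15T02:14:11Z sshd-honeypot src=192.0.2.10 user=root password=toor
2021-11-15T02:14:15Z sshd-honeypot src=192.0.2.44 user=pi password=raspberry
2021-11-15T02:14:20Z sshd-honeypot src=192.0.2.44 user=root password=password
2021-11-15T02:14:22Z sshd-honeypot src=192.0.2.91 user=admin password=qwerty
2021-11-15T02:14:23Z sshd-honeypot src=192.0.2.91 user=test password=test
2021-11-15T02:14:30Z sshd-honeypot src=192.0.2.91 user=root password=P@ssw0rd2021
2021-11-15T02:14:31Z sshd-honeypot src=192.0.2.91 user=oracle password=letmein
2021-11-15T02:14:40Z sshd-honeypot src=192.0.2.91 user=root password=correcthorsebatterystaple
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) password=(?P<password>\S*)$")

def parse_passwords(log_text):
    """Pull the attempted password out of every line that matches the format."""
    return [m.group("password") for m in map(LINE_RE.search, log_text.splitlines()) if m]

def length_buckets(passwords):
    """Count attempts by password length: 1-7, 8-10, more than 10 (the cut points
    quoted from the Microsoft honeypot analysis), plus empty passwords."""
    buckets = Counter()
    for n in map(len, passwords):
        if n == 0:
            buckets["empty"] += 1
        elif n <= 7:
            buckets["1-7"] += 1
        elif n <= 10:
            buckets["8-10"] += 1
        else:
            buckets[">10"] += 1
    return buckets

def brute_force_seconds(charset_size, length, guesses_per_second):
    """Expected time to guess a random password of this length: half the keyspace."""
    return charset_size ** length / 2 / guesses_per_second

if __name__ == "__main__":
    pws = parse_passwords(HONEYPOT_LOG)
    for bucket, count in sorted(length_buckets(pws).items()):
        print(f"{bucket:>5}: {count} of {len(pws)} ({100 * count / len(pws):.0f}%)")
    for length in (7, 10, 14):  # each extra lowercase letter multiplies the work by 26
        print(f"{length} lowercase chars @ 1000 guesses/s: {brute_force_seconds(26, length, 1000):.3g} s")
```

Run it against your own honeypot or failed-login logs (adjusting LINE_RE to your format) to see whether the attackers hitting you follow the same short-password pattern.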

Y’all have a great week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Glenda R. Snodgrass

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com


The Net Effect is a CMMC-AB Registered Provider Organization (RPO).

Copyright 1996-2022 The Net Effect, L.L.C. All rights reserved.