Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect


May 31, 2022

Good morning, everyone!

The latest critical vulnerabilities:
  • Multiple WordPress vulnerabilities are being actively exploited in a campaign to redirect visitors to scam websites. Jupiter Theme and JupiterX Core plugin for WordPress have been updated to fix critical issues, as well as the School Management plug-in.
  • Apple fixed 20+ security issues in each of iOS and iPadOS 15.5, watchOS 8.6, macOS 12.4, macOS 11.6.6, Catalina update 2022-004, Xcode 13.4 and tvOS 15.5.
  • Zoom fixed six vulnerabilities in its latest update.
  • VMware has released critical fixes for Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, vRealize Suite Lifecycle Manager and VMware Cloud Foundation. CISA is urging immediate updates.
  • Microsoft has released an out-of-band patch to fix an authentication issue in some of its latest patches. No reason to hold back on the May Patch Tuesday releases now.
  • SonicWall has released security updates for its SSL-VPN SMA100 series devices.
  • Cisco has released security updates for its IOS XR router software.
  • Zyxel has released critical fixes for its firewalls that have the zero-touch provisioning feature – vulnerabilities are currently being exploited.
  • A vulnerability in F5’s BIG-IP product is being actively exploited, according to CISA.
  • NVIDIA has released security updates for its D3D10 driver for graphics cards used in many PCs.

Patch All the Things!



Credential Stuffing attacks are on the rise

General Motors is among the latest organizations to report a data breach:

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards.

Identifying GM as the “victim” in this scenario is misleading on two counts: (1) GM corporate data wasn’t stolen; rather, its customers' personal information was stolen, and (2) this wasn't the result of an actual attack on GM information systems, but rather a standard credential stuffing attack.

You are probably asking yourself, What is a credential stuffing attack?

In this type of attack, cyber criminals use combinations of user names and passwords (“credentials”) stolen in past data breaches to break into other sites where individuals reused those same credentials. This is why re-using passwords across multiple sites is so dangerous: if that password gets stolen from one site, it can be used to log into every other site where you used it.

How do you protect yourself? Two ways:

(1) Don’t re-use passwords, particularly on important websites that contain sensitive information (e.g., DOB, SSN, financial data, health data). Try not to re-use even part of a password, as it makes that partially-new password easier to crack than a brand-new one.

(2) Monitor your data that shows up on the dark web (the Internet black market). There are commercial services that will do this for you for a fee, but you can also sign up free of charge to https://haveibeenpwned.com to check if your email or other user name has shown up in a data breach, and get notifications if it shows up later.
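From the website operator's side, the same attack has a recognizable shape: one source tries many different user names, each once, and most attempts fail because only the reused passwords work. The script below is an added example (not from the newsletter, and not any particular vendor's product) that runs that check over a handful of constructed login-log lines in a hypothetical "timestamp ip user OK|FAIL" format; the thresholds are assumptions to tune for your own traffic. Accounts that logged in successfully from a flagged source are the ones whose reused password worked, so those are the accounts to lock and reset.

```python
"""Flag credential-stuffing sources in web login logs.

Added example, not code from the newsletter. A credential stuffing run
looks like one source trying MANY distinct user names with a low success
rate (each stolen pair is tried once). Plain brute force hammers ONE
account many times, and a legitimate user hits one account a few times.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).
# Hypothetical format: "<ISO timestamp> <source ip> <user name> <OK|FAIL>"
SAMPLE_LOG = """\
2022-05-30T10:00:01 203.0.113.5 alice FAIL
2022-05-30T10:00:02 203.0.113.5 bob FAIL
2022-05-30T10:00:02 203.0.113.5 carol FAIL
2022-05-30T10:00:03 203.0.113.5 dave OK
2022-05-30T10:00:03 203.0.113.5 erin FAIL
2022-05-30T10:00:04 203.0.113.5 frank FAIL
2022-05-30T10:00:04 203.0.113.5 grace FAIL
2022-05-30T10:00:05 203.0.113.5 heidi FAIL
2022-05-30T10:00:05 203.0.113.5 ivan FAIL
2022-05-30T10:00:06 203.0.113.5 judy FAIL
2022-05-30T10:01:00 198.51.100.7 alice FAIL
2022-05-30T10:01:30 198.51.100.7 alice FAIL
2022-05-30T10:02:00 198.51.100.7 alice OK
2022-05-30T10:05:00 192.0.2.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=8, max_success_rate=0.25):
    """Return {ip: summary} for each source IP that, within any sliding
    time window, tried at least `min_users` distinct user names with a
    success rate at or below `max_success_rate`. Threshold values are
    assumptions; tune them to your own login traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            rate = len(successes) / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                # Keep the widest matching window for this source.
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        # Accounts whose reused password worked: reset these.
                        "compromised": sorted(set(successes)),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {summary['attempts']} attempts across "
              f"{summary['distinct_users']} accounts; "
              f"successful logins: {summary['compromised']}")
```

In the sample data only 203.0.113.5 is flagged (ten user names in six seconds, one success); 198.51.100.7 is a person mistyping their own password and 192.0.2.9 is a normal login. Per-source counting is the simplest signal and the first one attackers evade by spreading attempts across many addresses, so in practice it is paired with a site-wide watch on the overall login failure rate and on logins from addresses never seen for that account before.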

Do it for others, if not for yourself

I often see people shrug their shoulders when I talk about securing home computers and devices. They say things like “I don’t have anything important on that computer” or “I don’t care if someone can see the camera feed from my front porch, it’s on the street!”

It’s not just about protecting your data; it’s also about preventing the bad guys from using your devices to attack others. Say what? Yep, sometimes the only way you know that your device has been compromised is when the FBI shows up at your front door with a warrant to seize all the computers in the house. I was reminded of this fact when this story from 2016, “The Chinese Hackers in the Back Office,” was referenced in an online conversation with colleagues:

“When they first told us, we said, ‘No way,’” Mr. Cate said one afternoon recently over pizza and cheese curds, recalling when he first learned the computer server his family used to manage its welding business had been secretly repurposed. “We were totally freaked out,” Ms. Cate said. “We had no idea we could be used as an infiltration unit for Chinese attacks.”

It’s not just small-business servers, though; frequently “smart” devices such as webcams are hijacked by cyber criminals and put into botnets (networks of compromised devices often used to attack commercial and government networks). The most famous example is probably the Mirai botnet:

The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks.

I know that all of YOU take security seriously, or you wouldn’t have read this far today! But think about this the next time you hear someone else disparage the need for cyber security at home. It’s naive to think that you don’t have anything valuable on your home network – everything has value to someone somewhere, even if it’s just to use your device to attack a bigger target. Don’t let the bad guys use your stuff to commit crimes.

Secure Your Stuff!

Hope this gives you something to think about this week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.


Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com


The Net Effect is a CMMC-AB Registered Provider Organization (RPO)

Copyright 1996-2022 The Net Effect, L.L.C. All rights reserved.