Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

January 17, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • Microsoft's first Patch Tuesday of 2023 brought us 98 patches, 11 critical and one already being actively exploited
  • Apple released iOS 16.2, which includes 35 security patches along with new features. It has apparently been backported to some older devices also, since my iPad received the update (though it was previously ineligible for 16.0).
  • Cisco Small Business RV016, RV042, RV042G, and RV082 routers have critical vulnerabilities that will not be patched, as the devices are past support life. Replace them immediately.
  • Citrix released critical patches in Nov & Dec but report that thousands of Citrix servers remain unpatched
  • Netgear released important fixes to its Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC routers
  • Multiple WordPress plug-ins are under attack: read more here and here
  • Control Web Panel should be updated immediately

Patch All the Things!



Windows Server 2012 Extended Support will End in October

If you still have any Windows 2012 servers, now is the time to plan on replacing them, before extended support ends in October.

The Number One Way to Protect Your Devices Online

CISA announced recently that a US satellite network was hacked by a Russian group known as Fancy Bear:

It appears that Fancy Bear exploited a 2018 vulnerability found in an unpatched virtual private network, giving its hackers the ability to scrape all the credentials with active sessions.

(slapping forehead) An unpatched vulnerability from 2018?!?!? Remember, Patch early, patch often! A patched vulnerability is no longer a vulnerability. It's that simple. This is literally the single most important (and easy! and free!) thing you can do to protect your devices online. Have automatic updates turned on everywhere, and periodically do a manual check to be sure you have the latest patches installed for everything.

How Bad Was That LastPass Breach?

It turns out that the hackers stole customers' passwords stored in the LastPass vault. Fortunately the passwords are protected by strong encryption, so assuming LastPass properly implemented this encryption, the only way attackers can read those passwords is with the master password that provides the encryption key. This is why it's so important to use a really good, long, strong, unique password as a master password -- minimum 12 characters, preferably 20 or more. If you use LastPass and you didn't have a really good master password in place prior to this breach, you should probably change all your passwords now. For further reading, this blog post has a lot of good info on passwords and password managers.

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass

grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺
