Archives for September 2018

September 28, 2018 by Joseph Martin

Users of Apple tech have a new reason to worry. A security researcher named Sabri Haddouche, who works for an instant messaging app called “Wire,” has published a proof of concept web page. It contains a fatal exploit that can crash and restart iPhones, iPads and any Mac.

Essentially then, the entire Apple ecosystem is vulnerable. Worse, the security flaw can be exploited using nothing more than CSS and HTML code. The flaw resides in Apple’s WebKit, which is its web rendering engine used by all apps and browsers running on Apple’s OS.

Haddouche tested the exploit using Chrome, Microsoft Edge, and the Safari web browser. He got the same result each time using both a MacBook Pro and an iPhone X. Apple users are advised to exercise extreme caution when visiting any web page until a patch can be issued.

The company is currently investigating the issue, and to this point has not given their legions of users a timeframe for a possible fix.

Sadly, this isn’t the first time a flaw like this has been discovered, and it’s unlikely to be the last. If there’s a silver lining, it is that Apple has historically been quick to patch flaws of this kind, and it should be noted that Linux and Windows systems are not affected.

It’s especially worrisome for small business owners, and until Apple gives us a time frame for a fix, your best bet is to steer clear of any websites but those that are business critical, and trusted sites that you know to be safe.

Although the exploit was specifically engineered to crash Apple devices, it’s easy enough to envision a nastier implementation which could critically damage the OS, rendering the device targeted by the attack completely inoperable. Stay vigilant, and stay tuned for a fix to what could be a devastating issue.

Joseph Martin

President & CEO
I hope you enjoyed this article. My mission is to take your stress away from dealing with IT problems. Call (252) 565-1235 or send me a message at our contact us page if you have a question, comment or want help.

September 27, 2018 by Joseph Martin

Western Digital has a big problem, and if you use the company’s “My Cloud” network-attached storage (NAS) storage devices, you’ve got one too. The WD My Cloud service is enormously popular because it’s so convenient, allowing both business owners and individuals to store their files, perform periodic backups, and of course, access their data from anywhere in the world.

Recently, security researchers have discovered an authentication bypass vulnerability that could allow an attacker to gain admin-level control over the device. This means they’d be able to monitor all of the files sent to, opened, or deleted on it, make copies of, or even delete the files found there.

The vulnerability has been given the designation CVE-2018-17153 and is about as serious as it gets. Without going into the technical details, essentially, all a hacker would have to do to take complete control over the device is for the hacker to “tell” the device that he’s an Admin via an uploaded cookie file. The device will accept it with no password required.

When the researchers notified Western Digital of the security flaw, they also released a proof of concept detailing the attack, and disturbingly, it can be executed using just six lines of code.

There is one silver lining in that to make use of the exploit, the hacker would need either local access or an internet connection to a specific WD My Cloud device. But this is a relatively low bar that most any experienced hacker could clear without a trace.

Western Digital has responded quickly, and according to a recent blog post on the company’s website, promises to have a patch that will resolve the issue “within a few weeks.” They also stressed to their customers the importance of ensuring that the firmware on all their products is always up to date and recommended enabling auto updates.

It’s good advice that will simplify your life and ensure you never miss an update, although not always practical for SMBs.

Joseph Martin

September 26, 2018 by Joseph Martin

We’ve known for some time now that the next big crisis the internet will have to come to grips with is the dramatic rise of the Internet of Things (IOT).

The problem isn’t with the devices themselves, which are enormously helpful and rapidly growing in their popularity. Rather, it lies in the fact that the overwhelming majority of IoT manufacturers have been notoriously lax when it comes to building even basic security protocols into the goods they make and sell.

The lack of security and the complete absence of any type of security has made the Internet of Things the new “low hanging fruit” of the internet, and hackers have been happy to take advantage of the incredibly easy access.

Kaspersky Lab has recently given us hard numbers to provide a sense of the scope and scale of the problem.

Last year, the company detected a total of 32,615 malware infections on IoT devices. In just the first six months of this year, the company has spotted 121,588 infections on IoT devices, representing a staggering 273 percent increase.

Far and away, the most commonly compromised devices were routers. Behind them were a whole raft of other IoT devices including smart TVs, refrigerators, DVRs, printers, washing machines and more.

Things have gotten so bad that earlier this year, the FBI issued a public service announcement in a bid to warn users of the dangers of unsecured devices.

These can be slaved by hackers to create enormous botnets like the one that brought down the internet on the entire eastern seaboard earlier this year. However, if they are connected to your home or office network, they provide a perfect launchpad for attacks against other network connected devices.

Sadly, manufacturers to this point have shown little interest in beefing up the security of the devices they sell, so the problem is likely to get much worse before it starts getting better.

Joseph Martin

September 25, 2018 by Joseph Martin

There’s a new report out, authored by ProofPoint, and its findings for business are grim.

It’s no secret that businesses of all shapes and sizes are coming under increasing fire from hackers around the world.

Now we have hard data that shows us exactly how big of an increase we’re seeing.

Here are some of the key findings in the report:

Email fraud attacks targeting businesses have increased 25 percent in the last quarter alone

They have increased by a staggering 85 percent from this time last year

Phishing links sent via social media platforms have increased by 30 percent

60 percent of those phishing links specifically targeted individual contributors and lower-level corporate management

23 percent of attacks targeted employees working in operations and production

Incidents of customer support fraud increased by 39 percent, compared to the previous quarter. This increased a whopping 400 percent compared with this time last year

Nick Frost (a co-founder of the Cyber Risk Management Group) had this to say about the disturbing report:

“Key to this is engineering emails and spoofing email addresses to a level of sophistication that fails to alert the recipient that there is anything suspicious about the email. Techniques such as web crawling and web scraping are able to collect and collate key information about an individual that can be used in crafting an email, accompanied by a link (as part of a phishing attack) to an unsuspecting user.

Whilst there are many legitimate web crawlers and many are enabled for business reasons, there may be organizations and individuals that wish for their information not to be collected and shared either for legitimate or adversarial purposes. There are tools that organizations can adopt that prevent or even delay web crawlers.”

Training is the first line of defense here. If you’re not doing it already, you should be holding regular phishing simulations so your employees become adept at spotting them.

Joseph Martin

September 24, 2018 by Joseph Martin

Google is taking yet another important step to help save us from ourselves. The company is releasing a complete redesign of their Chrome browser, which is exciting. There’s one feature in particular, however, that bears taking a special look at.

Perhaps the most significant change to the browser is the addition of a new password manager, which will offer to generate a random password when you sign into a website for the first time. The randomly generated password will be securely tucked away inside your Google Account and synced across both desktop and mobile versions of Chrome.

Password security is something humans aren’t very good at. Despite the risks and the repeated dire warnings, many people still have the tendency to use the same passwords that are only marginally different, across multiple websites they have accounts on.

The problem is that if one of the websites you have an account on is breached, it puts most (if not all) of your other web accounts at risk. It’s an extremely bad habit from a security standpoint, and unfortunately, it is one that has proved to be notoriously difficult to break.

Google’s solution to the problem is interesting,T but it should be noted that it is far from all-inclusive. Bear in mind that Chrome only manages passwords inside the browser, so if you log into services like Netflix on your smart TV, those login details won’t be captured in, or stored by your Google Account.

Google isn’t the only company doing what it can to save us from our worst password impulses. Apple is making changes too. With the release of iOS 12, Apple will give its OS the ability to autofill passwords across browsers and apps from third-party password managers.

Joseph Martin

September 24, 2018 by Joseph Martin

The Internet on devices continues to be a major problem when it comes to security. Unfortunately, a big part of the reason why comes down to end users. Recently, Bitdefender released a new report entitled “The IoT Threat Landscape And Top Smart Home Vulnerabilities in 2018,” and it paints a grim picture indeed.

The average home now contains twenty smart devices, and most of them contain security vulnerabilities. 95 percent of those vulnerabilities reside in the firmware.

While the majority of smart device users (60 percent ) claim to be “worried” or “very worried” about identity theft, most are utterly failing to adequately protect their IoT devices. In fact, sixty percent indicated that they had never performed a firmware update on their router, and 55 percent reported that they had never updated their smart TVs.

It gets worse. 40 percent of users surveyed indicated that they use the same password for each of their devices, and half of all smart TV owners said they had literally never updated their password.

Thirty percent of users claim that they’re worried about the prospect of a hacker accessing a smart camera to spy on them, but paradoxically, fully 70 percent have at least one camera connected to a vulnerable router.

To provide a sense of scope and scale, the company reported that its BOX product blocked nearly half a million threats (461,718) in just a 30-day period, with 76 percent of those being malicious websites.

Analyst Bogdan Botezatu stressed that while weak passwords are a big part of the problem, it’s not only users who are to blame.

He added:

“Smart device manufacturers share responsibility for the current state of IoT security because most of them are overlooking the security aspect. In their rush to launch the product ahead of the competition, they are leaving attack avenues wide open to attackers interested in user sensitive data.”

If you have one or more smart devices in your home, and you probably do, it’s time to get serious about securing them.

Joseph Martin

September 21, 2018 by Joseph Martin

Microsoft is making some long overdue and welcome changes to Outlook to include the Windows and the Web-based version.

People who use either one will now see a “Coming Soon” option that allows users to toggle between the version they’ve got now, and the new and improved version with the changes.

As to those changes, they fall broadly into three groups:

Better Organization – The improved Outlook offers intelligent technology, specialized icons, visual changes and a “highlights” feature that are all designed to help you manage your time better and provide a greater level of focus on your daily and weekly activities.

Improved Speed and Efficiency – The redesign is sleeker and faster. Using it will allow you to schedule meetings, read and act on emails and write new emails much more quickly than the old version.

More Customization – Hotmail users know only too well that Outlook on the web has lagged behind its competitors in terms of customization, and the redesign seeks to change that. Microsoft is playing a bit of catch up here, but any improvements on this front are welcome indeed. Among other things, you can now apply additional themes, personalize your inbox and simplify the ribbon.

There’s no word yet on how long the new features will be offered as an opt-in option, but of course, at some point, the company will mandate the change.

On balance, these are good changes. Perhaps more modest than long-time users would like to have seen, but again, any changes to one of the oldest email systems still around have to be counted as a positive.

Kudos to Microsoft for keeping Outlook reasonably up to date, and here’s hoping that the user base embraces them. which we hope hope will encourage the company to make additional improvements.

Joseph Martin

September 20, 2018 by Joseph Martin

Microsoft has been making two major Windows 10 releases every year, giving businesses 18 months before they need to move to the next update. This plan and schedule is part of the company’s “Windows as a service” paradigm, designed to ensure that Windows 10 gets new features, as opposed to the company’s former practice of a new Windows release every three years.

In most respects, the new paradigm has to be regarded as the superior approach, but unfortunately, the pace is a bit too fast for some businesses. High level executives have pushed back, asking for more time and flexibility to update the OS, so they can be sure that business critical apps work with the latest update.

Microsoft has heard, and more importantly, they’ve listened. However, business owners didn’t get everything they wanted. Here’s the scoop:

The company is planning to release a series of cloud-based tools that will make app compatibility testing easier, and has agreed to give IT admins more time to update. As things stand now, all currently supported feature updates of Windows 10 (Enterprise and Education editions) are supported for 18 months. The company is expanding that to 30 months, but only for their September release. The March updates will still only be supported for 18 months.

While not a perfect solution, it does give everyone some of what they wanted. Businesses will have an extra year to apply the latest features if they stick to the September cycle, while firms that don’t need the extra time can simply continue on as they are.

Jared Spataro, the Corporate VP of Microsoft 365 summarized the changes this way:

“You’ve been talking, and we’ve been listening. We recognize that it takes time to both upgrade devices and operationalize new update processes. Today’s announcements are designed to respond to your feedback and make it easier, faster, and cheaper to deploy a modern desktop.”

On the whole, this is very good news indeed.

Joseph Martin

September 19, 2018 by Joseph Martin

Do you use the Chrome browser extension for the MEGA file storage service? If you do, please read this article carefully. The official extension for that service has been compromised. It has been replaced with a malware version that has the capability to steal user login data for a number of popular websites, including Github, Google, Amazon, Microsoft and more.

The extension was compromised on September 4th, when an unknown attacker breached MEGA’s Chrome Web Store account and uploaded the poisoned version of the extension. Any user who installs it is at risk of having their other login credentials stolen.

It gets worse. If you allow auto-updates, then the poisoned version of the extension would have automatically “updated” on your PC or smartphone when the malware was uploaded. Note that when the extension attempted to update, it would have asked users for elevated permissions. Those elevated permissions would allow the extension access to personal information, which is the mechanism by which the credentials are stolen.

The poisoned file was in place for a total of four hours before it was found, eradicated and replaced by a clean version (version 3.39.5).

According to MEGA:

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, auto update enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4.”

If you think there’s even a chance you were impacted by this event, your best bet would be an across-the-board change of all your passwords, as there’s no way to be sure which ones may have been compromised.

Two things to note here: The Firefox extension was not impacted. This applies only to chrome users who have the MEGA extension installed. Also, you should check your extension version number immediately to be sure you’re not running version 3.39.4. If you are, uninstall it immediately and grab the clean version referenced above.

Joseph Martin

September 18, 2018 by Joseph Martin

In 2016, an unnamed US energy company left some 30,000 records (containing information about its security assets) exposed for more than two months (a total of 70 days), in violation of energy sector cyber security regulations. When the incident was initially reported, the name of the company was withheld.

That company has now agreed to a $2.7 million-dollar settlement, and its name has now been made public, along with some additional details about the incident.

Initially, the company admitted that they unintentionally exposed the database in question, but that it contained fake data. As the investigation into the matter continued, it became apparent that the data was not only real, but that it included hashed passwords for administrators that hackers could have easily reverse-engineered. PG&E subsequently reversed their fake data assertion.

The exposed data was found by independent security researcher Chris Vickery, who indicated at the time that the database contained details for some 47,000 computers, virtual machines, servers and other devices.

In addition to that a number of non-encrypted email passwords were found, along with 120 encrypted passwords. In Vickery’s words, “This would be a treasure trove for any hostile nation-state hacking group.”

According to the official NERC notice regarding the incident:

“The data was exposed publicly on the internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords. Exposure of the username and cryptographic information could aid malicious attackers in using this information to decode passwords.”

Once PG&E was made aware of the problem, it took a server offline, which removed the exposed data. They also brought in third-party forensic experts to investigate, and as a result of that investigation, revised a number of their security policies.

Overall, the company’s handling of the matter was spotty at best, but in light of the record-setting fine, the hope is that we won’t see a similar instance of carelessness in the future.

Joseph Martin

Contact Info

Navigation