Newsletter Archives

  • If you use LastPass…. read on

    So there is a somewhat disturbing read on the LastPass situation.

    Read this first.

    Also, a bit of commentary from a security expert on the topic:

    Ask yourself…. do you have two factor authentication set up on your LastPass? I have Yubikey as a second factor on my password manager.

    If you use LastPass and do not have two factor enabled, ensure that you change your master password. Add two factor authentication to any cloud based password manager.

    Don’t get rid of a password manager, just make sure it’s appropriately protected. We will cover more on how best to protect your passwords in a future newsletter.

  • Final patches for 2022

    #PatchTuesday and MicrosoftCentric

    It’s the final patches for 2022 for those of you in the Microsoft centric world

    But don’t just think operating systems….. Firefox is out with Version 108

    Citrix is recommending you update Citrix ADC and Gateway 

    Fortinet is patching a zero day in FortiOS SSL VPNs

    No matter what OS you have, take this week to review your vulnerabilities.

    I’ll link up to the patches once they come out – and remember I’ll have full detailed guidance in the next newsletter.

    Looks like .NET security updates this month.

    Our dear dear friend the lovely secure boot patch KB5012170 has been released to apply to Windows 10 22H2.

    PK reports that searching in the Microsoft catalog site appears to be wonky – you can search by KB but searching by 2022-12 gives you results that don’t make sense. Apparently the Outlook search team is branching out to the Catalog site?

  • 9th Chrome Zero day being patched

    Just a kind reminder, it’s that time of the year where depending on which hemisphere you are in it’s either a bit nippy, a bit tropical or a bit warm. But regardless of where you are located, it’s also that time of the year to ensure that whatever browser you use is fully up to date.

    Chrome is releasing a fix for the 9th zero day of 2022. An exploit has been used in the wild. It’s unclear whether this bug has been used in targeted attacks or more widely. The details are being withheld until we all get patched up. Which also means that Edge will get its update soon. While you are there, make sure Firefox and any other browser you use is up to date, especially given this is holiday surfing time.

    I was just online finding a recipe for a grilled cheese sandwich that looked really good and also saw the alert about the zero day.  Let’s be careful out there while we find good recipes for grilled cheese sandwiches!

  • Hacking into your friends

    The email came from someone I know. I could tell from how it was worded that it wasn’t truly from him, that someone was pretending to email from his account. But I played along anyway just to see what the scam was all about.

    The email asked….

    Hi please do you shop from Amazon?

    Thanks,

    Interested to see what the scam was about I answered, “Yes”.

    Back came the email….

    Good To hear from you I’ve been trying to purchase a $200 AMAZON E-Gift card in $100 denomination by email , but it says they are having issues charging my card. I contacted my bank and they told me it would take a couple of days to get it sorted. I intend to buy it for my niece whose birthday is today. Can you purchase it from your end for me? I’ll refund it to you once my bank sorts the issue out. Let me know so I can send you her email.
    Thanks

    Gift card scams are not new.

    In an FTC news release last year they said “In the first nine months of 2021 alone, nearly 40,000 people reported $148 million stolen using gift cards. And because the vast majority of frauds are not reported to the government, this reflects only a fraction of the harm these scams cause.”

    So how did my friend get hacked? More than likely he has either reused his password on the email account or he got tricked (phished) into entering it on a web site. From there the attacker can log in and pretend to be him and email people in his contact list.  The scammer can then redirect any inbound email so when someone responds, like I did, to his email, the scammers then send back a responding email.

    I contacted a nephew of my friend to alert him that he needs to reset his email password and review his account and computer for issues.

    Sometimes they are out to get you. And during October’s cyber security month, it seems like even more so.

  • Dumb security questions – what have you seen?

    I was setting up access to a financial account which requested security reset questions…. some of them are …. well….

    Where were you on New Years 2000?

    Uh…what if you weren’t born yet? (one of the folks in the office answered that.. now I feel OLD!  I was here at the office booting computers making sure they worked)

    Who was your first babysitter?

    Uh… I was a baby?  How would I know? Grandma, maybe?

    What was the name of your third grade teacher?

    Uh…. I honestly am not sure…

    So what are the dumbest security questions you’ve seen?

  • Zero days in browsers

    Now while Chrome has more foundation in security than Internet Explorer did, it’s a reminder that if you are someone who holds back on updating your browsers and updates them manually, you are at risk.

    Just a kind reminder, while I always recommend you defer updates for the operating system, I DON’T recommend the same for browsers.

    Just a few days ago Chrome patched its 6th zero day this year. Ensure that you are on 105.0.5195.102 (click on settings, help and ensure you are up to date). Edge is also based on Chrome and thus updates soon after. Other browsers built on the Chrome base include Opera, Vivaldi, Brave, Opera Neon, Comodo Dragon, SRWare Iron (among others).

  • The people who keep you safe

    Tonight I’m seeing a reminder of the people that impact the security on the Internet and you may not have been aware of who they are and what they did.  Peter Eckersley of the Electronic Frontier Foundation was also a key supporter of Let’s Encrypt to push free SSL certificates for all web sites to promote more security and privacy.

    From Crunchbase:

    “Peter Eckersley is Chief Computer Scientist for the Electronic Frontier Foundation. He leads a team of technologists who watch for technologies that, by accident or design, pose a risk to computer users’ freedoms—and then look for ways to fix them. They write code to make the Internet more secure, more open, and safer against surveillance and censorship. They explain gadgets to lawyers and policymakers, and law and policy to gadgets.

    Peter’s work at EFF has included privacy and security projects such as the Let’s Encrypt CA, Panopticlick, HTTPS Everywhere, and the SSL Observatory; helping to launch a movement for open wireless networks; fighting to keep modern computing platforms open; helping to start the campaign against the SOPA/PIPA Internet blacklist legislation; and running the first controlled tests to confirm that Comcast was using forged reset packets to interfere with P2P protocols.”

  • Do you use a different browser for…..?

    With many things ranging from banks to your local router using web interfaces to log into them, do you…..

    Close all other web site tabs when you are managing your router?

    Use a different browser that you reserve for highly secure tasks?

    Use in private browsing when managing sensitive sites and devices?

    Don’t save sensitive passwords in your browser?

    What do you do to keep the password of your router a bit more protected?

    Your browser brand for doing online banking should be a different browser than what you use for Twitter and other general web activity, which should be a different browser than what you use for managing things on your network.

    From Will Dormann on Twitter

  • How to use two-factor authentication the right way

    SECURITY

    By Lance Whitney

    Two-factor authentication is still one of the best ways to protect your accounts. But there are right and wrong ways to use it.

    More websites and companies now offer two-factor authentication (2FA) to better protect your logins and accounts. The idea is to use a second form of authentication so that you’re not solely dependent on your password. The goal is to prevent your account from being accessed and compromised in case your password is ever leaked or stolen. And here’s how that can happen.

    Read the full story in our Plus Newsletter (19.19.0, 2022-05-09).

  • Are you prepared?

    It’s Saturday night or Sunday morning where you are and I’d like to challenge you to test that you can restore a file that has been damaged, deleted or removed or worse yet, you got hit by ransomware.

    So first step is to move a file to a different location on your computer. Next launch your backup software. Launch the recovery window and see if you can restore that file.

    Ransomware is now being used by commercial attackers and they are using zero days to gain access into systems.

    One-third of all hacking groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups, according to Mandiant’s research. During the last decade, only a very small fraction of zero-days were deployed by cybercriminals. Experts believe the rapid change has to do with the illicit, multibillion-dollar ransomware industry.

    Against businesses, they are going after VPN software and on-premises Exchange software, among other vulnerabilities.

    So I challenge you tonight/tomorrow to test a backup and restoration process.

  • Ensuring your safety

    ISSUE 19.14.1 • 2022-04-05

    By Susan Bradley

    MailChimp was compromised by attackers. Here’s what you should know.

    This is breaking news.

    An article at BleepingComputer on Monday, April 4, 2022, revealed the news that the MailChimp email and marketing service had been breached. The report has also been picked up by many different online services and will probably hit the bigger publishers by tomorrow. The attack focused on MailChimp’s internal tools, which allowed the bad guys to steal audience data and launch phishing attacks.

    Read the full Plus Alert (19.14.1, 2022-04-05).

  • Apple pushes updates for 2 new zero days

    watchOS 8.5.1 (this update has no published CVE entries): Apple Watch Series 3 and later; 31 Mar 2022

    macOS Monterey 12.3.1: macOS Monterey; 31 Mar 2022

    iOS 15.4.1 and iPadOS 15.4.1: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation); 31 Mar 2022

    tvOS 15.4.1 (this update has no published CVE entries): Apple TV 4K and Apple TV HD; 31 Mar 2022

     

    – CVE-2022-22675 in AppleAVD

    – CVE-2022-22674 in Intel Graphics Driver

    2 zero-days in macOS Monterey 12.3.1

    1 zero-day in iOS and iPadOS 15.4.1

    Apparently actively exploited, used to hack iPhones, iPads and Macs. It’s unclear whether these are merely targeted attacks or more widespread. Apple AVD is a media decoder file so watch (pun intended) what you are watching on your devices until they are patched.