Categories
Casserly Consulting Blog

ALERT: Change Your Twitter Password, Says Twitter


Twitter is recommending that all 336 million users change their passwords as soon as possible due to the discovery of an internal security flaw. While the issue has been fixed and no data breach seems to have taken place, Twitter is clearly taking this situation seriously.

On Thursday, May 3, it came to light that an internal log had recorded an undisclosed number of account passwords without any protection. As a result, these passwords can no longer be considered secure, even though there is no apparent evidence that any data breach has occurred.

Twitter uses a process called hashing to protect their passwords, as many companies do. However, a bug created a log of passwords before they were hashed, leaving them fully legible. This bug has since been resolved.
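The class of bug described above, shown as an added example (not Twitter's code, and not part of the original post): a signup handler logs the raw request before hashing, and a logging filter masks the secret at the log sink. The field names, logger names, and the use of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import io
import logging
import os

SENSITIVE_KEYS = {"password", "new_password"}  # hypothetical field names


class RedactSecrets(logging.Filter):
    """Mask sensitive fields in a dict log argument before it is formatted."""

    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {
                k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                for k, v in record.args.items()
            }
        return True  # keep the record, minus the secret


def hash_password(password, salt):
    # PBKDF2 stands in for whatever hashing scheme the real service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def handle_signup(payload, log):
    # The bug class: the raw request is logged BEFORE the password is hashed.
    log.info("signup request: %s", payload)
    salt = os.urandom(16)
    return salt, hash_password(payload["password"], salt)


def run_signup(redact):
    """Run one signup and return what ended up in the log."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    if redact:
        handler.addFilter(RedactSecrets())
    log = logging.getLogger("signup.redact" if redact else "signup.raw")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    try:
        # Constructed sample request, not real data.
        handle_signup({"user": "alice", "password": "correct horse"}, log)
    finally:
        log.removeHandler(handler)
    return sink.getvalue()


if __name__ == "__main__":
    print(run_signup(redact=False), end="")  # password is legible in the log
    print(run_signup(redact=True), end="")   # password field is masked
```

The filter is a backstop at the sink; the primary fix is to keep request bodies that carry credentials out of log calls in the first place.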

In response to this situation, Twitter is being proactive and recommending that all of its users change their passwords, just in case. To do so, log in to your account in your browser, access Settings and privacy, and from there, Password. It is also a good idea to enable two-factor authentication: access Settings and privacy and click into Account. Once there, click on the “Set up login verification” button and follow the instructions. You will find yourself on a Login verification screen, where you can activate the means to generate another authentication code.

While disaster seems to be averted this time, you should not hesitate to change your password as soon as possible, and make sure that all of your online accounts have strong passwords in place. For more information about keeping your identity safe online, call the IT professionals at COMPANYNAME at PHONENUMBER.

 

Categories
Casserly Consulting Blog

ALERT: Meltdown/Spectre Hardware Vulnerability Requires Action


Just a few months after finding themselves in a firmware fiasco, Intel is making news for all the wrong reasons. This issue had the potential to affect the CPU of a device, causing a severe dip in the performance of the device.

In a blog post by a user going by the name Python Sweetness, an issue was reported, describing “an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve.” This means that, thanks to this bug, the interactions that different programs would have with the CPU would be affected.

Under normal circumstances, a CPU will have two modes that it operates under: kernel, which permits the user to make changes to the computer itself, and user, which is considered a ‘safe’ mode. Python Sweetness discovered a bug that blurred the distinction between the two modes. The bug allowed programs run in user mode to also access kernel mode, possibly allowing malware to access the computer’s hardware.

However, the circumstances have proven to be less dire than they originally appeared. The expectation was that this bug would cause entire processes to shift back and forth between user and kernel mode, hamstringing the speed at which the device would operate. There was also the expectation that this issue would not be able to be resolved without a hardware change.

For PCs with Windows 10 installed and an antivirus that supports the patch, the fix should already be in place. However, to confirm this, go to Settings > Update & Security to see if there are any updates waiting to be installed. If not, check your update history for Security Update for Windows (KB4056892), or check with your antivirus provider to find out when it will be supported. The patch will not install until it sees that the antivirus has been updated to a version that the vendor verifies supports this patch.

Android devices had an update pushed on January 5 to provide some mitigations, with more protections coming in later updates. These patches have already been pushed to Google-branded phones, like the Nexus and Pixel lines, and may have been on other Android devices. It doesn’t hurt to check, and if you haven’t been updated, go online and put pressure on your carrier on a public forum.

Google Chrome should be updated with similar mitigations on January 23, with other browsers updating soon after. To help protect yourself until then, have your IT team activate Site Isolation to minimize the chance of a malicious site accessing data from another browser tab.

Other devices (like NAS devices, smart appliances, networking equipment, media equipment, etc.) may also be at risk, as they are using similar hardware. It’s really important for business owners to have their entire infrastructure reviewed and audited.

These kinds of issues help to demonstrate the value of an MSP’s, or managed service provider’s, services. MSPs like COMPANYNAME are sure to keep themselves informed on the latest developments in IT security and any resolutions they can pass on to businesses like yours, if they don’t implement them on your behalf.

As a result, you and the rest of your team can go about your business without having to concern yourself with solving issues like these, knowing that you can trust the team who is solving it for you. For more ways that an MSP can help keep your business security and operations optimized, reach out to COMPANYNAME at PHONENUMBER.

Categories
Alerts

Alert: LastPass Vulnerability Found. Is Any Password Manager Safe?

Thanks to one of Google’s researchers with the Zero Day Project, it has been discovered that LastPass has a major vulnerability as a result of a major architectural problem. This news comes on the heels of many other flaws the same researcher discovered within LastPass. However, based on what the researcher claims, these vulnerabilities were much less serious than his latest discovery.

After having “an epiphany in the shower,” Tavis Ormandy realized that the latest version of the password manager’s browser extension is subject to a flaw that allows some malicious websites to have their way with the user’s system. Otherwise, the vulnerability allows malicious websites to steal the user’s passwords from behind LastPass’ protections. Unfortunately, this vulnerability seems to be present in the extensions for every major browser on Windows and Linux, and is most likely present for Mac users as well.

Making this vulnerability even more significant, the vulnerability only requires the extension to be installed in order for it to be exploited. A user could be logged out and still be subject to receiving malicious code from the website they’re visiting.

To their credit, LastPass is committed to resolving this issue, acknowledging Ormandy’s report a mere hour after he submitted it. Two days later, LastPass released a blog post going over these events and offering a few recommendations:

  • Launch websites from the LastPass vault: To retain the highest level of security possible, it’s better to access websites from the LastPass vault itself.
  • Use Two-Factor Authentication wherever possible: This will add an extra layer of security to prevent leaked credentials from granting easy access to your accounts.
  • Keep an eye out for phishing attacks: Clicking on a malicious link is a great way to hand over your access credentials to malicious entities, so before you click on a link in a received message, take a moment to ask yourself if the link makes sense to be coming from who allegedly sent it.

LastPass has also been vocal in their appreciation for people like Ormandy finding issues like these before they are found the hard way. According to Joe Siegrist, cofounder and vice president of LastPass, “We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement.”

LastPass now has 90 days before Ormandy and Project Zero release the technical details as part of their disclosure policies. In the meantime, it would be prudent to take LastPass’ advice to heart for the sake of your own network security.

To ensure your credentials are protected, and to schedule a full security audit, contact COMPANYNAME at PHONENUMBER. 

Categories
Alerts

Alert: 33.7 Million Records Released to Public Due to Leak of Massive Marketing Database

In recent news, millions of records containing personal information were made available to the public in a sizable data leak, providing potential scammers with plenty of information to utilize in their schemes. These records were all part of a 53 GB database that was available for purchase from Dun & Bradstreet, a business service firm.

The database contained information that could be of great use to hackers and marketers alike, as it outlined corporate data for businesses within the United States, providing professional details and contact information for members at every level of the businesses included.

Dun & Bradstreet released a statement via email in an attempt to remove the firm from any responsibility. According to the firm, there was no evidence of a breach on their systems. The email also pointed out that the leaked data was sold to “thousands” of other companies, and that the leaked data seemed to be six months old. In essence, Dun & Bradstreet’s position was “not our fault,” and that there was little cause for worry, as the list only contained “generally publicly available business contact data.”

However, not everyone feels that the responsibility for this event can be passed off so easily, especially considering the nature of the data found on the database.

Troy Hunt manages Have I Been Pwned, a data leak alert site that allows a user to reference one of their accounts to determine if their credentials have been compromised. He offered up his own take after reviewing the database for himself. Hunt’s analysis revealed that the organizations with the most records in the database were:

  • The United States Department Of Defense: 101,013
  • The United States Postal Service: 88,153
  • AT&T Inc.: 67,382
  • Wal-Mart Stores, Inc.: 55,421
  • CVS Health Corporation: 40,739
  • The Ohio State University: 38,705
  • Citigroup Inc.: 35,292
  • Wells Fargo Bank, National Association: 34,928
  • Kaiser Foundation Hospitals: 34,805
  • International Business Machines Corporation: 33,412

If this list alarms you, you have the right idea. In his comments, Hunt brought up a few concerns that he had with the contents of the database out in public.

First of all, this list is essentially a guidebook for someone running a phishing campaign. A resourceful scammer could easily use the information contained in this list (including names, titles, and contact information) to create a very convincing and effective campaign. Furthermore, the most common records in the leaked database were those of government officials and employees. Hunt went so far as to mention which personnel records could be found in the database for the Department of Defense: while “Soldier” was the most common, the list also included “Chemical Engineer” and “Intelligence Analyst” entries.

In his response, Hunt asked a very important question: “How would the U.S. military feel about this data – complete with PII [personally identifiable information] and job title – being circulated?” With the very real threat of state-sponsored hacking and other international cyber threats in mind, Hunt brought up the value this list would have to a foreign power that isn’t fond of the U.S.

Finally, Hunt cited the chances of this data being recovered to be at a firm “zero” percent.

In short, despite the reassurances from Dun & Bradstreet, this database going public could present some very real dangers to any businesses included in it.

If you’re worried that your business may be vulnerable, there are two things you should do. First, you should see if your data has been exposed by checking Hunt’s site, Have I Been Pwned. Second, you should reach out to us at COMPANYNAME, so we can help keep you secured against threats like this and others. Give us a call at PHONENUMBER.

Categories
Technology

In Case of Emergency, Activate Facebook’s Safety Check

In 2014, Facebook launched Safety Check, a helpful tool allowing users to “check in” that they’re okay during a crisis event, like a natural disaster, mass shooting, etc. Recently, Facebook made a major change to Safety Check by allowing users affected by the crisis to activate the feature. This is yet another example of how social media is changing the way people find out about major events and react to them.

To give you an idea of the sizeable difference this change makes, consider the fact that in the first year of Safety Check (when it was exclusively controlled by Facebook), the feature was activated 39 times worldwide. Since the change was made in December of 2015, Safety Check was activated a total of 328 times over the following six months. That is a significant number of crisis situations that would have been overlooked if Facebook alone was at the helm.

Rest assured, Facebook is still involved in Safety Check’s activation process. Otherwise, jokesters and Internet trolls would surely abuse the tool and “cry wolf” every chance they get, which would effectively render the tool useless. To prevent this, Facebook has a two-step activation system.

  • Step 1: A user submits a crisis event to Facebook they deem to be worthy of Safety Check activation.
  • Step 2: Facebook checks on the validity of the event by analyzing the chatter over its social network, along with third party organizations.

If the crisis event makes it through the rigors of this automated process, then Safety Check is activated and those affected can begin “checking in” that they’re okay.

Of course, the Internet being the Internet, there will always be those who make light of a crisis situation by “checking in” on Safety Check events that have nothing to do with them. However, this annoyance aside, society can only benefit from the public having a tool like Safety Check to quickly notify scores of friends and family of one’s status during a crisis.

Have you used Facebook’s Safety Check to notify your friends that you’re okay? If so, then share with us in the comments if you’ve found this tool to be useful or not.