More bugs in Microsoft Exchange, cybersecurity training effectiveness questioned and Amazon bomb threat foiled.
Welcome to Cyber Security Today. It’s Wednesday, April 14. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
More serious vulnerabilities in on-premise versions of Microsoft Exchange Server have been found. The discovery was announced yesterday as part of the monthly Microsoft Patch Tuesday security update releases. The patches need to be applied as soon as possible to Exchange versions 2013, 2016 and 2019. According to news reports, some of the vulnerabilities were found by the U.S. National Security Agency. This comes after Microsoft reported last month that a Chinese-based threat actor and others are exploiting bugs to get into on-premise Exchange email accounts. The patches released yesterday also fix holes in Windows, the Edge browser, Office and other Microsoft products. At the same time Adobe released fixes for Photoshop, Bridge and other applications.
UPDATE: The U.S. Justice Department said Tuesday it is getting court orders to remove, without getting permission of owners, web shells installed earlier this year on hundreds of on-prem Exchange servers. The unprecedented move is aimed at cleaning up Exchange servers of organizations and individuals who are having trouble and aren’t moving as fast as others in the U.S. Web shells are used for remote access. “This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the Justice Department said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
How effective is cybersecurity training for employees? Not very, if a survey conducted by a learning management systems company is accurate. The company, TalentLMS, surveyed 1,200 American workers, of whom 69 per cent had taken some sort of cybersecurity training. Of them, 61 per cent failed to get at least four of seven multiple-choice questions right about security. Fewer than one per cent got all seven questions correct. The biggest group, 24 per cent, got four of seven right. Interestingly, those who worked in the IT field were the worst performers – only 17 per cent passed the quiz. The best performers were in the healthcare and social assistance fields. One lesson, says the company that sponsored the research: To be effective, cybersecurity training has to be fun, hands-on and use real-life examples.
Last week a Texas man was arrested for plotting to blow up an Amazon data centre in Virginia. The FBI says his goal was to bring down 70 per cent of the Internet. Coming after a fire last month that destroyed an OVH data centre in France and knocked out major websites, how much damage could the bomber have caused? Some, experts told SC Magazine this week, but it wouldn’t have crippled the internet. There might have been reduced capacity, said one. But another noted that because Amazon spreads compute loads between multiple locations a local crisis wouldn’t spread too far. Destroying one location of a big internet provider won’t break the internet. The fire in France showed that. But IT departments should remember software bugs, power failures, network loss and misconfigurations can happen at the best of data centres. So have data backed up in several locations. And if your operation depends on round-the-clock availability, have multiple internet providers.
I often remind people who download smartphone apps to be careful. Just because an app is in the Google or Apple store doesn’t mean it’s safe. Crooked developers keep trying to evade detection. The latest examples are bad Android apps found by security firm McAfee in the Google Play store. They pretend to be helpful utilities that scan your device and tell you when updates to Chrome, WhatsApp, a PDF reader or other apps are available. Instead, they install fake updates that take over a smartphone or tablet and download malware to steal bank passwords. They go by names like PrivacyTitan, SecureShield and DefenseScreen. These have been removed by Google.
Here’s some advice: First, you don’t need an app to help search for Android app updates. Go to the Google store a couple of times a week and tap on ‘My Apps & Games’; it automatically finds available updates. Second, be careful when an Android app asks for permission to use accessibility services. Any app that has full access to this can take over your device. And before choosing an app, check the developer information to see if it’s legit. Ask your friends if they’ve used the app and trust it.
That’s it for now.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.