Don’t be flattered by an award scam, Microsoft pushes MFA and why you need to patch fast
Welcome to Cyber Security Today. It’s Wednesday March 11th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
There’s no shortage of email scams. Some are related to news events, like coronavirus. Some take advantage of fear, like messages pretending to be from the tax department. Others try to flatter you. David Gewirtz, a technology reporter for the ZDNet news service, recently got one. It said his online magazine had won a media award from the city where it was published. For details of the award, click here. There were a couple of problems: One was he hadn’t published the magazine for almost 20 years. And he left the city years ago. So someone had got hold of some old information and thought David could be flattered, and then tricked. He figures the trick would have been to ask him to pay a fee to collect his “award.” Lesson: If you get an email offering you an award, ignore it.
Regular listeners know I talk a lot about the need for individuals and organizations to protect logins with multi-factor authentication. Also called MFA, it means a criminal needs more than a username and password to get into email or a company’s data. Microsoft has added weight to the argument. At a recent security conference it said only 11 per cent of compromised accounts it sees had MFA enabled. That means hackers are able to use simple techniques, like trying lists of commonly-used passwords stolen from years of data breaches, to break into computers and email. Sure, they’ll try to trick people into revealing their passwords. But what are called password spray attacks and brute force attacks are very effective if the victim doesn’t have two-factor or multi-factor authentication. Want to lower the odds of you becoming a victim? Check to see which of the applications you have to log into, like email and websites, offer MFA. Then enable it. And company leaders should make sure their firm offers it to online customers and subscribers.
Yesterday was the second Tuesday of the month, which means it was Patch Tuesday. That’s the day Microsoft releases security updates for its products. Over the next few days you might want to check that your Windows computer has been updated.
Meanwhile, companies that have been slow to install security patches released last month for Microsoft’s Exchange email servers may be in trouble. According to a security firm called Volexity, hackers are now exploiting or trying to exploit the vulnerability the patch fixes. Organizations are in a different position than home users. Usually a Microsoft patch doesn’t affect a home computer and its small number of applications. But many organizations have to test how a patch affects the hundreds of applications on their computers before applying it. However, they have at most a couple of weeks to make a decision. Hackers move fast every Patch Tuesday, trying to find those who are slow to install fixes.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.