Data on Internet Society members exposed, an alert to Linux administrators, Microsoft Teams users get tricked and more.
Welcome to Cyber Security Today. It’s Monday February 21st. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
People are still being clumsy with the way data is stored on the internet. The latest example: Files with names, email addresses and login details of thousands of members of the Internet Society were recently found in an unsecured Microsoft Azure blob. The Internet Society is an international non-profit that lobbies for a resilient internet. What happened? According to security researchers who found the flaw, the Internet Society blames the association management software it uses. That software, which allows membership information to be stored in the cloud, was configured incorrectly. As a result, if someone knew where to look the information was open to be copied. It isn’t known if anyone other than the researchers found those open files. Misconfigurations are a prime cause of data exposures. Credit for the discovery goes to researchers at Clario and independent researcher Bob Diachenko.
Last week I reported on a vulnerability in Adobe Commerce and Magento e-commerce platforms. However, the patch Adobe issued to fix this flaw wasn’t enough. A new security update has been released for some versions of Commerce and Magento. Check with the Adobe website to see if your implementation needs this patch.
Attention Linux administrators: Security researchers at Qualys have discovered multiple vulnerabilities in the snap-confine function on Linux operating systems. One of them can be exploited to escalate privileges to gain root privileges. And once an attacker has root privileges they can do pretty much anything. Snap is a software packaging and deployment system allowing software developers to distribute their applications directly to Linux systems. Administrators are urged to apply security patches from their Linux distributions as soon as possible to plug this hole.
Researchers at Avanan have detailed a scam for tricking people using the Microsoft Teams collaboration service into downloading malware. It works like this: A hacker gets into a Teams discussion by one of several ways. If it involves people in two companies, one of the firms might have been hacked. Or the hacker has compromised a person’s email address or Microsoft password to access Teams. Then in the middle of a conversation they attach a compromised file to one or all of the participants. This is a trick that can work with any collaboration or chat application. But hackers often chose Microsoft Teams because Microsoft products are widely used by organizations. To defend against this IT administrators need to add anti-malware protection that sandboxes and scans attachments in collaboration software.
Canadians are getting recorded phone calls from someone claiming to be from the “the department of Service Canada.” This is a fraud. The goal is to get your government of Canada or bank passwords and then your personal information. Just hang up.
Attention WordPress administrators: If you use the free or paid UpdraftPlus backup and recovery plugin, install the latest security patch fast. It fixes a serious vulnerability that allows anyone – not just an administrator — who logs into a WordPress console to compromise a backup. The developer says it would take a very skilled hacker to do that, but assume a few of them are around. Administrators using UpdraftPlus Premium’s feature for encrypting a database backup are protected against data theft.
Finally, The U.S. Cybersecurity and Infrastructure Security Agency is making it easier for IT and business leaders to access its free cybersecurity resources. The agency has created a new online portal. It has resources under titles like “Fix the known security flaws in software,” and “Halt bad practices.” If you type ‘CISA free’ you’ll find the link. It’s also included here. The government of Canada’s free online advisory resources are at the Canadian Centre for Cyber Security. The U.K. resources are at the National Cyber Security Centre. All three are great places to start looking for advice on everything from stopping ransomware to setting up a cybersecurity program.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.