By OptionOne Technologies
We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.
Chrome and Edge Fix Zero-Day Security Vulnerability
According to a report by Naked Security by Sophos, Google Chrome and Microsoft Edge have both released fixes for a zero-day security hole. Chrome’s release came just three days after a previous update that patched 24 security holes.
The bug appears to relate to the incorrect handling of input data. This means the bug could lead to an elevation of privilege (EoP) security outcome, or a more disastrous remote code execution (RCE) outcome.
Someone accessing a system under the cover of a limited user profile, such as a “guest,” could potentially exploit the vulnerability to give themselves root or system admin powers. Likewise, RCE exploits could be used to implant malware via the vulnerability.
Chrome users should ensure they are up to date by verifying they have Chrome version 105.0.5195.102 or later. Edge users should have 105.0.1343.27 or later.
Apple Releases iOS 12 Update for iPhones and iPads
Apple has updated iOS 12 to fix a security vulnerability, Naked Security by Sophos reported. The update came almost a year after the previous iOS 12 update, which occurred on September 23rd, 2021. Many users assumed Apple had abandoned iOS 12 in favor of its newer operating systems, like iOS 16.
The new update applies to the following models:
- iPhone 5
- iPhone 6
- iPhone 6 Plus
- iPad Air
- iPad mini 2
- iPad mini 3
- iPod touch 6th generation
The security patch is intended to fix a WebKit remote code execution bug, CVE-2022-32893. The bug enables cybercriminals to lure users to fake websites where malware could be implanted on devices.
Attackers Exploit WordPress Zero-Day Vulnerability via BackupBuddy
A critical flaw in BackupBuddy, a plug-in that automatically saves a website’s themes, media libraries, and content, has enabled hackers to read and download arbitrary files from affected websites. According to a report by DarkReading, an estimated 140,000 websites are using the plug-in.
WordPress reported observing attacks targeting the flaw on August 26th. It has blocked close to 5 million attacks since then.
The plug-in’s developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began, which means a high volume of websites could have already been compromised.
“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” iThemes warned.
WordPress plug-in security has been an endemic problem for years. Thousands of flaws have been disclosed in WordPress environments, and almost all of them involve plug-ins.
Microsoft and Others Will Ban Basic Authentication
According to a report by DarkReading, Microsoft and other cloud providers have moved to ban basic authentication. This would require users to provide more than just a username and password to access accounts and systems.
In other words, multi-factor authentication will no longer be optional.
Microsoft will require customers to use token-based authentication on October 1st. Google has auto-enrolled 150 million people into its two-step verification process. Rackspace plans to turn off cleartext email protocols by the end of the year.
The moves represent a change in how cloud service providers balance security requirements with users’ demands for ease of use. According to Pieter Arntz, a malware intelligence researcher at Malwarebytes, “The balance is shifting to the point where they feel they can convince users that the extra security is in their best interest while trying to offer solutions that are still relatively easy to use.”
Here are the latest cybersecurity tips from OptionOne Technologies and other industry leaders.
SOC 2 is Now Essential for All Businesses
Although SOC 2 is a voluntary security standard, it is now an essential step for any security-conscious business.
According to The Hacker News, SOC 2 “requires compliance for managing customer data based on five criteria or ‘trust service principles.’” The criteria include:
SOC 2 is “both a technical audit and a requirement that comprehensive information security policies and procedures are documented and followed.”
Most importantly, SOC 2 isn’t just for tech companies. It should now be a primary security consideration for all business types.
It’s Time to Add a PIN to Your Cellular Account
Your phone is no longer just a tool for communicating with people. It’s now an important part of your cybersecurity suite.
Countless companies contact you on your phone for multi-factor authentication purposes. If your phone isn’t PIN protected, anyone who gets their hands on it could use it to access important accounts, such as your bank account.
But your phone itself isn’t the only thing that needs to be PIN protected. You should also protect your cellular account with a PIN.
Consider this scenario: a hacker calls your cell service provider and provides the last four digits of your SSN or credit card to authenticate. If the service provider accepts their input, they can now change your SIM or move it to another carrier.
This effectively bypasses two-step and multi-factor authentication.
If you protect your account with a unique PIN, a hacker would have to know it to access your account via phone or make changes. And if a hacker can get control of your mobile account, that can leave many of your other accounts vulnerable.
Here are our latest cybersecurity tips:
- Train employees to be diligent: Many security incidents occur simply because someone clicked a link they shouldn’t have or downloaded an attachment that looked legitimate but wasn’t.
- Use 2FA: Two-factor authentication is quickly becoming standard at major technology companies, and it should be a standard in your business. 2FA can prevent some of the most common types of attacks.
- Back up your data: Work with your IT team to ensure all your files and data are backed up in a secure, remote location. Some companies choose to use physical and cloud-based backups for critical data.
- Patch and update regularly: Security patches should be applied regularly to your applications, operating systems, and other tools. Make checking for patches a regular part of your business day, or automate the process.
Thanks for Reading
That’s it for the latest Cybersecurity Briefing from OptionOne Technologies. Contact us today to learn more about our services.