A warning to Cisco Small Business router administrators, a caution over website redirects, and more.
Welcome to Cyber Security Today. It’s Monday, August 8th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
I’m back after a week’s vacation. My thanks to IT World Canada CIO Jim Love for filling in while I was away.
Cisco Systems is warning network administrators with its Small Business RV series routers that some models need to be patched quickly. The updates fix several vulnerabilities that could allow a remote attacker to launch a denial of service attack or get into the device and do nasty things. This alert was issued last Wednesday, so there’s no excuse for administrators not to have installed the patches by now.
IT administrators have been warned by Canadian and American government cybersecurity agencies of a serious vulnerability in older versions of the Digi ConnectPort X2D. This is a Digi XBee to Ethernet gateway that provides IP networking for wireless devices and sensor networks in industrial settings. Successful exploitation of this vulnerability could allow an attacker to upload malicious Python files. The problem affects devices made before January 2020. IT and OT administrators should remember to minimize the network exposure of any industrial control systems and devices to ensure they aren’t accessible from the internet.
Website builders have the ability to redirect users to a different web address. That’s handy if, for example, a company or government department needs to change its home address to a new one. If a user types in the address they’re familiar with, they automatically get sent to the new one. However, if the process isn’t done carefully, hackers can take advantage, slip in code of their own and redirect victims to a look-alike site. Researchers at security firm INKY say that’s what attackers were doing recently to the websites of Snapchat and American Express. After exploiting a vulnerability, the hackers would send targets phishing messages that looked like they came from DocuSign, FedEx and Microsoft, asking them to click on a link. That led victims to a site that looked like a Microsoft login page. If they logged in, the crooks captured their username and password. In addition to training employees to look for such scams, domain owners can prevent their site from being abused by either not allowing website developers to use redirections or by creating a white list of approved safe links.
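The approved-links approach mentioned above, as an added example (not from the podcast or from INKY's research): a server-side check that lets a redirect parameter point only to the site's own paths or to approved hosts. The host names, the `FALLBACK` path and the function name are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the only external hosts this hypothetical site may redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"  # where to send the user when the requested target is rejected


def safe_redirect_target(raw: str) -> str:
    """Return raw if it is a same-site path or an allowlisted https URL, else FALLBACK."""
    # Backslashes, control characters and padding are parsed differently by
    # browsers and servers, so refuse them before parsing.
    if not raw or raw != raw.strip() or any(c in raw for c in "\\\r\n\t"):
        return FALLBACK
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK

    # Same-site path: no scheme, no host, exactly one leading slash.
    # "//host/path" is scheme-relative and would leave the site.
    if not parts.scheme and not parts.netloc:
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return FALLBACK

    if parts.scheme != "https":
        return FALLBACK  # also rejects javascript:, data:, plain http
    # "https://www.example.com@other.host/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    if port not in (None, 443):
        return FALLBACK
    # Exact host match only: suffix or substring checks would accept
    # look-alike names such as "www.example.com.other.host".
    host = (parts.hostname or "").lower()
    return raw if host in ALLOWED_HOSTS else FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real incident.
    for candidate in ["/account/settings",
                      "https://accounts.example.com/login?next=%2F",
                      "//lookalike.test/login",
                      "https://www.example.com@lookalike.test/"]:
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)!r}")
```
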
Twitter users who don’t use their real names were at risk of being identified for eight months last year because of a vulnerability in the site’s system. The problem became public last week after Twitter acknowledged that the email addresses and phone numbers of 5.4 million users, which were stolen in January and are being sold on the dark web, are related to the bug. No passwords were stolen in the hack. But between June 2021 and January anyone who knew of the bug could have used a known email address or phone number to find out who an anonymous account really belonged to. That’s because all a user had to do was enter a phone number or email address and the bug in Twitter’s system would reveal the name of the person it was tied to. Twitter says the bug that caused this was introduced when the platform’s code was updated in June 2021. It says that vulnerability was closed soon after a security researcher warned the company in January. Because no passwords were stolen, Twitter says users don’t have to do anything. Still, it reminds all users to enable two-factor authentication to prevent their accounts from being taken over. Twitter users who want to be anonymous shouldn’t add a publicly-known phone number or email address to their Twitter account. Meanwhile, those 5.4 million people whose phone numbers or email addresses are now being made available to threat actors could be targets of scams.
As of Sunday, when this podcast was recorded, Germany’s Chambers of Industry and Commerce was still dealing with the aftershocks of a cyber attack last week. On Thursday the agency had to shut its IT systems as a precaution and hasn’t issued an update since on when systems will be fully back to normal. The CEO of the Chamber said on LinkedIn it suffered what he called a massive cyber attack.
Thousands of Slack users had their passwords reset last week after the messaging platform discovered a vulnerability that had been around for the past four years. If a user created or revoked a shared invite link for their workspace, a hashed version of their password was sent to other workspace members. If someone monitored encrypted network traffic from Slack, that scrambled password could have been seen. Slack says it is “practically infeasible” for a plaintext password to be derived from the hash. But to be safe, Slack is forcing affected users to create a new password. Slack estimates 10 million people use its platform every day. It says only 0.5 per cent of all users were affected.
Finally, the DuckDuckGo browser now blocks tracking scripts from Microsoft from loading on websites that users go to. This comes after the discovery in May that third-party tracking scripts from Facebook, Google and other companies were being blocked, but not those from Microsoft. The revelation sparked a lot of complaints to DuckDuckGo, which promotes itself as making a privacy-focused browser. Third-party scripts inserted into websites can collect a lot of information about internet users, including their IP addresses. This and other data is a revenue bonanza for Facebook, Google and others — and the advertisers they sell the data to. DuckDuckGo promises to be more upfront with users about what it doesn’t block.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.