The LoJack mobile device location software can be hijacked, an example of why fast patching is vital and ESET updates its free cyber awareness training module.
We’re bringing you the latest cyber security news. Welcome to Cyber Security Today. It’s Friday May 4th. To play the podcast, click on the arrow below:
 |
 |
 |
Some laptop and tablet owners and companies use software called LoJack for tracking and recovering stolen mobile devices. However, this week Arbor Networks said it has discovered a sneaky way the software has been compromised: By using special agents that hijack the communication used between a device and LoJack’s parent company. That could give attackers backdoor access to machines running the software. With backdoor access, files could be copied or deleted. There are signs pointing to command and control domains suspected of being run by a group called Fancy Bear. Some researchers say Fancy Bear has ties to the Russian government.
After being warned, anti-virus software now scans for and identifies these malicious agents
Security experts regularly warn organizations and individuals about the importance of applying patches and security updates to software. That’s because one a bug is spotted by an attacker, an exploit is quickly created. I’ll give you a recent example of how fast: According to the SANS Institute, a security training organization, on April 17, 2018, Oracle patched a vulnerability in its WebLogic application server. Once word of that got out, it was only a few hours later that the first victim was compromised. The next day, technical aspects of the vulnerability were explained in a Chinese language blog post. And on April 19 a proof of concept exploit was released on the GitHub developers web site.
It isn’t easy for an organization to patch everything as soon as an update is released. Tough choices have to be made, and in some cases the patch has to be tested against other software used before being applied. But as a SANS Institute blogger noted, the time window between vulnerability disclosure and an exploit being released is shrinking more and more.
Making employees security-aware – not technology – is the heart of any cyber security strategy. But apart from lectures, how can an organization get the eye of staff? There are a number of resources online, including a free on-demand training program from security vendor ESET. The company said this week it has updated the course. New is a game-playing module that helps staff understand concepts and improve memory retention. The game challenges users to become a secret spy to protect a city from attack, while learning safe habits and channeling security assumptions. Registration is required.
Other free training courses come from Cybrary and Cofense to name a few. And the SANS Institue has free resources IT leaders can use to shape a course of their own.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening.