Security updates and patches to watch for.
Welcome to Cyber Security Today. It’s Wednesday December 9th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Cyber Security Today is brought to you by the new Cisco Security Outcomes Study, where we surveyed 4,800 cybersecurity and IT professionals.
Visit https://cisco.com/go/SecurityOutcomes to read the results.
Most of today’s stories have a common theme: The need to deal with security updates.
Black Friday gets its name from the day many North American retailers sell so much their bottom line turns from red to black. Well, for some online retailers foolish enough to be running old software it may be getting a black eye. That’s because data-stealing malware was installed on their sites that activated on Friday November 27th. According to a Dutch security company called Sansec, for several months hackers quietly infected 50 online stores of large retailers running old versions of the Magento e-commerce platform. Magento allows companies to sell products online. The malware skims off personal information including credit and debit card numbers entered by customers. All affected sites were running versions as old as 2.2. Magento stopped patching that version 12 months ago. Why companies don’t regularly update their all their software isn’t known. Sites running Magento should be running at least version 2.3. Those that aren’t may find a lot of angry customers when they realize their payment cards are being used by crooks.
Organizations and individuals that use the DSR family of virtual private networking routers from D-Link should check for security updates. These are routers that allow people to remotely connect to their company over the Internet. A couple of vulnerabilities have been found that could allow an attacker to access the device and get into a system. The patches may be available now or shortly. Usually to update a router you have to log into its administration page. If you don’t know how to do it see the instruction manual. By the way, for any brand of router you should regularly check to see if the manufacturer has issued a security update.
The U.S. National Security Agency has warned companies using VMware Access and VMware Identity Manager to patch systems as soon as possible. That’s because Russian backed hackers are exploiting a vulnerability in the software. VMware released a patch on December 3rd and already attackers are going after the hole. In addition to patching, if administrators enforce the use of strong passwords for users who access the management console that lowers the risk. Even better is if the console isn’t accessible from the Internet.
Yesterday was the monthly Patch Tuesday for Microsoft products. Nine of the security updates are classified as critical. Corporate IT administrators have to decide on priority for the patches, which not only cover Windows but also Sharepoint, Exchange and HyperV. Windows computers at home should be set to update automatically, but it doesn’t hurt to check that updates have been installed.
In addition Adobe issued updates for Prelude, Experience Manager of Lightroom.
Software developers using the OpenSSL software library for creating secure applications are being warned the toolkit has a serious vulnerability. Developers need to upgrade to the latest version
Attention hospital and clinic IT administrators with medical imaging equipment from GE Healthcare: There’s a serious password vulnerability in the management software. According to a report on the Bleeping Computer news site, over 100 MRI, ultrasound, x-ray, mammography and other products with names like BrightSpeed, Brivo, Optima and others are affected. See GE for details.
Finally, gift cards are a great idea — especially these days when many jurisdictions have imposed limitations on in-person shopping due to the pandemic. But crooks are taking advantage with gift card scams. A security firm called Bolster reports seeing a sharp rise in two types of scams: In one victims get an email suggesting they check the balance of their gift cards. The goal is to steal the card numbers. The other is offering phony free gift cards for completing a survey. The real goal is to collect personal information to sell to other crooks. What makes these scams hard to spot is the criminals create websites that closely mimic the real sites of retailers like Target, Best Buy and others. So if you want to check your card balance don’t click on a link in an email. Go to the site by typing in the address yourself. And ignore offers for free cards if you fill in a survey.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.