Tuesday, April 7, 2020

Flaws in Mozilla Firefox Welcome Hackers

Ensure you are using the latest version of Firefox: Firefox versions 74.0.1 or later.

For more details, see below.

Alerts & Advisories

In an effort to keep you apprised of the latest threats to your business security without inundating your inbox, Dox TotalCare is now combining all alerts and advisories into one email to save you time and simplify the alert and advisory process. In today's alerts and advisories, you will find:
  • An Advisory Regarding Multiple Vulnerabilities in Mozilla Firefox
Please feel free to contact Dox at (585) 473-7766 at any time with questions.

Cybersecurity Advisory: Multiple Vulnerabilities Discovered in Mozilla Firefox

A cybersecurity advisory was issued Apr. 3, 2020 regarding multiple vulnerabilities in Mozilla Firefox and Firefox Extended Support Release (ESR). The vulnerabilities could allow an attacker to execute arbitrary code, which could potentially lead to a breach.
What It Is:
Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read the original Mozilla Foundation Security Advisory.
Threat Intelligence:
Mozilla reports that these two vulnerabilities are being exploited in the wild.

Systems Affected:
  • Firefox versions prior to 74.0.1
  • Firefox ESR versions prior to 68.6.1
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Businesses:
  • Large and medium business entities: High
  • Small business entities: Medium
Home users: Low

What It Means:
If you and/or your business utilize the Mozilla Firefox versions mentioned above, you will need to apply the appropriate updates provided by Mozilla to vulnerable systems immediately following proper testing.

Technical Summary:
Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
  • Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. (CVE-2020-6819)
  • Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. (CVE-2020-6820)
What To Do:
We recommend the following actions be taken:
  • Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
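The update check a practitioner would want after the "Systems Affected" and "What To Do" sections, as an added example that is not part of the Dox advisory or of Mozilla's own tooling: a Python routine that parses a reported Firefox version string and compares it with the fixed versions named above (74.0.1 on the release channel, 68.6.1 on ESR). The inventory rows, the `esr` suffix convention and the rule that any unlabelled 68.x build is treated as ESR are assumptions made for the example.

```python
import re

# Fixed versions named in the advisory (CVE-2020-6819, CVE-2020-6820).
FIXED_RELEASE = (74, 0, 1)
FIXED_ESR = (68, 6, 1)


def parse_version(text):
    """Turn '74.0.1' or '68.6.1esr' into ((major, minor, patch), is_esr).

    Missing components are padded with zeros so '74.0' compares as (74, 0, 0).
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)\s*(esr)?", text.strip(), re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    parts = (parts + (0, 0, 0))[:3]
    return parts, match.group(2) is not None


def is_vulnerable(text):
    """True when the build predates the fix on its channel.

    Assumption for the example: a 68.x build without an 'esr' suffix is
    still compared against the ESR fix, because 68 was the ESR line when
    74.0.1 shipped (any 68.x below 68.6.1 is vulnerable on either reading).
    """
    version, is_esr = parse_version(text)
    if is_esr or version[0] == 68:
        return version < FIXED_ESR
    return version < FIXED_RELEASE


def triage(inventory):
    """Return the (host, version) rows that still need the update."""
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


# Constructed inventory rows (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "74.0"),
    ("ws-02", "74.0.1"),
    ("srv-kiosk", "68.6.0esr"),
    ("srv-lab", "68.6.1esr"),
    ("ws-03", "75.0"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {ver} needs the update")
```

Feed `triage` the version strings your inventory or endpoint agent reports; the channel split matters because an ESR 68.6.1 install is patched even though it is numerically far below 74.0.1.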
Negative Consequences of Lost or Stolen Data:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
  • Temporary or permanent loss of sensitive or proprietary information.
  • Disruption to regular operations.
  • Financial losses incurred to restore systems and files.
  • Potential harm to an organization's reputation.
Should your agency or business need assistance with issues arising from vulnerabilities in Mozilla Firefox, including updates and/or patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online. 

Sincerely,

Ken Michael, VP of Dox
CISSP, CRISC, CISA, Certified Security Analyst
Direct: (585) 295-1932
Cell: (585) 329-7766

kenm@doxnet.com

Meet the Dox Box
The Dox Box is our newly updated automated network scanning and reporting tool. With the Dox Box, Dox is able to regularly scan your networks for security threats. We then provide a monthly, automated report explaining where your high, medium and low-level vulnerabilities lie so you can quickly and efficiently address them to further secure every network you manage.

Consistent Vulnerability Scanning
The Dox Box network appliance is custom-built by Dox as a set-it-and-forget-it device with just a power cable and Ethernet connection to the target network. Dox remotely controls and maintains the device so you never have to worry about network scanning. The Dox Box can handle up to a total of 250 active IPs and up to five subnets.

With the Dox Box, you get:

  • Better Security for Your Business- The Dox Box regularly scans your network(s) to alert you to security threats fast.
  • Reporting You Can Count On- Receive a monthly report listing vulnerabilities detected on your target network(s), both internal and external, rating each by the severity of the threat.
  • Secure Service to Identify Threats- Reports are hosted on a secure Dox server so you don't have to worry about the security of your scanning and reports.
  • Regulatory-Compliant Scanning- Satisfy the requirements of government regulations across industries with both internal and external scans.
  • Peace of Mind- Set it and forget it. The device does all the work so you can focus on yours.
Copyright © 2020 Dox Electronics, Inc., All rights reserved.

Contact Dox:
105 College Ave
Rochester, NY 14607
(585) 473-7766

Monday, April 6, 2020

FBI Alert on Zoom Bombing

The New York State Intelligence Center Cyber Analysis Unit (NYSIC CAU) has become aware of the following information. NYSIC-CAU will continue to provide updates as necessary.

Current Situation: Due to the ongoing COVID-19 national emergency a large number of businesses, schools, and government entities are using video teleconferencing platforms to conduct meetings in order to provide continuity for business and learning.  When these types of services are utilized with poor security practices, malicious actors are hijacking the meetings and performing what is now dubbed "Zoom bombing".  This involves the meeting being disrupted and supplanted with derogatory pictures containing objectionable content, including pornography along with some individuals disguising themselves and using profanity and hate-speech language.  These hijackings occur due to meeting information being made available to anyone through postings on websites and social media platforms.  In some instances, though a meeting identification number was not made public, enterprising malicious actors tried random number combinations and gained access to a meeting.

To clarify, hijacking a meeting by "Zoom bombing" is not a result of hacking. 

Background: Zoom, a highly popular video teleconferencing service, is currently experiencing a dramatic increase in its usage by both entities collaborating for official purposes as well as individuals using the service to conduct video chats with friends and families to remain in contact while practicing social distancing.  Because of its prevalence, along with the numerous news media reports of hijacking occurring, the action was dubbed "Zoom bombing". 

Best Practices: The following are some of the best practices for minimizing chances of a meeting hijack.  Each service offers guidance for securing a session.

  • Do not share meeting invitations in public forums found on social media or published on websites.
  • If the service offers a waiting room feature, utilize this to vet who is allowed access to the meeting.
  • Limit the number of attendees allowed in a meeting.
  • Manage screen sharing through a host. This will prevent someone from randomly taking over what is shown on the screen.
  • Password protect meeting access.
  • Ensure users are using the current version of the software.

Monday, May 13, 2019

May 2019: 2FA—Control in the Palm of Your Hand

Wouldn't it be nice if your accounts could let you know when someone new is trying to get into them? Even better, wouldn't it be terrific to make a stolen password useless to others? Were you tricked into revealing your password through a phishing scam? Rest easy, your account is safe! That's essentially the control that two-factor authentication (2FA)—also known as two-step verification or login approval—gives to you. And, it only takes about two minutes to set up and two seconds to use. That's a lot of power for very little effort!
  • How does it work? Once you've activated two-factor authentication on an account, whenever an account login with your password comes from a different device from what you've already permitted, an authorization check will come to your smartphone or other registered device. Without your approval or current code, a password thief can't get into your account.
  • Is it difficult to set up? 2FA is becoming more widely available and easier to use. Typically, you'll either install a mobile security app on your smartphone and use that to handle the authorization checks for accounts, or you could use the text/phone call method if you can't install a mobile app. For international travelers, the mobile app also generates a code so that a data or cellular service connection isn't required for this second step.
  • Can I adjust the frequency of the checks? In many cases, yes, although some accounts may require the verification for specific transactions or functions. You may want to have the extra verification every time you log in (e.g., personal website administration), or you might be comfortable requesting the verification only when an access attempt comes from a computer/device other than the one you originally permitted when you set up 2FA—such as a personal email account you typically only check from one laptop and one smartphone.
  • Which accounts should I protect with 2FA? Why wouldn't you protect all of them where it's available? But, start with those that are most critical to your identity and livelihood. Here are some suggestions:
    • Email accounts: "Forgot password" reset requests typically send instructions and links here, so protect this account to make sure you keep control of resetting your account passwords!
    • Financial accounts: Protect your money!
    • Social media accounts and website management accounts: Protect your brand!
    • Online shopping accounts: Protect usage of your stored credit card information!

Friday, April 26, 2019

SUNY Phishing Training Results

The results are in. First, let me thank everyone for being part of this phishing training exercise; without it we would not be able to improve our technology security measures and awareness.

Many of us (3,839 CCC users) received a phishing email that looked like the following:

"From: CCC IT <security@blackboardinfo.us>
Date: Wed, Apr 10, 2019 at 11:52 PM
Subject: URGENT Reset your MyCCC password
To: Your Name <YourUserID@corning-cc.edu>

Your First Name,
We have increased our password requirements for security purposes. Please use the link below within 24 hours to maintain access to your account.
Thank you,
CCC IT
This email was intended for Your Name."

This email, which was sent on April 10, 11, and 12, was part of the phishing training exercise. When a user clicked on the "Click here" link, it opened a fake MyCCC login page that asked for the user's login information. Users who logged in were presented with some educational information about phishing, which is shared below. The key indicators that this email was a phishing attempt are that it came from a sender outside the @corning-cc.edu email domain, it pressured you to act soon or lose access, and it asked you to click on a link.

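The three indicators named above, turned into a check that a mail administrator could run over a raw message, as an added example and not code from the college or the training exercise: the sender domain is compared with the college's own domain, and the subject and body are searched for urgency wording and for a request to follow a link. The phrase lists, the second benign message and its help-desk address are constructed for the example; only the college domain and the training email's headers come from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "corning-cc.edu"  # the domain the post says legitimate mail comes from

# Phrases that pressure the reader to act quickly (assumed list for the example).
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|or else|will be (?:suspended|locked|disabled))\b",
    re.IGNORECASE,
)
# Wording that pushes the reader toward a link (assumed list for the example).
LINK_REQUEST = re.compile(r"(click (?:here|the link)|use the link|https?://\S+)", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def indicators(raw, org_domain=ORG_DOMAIN):
    """Return the names of the post's three indicators found in a raw message."""
    msg = message_from_string(raw)
    found = []
    domain = sender_domain(msg)
    if domain != org_domain and not domain.endswith("." + org_domain):
        found.append("external-sender")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENCY.search(text):
        found.append("urgency")
    if LINK_REQUEST.search(text):
        found.append("link-request")
    return found


# Constructed sample modelled on the training email quoted in the post.
PHISH = """\
From: CCC IT <security@blackboardinfo.us>
Subject: URGENT Reset your MyCCC password
To: Your Name <YourUserID@corning-cc.edu>

Your First Name,
We have increased our password requirements for security purposes. Please use the link below within 24 hours to maintain access to your account.
Thank you,
CCC IT
"""

# Constructed benign message for comparison (the help-desk address is made up).
ROUTINE = """\
From: Help Desk <helpdesk@corning-cc.edu>
Subject: Scheduled maintenance this weekend
To: Your Name <YourUserID@corning-cc.edu>

The MyCCC portal will be unavailable Saturday 2-4 am for maintenance. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("routine", ROUTINE)):
        print(label, indicators(raw))
```

A message that trips all three indicators is the pattern the exercise used; a single hit is a prompt to look closer rather than proof, which is why the function returns the indicator names instead of a verdict.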
Now for the results. The graph below has three columns: the first, "Emails Sent", shows the total emails sent to all CCC users; the second, "Click Rate", shows all users who clicked on the "Click here" link; the third shows all users who logged into the fake MyCCC website:

The next graph shows how CCC compares to other SUNY schools. CCC had a click rate of 17%, slightly higher than the SUNY average click rate of 16%. The form submission rate was significantly higher: 14% of Corning Community College users submitted the form, compared with the SUNY rate of 8%:

Here are a few things you can do to help guard against phishing attacks:
  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won't. Still not sure if the e-mail is a phish? Contact your IT help desk at (607) 962-9555.
  • Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
  • Check the sender. Check the sender's e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don't click links in suspicious messages. If you don't trust the e-mail (or text message), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.
Tuesday, April 9, 2019

April 2019: Whaling, SMiShing, and Vishing…Oh My!
Cybercriminals use types of social engineering—manipulating people into doing what they want—as the most common way to steal information and money. Social engineering is at the heart of all types of phishing attacks—those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you're on the lookout for these variants on the traditional, mass emailed phishing attack:
  • Spear phishing: This kind of attack involves often very well-crafted messages that come from what looks like a trusted VIP source, often in a hurry, targeting those who can conduct financial transactions on behalf of your organization (sometimes called "whaling").
  • SMiShing: Literally, phishing attacks via SMS, these scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
  • Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

  • Don't react to scare tactics: All of these attacks depend on scaring the recipient, such as with a lawsuit, that their computer is full of viruses, or that they might miss out on a chance at a great interest rate. Don't fall for it!
  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don't trust people who contact you out of the blue claiming to represent your company.
  • Know the signs: Does the message/phone call start with vague information, a generic company name like "card services," an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!
Wednesday, March 6, 2019

Campus Security Campaign - March 2019

Identity theft has become a fact of life during the past decade. If you are reading this, it is a safe bet that your data has been breached in at least one incident. Does that mean we are all helpless? Thankfully, no. There is a lot we can do to protect ourselves from identity theft and to make recovery from cyber incidents quicker and less painful.
First, take control of your credit reports. Examine your own report at each of the "big three" bureaus. You get one free report from each credit bureau once per year. You can request them by going to AnnualCreditReport.com. Make sure there's nothing inaccurate in those reports, and file for correction if needed. Then initiate a credit freeze at each of those plus two other smaller ones. Instructions can be found at Krebs on Security. To keep an eye on your credit report all year, space out your credit bureau requests by requesting a report from a different credit bureau every four months.
Next, practice good digital hygiene. Just as you lock your front door when you leave home and your car when you park it, make sure your digital world is secured. This means:
  1. Keep your operating system up to date. When OS updates are released, they fix errors in the code that could let the bad guys in.
  2. Do the same for the application software you use. Web browsers, plug-ins, email clients, office software, antivirus/antimalware, and every other type of software has flaws. When those flaws are fixed, you are in a race to install that fix before someone uses the flaw against you. The vast majority of hacks leverage vulnerabilities that have a fix already available.
  3. Engage your brain. Think before you click. Think before you disclose personal information in a web form or over the phone.
  4. Think before you share on social media sites. Some of those fun-to-share-with-your-friends quizzes and games ask questions that have a disturbing similarity to "security questions" that can be used to recover your account. Do you want the answers to your security questions to be published to the world?
  5. Use a password manager and keep a strong, unique password for every site or service you use. That way a breach on one site won't open you up to fraud at other sites.
  6. Back. It. Up. What do you do if you are hit with a ransomware attack? (Or a run-of-the-mill disk failure?) If you have a recent off-line backup, your data are safe, and you can recover without even thinking about paying a ransom.
  7. Full disk encryption is your friend. If your device is stolen, it will be a lot harder for a thief to access your data, which means you can sleep at night.
  8. Check all your account statements regularly. Paperless statements are convenient in the digital age. But it is easy to forget to check infrequently used accounts such as a health savings account. Make a recurring calendar reminder to check every account for activity that you don't recognize.
  9. Manage those old-style paper statements. Don't just throw them in the trash or the recycle bin. Shred them with a cross-cut shredder. Or burn them. Or do both. Data stolen from a dumpster are just as useful as data stolen from a website.
If you've been a victim of identity theft:

  • Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
  • Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
  • Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-685-1111); TransUnion (888-909-8872); or Experian (888-397-3742).

Campus Security Campaign - February 2019

Our social networks tell a story about us. You want to make sure that the story your social media tells about you is a good one. As articulated in a blog from the Digital Marketing Institute: "Sharing online allows you to craft an online persona that reflects your personal values and professional skills. Even if you only use social media occasionally, the content you create, share, or react to feeds into this public narrative. How you conduct yourself online is now just as important as your behavior offline."
A positive online reputation is vital in today's digital world. Like it or not, your information is out there. What you can do is help to control it and what it says about you.
Social media is so ingrained in our society that almost everyone is connected to it in some form. With every social media account you sign up for, every picture you share, and every post you make, you are sharing information about yourself with not only your friends and family but the entire digital world. How can you make sure your information and reputation stay safe online? Here are a few easy steps to get you started.
  • Keep it clean and positive. Be entirely sure about what you're posting. Make sure to post content that you feel positively reflects you, your creativity, your values, and your skills. Remember that future employers may look at your social media accounts before hiring you. Questionable content can leave a bad impression; this can include pictures, videos, or even opinions that make you seem unprofessional or mean and may end up damaging your reputation.
    Always think before you post or share negative or inappropriate content. Use the 24-hour rule before posting, allowing yourself 24 hours before posting any content that may be questionable to give yourself time to reflect on whether it is a good idea.
  • Oversharing and geotagging. Never click and tell. It can seem like everyone posts personal information on social media all the time, including where they are and where they live. As noted on the DHS.gov site: "What many people don't realize is that these seemingly random details are all criminals need to know to target you, your loved ones, and even your physical belongings—online and in the real world. Avoid posting names, phone numbers, addresses, school and work locations, and other sensitive information (whether it's in the text or in the photo you took). Disable geotagging, which allows anyone to see where you are—and where you aren't—at any given time."
    If you really want to post that picture of your friends at brunch, consider following the concept of #latergram and post your content at a later time than when it actually happened. It is a win-win. You get to share your experience and at the same time still maintain the privacy of your location in real time.
  • Don't rely on privacy settings. You have a private social media account so you can post anything you want? Nope. Privacy settings make it harder to see your full account, but it's not impossible. Also, there is always the chance that one of the people with access to your private account could screenshot and share the content.
    Make sure to keep your social media apps up to date and check the privacy settings frequently. Under no circumstances should you rely on privacy settings to shield inappropriate content. If there is any question that the content is inappropriate, don't post it.
  • Make sure you're professional. Keep it classy! Every post is a reflection of you. Your social media accounts allow you to put your best foot forward or stumble if you aren't careful. A positive social media presence can help create both personal and professional opportunities. Promote your personal brand or what you want people to think of you. And, your high school English teacher was correct—proper spelling and grammar are always a plus.
  • Control your content. Claim your identity on social media. Set up social media accounts and keep the profiles current. You don't have to join every platform; a few key ones will do. You can also look into apps that will cross post the content to all of your social media accounts, freeing up some of your valuable time. Use your accounts to engage professionally and personally in a positive way.
    Your social media accounts should tell the story of you that you want employers and others to see. Google your own name on a regular basis to make sure that that information out there is accurate. If you find incorrect information online, request that the website update it or take it down.

If you follow these few simple recommendations, you are on your way to safely building a positive online reputation. Using social media positively doesn't mean you can't have fun and use it to express yourself; however, you want to ensure that you're okay with anyone seeing everything you post. Once you post something online, it's out there forever.