Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

Top 5 tips for using password managers

Password managers are a good way to keep your passwords unique, strong and safe. Tom Merritt gives us five tips on how to use them correctly.

CISA and NSA Release Guidance on Selecting and Hardening VPNs

Original release date: September 28, 2021

The National Security Agency (NSA) and CISA have released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors.

Exploitation of these devices can enable:

  • Credential harvesting
  • Remote code execution on the VPN device
  • Cryptographic weakening of encrypted traffic sessions
  • Hijacking of encrypted traffic sessions
  • Arbitrary reads of sensitive data (e.g., configurations, credentials, keys) from the device

The information sheet helps organizations select standards-based (rather than proprietary) VPN solutions and provides hardening guidance to prevent compromise and respond to attacks.

CISA encourages organizations to review and adopt recommendations in the information sheet to reduce risk.

Yes, robots are coming for your job, but you might like the new one more (if you’re still employed)

For decades, a speculated wave of job-stealing technologies has stirred debate about the role of humans in the labor force alongside automation, and AI adds a new wrinkle to the equation.

Gift card fraud: four suspects hit with money laundering charges

Gift card fraud may sound like small beer against ransomware – but it’s personal, it hurts, and it’s still a multi-million dollar problem.

Remember the Panama Papers? Get Ready for the Pandora Papers

This “unprecedented leak” on 14 offshore services firms from around the world that set up shell companies tied to dozens of current/former country leaders is a big deal: icij.org/investigations

T-Mobile Breach Exposed the Personal Data of 54 Million Customers

The T-Mobile data breach in August 2021 was massive. Find out what data was stolen, what T-Mobile is doing to help customers affected by the breach, […]


How people concoct their passwords, and why they often stink

Less than a third of the people surveyed by NordPass follow best practices when devising a password.

Over 1.5 billion Facebook users’ personal data found for sale on hacker forum

Unrelated to other recent problems Facebook has had, this particular batch of data was scraped from profiles, meaning it’s publicly available knowledge. That doesn’t stop it from being dangerous.

Apache Releases Security Update for Apache HTTP Server

Original release date: October 6, 2021

The Apache Software Foundation has released Apache HTTP Server version 2.4.50 to address two vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected system. One vulnerability, CVE-2021-41773, has been exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache HTTP Server 2.4.50 vulnerabilities page and apply the necessary update.

CISA Releases Security Advisory for Honeywell Experion and ACE Controllers

Original release date: October 5, 2021

CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities affecting all versions of Honeywell Experion Process Knowledge System C200, C200E, C300, and ACE controllers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review ICS advisory ICSA-21-278-04 Honeywell Experion and ACE Controllers, as well as the Experion Network and Security Planning Guide and Honeywell Support document SN2021-02-22-01, for more information and apply the necessary mitigations.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
