Tech News Roundup: Apple, Google 2FA, Conti Ransomware & More | 2Secure Corp


This tech news roundup episode of The Cybersecurity Insider covers pivotal topics shaping the cybersecurity industry. Host Yigal Behar is joined by Seth Melendez of WareGeeks Solutions.

Apple’s Swift Response To Zero-Day Vulnerabilities

Yigal and Seth dive into Apple’s recent move to address three zero-day vulnerabilities. Seth begins by noting that these vulnerabilities have likely been known for a few weeks, but he praises Apple for their prompt response compared to other tech giants like Microsoft.

He argues that while Apple and Microsoft might seem similar in their security profiles, it’s often the size of the user base that makes a platform more attractive to attackers. Despite Apple’s relatively large market share, their quick action on vulnerabilities earns them some credit in Seth’s eyes.

Yigal also reflects on Apple’s past approach to security. He points out that there was a time when Apple did not disclose information about vulnerabilities, leading some to wrongly assume their systems were inherently more secure. 

This perception was partly due to Apple’s shift from a proprietary operating system to a Linux-based system, which brought its own set of issues. Although Apple has since tailored its kernel, the transition didn’t eliminate the inherent risks of a Linux-based system.

Yigal then updates listeners on the specific updates Apple has released: 

  • macOS 11.4, 10.15, and 10.14
  • iPadOS 14.6
  • watchOS 7.5
  • tvOS 14.6

These updates address the zero-day vulnerabilities that hackers have exploited in the wild. The vulnerabilities bypass privacy protections and affect the WebKit component of Apple TV and Apple TV HD. 

Apple’s Ongoing Patch Updates & Public Awareness Challenges

It’s the second time this month that Apple has issued notifications about vulnerabilities and new patches. The hosts also address a specific concern about Apple TV vulnerabilities, which can be particularly tricky to manage.

Seth notes a key point about the dissemination of such information. He explains that while hackers and cybersecurity professionals are often aware of these vulnerabilities, the general public may not be as informed or proactive despite receiving notifications.

Tulsa, OK Against Ransomware

Yigal then shares some encouraging news about the City of Tulsa, Oklahoma’s successful defense against a ransomware attack, which is a rare victory in the ongoing battle against cyber threats. 

The city made a firm decision not to pay the ransom demanded by the attackers. The city detected suspicious activity on its network early and swiftly shut it down before the attackers could access sensitive information. Although the attack did disrupt residents’ ability to pay their water bills online or in person, Yigal finds it noteworthy that the city prevented a more damaging breach. The podcast hosts commend Tulsa for their effective response and resilience in the face of a ransomware threat.

Network Segmentation

Yigal looks into the technical reasons behind the water-bill disruption, suggesting that the problem may stem from a lack of network segmentation. He explains that effective network segmentation involves dividing a network into separate segments so that a breach in one segment doesn’t affect others.

For example, credit card processing systems should be isolated from other parts of the network to ensure they remain operational even if other segments are compromised.
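The segmentation point above can be checked mechanically: given the flows a firewall policy permits between segments, a breach in one segment can spread only to what is transitively reachable from it. The following Python example is added here and is not code from the podcast or 2Secure Corp; the segment names, the two policies (a flat network versus a segmented one with card processing isolated, as in the example above) and the "critical" and "untrusted" labels are all constructed for illustration.

```python
"""Blast-radius check for a segmentation policy (added example, constructed data)."""
from collections import deque

# Constructed: segments of a small municipal network.
SEGMENTS = {"user-lan", "web-portal", "billing-app", "card-processing", "backups"}

# A flat network: every segment may initiate traffic to every other segment.
FLAT_POLICY = {src: {dst for dst in SEGMENTS if dst != src} for src in SEGMENTS}

# A segmented policy: allowed flows are source -> set of destinations.
# Card processing and backups accept no inbound flows from the other segments.
SEGMENTED_POLICY = {
    "user-lan": {"web-portal"},
    "web-portal": {"billing-app"},
    "billing-app": set(),
    "card-processing": set(),
    "backups": set(),
}


def reachable_from(policy, start):
    """Segments an intruder who controls `start` can reach over permitted flows
    (breadth-first search over the allow-list, excluding `start` itself)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(policy, compromised):
    """Sorted list of segments affected by a compromise of `compromised`."""
    return sorted(reachable_from(policy, compromised))


def isolated(policy, compromised, critical):
    """True if `critical` keeps operating when `compromised` is breached."""
    return critical not in reachable_from(policy, compromised)


def audit(policy, critical, untrusted):
    """Map each untrusted segment to the critical segments it can reach.
    An empty result means the policy isolates every critical segment."""
    findings = {}
    for src in untrusted:
        hit = reachable_from(policy, src) & set(critical)
        if hit:
            findings[src] = sorted(hit)
    return findings


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: compromise of user-lan reaches {blast_radius(policy, 'user-lan')}")
        print(f"{name}: violations {audit(policy, ['card-processing', 'backups'], ['user-lan', 'web-portal'])}")
```

Running it shows that in the flat policy a compromised user workstation reaches the card-processing and backup segments, while in the segmented policy it reaches only the portal and billing tiers, which is exactly the property the hosts describe. The same audit can be fed a real allow-list exported from a firewall.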

Seth speculates that “the other issue could be that they’re using the same application regardless of where you come from, whether you’re online or not. It could be the same application, so on the back end, it’s the same. Wherever you go, you’re just screwed. So, I guess they shut it down as a precaution—who knows.”

Yigal contrasts this with many companies that still struggle with poor visibility into their networks, which hinders their ability to detect and respond to threats. Tulsa’s detection capabilities are a step forward, though he mentions that prevention and detection are both key components of a strong cybersecurity strategy. 

Seth returns to this lack of full visibility into networks, a problem that, surprisingly, is sometimes intentional. By not seeing issues, these companies don’t have to take action or allocate resources to fix them. This avoidance allows them to defer spending, as many CIOs or CEOs prefer to deal with problems later rather than investing money upfront to prevent them.

Microsoft Retires Internet Explorer

The discussion shifts to Microsoft’s decision to retire Internet Explorer. Yigal introduces the topic, noting that some customers still rely on the old Internet Explorer application, despite the availability of a compatibility function within Microsoft Edge.

Microsoft plans to retire Internet Explorer on June 15, 2022, for certain versions of Windows 10. It will be replaced by Microsoft Edge, which includes an IE mode to support legacy web pages that require the older browser.

Seth agrees that this move is long overdue, while humorously suggesting that Microsoft should have retired Internet Explorer back in the days of the old Netscape Navigator browser wars.

While Microsoft is finally doing something right, there are still concerns about the underlying code. Seth wonders whether the IE mode within Microsoft Edge could still harbor the same security risks as the original Internet Explorer. Although it’s unclear whether these vulnerabilities persist, they agree that if such issues are found, it would indicate that the old, vulnerable code is still present in some form.

Conti Ransomware

As the conversation resumes, Yigal references a recent FBI alert about the notorious Conti ransomware group, which has been actively targeting healthcare and first responder networks. 

The FBI’s flash alert indicates that this group has successfully breached at least 16 such networks within the past year. The alert not only shares technical details and indicators of compromise (IOCs) but also offers practical mitigations. Among the recommended steps are implementing network segmentation and regularly conducting offline data backups.

The discussion then shifts to examples of municipalities like Tulsa and Oklahoma City, which have taken steps to address these threats. However, both Yigal and Seth express frustration that many organizations, especially in the healthcare sector, seem to have their “heads in the sand,” ignoring the clear and present dangers.

Seth reflects on a common scenario where companies claim they “had to pay” the ransom, arguing that such payments could often be avoided if proper precautions were taken in advance. 

Seth encourages us to heed the frequent warnings issued by the FBI and other cybersecurity authorities. Despite the flood of alerts and updates that people receive daily, Yigal notes that most tend to ignore them, failing to recognize that everyone is a target for cybercriminals.

How Hospitals & Schools Become Prime Targets For Ransomware 

Yigal turns his attention to the vulnerabilities plaguing critical institutions like hospitals and K-12 schools. He points out that these organizations are particularly susceptible to cyberattacks because they often neglect even the most basic aspects of IT management.

Something as fundamental as patch management—installing updates and fixes to software—can go a long way in protecting against threats. Yet, many of these institutions fail to perform even this basic task. He also urges proper password management and regular data backups, which are essential to protect against cyber threats.

Yigal explains that modern ransomware doesn’t just target data; it also goes after backups, encrypting them to make recovery even more difficult. He refers to a recent case involving a gas company in Florida that suffered a cyberattack. The company didn’t have sufficient or properly managed backups, forcing them to pay the ransom to retrieve their data.

Yigal stresses the need for organizations to maintain backups in multiple locations, both online and offline, to enable quick recovery in case of an attack. He mentions Recovery Time Objective (RTO) and Recovery Point Objective (RPO), which are key metrics to ensure a swift and effective recovery process. 
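The RTO/RPO point and the warning that ransomware encrypts reachable backups can be put together in one calculation: after an incident, only verified copies that the attacker could not reach count, and the newest of those determines the achieved RPO (data lost) and RTO (restore time). The Python below is an added example, not code from the podcast or 2Secure Corp; the backup schedule, incident time, restore durations and the objectives are all constructed values.

```python
"""Evaluate achievable RPO/RTO after a ransomware incident (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    location: str          # "online" (reachable from the network) or "offline"
    verified: bool         # a test restore or integrity check succeeded
    restore_minutes: int   # measured time to bring the system back from this copy


# Constructed sample schedule: hourly online snapshots plus a nightly offline
# copy; one older offline copy failed its test restore and is unusable.
BACKUPS = [
    Backup(datetime(2021, 6, 1, 14, 0), "online", True, 30),
    Backup(datetime(2021, 6, 1, 13, 0), "online", True, 30),
    Backup(datetime(2021, 6, 1, 2, 0), "offline", True, 240),
    Backup(datetime(2021, 5, 31, 2, 0), "offline", False, 240),
]
INCIDENT = datetime(2021, 6, 1, 14, 30)   # constructed: when encryption began


def usable_backups(backups, incident, online_trusted=False):
    """Copies that can still be relied on after the incident, newest first.

    By default online copies are treated as lost, reflecting the point that
    modern ransomware encrypts any backup it can reach. Pass
    online_trusted=True to see the optimistic figure."""
    usable = [
        b for b in backups
        if b.taken_at < incident
        and b.verified
        and (online_trusted or b.location == "offline")
    ]
    return sorted(usable, key=lambda b: b.taken_at, reverse=True)


def evaluate(backups, incident, rpo, rto, online_trusted=False):
    """Compare the recovery achievable from the newest usable copy with the objectives."""
    candidates = usable_backups(backups, incident, online_trusted)
    if not candidates:
        return {"recoverable": False}
    newest = candidates[0]
    achieved_rpo = incident - newest.taken_at            # data-loss window
    achieved_rto = timedelta(minutes=newest.restore_minutes)
    return {
        "recoverable": True,
        "restore_from": newest.taken_at,
        "achieved_rpo": achieved_rpo,
        "rpo_met": achieved_rpo <= rpo,
        "achieved_rto": achieved_rto,
        "rto_met": achieved_rto <= rto,
    }


if __name__ == "__main__":
    objectives = dict(rpo=timedelta(hours=4), rto=timedelta(hours=8))
    print("offline copies only:", evaluate(BACKUPS, INCIDENT, **objectives))
    print("if online copies survived:", evaluate(BACKUPS, INCIDENT, online_trusted=True, **objectives))
```

With the constructed schedule the hourly online snapshots would meet a four-hour RPO, but once they are assumed encrypted the newest trustworthy copy is the nightly offline one and the real data-loss window is twelve and a half hours. That gap is the argument for keeping offline copies at a frequency that matches the RPO, not just for keeping them at all.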

Why Basic Cybersecurity Practices Matter More Than Ever

Yigal and Seth now focus on the recent Apple security issues. Seth says, “With the Apple vulnerabilities, they put them out. You’ve got to give the companies credit, you know. We could argue and debate how long it takes for them to do it—that’s a separate argument—but once they do it, you’d be amazed how many people never update, never do that. Like you just said, these are the basics, low-end; this is low-hanging fruit.”

He stresses that failing to patch software is a fundamental oversight, likening this neglect to leaving a door wide open. He then pivots to the importance of backups, which should be kept offline and disconnected from the network to avoid being compromised by ransomware.

Seth explains that there are services available that routinely check backups for signs of ransomware or other vulnerabilities. These services can detect issues before a company even realizes they’ve been compromised. “So when you restore quickly after one of these things has been taken over by some type of ransomware, at least you have peace of mind that you’re most likely not reintroducing these ransomware or vulnerabilities back into your network.”

Yigal and Seth also touch on the challenges posed by legacy systems—older software or hardware that can’t be easily patched without risking functionality. 

In these cases, Yigal advises implementing compensating security controls around such systems to protect them from vulnerabilities. He warns against complacency, urging organizations not to simply ignore these legacy systems but to actively manage their security, even if direct patching isn’t possible. 

Why Big Companies Still Rely on Outdated Technology

Seth reflects on how baffling it is that some companies, particularly large ones like gas companies, continue to rely on outdated systems. He admits that he can understand the use of slightly older technology, such as three- or four-year-old computers, but finds it hard to justify the persistence of legacy systems in major corporations.

Yigal suggests that the reluctance to upgrade might stem from a desire to avoid spending money. However, there could be more to it than financial concerns. Sometimes technical limitations are the reason these companies continue to use outdated systems despite the obvious risks and challenges they present.

Modernizing Legacy Systems

Yigal also outlines the process involved in managing these systems, starting with connecting sensors from the field—part of the Internet of Things (IoT). The data from these sensors is collected and sent to a controller, which then communicates with the manufacturing systems and management systems. The challenge is not just in collecting and sending this data but also in ensuring control mechanisms are in place for managing these systems from outside sources.

Yigal explains that many of these systems use outdated protocols and equipment that are no longer supported or upgradable. This lack of support can make transitioning from legacy systems to newer technologies challenging.

Seth offers a solution from his own experience working with companies like Johnson & Johnson. He describes a strategy where old legacy systems are virtualized. This involves taking the entire server and virtualizing it onto new equipment while making the system believe it’s still operating on the old hardware. 

This approach allows for continuity while gradually updating the infrastructure. Seth notes that, although additional connections and adjustments—such as RS connections—might be necessary, there are ways to modernize even the most outdated systems without disrupting ongoing operations. “It surprises me that I don’t see more of that,” he adds.

Workplace Fix Available For WordPress Statistics Vulnerabilities 

Yigal and Seth then discuss an update regarding WordPress statistics vulnerabilities. Yigal notes an SQL injection vulnerability in the WordPress Statistics plugin that could allow attackers to access database information without needing to log in. This means that an attacker could exploit the plugin through the injection alone, bypassing authentication entirely.
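The class of flaw described above, a query built by pasting request input into SQL text, is easiest to understand next to its fix. The example below is added here and is not the plugin’s code (the plugin is written in PHP; this models the same pattern in Python against an in-memory SQLite table with constructed visitor rows). It shows that the string-built lookup answers a crafted value with every row in the table while the parameterised version treats the same value as a literal and returns nothing.

```python
"""String-built SQL versus a parameterised query (added example, constructed data)."""
import sqlite3

# Constructed: the kind of "visitor statistics" value a plugin might query for.
INJECTED_VALUE = "' OR '1'='1"


def make_db():
    """In-memory table with three constructed visitor rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (id INTEGER PRIMARY KEY, ip TEXT, agent TEXT)")
    conn.executemany(
        "INSERT INTO visitors (ip, agent) VALUES (?, ?)",
        [("203.0.113.5", "Mozilla/5.0"), ("198.51.100.7", "curl/7.68"), ("192.0.2.9", "Mozilla/5.0")],
    )
    conn.commit()
    return conn


def stats_for_ip_vulnerable(conn, ip):
    """Vulnerable pattern: the request value becomes part of the SQL statement
    text, so a value containing quotes changes the statement's logic."""
    sql = f"SELECT ip, agent FROM visitors WHERE ip = '{ip}'"
    return conn.execute(sql).fetchall()


def stats_for_ip_safe(conn, ip):
    """Fixed pattern: the value is bound as a parameter and can only ever be
    compared as data, whatever characters it contains."""
    return conn.execute("SELECT ip, agent FROM visitors WHERE ip = ?", (ip,)).fetchall()


def demonstrate():
    """Return row counts for a normal lookup and for the crafted value under both patterns."""
    conn = make_db()
    return {
        "normal_vulnerable": len(stats_for_ip_vulnerable(conn, "203.0.113.5")),
        "normal_safe": len(stats_for_ip_safe(conn, "203.0.113.5")),
        "crafted_vulnerable": len(stats_for_ip_vulnerable(conn, INJECTED_VALUE)),
        "crafted_safe": len(stats_for_ip_safe(conn, INJECTED_VALUE)),
    }


if __name__ == "__main__":
    print(demonstrate())
```

For a normal address both functions return one row; for the crafted value the vulnerable function returns all three rows and the safe one returns none. The same binding discipline applies in PHP through prepared statements, and a code review that greps for string interpolation inside SQL text is a quick way to find candidates for this fix.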

Yigal notes that the plugin, which is installed on approximately 600,000 WordPress sites, had the vulnerability disclosed to the plugin developer on March 13, 2021. The developer responded swiftly, releasing an updated version just twelve days later on March 25. This quick turnaround in addressing the issue demonstrates a high level of responsiveness from the developers.

Yigal adds that while the developer acted promptly, the real challenge is whether WordPress site owners will update their plugins. Fortunately, WordPress now supports automatic updates for both plugins and the core installation. 

Once an update is available, WordPress can handle the installation automatically, reducing the burden on site owners. Yigal mentions that with this automation, there is less excuse for not keeping systems up to date, as the necessary updates can be applied without manual intervention.

Yigal adds a word of caution: while automatic updates for WordPress and its plugins are highly beneficial, they can sometimes cause functionality issues, leading to site outages. He suggests that, despite these problems, it is often preferable for a site to experience temporary downtime due to update issues rather than remaining vulnerable to cyberattacks.

According to Seth, it is far easier to address and explain a temporary outage than to deal with the fallout from a successful hack. 

Necessity Of Multi-Factor Authentication (MFA)

Yigal and Seth dive into the topic of multi-factor authentication (MFA). Seth expresses a common frustration: although MFA is important for security, many people find it annoying and inconvenient. 

He recounts a recent experience where he struggled with MFA, noting the hassle of locating his phone and dealing with the various authentication apps he uses, such as Google Authenticator and Microsoft Authenticator.

Yigal describes the situation where, if a phone dies or malfunctions, it can create issues because MFA often relies on receiving text messages or using an app. Seth asserts that while MFA is a “love-hate relationship” and is a reality many face, it’s a necessary step to enhance security. 

From MFA To Email Server Vulnerabilities

Yigal brings up a relatable frustration: his kids want to access certain online activities that he believes they shouldn’t, which shows the ongoing challenge of managing digital security and permissions.

Yigal transitions to the topic of multi-factor authentication (MFA), urging listeners to enable it without delay. Seth likens it to taking medicine—it’s not enjoyable, but it’s necessary for security. He mentions that Google plans to automatically enroll users into two-step verification if their accounts are set up to allow it. 

The conversation then shifts to email server vulnerabilities. Yigal reports that researchers at Qualys have discovered 21 security flaws in the Exim mail server, which could be exploited to achieve full remote code execution and gain root privileges. These vulnerabilities date back to releases from 2004 and are prevalent in mail servers running on Linux systems. Seth urges patching systems, especially since proof-of-concept code for the vulnerabilities has been released.

Seth warns about the risks of leaving networks open and notes that even if systems are protected, people often expose themselves by leaving remote tools accessible with bad passwords. He humorously points out that sometimes it feels as if people are inviting attackers in with open doors, offering them a “comfortable chair” and perhaps even a “donut” while they exploit vulnerabilities.

Exploiting Google Forms Is A New Spam Tactic

Yigal shares his discovery about an unusual spam tactic involving Google Forms. He recounts receiving an email from a customer who reported a troubling issue: spam emails promoting products like Viagra were being sent not from typical spam sources, but from Google Forms.

Seth confirms that this is indeed a novel approach. Instead of coming from conventional spam email addresses, these messages are routed through Google Forms, a platform not typically associated with spam. Because Google Forms is widely recognized and not usually blacklisted, it bypasses many spam filters.

Yigal explains that this method involves setting up a Google Form, automating the process to collect email addresses, and then using that form to distribute spam emails. He notes that this tactic is particularly clever because it leverages the trusted reputation of Google to avoid detection.

To address the issue, Yigal advises the customer to report the abuse directly to Google and blacklist the sender’s email address. He also recommends tightening spam filters to prevent future occurrences. As of the next day, Yigal hasn’t received any further complaints, suggesting that the measures taken may have resolved the problem.

Update On Insider Threats & Ransomware Reactions

Seth then shifts the discussion to a more pressing frustration: the response of managers and CEOs to ransomware attacks. He expresses dissatisfaction with how some executives react indignantly when criticized for paying ransoms. 

Seth believes that such payments only encourage further attacks, creating a cycle of increased threats. The root problem lies with these leaders’ decisions. He argues that if organizations had invested properly in IT infrastructure and security from the start, they might not face these issues. 

Despite having substantial resources, like the $12 million used to pay a ransom, some companies fail to allocate adequate funds for preventive measures. Seth strongly argues that these companies “are not broke.”

Yigal agrees, “They are too cheap to spend the money from the beginning.”

Misconceptions Of Small Business Security & Compliance

Yigal addresses a common misconception among small businesses: the belief that they are unlikely targets for cyberattacks. He recounts how some small business owners think they have nothing of value and therefore believe they are not at risk. They often justify their lack of investment in security by claiming they have nothing to hide or that their data isn’t of interest to attackers.

Yigal shares a story about a company that faced a data breach and was given a plan to address the issues. Despite the clear recommendations, the company was resistant to investing in the necessary fixes. Instead, they considered shutting down the business as a cheaper alternative to compliance costs.

Need For Minimum Security Standards & Accountability

Yigal shares a recent experience with another customer who was initially hesitant about investing in necessary security infrastructure, specifically a firewall. Despite Yigal and his team’s warnings about the consequences of not upgrading, the customer questioned the need and was concerned about possible issues with Ethernet speed. 

Yigal maintains that failing to act swiftly could lead to the customer confronting severe risks or closing down the business. 

Seth reflects on the broader issue of businesses, both large and small, arguing over minor expenses while neglecting essential security measures. He believes there should be minimum security standards across the board to ensure that businesses prioritize their cybersecurity. 

Seth slams companies that spend excessively on executive salaries but skimp on infrastructure. Yigal chimes in, “Look, it depends on the message, and I think the message, whether to big CEOs, small CEOs, or small business owners, is that they don’t spend the money. Regardless of the size, you are still vulnerable, and cybercriminals are still after you, regardless of your size.”

Seth also asserts, “I think those companies that can affect the public at large should be held accountable.”

He points out that when large organizations, like Netflix or healthcare providers, experience breaches, hundreds of millions of people’s information can be exposed. He argues that there should be greater accountability for these breaches, especially when they affect a large segment of the public.

Seth contrasts this with smaller businesses, where a breach might impact a limited number of customers. He believes there should be a distinction in the level of accountability required for smaller versus larger organizations. 

Incentivizing Cybersecurity Investments

Yigal mentions ongoing efforts, such as those by New York State’s Department of Financial Services, to enforce cybersecurity standards across various industries, including small businesses like insurance brokers and check-cashing services. Compliance is challenging, and many small businesses resist following these standards.

To incentivize better security practices, Yigal proposes the idea of offering tax credits to businesses that invest in cybersecurity. He suggests that businesses could receive tax credits for documented expenditures on security measures, provided they submit proof and third-party verification to the IRS. 

He compares the cost of investing in cybersecurity measures with the higher cost of a ransomware attack, “Would you rather spend fifty thousand dollars plus ten thousand dollars, or twenty thousand dollars per year? What are your choices?”

The Case for Government Regulation

Seth believes that government intervention is necessary for ensuring cybersecurity accountability. He argues that there needs to be some form of regulation or standard that industries must follow. 

Different industries, such as healthcare and finance, already have specific compliance requirements when working with the government. Seth suggests that this approach should extend to all sectors, including both large and small accounting firms.

He envisions a system where businesses must follow documented compliance standards and undergo independent audits to verify their adherence. If a business fails to produce the necessary documentation during an audit, it will face fines. 

According to Yigal, even if a breach occurs after demonstrating due diligence and compliance, the business should be protected from severe penalties. While no system is perfect, businesses that have followed proper procedures should not be unduly penalized for breaches.

Seth also notes that insurance companies are currently leading the way, because in certain industries they are demanding a great deal of cybersecurity from the businesses they insure.

Insurance Companies Can Drive Cybersecurity Compliance

Seth shares his experience of living in New Jersey, noting that the quiet environment is a contrast to the busy world of cybersecurity. He points out that insurance companies are starting to push for better cybersecurity practices. 

Insurers are increasingly requiring businesses to comply with specific rules if they want comprehensive protection. This includes both small businesses and major corporations.

Seth explains that insurance companies are using their influence to mandate cybersecurity measures. For businesses to secure coverage, especially against substantial threats like ransomware, they must meet certain standards. This shift is gradually rolling out to ensure that businesses are better prepared and protected. Seth expresses hope that these efforts by insurance companies will lead to a big difference in overall cybersecurity practices.

Starting With The Basics

Seth encourages starting with the basics when it comes to cybersecurity. He advises small businesses, particularly those with just one or two employees, to focus on the fundamental elements of security. 

Seth suggests beginning with simple but crucial steps, like ensuring a firewall is in place and that systems are regularly patched. Once these basics are covered, businesses can gradually implement more advanced measures. “Just start doing something today.”

Yigal stresses that taking action is key, even if it’s just one small step. He recommends that after finishing the podcast, listeners should pick one area to improve and start there. For the best return on their investment of time, he suggests focusing on patch management, which can reduce security risks. In essence, he advocates for starting with patching as a straightforward way to enhance cybersecurity.

Stay informed and boost your knowledge of current threats and best practices with The Cybersecurity Insider podcast. You can also catch us on YouTube, Apple Podcasts, and Spotify.

Apple, Google 2FA, Exim Mail Server, WordPress, City of Tulsa, Microsoft Will Retire IE, Conti Ransomware, and more.
