FTC Enforcing That Businesses Patch Log4j Java Security Issue

By now you’re almost certainly aware of the Log4j Java issue.

It’s a serious and fixable flaw relating to Java logging.

The United States Federal Trade Commission (FTC) recently issued a chilling warning to anyone who hasn’t yet fixed the flaw and protected against the vulnerability.

The FTC’s statement reads in part as follows:

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future. 

Failure to identify and patch instances of this software may violate the FTC Act.

The Log4j vulnerability is part of a broader set of structural issues.  It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies. 

These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy.

This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security.”

The FTC has already made it clear that they’re not playing around with this issue either.  Not long ago in 2019, they hit Equifax with a staggering $700 million fine because of customer data exposure.

The FTC clearly has the muscle to make this threat stick. So if you haven’t already installed the remedy for Log4j, do it now before you lose track of it. Keep an ear to the ground for other similar issues.

Fines of the sort that the FTC is threatening are enough to rock any business back on its heels. So don’t take any chances.  Stay vigilant out there.  It’s going to be an interesting year.

Update Your All In One SEO Plugin For Security Patch

Do you own and operate a WordPress website?  Do you also use the “All in One” SEO plugin?

If you answered yes to both of those questions, then be aware that you’ll want to update that plugin as soon as possible.

Recently security researcher Marc Montpas from Automattic Security discovered and reported a pair of critical security flaws.

These flaws put any website using the non-upgraded version of that plugin at risk. The security flaws are being tracked as CVE-2021-25036 and CVE-2021-25037 respectively. The first is an Authenticated Privilege Escalation bug and the second an Authenticated SQL Injection bug.

The bad news is that there are currently more than 800,000 websites running the outdated and vulnerable version of the plugin.  The good news is that the development team behind the All-in-One plugin responded very quickly and delivered an update to their product on December 7th of this year (2021) which addresses both issues.

The reason these flaws are so dangerous is that all an attacker needs to exploit them is an authenticated account, which is generally a relatively easy thing to get. The account doesn’t need a lot of rights or privileges, so a low-level permission group like “Subscriber” is sufficient.

Using that as a starting point, it would be easy for an attacker to escalate his or her own privileges and cause all sorts of damage to the site itself or exfiltrate data from it.  Not good.

In any case, there’s a simple solution ready and waiting.  Just check to see what version of the All-in-One plugin you’re using. If you aren’t already on it, download and install the 4.1.5.3 patch.  Stay safe out there.  There may yet be a few additional surprises in store for us in what remains of the year.
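The version check described above can be automated across many sites. The following is an added example, not code from the plugin's developers: it assumes the plugin lives in a directory named `all-in-one-seo-pack` under `wp-content/plugins` and reads the standard `Version:` header WordPress plugins carry in their main PHP file. The two sites and the file name in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 1, 5, 3)              # patched release named in the article
SLUG = "all-in-one-seo-pack"      # assumed plugin directory name

# WordPress plugins declare their version in a header comment of the main PHP file.
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = HEADER_VERSION.search(text[:8192])   # WordPress reads only the first 8 KB
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def needs_update(version, fixed=FIXED):
    """Numeric compare, padded so 4.2 > 4.1.5.3 and 4.1.5.10 > 4.1.5.3."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)


def audit(root):
    """Yield (plugin_dir, version, vulnerable) for each copy found under root."""
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{SLUG}")):
        for php in sorted(plugin_dir.glob("*.php")):
            version = parse_version(php.read_text(errors="replace"))
            if version:
                yield str(plugin_dir), version, needs_update(version)
                break


def demo():
    """Build two constructed sites in a temp dir and audit them."""
    header = "<?php\n/**\n * Plugin Name: All in One SEO\n * Version: {}\n */\n"
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("site-a", "4.1.5.2"), ("site-b", "4.1.5.10")):
            d = Path(root, site, "wp-content", "plugins", SLUG)
            d.mkdir(parents=True)
            (d / "all_in_one_seo_pack.php").write_text(header.format(ver))
        return [(Path(p).parts[-4], v, bad) for p, v, bad in audit(root)]


if __name__ == "__main__":
    for site, version, bad in demo():
        print(site, ".".join(map(str, version)), "UPDATE" if bad else "ok")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 4.1.5.10 below 4.1.5.3 and flag a patched site as vulnerable.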

Large GoDaddy Data Breach Involves WordPress Customer Email Addresses

Are you a GoDaddy customer? Do you maintain a WordPress blog with the company?

If so, be advised that the company recently announced a breach of their network. An as yet unidentified third party accessed GoDaddy’s Managed WordPress hosting environment.

Based on the investigation to date, the intrusion began on September 6, 2021. By taking advantage of a vulnerability the company was unaware of at the time, the unknown attacker was able to gain access to a variety of information.

The information taken includes:

  • The email addresses and customer numbers of more than 1 million Managed WordPress customers (both active and inactive)
  • The original WordPress Administrative password that was set at the time of provisioning
  • For active customers, the SFTP and database usernames and passwords
  • And for some customers (exact number unknown at this time), the SSL private key

The company has retained the services of an independent third-party security firm to assist them with their investigation. That investigation is ongoing but the company has already reset the SFTP and database passwords for all impacted users. They are in the process of issuing and installing new certificates for customers who had their SSL private keys exposed.

The company is in the process of contacting all impacted users. If your email address was exposed, you will definitely want to keep a sharp eye out for phishing attacks targeting your email address.

As is the case any time an event like this occurs the company apologized and stressed that they take customer data security very seriously. No additional information is available at this time but bear in mind that the investigation is still ongoing.

It’s unfortunate but not altogether surprising. A company as large as GoDaddy with millions of customers is an attractive target for almost any hacker. Stay vigilant out there. This won’t be the last major breach we see this year.

Microsoft Windows 7 And 8 OneDrive Support Is Ending

Are you a OneDrive user running Windows 7, Windows 8, or Windows 8.1? If so, be aware that on January 1st, 2022 your OneDrive desktop application will reach end of support.

The company offered the following by way of explanation:

“In order to focus resources on new technologies and operating systems and to provide users with the most up-to-date and secure experience beginning January 1, 2022, updates will no longer be provided for the OneDrive desktop application on your personal Windows 7, 8, and 8.1 devices.

Personal OneDrive desktop applications running on these operating systems will stop syncing to the cloud on March 1, 2022. After March 1st, 2022 your personal files will no longer sync and should be uploaded/accessed directly on OneDrive for web.”

The good news is that your OneDrive files aren’t going anywhere. So you don’t have to worry about finding a new cloud-based file storage system. This is definitely more than a minor inconvenience and yet another reason to strongly consider upgrading your PC and your OS to something more modern.

As things stand the clock is ticking for extended support for the OSes mentioned above. It won’t be long before you lose the protection offered by periodic security updates. Before that happens you need to be thinking in terms of steps to protect yourself and all your data regardless of where it lives.

Although it is highly inconvenient for people running those older Operating Systems it’s completely understandable that Microsoft is taking this stance. Though the company has deep pockets it also has a sprawling catalog of products to maintain. At a certain point they simply have to say goodbye to older applications. Upgrade before the clock runs out.

Warn Your Employees About The New DocuSign Phishing Campaign

Phishing attacks tend to focus on executive level targets. They focus on high ranking targets who have considerable system access.

That appears to be changing. A recent trend tracked by researchers from Avanan has revealed that nearly half of all phishing emails analyzed in recent months were crafted to impersonate non-executives.

Additionally more than three quarters of them (77 percent) targeted employees on the same level.

This is something of a departure and it allows those who orchestrate phishing campaigns to target a significantly larger pool of potential victims. The reason behind the shift in focus is easy enough to understand.

The Avanan researchers summarize it as follows:

“Security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. At the same time, non-executives still hold sensitive information and have access to financial data. Hackers realized, there is no need to go all the way up the food chain.”

Increasingly hackers and scammers are coming to rely on spoofed DocuSign emails to gain access.

If you’re unfamiliar with it, DocuSign is a legitimate platform used to digitally sign documents. In this case, a scammer creates a dummy DocuSign document and emails a request to a low to mid-level employee to update direct deposit information or something similar.

By all outward appearances the DocuSign request looks completely legitimate, but there is one important difference. An actual DocuSign email won’t ask the recipient for login credentials. The spoofed ones do. Naturally, this is done so that the hackers can harvest those credentials.

Given the crush and volume of daily business emails, the difference is easy to overlook, which explains why this approach has enjoyed an uncannily high degree of success.

Be sure your employees are aware of this latest threat and stay on their guard against it. One moment of carelessness could wind up being costly indeed.