Stay one step ahead of cyber criminals with regular news and tips from the Intersys cyber security newsletter.
On our radar this month:
- The latest critical vulnerabilities
- 25 most dangerous software weaknesses
- More on the MOVEit hacking scandal
- The magic of 3 random words passwords
- The Data Protection and Digital Information bill — why it matters
Updating your software with security patches is vital. So why aren’t more people doing it?
That is a question for the behavioural psychologists. We’ll stick to what we know and keep hammering home the importance of making these updates.
Because if you do stay updated, you’ll protect your organisation from the MOVEit ransomware hack and the latest WordPress plugin vulnerability, to name but two threats in the news.
Believe us – that is a very good thing.
Here are the latest updates.
Using WordPress? You’d better read this
An unpatched plugin for WordPress is giving criminals access to thousands of websites. The culprit is the WordPress Ultimate Member plugin, which is used to create user profiles and communities on WordPress sites.
A juicy (for the criminals) 200,000 WordPress websites are at risk of attack. It’s suspected that hackers are actively exploiting this plugin to create new user accounts with admin privileges to completely take over control of victims’ websites.
A new version of Ultimate Member has been released to address the security loophole. More details here.
25 most dangerous software weaknesses
What if you could view a list of the very worst, most worrying software weaknesses in one place?
The ones that devastate systems, data and operations?
Thanks to independent security advisers Mitre for allowing us all to do just that with their Top 25 Most Dangerous Software Weaknesses of 2023.
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that, “An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.”
Our security experts are poring over this one, for the benefit of our clients.
You should check it out too. Here’s the link:
https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html
MOVEit hack story still has legs
The MOVEit hack continues to develop. Quick recap: Russian ransomware gang CL0P have been exploiting vulnerabilities in the file transfer tool MOVEit to breach organisations and demand ransom payments.
Now high-profile victims such as the BBC, British Airways and Boots have been joined by Shell, AON, Cambridgeshire County Council, Dublin Airport, Siemens Energy and many more organisations.
Meanwhile, the US government has announced a reward of up to $10m for information on the culprits.
If you use MOVEit, a patch is available for the vulnerability below:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
Why we’re still loving ‘three random words’ passwords
A recent update by the National Cyber Security Council (NCSC) revealed that its ‘three random words’ password post is one of its most popular in the past five years.
This post revealed a simple password-creation technique where you pick a memorable string of random words, such as felinecoffeeglasses.
In the latest update, it reiterated that the three random words principle is easy to understand and helps to create a strong, unique password.
The NCSC did include some context and caveats, though. It said its method is useful largely because people refuse to use or remember ‘complex’ passwords, or use them incorrectly. With this being the case, three random words is a strong alternative.
It also pointed out that password managers are the best option, but people don’t like using them or even know about them. In their absence, again, three random words does the job.
We would agree with their assessment, but also add that two-factor authentication (2FA) or multi-factor authentication (MFA) are paramount. And a final thought: we can’t wait for passwordless authentication…
Here’s the NCSC post:
https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words
And here’s our own post about passwordless authentication.
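To show why the ‘three random words’ approach works, here is a small added example (our own illustration, not code from the NCSC post or from Intersys). It picks words with Python’s cryptographic `secrets` module rather than `random`, and works out how much guessing strength a passphrase has from the size of the wordlist, which is the figure that matters, not the length of the individual words. The wordlist below is a constructed sample; a real list would have thousands of entries, and the entropy figures assume every word is chosen uniformly and independently.

```python
import math
import secrets

# Constructed sample wordlist for demonstration only.
# A real wordlist would contain thousands of entries.
SAMPLE_WORDS = [
    "feline", "coffee", "glasses", "harbour", "pencil", "meadow", "lantern", "rocket",
    "velvet", "cactus", "window", "thunder", "saddle", "marble", "orchid", "puzzle",
]


def three_random_words(words=SAMPLE_WORDS, count=3, separator=""):
    """Build a passphrase from `count` words chosen with a CSPRNG.

    `secrets.choice` is used instead of `random.choice`: the latter is
    predictable and must never be used to generate credentials.
    Words are drawn with replacement, so repeats are possible and the
    entropy calculation below stays exact.
    """
    if len(words) < 2:
        raise ValueError("wordlist is too small to produce a useful passphrase")
    chosen = [secrets.choice(words) for _ in range(count)]
    return separator.join(chosen)


def passphrase_entropy_bits(wordlist_size, count=3):
    """Guessing strength (bits) of `count` words drawn uniformly from a list.

    Each word contributes log2(wordlist_size) bits, so strength grows with
    the size of the list and the number of words, not with word length.
    """
    return count * math.log2(wordlist_size)


def char_password_entropy_bits(length, alphabet_size=62):
    """Strength (bits) of a fully random character password, for comparison.

    62 = upper + lower case letters + digits.
    """
    return length * math.log2(alphabet_size)


def words_needed_for(target_bits, wordlist_size):
    """Smallest number of words from a list of this size that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print("example passphrase:", three_random_words())
    # Three words from a 7,776-word list (the size of a common diceware list)
    print("3 words, 7776-word list: %.1f bits" % passphrase_entropy_bits(7776))
    print("8 random mixed-case alphanumerics: %.1f bits" % char_password_entropy_bits(8))
    print("words needed for 64 bits from 7776-word list:", words_needed_for(64, 7776))
```

The point the numbers make is the one the NCSC makes in prose: three words from a large list are strong enough for most accounts and far easier to remember than a string of symbols, and where more strength is wanted you add a fourth word or use a bigger list rather than bolting on punctuation. The passphrase must be chosen by the machine, as above; a person ‘thinking of’ three words does not get the same guarantee.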
Why the Data Protection and Digital Information (DPDI) Bill matters to us all
Business owners will want to keep a close eye on the emerging DPDI bill. It’s a devilishly complicated and all-encompassing bill, bringing many areas around data protection under its wing. But there are several questions we should all want answered.
Will it:
- Simplify Data Protection rules for UK businesses?
- Help to improve the website experience for visitors?
- Retain the EU Adequacy Decision, a set of EU rules agreed with other territories that ensure data flows safely and smoothly across borders?
The bill, which will modify and update UK GDPR, the Data Protection Act 2018 and other regulations, aims to find a balance between protecting user data and helping businesses conduct marketing ethically without having to jump through sometimes farcical hoops. (Think long-winded cookie policies on every homepage). However, some see it as a ‘leaky valve’ compared to strict European laws on data protection.
The EU Adequacy Decision element is particularly important. If we fail to meet its guidelines, UK businesses could see severe disruption in data sharing with other territories.
Our MD, Matthew Geyman, will be writing in detail about this bill on LinkedIn, so please look up his profile and follow. It will be well worth the read.
Here’s Matthew’s LinkedIn deets:
linkedin.com/in/matthewgeyman
New SonicWall and Fortinet vulnerabilities
A slew of security flaws have been discovered in SonicWall and Fortinet network security products. More details here.
And finally, in next month’s newsletter we’ll be looking at:
- AI Spam – from fake news and reviews to spammy websites, we’ll lift the lid on the growing problem.
- Ransomware pay-outs – a surge in ransomware payments reached $450m this year. What’s driving this boom?