Category Archives: Alert

Security alerts

PHP Users Beware

Normally I would send this out as a client alert, but given the enormity of this, I think it needs wider distribution.

PHP is the “P” in the LAMP web server stack (Linux, Apache, MySQL and PHP).  PHP is the scripting language, long since grown into a full programming language, that a large share of web sites run on.

January 1, 2019 is a date that needs to be etched into your (virtual) daytimer.  It is the date on which support for older versions of PHP will end.


Version 5.6 of PHP will no longer get security patches as of December 31 – about 10 weeks from now.  Version 7.0 will stop getting patches in about 8 weeks.

If you are running Version 5 of PHP after the end of the year, ZDNet asks “do you feel lucky?”

W3Techs says that 78% of websites using PHP are using Version 5.

Of course you have to consider whether moving your website to a supported version of PHP will break anything, so test before you switch.  In general it will probably work, but code written for PHP 5 that still uses features removed in PHP 7 (the old mysql_* database functions are the classic case) will need changes first.

So, the question to ask is: are you running an old version of PHP?  Many sites are.  If you are, do you have plans to upgrade?
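To answer that question across more than one server, here is an added example (mine, not code from the post or from ZDNet) that pulls the PHP version out of `php -v` output or an `X-Powered-By` response header and classifies the branch against the end of its security support.  The 5.6 date is the December 31 date given above; the 7.0, 7.1 and 7.2 dates, the 90 day “expiring” window and the sample inventory lines are my assumptions, not facts from the post.

```python
import re
from datetime import date

# End of security support per PHP branch. The 5.6 date is the December 31
# date the post gives; the others are my assumptions (php.net: 7.0 early
# December 2018, 7.1 December 2019, 7.2 November 2020), not from the post.
PHP_EOL = {
    "5.6": date(2018, 12, 31),
    "7.0": date(2018, 12, 3),
    "7.1": date(2019, 12, 1),
    "7.2": date(2020, 11, 30),
}
EXPIRING_WINDOW_DAYS = 90  # assumed planning horizon for "start the upgrade now"

_VERSION_RE = re.compile(r"PHP[/ ](\d+)\.(\d+)\.(\d+)")

def parse_php_version(text):
    """Return (major, minor, patch) from `php -v` output or an X-Powered-By
    header such as 'X-Powered-By: PHP/5.6.38', or None if no PHP version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def check_support(text, today):
    """Classify the PHP version found in `text` as of `today` (a date or ISO string).

    verdict is one of:
      'unsupported'   past the end of security support (or older than any branch we track)
      'expiring'      support ends within EXPIRING_WINDOW_DAYS
      'supported'     still inside its security support window
      'not_in_table'  a branch newer than the table above; check php.net
      'unknown'       no PHP version string found"""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    version = parse_php_version(text)
    if version is None:
        return {"version": None, "branch": None, "eol": None, "verdict": "unknown"}
    branch = f"{version[0]}.{version[1]}"
    eol = PHP_EOL.get(branch)
    if eol is None:
        # 5.5 and older lost support before 5.6 did; newer than 7.2 we simply don't track.
        verdict = "unsupported" if version[:2] < (5, 6) else "not_in_table"
    elif today > eol:
        verdict = "unsupported"
    elif (eol - today).days <= EXPIRING_WINDOW_DAYS:
        verdict = "expiring"
    else:
        verdict = "supported"
    return {"version": ".".join(map(str, version)), "branch": branch,
            "eol": eol, "verdict": verdict}

# Constructed inventory lines, not real hosts: what you would collect with
# `php -v` over ssh, or from the response headers of each site you operate.
SAMPLE_INVENTORY = {
    "legacy-crm": "PHP 5.6.38 (cli) (built: Sep 14 2018 17:32:15)",
    "www-storefront": "X-Powered-By: PHP/7.0.32",
    "new-intranet": "PHP 7.2.10-0ubuntu0.18.04.1 (cli)",
    "static-brochure": "Server: nginx/1.14.0",
}

def inventory(samples, today):
    """Map each host to its verdict so the ones needing work stand out."""
    return {host: check_support(text, today)["verdict"] for host, text in samples.items()}

if __name__ == "__main__":
    for host, verdict in inventory(SAMPLE_INVENTORY, "2018-10-22").items():
        print(f"{host:16} {verdict}")
```

Run as of the post’s date and both the 5.6 and 7.0 hosts come back “expiring”; run it again on January 1 and they flip to “unsupported”.  A server that reports no PHP at all (the nginx line) is reported as “unknown” rather than quietly passed, because a missing header does not prove PHP is absent.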

If you don’t plan to upgrade, the only question to ask is


Information for this post came from ZDNet.


Voice Hacking is on the Rise

Hacking is a moving target.  And continues to move.

As banks consider using biometric authentication in the place of passwords, hackers are thinking about that too.

Researchers at Black Hat demonstrated that they could synthesize your voice well enough to fool personal digital assistants.

Already there are products on the market from Adobe, Baidu, Lyrebird, Cereproc and others that can do voice spoofing to one degree or another.

Consider this – you have a voice activated system that is trained to recognize your voice, or a person who knows you and would recognize your voice.  But it is not you.  It is a piece of software that is pretending to be you.

Over the next few years expect the price of this software to go down dramatically.

A hacker could, for example, embed your voice (or something that pretends to be your voice) in a video or audio clip that he or she tricks someone into playing to compromise something.  Just one possible scenario.

Think of this as a complement to the deep fake videos we are already seeing, where software puts the head of, say, a political candidate onto the body of a porn star.  That is pretty easy today.

Deep fake audio is next.

So what should security professionals, developers, business executives and end users consider?

If something, like biometric authentication, seems too good (or too secure) to be true, it likely is too good.  A voice is not a secret: it is recorded every time you speak on the phone or post a video, and what can be recorded can be synthesized.

Consider the risks.

Use it as only one part of the authentication process.

For high risk processes, use two or even three factors.

Sorry.  When security meets convenience, convenience usually means poor security.

Just sayin’!

Information for this post came from Entrepreneur.



Attacks Against Office 365 Continue

Since Office 365 is the dominant office productivity suite, knocking Google on its butt, it is not a surprise that hackers are going after it hard.  To compare, I didn’t find great numbers, and Google probably does not want me to do this comparison, but Office has 120 million paid users as of 2017 and Google has about 3 million paid users.  It is obvious why hackers go after Office.  To be fair, Google has a boatload of free users, but since those are predominantly consumers and really small businesses, the amount and quality of data to steal makes those free users a much less compelling target.

About a month ago, scammers were using emails with text in zero point type to bypass Microsoft’s security tools.  The scanner reads the invisible characters, so the words it is looking for are broken up, while the reader sees only the clean visible text.  Apparently Microsoft must have thought that if you can’t see it (after all, zero is small), it can’t be a problem.  Not so.

Then hackers figured out a way to split URLs into pieces so that the scanner never saw the whole malicious link.

Now that Microsoft has closed those loopholes (the sheer beauty of cloud software – make a fix and, in a few seconds, 120 million users are protected), the hackers have moved on.

So what are the hackers doing now?

In this attack, the victim receives an email with a link to collaborate on a SharePoint document.  Of course, this email is a scam.  When the user clicks on the link in the invitation, the browser opens a real SharePoint file, hosted on Microsoft’s own domain.

Inside the SharePoint file is a button to open a linked OneDrive file.  That link is malicious and at that point the game is over.  It leads to a login page that looks like Office 365, so the hacker has the user’s Office credentials, since the user types them in to open the OneDrive file, and can install malware on the victim’s computer.

Unfortunately there is no easy way to block this attack: the link in the email points at a legitimate Microsoft-hosted file, so URL reputation filters pass it, and the malicious link lives inside the document rather than in the message.

So what should you do?

First, if you have two factor authentication turned on (everyone should!), then stealing your password is a much less effective attack.

Next, be suspicious.  Check the link address and ask why you are getting this collaboration request.  Check OUT OF BAND whether the person who you think sent the request actually did send it (like talking to the person on the telephone using that antique VOICE feature).

Third, hover over links first and look at the underlying address.  If you can’t see the address or it doesn’t look right, stop and talk to your security team.
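As an added example (mine, not from the post or from The Hacker News), here is the automated version of the hover check above, combined with a check for the zero point text trick mentioned earlier: it parses an HTML message body, reports any text styled with a zero font size, and flags links whose visible text looks like a URL on a different host than the one the href actually points to.  The sample message, the regexes and the host comparison are constructed assumptions, not a real campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: the visible text says SharePoint,
# a zero-size span hides junk inside the word, and the first link displays a
# Microsoft-looking URL while pointing somewhere else entirely.
SAMPLE_EMAIL = """<html><body>
<p>Hi, I've shared a document with you on Share<span style="font-size:0px">xq</span>Point.</p>
<p><a href="https://sharepoint-invite.example/login">https://contoso.sharepoint.com/sites/finance/Q3.docx</a></p>
<p><a href="https://contoso.sharepoint.com/sites/finance/Q3.docx">Open in SharePoint</a><br></p>
</body></html>"""

_ZERO_FONT = re.compile(r"font-size\s*:\s*0(\.0+)?(px|pt|em|%)?\s*(;|$)", re.I)
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
_VOID = {"br", "img", "hr", "meta", "link", "input"}  # elements with no end tag

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) per anchor, plus any text hidden by a zero font size."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.hidden_text = []
        self._href = None
        self._text = []
        self._hidden_depth = 0
        self._stack = []  # one bool per open element: does it hide its contents?

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(_ZERO_FONT.search(attrs.get("style") or ""))
        if tag not in _VOID:
            self._stack.append(hidden)
            if hidden:
                self._hidden_depth += 1
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []

    def handle_endtag(self, tag):
        # A missing end tag on a hiding element would leave us in "hidden" mode;
        # acceptable for a triage tool, since that itself is suspicious markup.
        if tag not in _VOID and self._stack:
            if self._stack.pop():
                self._hidden_depth -= 1
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._hidden_depth:
            self.hidden_text.append(data)  # invisible to the reader, visible to a filter
        elif self._href is not None:
            self._text.append(data)

def inspect_email(html):
    """Return a list of (finding, detail) tuples for one HTML message body."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    if parser.hidden_text:
        findings.append(("zero-size text", "".join(parser.hidden_text)))
    for href, text in parser.links:
        if not _LOOKS_LIKE_URL.match(text):
            continue  # plain words like "Open document" cannot contradict the target
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        real_host = (urlparse(href).hostname or "").lower()
        if shown_host != real_host:
            findings.append(("link text/target mismatch", f"{text} -> {href}"))
    return findings

if __name__ == "__main__":
    for kind, detail in inspect_email(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

On the sample it reports the hidden “xq” and the first link, whose displayed text names contoso.sharepoint.com while the href goes to a look-alike domain; the second link, whose text is plain words, is left alone because words cannot contradict a target the way a displayed URL can.  A link that really does point where its text says (as in the SharePoint-hosted first hop described above) passes this check, which is exactly why the out-of-band confirmation in the previous step still matters.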

User training is key here and there are some very cost effective solutions out there.

And, of course, if you have questions, contact us.

Information for this post came from The Hacker News.


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with its third party vendor – which, from the bank’s point of view, is a fourth party vendor risk.

The small bank wants to issue credit cards, so it hires TCM; TCM hires someone else, and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The feds – the FFIEC, the OCC or the FDIC – plus the state regulators will be asking lots of embarrassing questions.  Those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March and another 400 in April.  In May, the month at the end of which GDPR came into effect, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Russians or the Chinese look at their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of its customers, said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way toward killing that value.

Luckily it seems to be happening on new phones, so if Samsung can figure out what is happening it can develop a patch, and that patch would likely be made available to the users of those phones.  If it is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about two years.  This also assumes that users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth such report over the last 8 years that the UK government has issued, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.



Security News for the Week Ending Friday August 3, 2018

Old Hacks Never Die

Brian Krebs is reporting that state government agencies are receiving malware laced CDs in the mail, in the hope that someone is curious enough to put one in a computer and infect it.  This is an older version of a ploy that is still common: dropping malware infected flash drives in areas outside businesses, like break areas, again hoping that curious workers will plug them into their computers.

The simple solution is not to do it, and to hand the media to your information security team to review.  Source: Krebs on Security.


23andMe Licensed All Customers’ DNA to Big Pharma

In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.

23andMe made a deal with GlaxoSmithKline (GSK) to provide its customers’ DNA data for “research”, whatever that means.  The deal lasts for four years.  I am not sure what happens after four years – do they have to give back everyone’s DNA?  Probably not.

And, kind of like Google, 23andMe got a check for $300 million, but did not share that with the people whose DNA it sold.

23andMe says that you can opt out of letting them sell your DNA when you sign up.  Apparently I opted out.  You can also change that option at any time, but it is not obvious how to do that.  It is buried in the research tab after you sign in.  I assume that change is not retroactive.  If you didn’t opt out, GSK has a copy of your DNA.  Source: Motherboard.

More Woes for CCleaner

CCleaner, the popular utility for cleaning up your computer, has added some more woes to its basket.

Avast, the security firm, bought Piriform, the maker of CCleaner, last year.  Right after the sale, CCleaner was found to be distributing a malware laced version of the software.  Over a million copies of the infected software were downloaded, but the second stage payload only targeted a handful of victims.  That was done by an attacker.

This problem is self inflicted.  The new version of CCleaner has a data collection feature which vacuums up information about the user’s computer, with no way to disable it and no way to opt out.

Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law GDPR which could result in a fine of the larger of 20 million Euros or 4% of their global revenue.  They are rethinking the wisdom of doing this and will release a new version of the software.  Real soon.  Source: ZDNet.

Idaho Inmates Hack Prison Issued Tablets

Prisons in Idaho issue inmates specially locked down tablets to send emails to loved ones and for other limited functions.  Some of those functions cost money, and that is where the rub comes in.  The tablets, managed by a vendor called JPay, were hacked by several hundred inmates to the tune of almost a quarter million bucks.  Now JPay is trying to get its money back.  At least it is not taxpayer money.  Source: TechCrunch.


The Hidden Landmine When Buying (or Even Renting) a Home

All of us are used to using the Internet, right?

What if you moved into your new home and after you paid for it and moved in you found out there was no Internet service available?

One business in New York was told that Charter Communications, the local cable provider, would be happy to connect it.  The only problem was that the business needed to pay Charter $138,000 first.  Charter, being a nice company, offered to pay $5,000 toward that, so the company would only owe $133,000 and change.

This story is repeated over and over across the country.

People are often told by the local Internet Service Provider that they can get service only to find out when they actually try that it is not available.

I am going to use my personal situation to illustrate the case.

I live about 30 minutes from downtown Denver, Colorado.

Where I live there is no cable at all, so cable Internet is not an option.

The phone company offers DSL at the WHOPPING speed of one and a half megabits per second.  Not 1.5 gigabits, 1.5 megabits.  Under FCC rules, that doesn’t even qualify as broadband Internet.

Only problem is that there is no available capacity and the phone company has no plans to add capacity.

Worse yet, if you are one of the super lucky folks to have this speedy service and you sell your house, the person who buys it doesn’t get your connection.  The connection goes back into inventory and you, the new buyer, go to the end of the list.  You may get Internet in a few years; hope you can wait.

There is also no cell service where I live, so no cell calls, no text messages, no cellular Internet.  The cell companies all offer a little box called a femtocell that simulates a cell tower to give you service.  It works great, actually, as long as you have some other form of Internet connection to carry the signal from your house back to the cell carrier.

Granted I live in a sort of rural area about 25 miles from downtown Denver, but the guy who was presented with the $133,000 bill  – he was in New York City.

And sometimes, if you CAN get service, the wait time for a connection can be 6 months to a year.

That leaves you (or me) with two options:

  1. Satellite Internet.

Satellite Internet is a horrible last resort.  You basically pay by the bit and if you go over your limit, they slow down your service to a crawl or shut you down.  Worse yet, many things like Internet telephones (VoIP), VPNs for connecting to your business and those cell extenders do not work on satellite Internet.

So, while they are horribly expensive, slow and don’t work for many things, they are pretty much universally available as long as you have a clear view of the sky.

2. Point to Point Microwave.

That is what I have.  It used to be horrible, but over the last few years it has gotten much better.  All my software works, and the particular plan that I have has a cap, but it is large, and there are other plans that don’t have a cap.  It is, however, pretty expensive ($70 a month for only 20 megabits/second – way faster than I had with Qwest, but 1/10 the speed of cable; that price does include voice and long distance).

The only problem with P2P microwave is that you have to be within the range of a receiving tower and you have to have a clear line of sight to that tower.

My provider has two towers in the area.  The only one that I have line of sight to will not run faster than 20 megabits/second.  The other tower, which one of my neighbors can see (he is higher up than me), supports 50 megabits/second.  The provider says that it is not likely that I will ever see 50 megabits/second on my tower.

What this means is that Netflix crashes regularly.  I don’t have any little kids who gobble up bandwidth like no one’s business.  If you wind up with service like this, plan on rationing Internet.  Your kids will be thrilled.

So what do you do, especially if the Internet providers are, apparently, bald faced liars?

Unfortunately, you are not in the driver’s seat.

One thing that you can do is place the order, as opposed to just asking, and see if the order goes through.  Just make sure you can cancel it before the install in case you don’t actually get the house.  The problem with this is that you may not find out that they cannot provide service until the day of installation.  That happened when my son bought his house.  They came out and said: Oops.  Sorry.

Another thing to do is to research options.  In many places there are not a lot of options:

  • Cable
  • Phone company
  • Independent Internet providers
  • Point to point microwave
  • Satellite
  • Cell (really bad idea – slow, unreliable and expensive)

See HOW MANY of these options are available and what each one costs, what the limits are and what things that you want to do won’t work.

Make sure that at least 2 or 3 acceptable options, while distasteful, are available.  That way, at least, if you have to resort to option 2 or even option 3, you at least know that you can get something.

Assume that you will not have Internet for a while when you move in.  Maybe a few days; maybe a few weeks; maybe even a few months.  I managed the IT of a business that was much closer to downtown Denver and it took us 6 months to get Internet.  Try running a business for 6 months without Internet.  If that is a problem, plan an alternate.  Unfortunately, the alternate may not be attractive.  Maybe you can work at your office, if one is available.  Whatever.


Information for this post came from Motherboard.
