A patch for a critical vulnerability in Apache Struts was released this month. The vulnerability, which is being actively exploited by cyber criminals in ransomware attacks, allows the remote execution of commands on the server. Non-Microsoft patches are more likely to be missed, given that the patch process for Apache servers is often a manual one. It is essential to check that any internet-facing Apache server software is constantly kept up to date; in this case, make sure the Struts framework element, as used with Java EE web apps, is running a non-vulnerable version, either Struts 2.3.32 or Struts 2.5.10.1.
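One way to run that version check across a server's web app directories is sketched below. It is an added example, not code from Apache or from the original post. It assumes the Struts core library is deployed under the usual `struts2-core-<version>.jar` file name, either loose on disk or inside a `.war` archive, and the `classify`, `scan` and `demo` names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

# Fixed releases named in the post, keyed by release branch.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
# Assumption: the core library is shipped as struts2-core-<version>.jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def classify(version):
    """Return 'ok', 'outdated' or 'unknown' for a dotted version string."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "unknown"  # branch not mentioned in the post; review by hand
    # Tuples compare element-wise, so (2, 5, 10) sorts below (2, 5, 10, 1).
    return "ok" if parts >= fixed else "outdated"


def scan(root):
    """Yield (location, version, status) for Struts core jars under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_RE.search(name)
            if m:
                yield path, m.group(1), classify(m.group(1))
            elif name.endswith(".war") and zipfile.is_zipfile(path):
                # Web apps usually bundle the jar under WEB-INF/lib/.
                with zipfile.ZipFile(path) as war:
                    for entry in war.namelist():
                        m = JAR_RE.search(entry)
                        if m:
                            yield f"{path}!{entry}", m.group(1), classify(m.group(1))


def demo():
    """Build a constructed sample tree (not real data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "struts2-core-2.5.10.1.jar"), "wb").close()
        open(os.path.join(root, "struts2-core-2.5.10.jar"), "wb").close()
        with zipfile.ZipFile(os.path.join(root, "shop.war"), "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
        return sorted((v, s) for _loc, v, s in scan(root))


if __name__ == "__main__":
    for version, status in demo():
        print(version, status)
```

To use it on a real host, call `scan()` on the application server's deployment directory and follow up on every `outdated` or `unknown` result.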
It is officially 'goodbye Vista' next month: as of 11 April 2017, Microsoft will no longer support Windows Vista, which means no further security updates to fix new vulnerabilities, either free or via paid assisted support options. So if you have Windows Vista, either upgrade or apply additional security measures, such as application whitelisting, to be safe. It is less overhead and cheaper long-term to upgrade to a supported Operating System in my view.
Finally, the UK Government Digital and Culture Minister, Matt Hancock, is pushing for further adoption of the Cyber Essentials scheme, insisting all government contractors hold a Cyber Essentials certificate. A number of businesses have also agreed to require their suppliers to achieve Cyber Essentials, including Barclays, BT, Vodafone, AstraZeneca, Airbus Defence & Space and Intel Security. Hancock said: “We know the scale of the threat is significant: one in three small firms and 65% of large businesses are known to have experienced a cyber-breach or attack in the past year. Of those large firms breached, a quarter was known to have been attacked at least once per month.” Cyber-security is one of the seven pillars of the government's digital strategy, he said. “It's absolutely crucial UK industry is protected against this threat – because our economy is a digital economy.”
- UK Government Push for firms to adopt Cyber Essentials
- Major Spam operation River City Media Suffers Data Leak of 1.4 Billion Records
- Home Depot to pay $25M in Breach Settlement
- Up to 43,000 affected by ABTA (UK travel agent) Data Breach
- Confidential docs, passwords & health data inadvertently shared on Office 365
- VeriFone Investigating Breach of its Internal Corporate Network
- Two Major US technology firms 'tricked out of $100m'
- UK iPhone users fooled by fake Ransomware
- Critical Patch for Apache Struts; Vulnerability is actively being Exploited
- Microsoft release 9 Critical Patches for IE, Edge, Hyper-V, Windows & Flash Player
- No more Security Patches for Windows Vista from 11 April
- WordPress 4.7.3 Patches Half-Dozen Vulnerabilities
- One Million Yahoo and Gmail account passwords for sale on the Dark Web
- How the SHA-1 Collision Impacts Security of Payments