BLOG

Luke Fahey

Cyber Alert - Multiple Vulnerabilities in Apple Products 18-08-2022

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

DATE(S) ISSUED:

18/08/2022

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

For full details and actions to protect your devices and systems, follow the link to the Center for Internet Security or reach out to our friendly cyber experts below.

DETAILS:

  • macOS Monterey is the 18th and current major release of macOS.

  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.

  • iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with that user, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system are less impacted than those who operate with administrative rights.

To discuss cybersecurity protection strategies for your business, reach us here https://www.advance.net.au/contact

Or call us on +618 8238 6500

Luke Fahey

Whitepaper | Navigating the maze of Anti-Malware technologies in the SAAS era

Alert, but not Alarmed

We are all on the front lines in the fight against cybercrime, both at work and at home.

It's increasingly common for criminals to lock either your work or personal files, then demand a ransom payment in return for unlocking them.

This is called a ransomware attack and there are some very easy steps you can take to protect yourself and your family.

 

What are the signs of a Ransomware attack?

  • Dodgy Emails - Criminals usually try to put Ransomware onto your computer through illegitimate websites, or infected attachments. Be very wary of emails from people you don’t know or didn’t expect, particularly if they contain links to other websites or attachments.

    If you've recently received an email from someone you don't know, or that didn’t look quite right and have already opened the link or attachment, be alert.

  • File names - If your file names, or the extension after the dot (the .txt in example.txt), are changing, this could be a sign your files are being locked.

  • Can't access files - If you are unable to open files you could open before, this could be a sign they have been locked.

  • Ransomware notice - Once a certain number of files are locked, the criminal will display a notice, usually demanding urgent payment in an online currency such as Bitcoin.
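The file-name sign above is something an endpoint agent or a file-server audit log can watch for automatically. The following is an added example, not code from Advance or from any product: it takes a list of rename events and raises an alert when many files are renamed to an extension outside an allowlist within a short window, which is what an encryptor turning report.docx into report.docx.locked looks like. The event format, the allowlist, the 60-second window and the threshold of 20 renames are assumptions, and the events are constructed.

```python
"""Added example: flag a burst of file renames that change extensions.

Rename events are constructed here to stand in for what an endpoint agent or a
file-share audit log would report. The allowlist, the 60-second window and the
threshold of 20 renames are assumptions to tune for your environment.
"""
from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath

# Extensions people legitimately rename files to; anything else is treated as unknown.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".bak", ".tmp"}


@dataclass(frozen=True)
class RenameEvent:
    ts: float       # seconds (epoch or any clock that is consistent across events)
    old_path: str
    new_path: str


def new_extension(ev: RenameEvent) -> str:
    return PurePosixPath(ev.new_path).suffix.lower()


def is_suspicious(ev: RenameEvent) -> bool:
    """True when the rename changed the extension to one outside the allowlist."""
    old_ext = PurePosixPath(ev.old_path).suffix.lower()
    new_ext = new_extension(ev)
    return old_ext != new_ext and new_ext not in KNOWN_EXTENSIONS


def detect_rename_burst(events, window_s=60.0, threshold=20):
    """Return details of the first window holding at least `threshold` suspicious
    renames within `window_s` seconds, or None when no such burst exists."""
    suspicious = sorted((ev for ev in events if is_suspicious(ev)), key=lambda e: e.ts)
    start = 0
    for end, ev in enumerate(suspicious):
        # Slide the window start forward until every event in it is within window_s of `ev`.
        while ev.ts - suspicious[start].ts > window_s:
            start += 1
        window = suspicious[start:end + 1]
        if len(window) >= threshold:
            ext_counts = Counter(new_extension(e) for e in window)
            return {
                "first_seen": window[0].ts,
                "triggered_at": ev.ts,
                "renames": len(window),
                "dominant_ext": ext_counts.most_common(1)[0][0],
                "examples": [e.new_path for e in window[:3]],
            }
    return None


def sample_events():
    """Constructed log: a user tidying two files, then 25 documents renamed to .locked in 12 s."""
    events = [
        RenameEvent(1000.0, "/home/jane/docs/draft.tmp", "/home/jane/docs/draft.docx"),
        RenameEvent(1030.0, "/home/jane/docs/old.docx", "/home/jane/docs/old.bak"),
    ]
    for i in range(25):
        events.append(RenameEvent(5000.0 + i * 0.5,
                                  f"/home/jane/docs/report{i}.docx",
                                  f"/home/jane/docs/report{i}.docx.locked"))
    return events


if __name__ == "__main__":
    alert = detect_rename_burst(sample_events())
    if alert:
        print(f"ALERT: {alert['renames']} files renamed to {alert['dominant_ext']} "
              f"starting at t={alert['first_seen']}; e.g. {alert['examples']}")
    else:
        print("no rename burst detected")
```

Some ransomware writes a new encrypted file and deletes the original rather than renaming it, so in practice pair this with a check on write volume or on the entropy of newly written files. A bulk rename to a known extension (a .tmp clean-up, say) stays below the radar here, which is what the allowlist is for.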

What should I do if I notice the signs?

  • Immediately power off - Once the computer is completely powered off, no more files on it can be locked and it cannot spread the ransomware to other computers in your home or office. Files that were already locked stay locked, so the remaining steps still matter. In a workplace, if the IT team has told you to pull the network cable and leave the machine running instead (so that evidence in memory is preserved), follow their instructions.

  • Remove any network cables - To ensure the ransomware cannot spread once the computer powers on again, remove any network cables. For Wi-Fi laptops, switch any physical Wi-Fi buttons to the off position.

  • Contact support - In the workplace, the IT department should be made immediately aware. At home, you will need to contact whoever does your IT support. You may want to call a professional.

  • Don't pay - If you pay the ransom, you are relying on the criminal's good nature to unlock the files, which may well not happen. Even if it does, you will be marked as someone willing to pay ransoms and targeted again in the future.

Is there anything I can do to reduce the risk of this happening to me?

Absolutely. At work, many of these are done for you by the IT team; at home you will need to do them yourself:

  • Install patches - Your operating system and any programs you have installed will often need updating or patching. These are very important, as they are the manufacturer fixing problems that criminals may exploit. Make sure all of your software is regularly patched, and allow patches to install as soon as possible.

  • Anti-virus - Ensure you have anti-virus software installed and running, and that it is up to date.

  • Backups - While these won't stop you getting ransomware, they make it possible to recover your locked files without paying a ransom. Wherever possible, store backups separately (offline, or in a separate account the computer cannot reach), so criminals cannot erase or lock them if they do gain access to your computer.

  • Block macros - Microsoft Office macros are a very common way for criminals to gain access to your computer. Having these switched off by default helps protect you against this form of attack.

  • Administration privileges - Accounts with administrative privileges can install and run applications (including ransomware). While it's inconvenient to switch to a different account each time you want to install new software, working day to day from a standard account can stop a criminal installing ransomware in the background while you are unaware.

To discuss cybersecurity protection strategies for your business, leave your details below and an expert will get back to you.

Or call us on +618 8238 6500

Luke Fahey

Whitepaper | Business Email Compromise - The most lucrative form of cybercrime

Who Am I Really Speaking To?

Email-based scamming has quickly become the leading cause of financial loss for Australian businesses and individuals, with criminals now taking around $132,000,000 each year.

This CyberGuide will show you how to protect yourself and your family by identifying the warning signs and commonly used scams.

Email-based scams have grown in popularity recently due to the speed at which criminals can run them, along with the lucrative returns they generate.

What is an Email Scam?

Often called Email Compromise or Business Email Compromise, email scams are where a cybercriminal uses social and technical tricks to make a person think they are exchanging emails or text messages with someone they already know. The cybercriminal then uses the trust of the relationship to have bank details updated, or initiate the transfer of funds, goods or gift cards.

What Are the Common Scams?

The false invoice:

John recently paid his builder for some renovation work. Later he found out that his builder had not received the payment. When they checked, the invoice and bank details John had paid had not been sent by the builder. Instead, they were sent by criminals using a fake email address that looked very similar to the builder's.

Supplier Impersonation

Jane works in the finance team. She received a routine email from a regular contact at a long-standing supplier advising of a change in their bank details. Jane checks the email address and it is correct and has been used many times in the past, so she makes the change.

In fact, Jane’s regular contact has unknowingly had her password stolen, and criminals have logged in to her email account. The next legitimate payment to the supplier will be sent to the criminal's bank account.

CEO Fraud

Gary is the executive assistant to the CEO and has just received a text message from a number claiming to be the CEO's personal mobile. The message says that his boss is out with some potential new clients and urgently needs some iTunes gift cards to give them to seal the deal. Could Gary please buy some, SMS the codes, and expense the cost tomorrow?

Of course, the phone number does not belong to his boss, and his boss did not make the request. Instead, the gift cards will go to the criminals to be sold on the black market.

Employee Impersonation

Linda from the Payroll team has received a request from an employee to have their bank details changed in the Payroll system. What has actually happened is that a criminal has covertly gained access to the employee's username and password and is trying to divert the employee's next salary payment to the criminal's bank account.

What are the warning signs to look out for?

  • An unforeseen change of bank details - Criminals often target changing bank details because there is no immediate payment involved, so it often does not trigger alarm bells.

  • An urgent payment request or threats of serious consequences if payment isn't made - urgency is very often used because it makes the intended victim rush and not consider the possibility of a scam.

  • Unexpected payment requests from someone in a position of authority - Criminals will often use the authority of the CEO or CFO to get potential victims to skip approvals and due process and rush payments.

  • An email address that doesn't look quite right, such as the part after the @ not exactly matching the supplier's normal email addresses - Criminals will create new email addresses with small changes to impersonate legitimate contacts, such as @Mircosoft.com instead of @Microsoft.com, or replacing the letter L with the number 1.

  • Personal or unrecognised email addresses or phone numbers - Criminals will create Hotmail and Gmail addresses using the first and last name of the person they are trying to impersonate, to trick the potential victim into believing it is a personal email address.

  • Personal information - Criminals will often use social media to gain information about a person they are trying to impersonate and relay it to the potential victim to build trust. Information such as close contacts, home location or current holiday location is used most commonly.

Criminals will often combine several of the above techniques, such as waiting for the CEO to post holiday pictures on Facebook, then using a fake email with the CEO's first and last name to request the urgent change of a supplier's bank details.
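The lookalike-domain and personal-address signs above can be checked mechanically against your contact directory before anyone picks up the phone. The following is an added example (not Advance's code, and not a product): it parses a From: header, normalises the common character swaps (1 for l, 0 for o, rn for m), measures how far the domain is from each known supplier domain, and flags a free webmail address carrying a known contact's name. The directory, the sample headers, the homoglyph table and the cut-off of one edit are constructed assumptions.

```python
"""Added example: check a From: header for the lookalike-domain and freemail tricks above.

The contact directory and the sample headers are constructed; the homoglyph table
and the one-edit cut-off are assumptions to tune.
"""
from email.utils import parseaddr

# Constructed directory: display name -> the address you have on file for that contact.
KNOWN_CONTACTS = {
    "Alice Nguyen": "alice.nguyen@acme-supplies.example",
    "Sam Patel": "sam.patel@microsoft.com",
}
_BY_NAME = {name.lower(): addr.lower() for name, addr in KNOWN_CONTACTS.items()}
KNOWN_DOMAINS = {addr.split("@")[1] for addr in _BY_NAME.values()}
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Characters criminals swap for look-alikes (the "l" versus "1" trick in the text).
SINGLE_GLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l"})
PAIR_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(label: str) -> str:
    """Fold look-alike characters so 'supp1ies' and 'supplies' compare equal."""
    s = label.lower().translate(SINGLE_GLYPHS)
    for pair, single in PAIR_GLYPHS:
        s = s.replace(pair, single)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so that 'mircosoft' is one step away from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_sender(from_header: str, max_distance: int = 1):
    """Return a list of (code, detail) findings. An empty list means the header matches
    the directory exactly; it does not prove the sending mailbox is not compromised."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return [("unparseable", from_header)]
    domain = addr.split("@", 1)[1]
    findings = []

    # Sign 1: a domain that is almost, but not exactly, one we know.
    if domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if osa_distance(normalise(domain), normalise(known)) <= max_distance:
                findings.append(("lookalike_domain", f"{domain} resembles {known}"))

    # Sign 2: a known person's name on an address that is not theirs.
    known_addr = _BY_NAME.get(name.strip().lower())
    if known_addr and known_addr != addr:
        if domain in FREEMAIL_DOMAINS:
            findings.append(("freemail_known_name",
                             f"{name} sent from {domain}; directory has {known_addr}"))
        else:
            findings.append(("address_mismatch",
                             f"{name} is on file as {known_addr}, not {addr}"))
    return findings


if __name__ == "__main__":
    for header in ["Alice Nguyen <alice.nguyen@acme-supplies.example>",
                   "Sam Patel <sam.patel@mircosoft.com>",
                   "Alice Nguyen <alice.nguyen@acme-supp1ies.example>",
                   "Alice Nguyen <alicenguyen88@gmail.com>"]:
        print(header, "->", assess_sender(header) or "no header anomaly")
```

Note what this cannot catch: in the Jane example above the address is the real one, because the supplier's mailbox itself was compromised, so an empty result means only that the header looks right. A phone call to a number from your own directory is still the control for any change of bank details.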

What can you do to prevent email scams?

  • Look out for the warning signs and be aware.

  • Don’t be afraid to use a phone call to verify identity – most email scams can be stopped with a simple phone call. Use your contacts or corporate directory (don't trust the signature or phone number in the suspicious email) to call them and double-check they did send the email you received.

  • Always check the full email address on suspicious emails, can you spot any minor changes?

  • Don't be rushed, take your time, follow all the correct processes and think about the possibility of scammers.

  • Report any suspicious emails to your IT and Security teams.

To discuss cybersecurity protection strategies for your business, leave your details below and an expert will get back to you.

Or call us on +618 8238 6500

Luke Fahey

Another Day, Another Breach - Why multifactor authentication and security policies are a big deal

“Another day, another breach” seems to be the common news across Australia at the moment.

Online research suggests that up to 38% of larger corporations have not implemented multifactor authentication across their workforce, leaving a gaping security hole for attackers.

Attackers regularly gain access to Australian business systems through phishing campaigns, stolen credentials, weak or previously breached cloud services and password sprays, to name a few techniques.

The question we get asked regularly is: how can we mitigate these risks?

Multifactor authentication is the first line of defence when it comes to protecting our online business resources and can be further enhanced with security policies and monitoring of these services.

What is multifactor authentication?

Multifactor authentication is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code from their mobile phone or providing a fingerprint.

Passwords on their own are an insecure vector for attack, and we regularly see breaches related to weak passwords or passwords shared across multiple services.

When users require a second form of authentication, security is increased, because this additional factor isn't something an attacker can obtain or duplicate from a stolen password alone. Not all factors are equal, though: codes sent by SMS and simple push-to-approve prompts can still be phished or worn down by repeated prompts, so an authenticator app or a hardware security key is preferable where you can use one.

How to enhance MFA?

In addition to multifactor authentication, we recommend businesses monitor all authentication and access attempts, successful and failed. This can be done via a security information and event management (SIEM) system to assist with detection of malicious actors, for example a single source trying one password against many different accounts.
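As an added example of the monitoring recommended above (not Advance's code, and not a SIEM product's rule language), the following reads JSON sign-in records of the kind an identity provider exports to a SIEM and classifies each source IP: a password spray (one or two attempts against many different accounts) or a brute force (many attempts against one account). The record fields, the ten-minute window, the thresholds and the sample log are constructed assumptions.

```python
"""Added example: classify failed sign-ins per source IP as a password spray or a brute force.

The JSON log lines are constructed to resemble what a SIEM ingests from an identity
provider; field names, the 10-minute window and the thresholds are assumptions.
"""
import json
from collections import defaultdict


def sample_log():
    """Constructed sign-in records: one spray, one brute force and one ordinary user."""
    base = 1660780800  # 2022-08-18 00:00:00 UTC
    records = []
    # Spray: one failure each against 12 different accounts from the same IP in 4 minutes.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank",
                              "grace", "heidi", "ivan", "judy", "mallory", "oscar"]):
        records.append({"ts": base + i * 20, "user": user, "ip": "203.0.113.7", "result": "failure"})
    # Brute force: 30 failures against a single account from another IP.
    for i in range(30):
        records.append({"ts": base + 1000 + i * 5, "user": "admin", "ip": "192.0.2.9", "result": "failure"})
    # Ordinary user: two typos, then success.
    records += [
        {"ts": base + 2000, "user": "bob", "ip": "198.51.100.5", "result": "failure"},
        {"ts": base + 2010, "user": "bob", "ip": "198.51.100.5", "result": "failure"},
        {"ts": base + 2020, "user": "bob", "ip": "198.51.100.5", "result": "success"},
    ]
    return "\n".join(json.dumps(r) for r in records)


def analyse_signins(log_text, window_s=600, spray_min_users=10, brute_min_failures=20):
    """Return {ip: finding} for every source IP whose failures, within some window of
    window_s seconds, fit a spray (many accounts, about one attempt each) or a brute
    force (many attempts on one account)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["result"] == "failure":
            failures[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Keep the window to the last window_s seconds ending at this record.
            while rec["ts"] - recs[start]["ts"] > window_s:
                start += 1
            window = recs[start:end + 1]
            users = {r["user"] for r in window}
            kind = None
            if len(users) >= spray_min_users and len(window) <= 2 * len(users):
                kind = "password_spray"
            elif len(users) == 1 and len(window) >= brute_min_failures:
                kind = "brute_force"
            if kind:
                findings[ip] = {"kind": kind, "accounts": len(users),
                                "failures": len(window), "window_start": window[0]["ts"]}
                break   # report the first window that crosses a threshold
    return findings


if __name__ == "__main__":
    for ip, finding in analyse_signins(sample_log()).items():
        print(f"{ip}: {finding['kind']} ({finding['accounts']} accounts, "
              f"{finding['failures']} failures)")
```

Real sprays are usually spread across many IP addresses and slowed to a few attempts per hour to stay under lockout thresholds, so the same counting is worth running per tenant and per user-agent as well as per IP, and over longer windows.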

It is also important to enforce authentication policies that deny access where it is not needed. For example, certain employees may never need email access from outside the office network or corporate VPN, so policies can be enforced to deny access from any other location.

What should you do?

Step 1 – Ensure you activate multifactor authentication in your organisation.

Step 2 – Enable conditional access

Step 3 - Adopt a secure password policy in conjunction with an enterprise password management system (e.g. LastPass)

 

Need Assistance?

Call Nik Villios or email Advance at sales@advance.net.au

We can help you secure your organisation, from a full audit to authentication and monitoring.

Make sure ‘another day, another breach’ does not become a mantra of your workplace.

Information Management - Luke Fahey

5 Things to Consider When Preparing for a Repository Neutral ECM


1. Business Requirements

Establish the business requirements as a clear goal for your project, and speak to all the departments across all locations and facilities in the organisation to get an indication of how many employees need access. On one of my early projects, the number of employees needing access increased from an initial 15 to 115 during business requirements discovery; fortunately the architecture scaled easily for the multi-site distribution of employees.


Be very clear about what you are trying to solve with each requirement, and ensure that each stakeholder has had a chance to provide their list of requirements. On a recent project, it became apparent that one of the biggest issues a majority of employees were having was needing information locked in a system they had no access to. This led to either using inaccurate or out-of-date information, or using inefficient methods to access the information through someone with a licence. Management hadn’t provided access because the licences were considered expensive, and weren’t aware of the impact the work-around methods were having on the organisation.

Prioritise the requirements with your project team, and base the order on importance, technical complexity, risk and cost to implement. On a project where we were asked to provide a solution to standardise the handling of proprietary formulas within an organisation, several steps leading up to the conception of these formulas needed to be in place before work could start on the formulas themselves.
 

2. Current Information Locations

Identify all existing locations where information is stored including documents in file shares and file syncing services like Dropbox and OneDrive, databases including financial, service & CRM information and portals. A quick way to get a concise list is to ask finance for details on the software subscriptions and maintenance they pay or have paid in the past.

Establish the current volume and the annual volume increase, as well as the types of information stored, e.g. proposals, invoices, drawings, customer service tickets, etc. Modern ECMs like M-Files utilise compression and binary delta algorithms to efficiently store versions of documents, so the annual volume increase for migrated repositories will be considerably less. The site admin at one of my projects stated that after moving to M-Files, where the chance of duplication and multiple versions of files was essentially wiped out, they went from network share storage increasing by 1TB per year to the M-Files vault increasing by only 50GB per year.


Determine which of these repositories need to remain in operation and which could be migrated into your ECM and retired. We usually migrate things like legacy Access databases that perform simple tasks, such as providing unique identifiers (e.g. batch numbers), into the ECM so it then provides the batch number as part of a workflow. You may have situations where it’s critical to preserve a legacy repository, such as a customer portal that allows service tickets to be raised. Its content can still be made available in the ECM for search and other purposes while its original functionality is preserved.
 

3. Security Requirements

Review the current levels of security within each repository that will be accessed via the ECM and map each to one of the scenarios listed below. The credentials used to access the external repository are determined by the type of access specified for the connection. As an example, providing public (read) access to Supplier and Customer lists may be appropriate for all users in the ECM, as this information is useful as metadata for other objects, whereas you may want to limit access to project-related data to the people in the project team. We often provide ‘metadata-driven’ permissions on project-based data by including ‘project team’ metadata with the project, so security access can be easily managed by the client.


The scenarios to consider when providing access to a repository via an ECM can be split into several categories:

Public

A common set of credentials is used to connect to the external repository, and the ECM then controls access to the content via its internal security, e.g. a public network share. Because every user reaches the repository through the same credentials, the ECM's permissions are the only control and need to be at least as restrictive as the access the share had before.

Public with Varying Permissions

Users and groups in the ECM are mapped to users and groups in the external repository to control access to specific content, e.g. a network share with ACL restrictions to certain groups.

User-Specific

The external repository dictates access rights, requiring ECM users to log in to the repository with their own credentials, e.g. SharePoint.
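The following is an added example (not M-Files' permission model or API, and not Advance's code) of the access decisions the scenarios above describe: objects of public classes such as Customer and Supplier are readable by everyone but editable by no one, project documents resolve their rights from the project's 'project team' metadata, and files drawn from a share with ACL restrictions resolve theirs through a mapping between ECM groups and the share's groups. The classes, groups, mapping and sample data are constructed assumptions; the rule throughout is default deny.

```python
"""Added example: resolve a user's rights on an ECM object from metadata.

Illustrates the 'Public' and 'Public with Varying Permissions' scenarios and the
'project team' metadata approach from step 3. Classes, groups, the group mapping and
the sample data are constructed; nothing here is M-Files' own permission model or API.
"""
from dataclasses import dataclass, field
from typing import Optional

# Classes every ECM user may read (they serve as metadata for other objects), but only read.
PUBLIC_CLASSES = {"Customer", "Supplier"}

# 'Public with Varying Permissions': ECM groups mapped to the groups the share's ACL uses.
ECM_TO_SHARE_GROUPS = {
    "Finance": {"DOMAIN\\Finance-RO", "DOMAIN\\Finance-RW"},
    "Engineering": {"DOMAIN\\Eng"},
}


@dataclass
class User:
    name: str
    groups: set


@dataclass
class Project:
    project_id: str
    team: set                  # metadata the client maintains: user names on the project


@dataclass
class Document:
    name: str
    object_class: str          # "Customer", "Supplier", "Project Document" or "Share File"
    project_id: Optional[str] = None
    share_acl_groups: set = field(default_factory=set)   # ACL groups from the external share


def rights(user: User, doc: Document, projects: dict) -> set:
    """Return the subset of {"read", "edit", "delete"} the user holds. Default deny."""
    if "Administrators" in user.groups:
        return {"read", "edit", "delete"}

    if doc.object_class in PUBLIC_CLASSES:
        return {"read"}

    if doc.object_class == "Project Document":
        project = projects.get(doc.project_id)
        if project is None:
            return set()       # dangling project reference: deny rather than guess
        return {"read", "edit"} if user.name in project.team else set()

    if doc.object_class == "Share File":
        mapped = set().union(*(ECM_TO_SHARE_GROUPS.get(g, set()) for g in user.groups))
        matched = mapped & doc.share_acl_groups
        if not matched:
            return set()
        return {"read", "edit"} if any(g.endswith("-RW") for g in matched) else {"read"}

    return set()


def sample_world():
    """Constructed users, projects and documents."""
    users = {
        "alice": User("alice", {"Engineering"}),
        "bob": User("bob", {"Finance"}),
        "root": User("root", {"Administrators"}),
    }
    projects = {"P-100": Project("P-100", {"alice"})}
    docs = {
        "customers": Document("Customer list", "Customer"),
        "design": Document("P-100 design.pdf", "Project Document", project_id="P-100"),
        "orphan": Document("old spec.docx", "Project Document", project_id="P-999"),
        "ledger": Document("ledger.xlsx", "Share File", share_acl_groups={"DOMAIN\\Finance-RW"}),
    }
    return users, projects, docs


if __name__ == "__main__":
    users, projects, docs = sample_world()
    print("bob on design before:", rights(users["bob"], docs["design"], projects))
    projects["P-100"].team.add("bob")   # the client edits project metadata, not the document
    print("bob on design after: ", rights(users["bob"], docs["design"], projects))
```

Because the project document never carries its own permission list, the client grants a new team member access by editing the project's team metadata, and every document in that project follows; the main block shows that change for one user.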
 

4. Hosting Requirements

Determine whether the system will be hosted on-premises, in the cloud or as a hybrid, to enable planning for hardware, review of service agreements with cloud providers, or both. We’ve found that, to avoid delay in starting projects, development can be done on cloud servers while hardware is procured and deployed, and then transferred once the on-premises environment is ready. It’s also quick and very easy to change cloud server specs to increase performance if needed.


Use the current volume plus the expected annual volume increase (from step 2) to determine what sort of backend the ECM requires, and to establish storage and backup requirements. M-Files recommend using the embedded database option (Firebird) up to 50,000 objects and Microsoft SQL Server once that has been exceeded. If using Microsoft SQL Server, you also have the option of storing the file data within the database or as separate files. There are pros and cons that I’ll go through in another blog.

Size the hardware based on the number of employees and the volume of data to be stored (from step 2), using the business requirements (from step 1) to help. Identify how the ECM will connect to each external repository (local or cloud), and whether that connection can be made directly or needs a VPN. Where connectivity is difficult, it may be feasible to maintain a local copy that’s refreshed periodically, or use technology that provides these capabilities.

5. Access Requirements

Establish how employees will access the ECM, keeping in mind it will become the central point for reaching the connected external repositories. Most ECMs support access through Windows desktop clients, web access and mobile clients. If the ECM will be available externally, securing access via TLS (HTTPS) or a VPN is critical. On most of our M-Files deployments, our clients not only want access to M-Files via their mobile phone, but also on their laptops from anywhere. We use their TLS certificate (required for mobile access) and set up what M-Files calls ‘RPC over HTTPS’ so their M-Files Desktop client connects securely whenever an internet connection is present. If you want to know more about setting up RPC over HTTPS for M-Files, contact us.


Some ECMs support replication strategies where servers can be hosted in multiple locations and cache or replicate from a central location to provide efficient access to information. We’ve delivered successful projects where M-Files outperformed SharePoint when deployed to a customer’s remote locations as ‘cache’ servers that connect back to the main M-Files server via hardware-based VPNs over 3G links. Consideration needs to be given to the technologies available to help meet access requirements.

For more information on M-Files contact us

Cloud Services, Disaster Recovery - Luke Fahey

Is Your Disaster Recovery Up To Date?


What should I do with my old hardware?

An all too common trend in the IT industry is to give ex-production hardware a new lease of life running the disaster recovery site. Tight budgets often restrict capital expenditure to areas where real value is visible, and the impacts and results are noticed throughout the organisation. 

These initial savings can be quickly forgotten when an unplanned incident forces the switch over to your disaster recovery site. Previous testing may have been successful on the DR equipment during your routine maintenance and test restores, but when a major incident occurs, are you confident that your DR is up to the task?

These are the questions you should ask yourself:

Will the dated hardware run our complete production workload?

How big is the impact on our users?

How long can we operate utilising the DR site before losing business?

How big is the impact on our customers?

It is not unusual for companies to consider having high-end hardware offsite, doing nothing 98% of the time, to be a waste of resources…

The key is to justify the initial expense, leveraging the DR site to provide an additional return on investment. An effective strategy is to live boot a complete clone of the production environment on a separate virtual segment, presenting a fast and accurate test development system.

Utilising Veeam combined with HPE Nimble Secondary Flash Array technology and your favourite hypervisor, you achieve a fast, production-ready DR solution, with the additional benefit of a fully functional test or development system at your fingertips that can be spun up in minutes. Keep that clone on the isolated virtual segment described above, so it never answers for production systems while they are still running.

If you want to learn more about disaster recovery solutions, please contact the team at Advance today.

Luke Fahey

Preventing Data Leakage


Are you at risk of leaking data?

We see the headlines on a regular basis: ‘…details of any Australian for sale on darknet’, ‘Personal details of world leaders accidentally revealed…’ These regular occurrences highlight a major problem facing today's businesses, a problem which only continues to grow.

It is hard to measure the cost to a business once an incident has occurred. Damage can go well beyond monetary values, and often the biggest damage to a business is to its reputation, with customer data making up 73% of leaked information (based on publicly disclosed breaches).


An IBM survey suggests that the average estimated cost is around 2.6 million dollars for a business to recover from such an event.

However, the question shouldn’t be ‘how much would it cost to fix’, the question is how do we prevent data leakage?

First let’s get an understanding of the leading causes of data leakage and the types of data involved.

The threat of data leakage can be split into two categories, internal threats and external threats. As you would have guessed, internal threats are made up of employees, contractors, business partners and others with insider access. External threats are usually cyber criminals, hacktivists or competitor-sponsored attacks. There is also a middle ground, where someone inside the company assists an external threat.

Although we have listed insiders as internal threats, it is important to note that 96% of insider data leakages are caused by inadvertent actions, often relating to malware, stolen devices and/or failure to follow internal IT policies.

What’s the Solution?

The good news is that there are many technical solutions and products designed to mitigate these risks, both inside and outside the organisation.

It is imperative to build a sound strategy around data leakage. Below are the key requirements of a Data Loss Prevention (DLP) program:

  1. Identify / Prioritise data – Not all data is equal

  2. Categorise data – Apply persistent classification tags to the data that allows tracking throughout the organisation

  3. Monitor data movement – Identify what processes put data at risk

  4. Communication and Policy – Develop polices surrounding DLP and acceptable use of company resources

  5. Employee Education – Employees often don’t realise that their actions can result in data leakage. A strong employee educational focus in conjunction with policies and procedures can reduce the insider data leakage risks in an organisation by up to 80%
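As an added example of points 2 to 4 above (not Advance's code, and not any DLP product's rule set), the following tags a piece of text with a classification based on what it contains and then checks a proposed transfer of that content against a policy table. The detectors use two checks that are public and well known: the Luhn checksum for payment card numbers and the Australian Tax File Number check digit (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; weighted sum divisible by 11). The labels, the policy table and the sample text are constructed assumptions.

```python
"""Added example: tag content with a classification and check a transfer against policy.

The card-number detector uses the public Luhn checksum and the TFN detector the
Australian Tax Office's check-digit rule; the labels, the policy table and the sample
text are constructed assumptions.
"""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Destinations each label may travel to; anything not listed is blocked (default deny).
TRANSFER_POLICY = {
    "Public": {"internal_share", "external_email", "usb"},
    "Internal": {"internal_share"},
    "Confidential": {"internal_share"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tfn_ok(digits: str) -> bool:
    """TFN check digit: weighted sum of the nine digits must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def classify(text: str):
    """Return (label, findings). Findings carry only the last digits so the tag can be
    justified without copying the sensitive value into a log."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("credit_card", digits[-4:]))
    for m in TFN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if tfn_ok(digits):
            findings.append(("tfn", digits[-3:]))
    if findings:
        return "Confidential", findings
    if "internal use only" in text.lower():
        return "Internal", []
    return "Public", []


def check_transfer(label: str, destination: str) -> bool:
    return destination in TRANSFER_POLICY.get(label, set())


def monitor(text: str, destination: str):
    """Classify the content and decide whether moving it to `destination` is allowed."""
    label, findings = classify(text)
    return {
        "label": label,
        "destination": destination,
        "allowed": check_transfer(label, destination),
        "reasons": [f"{kind} ending {tail}" for kind, tail in findings],
    }


if __name__ == "__main__":
    sample = "Invoice for card 4111 1111 1111 1111, TFN 123 456 782"   # constructed text
    for dest in ("internal_share", "external_email"):
        print(monitor(sample, dest))
```

Pattern plus checksum still produces false positives (roughly one random 16-digit number in ten passes Luhn), so production rules add context such as nearby words, file type or source system. The findings deliberately record only the last digits, so the DLP log does not itself become another copy of the sensitive data.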

For more information on Data Leakage or other IT Solutions contact us
