You are here

Home » Cybersecurity

Cybersecurity

Mitsubishi Electric MELSEC-Q Series PLCs (ICSA-19-029-02)

The NCCIC has published an advisory on resource exhaustion vulnerability in Mitsubishi Electric MELSEC-Q Series PLCs. Numerous products and versions of these products are affected. Successful exploitation of this vulnerability could allow a remote attacker to send specially crafted packets to the device, causing Ethernet communication to stop. Mitsubishi Electric has produced a new version of the firmware. The NCCIC also advises on a series of mitigating measures for this vulnerability.

Tax Identity Theft Awareness Week

Tax Identity Theft Awareness Week is January 28 to February 1. This annual campaign aims to help consumers be more informed about protecting themselves from tax-related identity theft and scams. Tax-related identity theft occurs when someone steals a Social Security number and uses it to claim a tax refund or get a job. The NCCIC encourages consumers to review the Internal Revenue Service (IRS) publication Taxes. Security.

Security Practitioner’s Guide to Email Spoofing and Risk Reduction

An article from Digital Shadows explains email spoofing in detail and provides a practical guide for how an organization can fight this tactic and reduce the risk of successful phishing attempts. The article discusses the traditional approach of bolting on security plugins to the Simple Mail Transfer Protocol (SMTP), while advocating for more advanced measures like implementing the Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM).

The Critical Role of Cybersecurity in Keeping Public Works Infrastructure Operational

Mark Ray, the director of Public Works for Crystal, Minnesota and chairman of the Emergency Management Committee at the American Public Works Association, has written an article describing the importance of maintaining cybersecurity for the systems and devices that are used to support the operations of public works. Besides malicious actors, he notes that threats to equipment may emerge from natural disasters and other unplanned events, necessitating planning for these situations as well. This planning entails considering the physical security of equipment as well.

PHOENIX CONTACT FL SWITCH (ICSA-19-024-02)

improper restriction of excessive authentication attempts, cleartext transmission of sensitive information, resource exhaustion, incorrectly specified destination in a communication channel, insecure storage of sensitive information, and memory corruption vulnerabilities in PHOENIX CONTACT FL SWITCH. Versions 3xxx, 4xxx, and 48xx and versions prior to 1.35. are affected. Successful exploitation of these vulnerabilities may allow attackers to have user privileges, gain access to the switch, read user credentials, deny access to the switch, or perform man-in-the-middle attacks.

Advantech WebAccess/SCADA (ICSA-19-024-01) - Product Used in the Water and Wastewater and Energy Sectors

The NCCIC has published an advisory on path traversal and improper authentication, authentication bypass, and SQL injection vulnerabilities in Advantech WebAccess/SCADA. Version 8.3 is affected. Successful exploitation of these vulnerabilities may allow an attacker to access and manipulate sensitive data. Advantech has released Version 8.3.5 of WebAccess/SCADA to address the reported vulnerabilities. The NCCIC also advises on a series of mitigating measures for this vulnerability.

New “BEC-as-a-Service” Trend Means Just about Anyone Can Launch an Attack

Business email compromise (BEC) scams have proven to be a lucrative venture, and the criminals behind them are looking to add another revenue stream to their successful business model: BEC-as-a-Service. These actors make it easy for their customers to impersonate CFOs and other executives to request urgent wire transfers, payment of fake invoices, and other actions designed to divert their targets’ money into their hands. This is bad news in an environment where BEC attacks already cost organizations billions of dollars.

Rushing to Patch? Here’s How to Prioritize Your Security Efforts

Rather than focusing on applying all new patches as soon as possible, a new report from Kenna Security and the Cyentia Institute suggests organizations tackle security from the vantage point of prioritization. With over 110,000 CVEs published-and roughly 300 new CVEs published per week in 2018-staying current with vulnerabilities as they are uncovered is likely to become overwhelming. Likewise, doing so can overextend IT security professionals.

Test Your Ability to Identify Phishing with Free Test

Google has set up a free, online quiz anyone can take to evaluate their ability to spot a phishing email. The quiz tests visitors on a series of emails to see if they can distinguish telltale signs of phishing. Many of the examples are actually based on real events, such as the massive phishing attempt that hit Google Doc users in 2017 or an email that Russian hackers sent to Hillary Clinton’s campaign manager in 2016. After each email, Google explains how to tell the signs, often by hovering over URLs to check where they lead and checking the spelling of email addresses.

Pages

Subscribe to Cybersecurity