Report: Macs Vulnerable to Attack Through Firmware Weaknesses

Timely News as October is National Cyber Security Awareness Month (NCSAM)

A report from Duo Security details a potentially systemic issue that leaves Mac computers susceptible to highly targeted and stealthy attacks.

The report shows Mac users who have updated to the latest operating system or downloaded the most recent security update may not be as secure as they originally thought.

Duo Security’s analysis of more than 73,000 Macs across various industries found the Extensible Firmware Interface (EFI) in many models was not receiving security updates that users thought they were getting. This left users susceptible to previously disclosed vulnerabilities such as Thunderstrike 2 and the recent WikiLeaks Vault 7 data dumps that detail attacks against firmware.


While Apple devices were the focus of the study, experts at the company told The Washington Post that Windows-based machines are even more likely to be at risk, because of the range of manufacturers involved in building PCs.

In 2015, Apple began bundling its software and firmware updates in an effort to ensure users automatically obtain the most current firmware security. This allowed Duo Security to analyze the state of Apple’s EFI security by looking at Mac updates over the past three years.

Duo Security’s key findings are:

  • Users running a version of the Mac OS that is older than the latest major release (High Sierra) likely have EFI firmware that has not received the latest fixes for known EFI issues. This means those systems can be software-secure but firmware-
  • On average, 4.2% of Macs were running an EFI firmware version different from the one they should have been running.
  • At least 16 models have never received any EFI firmware updates. The 21.5” iMac, released in late 2015, has the highest occurrence of incorrect EFI firmware with 43% of sampled systems running incorrect versions.
  • 47 models capable of running 10.12, 10.11, or 10.10 did not have an EFI firmware patch addressing the Thunderstrike vulnerability. 31 models did not have an EFI firmware patch addressing the remote version of the vulnerability, Thunderstrike 2.
  • Two recent security updates issued by Apple (Security Update 2017-001 for 10.10 and 10.11) contained the wrong firmware with the update. This would indicate regression or a lag in quality assurance.

The National Cyber Security Awareness Month (NCSAM) was created in 2003 by the U.S. Department of Homeland Security and National Cyber Security Alliance to ensure everyone has the resources they need to stay safe and secure online. The goal of NCSAM is to increase the awareness of the ever-evolving cyber security landscape and bring attention to different measures people can take to keep their information protected.

Reposted from VIPRE

U.S. Government Bans Use of Kaspersky Security Software in Federal Agencies

The U.S. Government, Best Buy, and Office Depot All Suspend Business with the Software Giant

Kaspersky could lose all its federal contracts within a few months, after the U.S. government issued a stern directive concerning the company’s possible involvement in state-sponsored cyber espionage.

Last week the government issued a binding directive that federal civilian agencies identify Kaspersky software on their networks, and remove it after 90 days, unless otherwise directed.

The Department of Homeland Security (DHS) “is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS said in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

The directive comes months after the federal General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors.

In a recent blog, we noted that the U.S. government was concerned about Kaspersky’s possible ties to Russia’s spying apparatus and the possible spying activities of Kaspersky employees in the United States.

Kaspersky entered the media spotlight earlier this year following the Justice Department’s investigation into whether the Russian government colluded with President Donald Trump’s 2016 campaign.

Last week, Kaspersky said in a statement that it “doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company.”


It also said that the Russian law requiring assistance does not apply to the company.

“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” Kaspersky said. “The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.”

The department gave Kaspersky 90 days to prove its products are not a security risk or to mitigate the concerns.

“We’ve determined that [Kaspersky software] poses an unacceptable amount of risk based on our assessment,” Christopher Krebs, a senior DHS official told the Washington Post. “If they want to provide additional information or mitigation strategies, our door is open.”

The bad news for the company has rolled over into the commercial space, with retailer Best Buy suspending sales of Kaspersky software, noted an article in

Kaspersky confirmed it had parted ways with Best Buy in a statement emailed to

“Kaspersky Lab and Best Buy have suspended their relationship at this time; however, the relationship may be re-evaluated in the future,” the software firm said. “Kaspersky Lab has enjoyed an almost decade-long partnership with Best Buy and its customer base, and the company will continue to offer its industry-leading cybersecurity solutions to consumers through its website and other retailers.”

Looking to remove Kaspersky from your device? Follow our 7 easy steps to uninstall Kaspersky Software here.


The Better Business Bureau is warning businesses about bogus emails

The Better Business Bureau is warning businesses about bogus emails claiming to be from the BBB.

The Bureau says these emails are not coming from the BBB and are part of a widespread phishing attack.

The BBB says it has received hundreds of inquiries about the bogus emails.

The email claims the business is in violation of either the Safety and Health Act or the Fair Labor Standards Act, or that a BBB complaint has been filed against it.

The link asks you to download a document for more information, but the BBB says to not click on it, as it may download malware onto your computer.

The BBB says to follow these steps if you get the email:

1. Do NOT click on any links or attachments.
2. Read the email carefully for signs that it may be fake (for example, misspellings, grammar, generic greetings such as “Dear member” instead of a name, BBB internal department names that do not seem familiar, etc.).
3. Be wary of any urgent instructions to take specified action such as “Click on the link or your account will be closed.”
4. Hover your mouse over links without clicking to see if the address is truly from The URL in the text should match the URL that your mouse detects. If the two do not match, it is most likely a scam.
5. Send a copy of the email to (Note: This address is only for scams that use the BBB name or logo)
6. Delete the email from your computer completely (be sure to empty your “trash can” or “recycling bin,” as well).
7. Run anti-virus software updates frequently and do a full system scan.
8. Keep a close eye on your bank statements for any unexpected or unexplained transactions.
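Step 4 above can be automated for an HTML message: the check below extracts every link, and where the visible link text is itself a URL, compares its host with the host the `href` really opens. This is an added example, not BBB or VIPRE code; the sample e-mail and the `.example`/`.net` domains in it are constructed.

```python
"""Flag e-mail links whose visible text claims one destination while the href
goes elsewhere (the hover check in BBB step 4). Added example, not BBB or
VIPRE code; the sample message and domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a mismatched link, an honest link, and a non-URL link text.
SAMPLE_EMAIL = """
<p>Dear member, a complaint was filed. Review it at
<a href="http://bbb-complaints.example.net/doc.exe">https://www.bbb.example/complaint/123</a></p>
<p>Visit <a href="https://www.bbb.example/">https://www.bbb.example/</a> for help.</p>
<p><a href="https://login.example.net/reset">Click here</a> or your account will be closed.</p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":                      # tag and attribute names arrive lower-cased
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased host of a URL-looking string, '' if it is not a URL."""
    if not re.match(r"^(https?://|www\.)", url, re.I):
        return ""
    full = url if "://" in url else "http://" + url
    return (urlsplit(full).hostname or "").lower()

def find_mismatched_links(html):
    """Return (href, text) pairs where the text is a URL whose host differs from
    the host the link really opens. Plain text such as 'Click here' makes no
    claim about the destination, so it is not flagged here."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if _host(text) and _host(text) != _host(href)]
```

Links with non-URL text are deliberately not flagged, so a message like the third sample link still needs the urgency check in step 3.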

What is Phishing?

Phishing is often a sophisticated email attempt to trick the recipient into first opening a fraudulent message and then revealing personal and financial information.

A phishing email usually arrives disguised as an email from a legitimate company or known person. Of course, the email is from one of the bad guys.

The bogus email might seek a payment and direct the user to a replica of a banking website, for example, or to a phony payment center of a utility company.

Phishing email also may be crafted strictly to lure a user to a malicious website, where malware would be installed through the user’s browser via an undetected download. The victim could then be monitored by a criminal enterprise in search of sensitive data.

Charity donations, online banking problems, or IRS inquiries are common themes in phishing scams.

Some Internet browsers have phishing and malware detection in their default settings, but not all. Don’t reply to or click links within texts, emails, or pop-up messages requesting personal information.

Some tips to help protect against phishing emails:

  • Do not respond to any unsolicited e-mails of this nature.
  • Do not click on any attachments associated with such emails, as they may contain viruses or malware.
  • If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don’t ask for this information via email.
  • If you are concerned about your account, contact the organization in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address. In any case, don’t cut and paste the link in the message.
  • Don’t email personal or financial information. Email is not a secure method of transmitting personal information.
  • If you initiate a transaction and want to provide your personal or financial information through an organization’s Web site, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”).
  • Use anti-virus software such as VIPRE and keep your computer security up to date. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files.