Apple releases emergency security update
Apple has posted a new emergency patch for its mobile device family. iPhones, iPads, and Apple Watches are all affected by a newly discovered “zero-day” vulnerability, and all users of these products are urged to install the patch as soon as possible. To check whether you have the latest version, select Settings > General > Software Update on your iPhone or iPad (for Apple Watch, use the Watch app on the paired iPhone: My Watch > General > Software Update), and confirm that you are on at least the following operating system levels (current as of March 29, 2021):
+ current iPhones and iPads – iOS / iPadOS 14.4.2
+ older iPhones and iPads that cannot run iOS 13 or 14 – iOS 12.5.2
+ Apple Watches – watchOS 7.3.3
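The version check above is easy to get wrong at fleet scale because the required release depends on which OS branch a device is on. The following script is an added illustration (not Apple's or the newsletter's tooling) that takes a constructed device inventory and reports whether each device is at or above the patched release for its branch. The branch mapping is an assumption made here: 14.x devices must reach 14.4.2, devices still on 12.x must reach 12.5.2, any device on 13.x is treated as needing the upgrade to 14.4.2 (every iOS 13 device can run iOS 14), and Apple Watches must reach watchOS 7.3.3.

```python
"""Compliance check for the March 2021 Apple WebKit fix.

Added example, not Apple's own tooling. Branch-to-minimum mapping is an
assumption based on the advisory numbers quoted above.
"""
from typing import List, Tuple

# Minimum patched release per OS branch: platform -> {major version: required}.
MINIMUM_VERSIONS = {
    "ios": {14: (14, 4, 2), 12: (12, 5, 2)},
    "ipados": {14: (14, 4, 2), 12: (12, 5, 2)},
    "watchos": {7: (7, 3, 3)},
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '14.4.2' (or '14.4', '14') into a 3-tuple so tuples compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or any(p < 0 for p in parts) or len(parts) > 3:
        raise ValueError(f"bad version string: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return padded[0], padded[1], padded[2]


def _fmt(version: Tuple[int, int, int]) -> str:
    return ".".join(str(p) for p in version)


def is_patched(platform: str, version: str) -> Tuple[bool, str]:
    """Return (patched?, explanation) for one device."""
    branches = MINIMUM_VERSIONS.get(platform.lower())
    if branches is None:
        return False, f"unknown platform {platform!r}"
    v = parse_version(version)
    required = branches.get(v[0])
    if required is None:
        # Assumption: a device on a branch Apple no longer ships fixes for
        # (e.g. iOS 13.x) must move to the newest supported branch.
        newest = max(branches.values())
        return False, f"{version} is on an unsupported branch; update to {_fmt(newest)}"
    if v >= required:
        return True, f"{version} is at or above {_fmt(required)}"
    return False, f"{version} is below {_fmt(required)}"


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, bool, str]]:
    """Return (device_id, patched, explanation) rows for an inventory of
    (device_id, platform, version) entries."""
    rows = []
    for device_id, platform, version in inventory:
        ok, why = is_patched(platform, version)
        rows.append((device_id, ok, why))
    return rows


# Constructed sample inventory; not real device data.
SAMPLE_INVENTORY = [
    ("iphone-01", "iOS", "14.4.2"),
    ("iphone-02", "iOS", "14.4.1"),
    ("ipad-01", "iPadOS", "12.5.2"),
    ("iphone-03", "iOS", "13.7"),
    ("watch-01", "watchOS", "7.3.3"),
    ("watch-02", "watchOS", "7.2"),
]

if __name__ == "__main__":
    for device_id, ok, why in audit(SAMPLE_INVENTORY):
        print(f"{device_id:10} {'OK ' if ok else 'FIX'} {why}")
```

Run it against an export from your MDM and the rows marked FIX are the devices still exposed to the WebKit bug; note that a device stuck on an unsupported branch is reported as needing a full upgrade rather than a point release.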
The security flaw is in WebKit, the browser engine used by Safari and, by Apple's rules, by every other browser on iOS as well. The bug is a “universal cross-site scripting (UXSS)” flaw: unlike an ordinary XSS bug in a single website, it breaks the browser's own same-origin policy, so a malicious page could run script in the context of other sites and read their cookies and locally stored data. Depending on what sites you are logged into and what is cached on the device, sensitive information could be disclosed. The urgency is heightened by the severity of the vulnerability and by the fact that Apple says it is aware of reports that the bug has been actively exploited in the wild.
This bug marks the seventh zero-day vulnerability patched by Apple in the last five months. Apple's updates are cumulative, so installing this latest release also brings a device up to date with all previously released fixes.
CIO Institute releases cyber recruitment study
A new report from the CIO Institute entitled “What Works in Finding Elite Cybersecurity Talent” provides an executive-level view of how enterprises are successfully closing the gap between open cybersecurity positions and the supply of highly qualified professionals.
Based on surveys and studies of CIOs in the United States and Canada, the report summarizes four key strategies for identifying and developing cybersecurity talent:
+ Identify existing employees – including IT and non-IT personnel – with a high aptitude for elite performance, and develop them into productive cybersecurity professionals
+ Recruit from post-secondary programs that feature graduates with strong, hands-on cyber skills
+ Encourage a pipeline of local talent through discovery initiatives and partnerships with post-secondary programs
+ Use certifications to help rank and evaluate candidates
Sierra Wireless recovering from March 20 cyber attack
Canadian communications manufacturer Sierra Wireless was hit by a ransomware attack on March 20, but is slowly bringing services back online. The initial ransomware attack caused Sierra Wireless to shut down its IoT manufacturing production lines across multiple sites, and affected a variety of other internal operations including its corporate website.
The company acknowledged the attack on March 23, and provided a second update on its website on March 26 when production resumed. As of March 29, the company website remained a single landing page bearing up-to-date information on the status of the recovery: IT teams are still working to bring internal systems back online.
Sierra Wireless was careful to reassure customers that, while the attack affected its day-to-day operations, the security of its products was not compromised. The Vancouver-based manufacturer builds a wide variety of communications equipment, including routers, network gateways, wireless modems, and products and services for IoT devices.
“We believe the impact of the attack was limited to Sierra Wireless’ internal IT systems and corporate website, as we maintain a clear separation between our internal IT systems and customer-facing products and services. We believe that our products and connectivity services were not impacted, and that our customers’ products and systems were not breached during the attack. At this point in our investigation of the ransomware attack, we do not expect there to be any product security patches, or firmware or software updates required as a result of the attack,” according to the bulletin on the website.
The company has released no details about the ransomware involved, how the attackers gained access, or any ransom demand. “Beyond notifying the third-party advisors, our customers and others impacted by the attack, we do not share our protocols for dealing with any ransomware attacks as this is considered highly sensitive and confidential,” according to a spokesperson from the company.
New feature in Slack raises security concerns
At its October 2020 user conference, “Slack Frontiers 2020”, messaging platform Slack announced a planned direct messaging (DM) service that would allow registered Slack users in different organizations to chat directly with one another. The company's longer-term vision was to extend the DM feature to everyone, whether or not they have a Slack subscription: anyone on Slack could open a private conversation with anyone else on the platform, anywhere in the world, provided the recipient accepted a customizable invitation to connect.
Those plans suffered a setback this week with the launch of the new Slack Connect DM product. Almost immediately, concerns were raised about the potential for abuse and the unexpected security issues that could arise from open communication across and between enterprises. The feature launched without any straightforward way to block harassing or unwanted invitations. Worse, because the invitation was delivered as an email from one of Slack's own sending addresses rather than from the sender, it passed inbox filtering rules and blocklists aimed at unknown senders, and the body of that email carried whatever message the sender chose to attach, good or bad.
Slack responded quickly to customer concerns and disabled the custom invitation message later the same day as the launch.
“After rolling out Slack Connect DMs this morning [March 24, 2021], we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages,” said Jonathan Prince, Vice President of Communications and Policy at Slack.
“We are taking immediate steps to prevent this kind of abuse, beginning with the removal today of the ability to customize a message when a user invites someone to Slack Connect DMs. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage.”