
Google Will Now Let Android Users Log In To Some Services Without A Password

Google has been working with Android to roll out password-free services to all phones running Android 7 or higher. According to a Google help page, the feature also allows you to log in using whichever method you have set up to unlock your phone, which can include PINs and pattern unlock.

Android phones already let you use your fingerprint to authenticate Google Pay purchases and log in to apps.

What’s new here is being able to use that same fingerprint to log in to one of Google’s web services within the Chrome browser.

Google says it plans to add the functionality to more Cloud services in the future.

Using a password manager along with two-factor authentication helps mitigate a lot of these vulnerabilities, but the new method Google is using removes them entirely.

You’ll need to already have your personal Google Account added to your Android device for this to work.

All Android devices running version 7.0 or later are FIDO2-certified, and Google lets you use an Android phone as a 2FA security key to log in to your account using the same technology.

All Apple devices at risk due to unforeseen exploit

Apple has just released an emergency update addressing a major threat to all iPhones and other Apple devices.

Currently, any device that has not been updated is open to an attack that is seemingly unstoppable, because all it takes is for you to receive a text. An iMessage sent to your device triggers an integer overflow that allows remote code execution. Once the message is received, your phone is compromised and the hackers are able to install spyware and begin stealing all your data.

This vulnerability is known as the FORCEDENTRY exploit. The attack comes from a malicious PDF file containing a JBIG2-encoded stream, sent with a .gif file extension, which triggers the vulnerability and installs the hacking group’s Pegasus spyware.
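
A defensive check for the disguise described above, as an added example that is not from the original article: it compares a file's claimed extension with its magic bytes and flags PDFs that declare a JBIG2 stream. The function names, severity labels and sample files are constructed for illustration.

```python
import re

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"
# PDF filter name that marks a JBIG2-encoded stream.
JBIG2_FILTER = re.compile(rb"/JBIG2Decode\b")

# Constructed sample inputs: harmless byte strings, no real image or exploit data.
SAMPLES = {
    "holiday.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Length 0 >>\nstream\n\nendstream\nendobj\n",
    "funny.gif": b"%PDF-1.4\n1 0 obj\n<< /Filter /JBIG2Decode /Length 0 >>\n"
                 b"stream\n\nendstream\nendobj\n",
}


def sniff_type(data: bytes) -> str:
    """Return the format indicated by the leading bytes, not the file name."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    # PDF parsers commonly accept the header anywhere in the first 1 KiB.
    if PDF_MAGIC in data[:1024]:
        return "pdf"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the content and grade the result."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    mismatch = claimed == "gif" and actual != "gif"
    jbig2 = actual == "pdf" and bool(JBIG2_FILTER.search(data))
    if mismatch and jbig2:
        severity = "high"      # the exact disguise the article describes
    elif mismatch:
        severity = "medium"    # extension lies about the content
    elif jbig2:
        severity = "low"       # JBIG2 also appears in ordinary scanned PDFs
    else:
        severity = "none"
    return {"file": filename, "claimed": claimed, "actual": actual,
            "jbig2": jbig2, "severity": severity}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(inspect_attachment(name, blob))
```

The byte-level search misses filter names written with PDF name escapes or placed inside compressed object streams, so the extension/content mismatch is the more dependable of the two signals.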

If you have any of the following devices we urge you to update your device as soon as possible:

  • iPhones with iOS versions prior to 14.8
  • Mac computers with operating systems prior to macOS Big Sur 11.6 or Security Update 2021-005 Catalina
  • Apple Watches prior to watchOS 7.6.2

If you have any questions, or need help making sure you have not been compromised, please reach out so that we can help you ensure that your data is being kept safe and secured.

Microsoft Is Making Windows 10 Passwordless

Microsoft is planning to make Windows 10 PCs work without passwords.

While the company has been working on removing passwords from Windows 10 and its Microsoft Accounts for a number of months now, the next major update to Windows 10 next year will go one step further.

You’ll soon be able to enable a passwordless sign-in for Microsoft accounts on a Windows 10 device.

So why does Microsoft want people to stop using passwords to log into Windows 10 PCs? It’s really simple: passwords suck.

Windows 10 stores your private key on a device with a Trusted Platform Module, which is a secure chip that keeps a PIN local to your device only.

Microsoft has been slowly trying to convince Windows 10 users to opt into two-factor authentication processes like basic SMS, a separate Microsoft Authenticator app, Windows Hello, or even physical security keys with the FIDO2 standard.

Microsoft is now planning to allow people to remove the password option entirely from the Windows 10 login screen.

How to keep your business on the digital forefront when old IT solutions are holding you back.

Do you have an old ERP (Enterprise Resource Planning) system that you’re struggling to drag into this decade?  

Have you invested 5, 10 or 20 years of business process and logic into that ERP, and stand at the precipice of starting a high risk, expensive transformation project to replace it? 

Most ERPs are great at their core function. They are critical for data integrity and for providing a single source of truth for businesses. But they get extended and built beyond their original purpose. They lack modern APIs to let you easily integrate new digital platforms and user interfaces.

We all know how quickly technology changes over the years and the improvements that have been made to how people interact with it. Recently, the cost and difficulty of tools such as Machine Learning and Robotic Process Automation have reduced significantly, making them more accessible for businesses.

Off the back of this change, it’s worth reviewing a strategy of uplifting your existing ERP by adding new digital tools.

The strategy and discipline to fix this problem is as follows: 

  1. Contain the functionality that you are running out of your old core system. 
  2. Strip it down to the absolute bare bones of what it needs to do. Make sure it is doing NOTHING above and beyond this basic functionality. 
  3. Then take the other pieces that may be embedded in it and that don’t work well, and create what is called a microservices strategy. Then, for example, you could utilise a customer sales platform such as Salesforce and build it into your existing ERP platform.

Taking this structured approach allows your company to look, feel and interact like the most modern business, with all of the best-in-breed digital enablement tools.

But you have done it in a fraction of the time and at a fraction of the cost.

So, if you feel like you are being constrained by your core IT platforms and that your only alternative is to rip them out and start again.  

Think again.  

Genuinely consider a microservices approach and get an expert to do it for you.

ARE YOU REALLY PREPARED FOR A CYBERATTACK?

According to the Australian Cyber Security Centre, on average 164 cybercrime reports are made by Australians every single day.  

This is a stark reminder of the real threat that exists, and the question business leaders need to ask themselves is, are we really prepared?  

Imagine this. It’s early in the morning and you receive a call from your CIO telling you the core IT systems are down, and they are looking into it.

Before you can fully process what is happening, a journalist is calling your phone seeking comment on your business’s position on the leaking of all of your customers’ confidential data to the internet.

Your heart is racing and your palms are sweaty as you try to think about how you respond.  

Your first thought might be to contact your staff and alert them, but how do you do that with your email system down?

What about your customers? What about your suppliers? How do you ensure they are made aware as soon as possible? Where do you turn to for help?

What are the company’s legal obligations to inform the relevant authorities? Do you inform the police and, if so, what department do you call?

What do we say publicly? What about our reputation?

You speak to your CIO about restoring company systems ASAP, but that’s been compromised too.

This is not a doomsday scenario; this is the reality for thousands of Australian businesses every year who find themselves on the wrong side of a cyber security breach.

This is a horrible situation for people to go through.

Whether we like it or not, hackers are not slowing down, they are evolving, and you need to be prepared.  

Our advice is simple.

You need to speak to the experts and develop your cyber response plan.

Perform a cyber security gap analysis, put the right tools in place, build processes and procedures, know what you are going to say to the media, and ensure your company is resilient and better protected against this growing threat with a templated response plan.

Only then will you be really prepared to react if something goes wrong.

OMIGOD Exploit affects half of Azure

If earthquakes weren’t enough, yet another major security announcement from a major vendor this week.

A series of four vulnerabilities involving software agent Open Management Infrastructure has left Microsoft Azure customers exposed to remote code execution.

The flaws were reported Tuesday by cloud security vendor Wiz, which previously disclosed the ChaosDB Azure vulnerability last month.

Linux reportedly made up over half of Azure instances as of 2019, and Wiz’s post explained that customers utilizing Linux machines are vulnerable if they use any of a list of tools and services that use OMI, including many common ones.

Specifically, customers are exposed to a set of four vulnerabilities: three high-severity privilege escalation vulnerabilities and a critical remote code execution vulnerability, CVE-2021-38647, which has a CVSS of 9.8.

Microsoft patched the four vulnerabilities in its Patch Tuesday release this month, though the fixes will not be automatically applied for Azure customers.

Asked for clarification regarding whether the vulnerabilities are completely fixed and whether customers need to take action, Microsoft declined to comment beyond linking to its security update guide.

“The ease of exploitation and the simplicity of the vulnerabilities makes us wonder if the OMI project is mature enough to be used so widely,” Ohfeld said.

If you are an Acurus customer, rest assured we are reviewing and ensuring you are not impacted.

If you want help and advice on how to deal with this, please reach out.