Category Archives: Internet Security

Drones must be constantly connected to the internet to give Feds real-time location data, new US govt proposal – The Register

Drone enthusiasts are up in arms over rules proposed by the US Federal Aviation Administration (FAA) that would require their flying gizmos to provide real-time location data to the government via an internet connection.

The requirement, for drones weighing 0.55lb (0.25kg) or more, would ground an estimated 80 per cent of gadgets in the United States, and many would never be able to fly again because they couldn't be retrofitted with the necessary equipment, say drone owners. Those that did buy new drones would need to buy a monthly data plan for their flying machines: something that would likely cost $35 or more a month, given extortionate US mobile rates.

There are also additional costs of running what would need to be new location databases of drones, which the FAA expects will be run by private companies but which don't exist yet, and which drone owners would have to pay for through subscriptions. The cost of all this is prohibitive, for little real benefit, they argue.

If a device loses internet connectivity while flying, and can't send its real-time info, it must land. It may be possible to pair a drone control unit with, say, a smartphone or a gateway with fixed-lined internet connectivity, so that the drone can relay its data to the Feds via these nodes. However, that's not much use if you're out in the middle of nowhere, or if you wander into a wireless not-spot.

Nearly 35,000 public comments have been received by the FAA, with the comment period closing later today. The vast majority of the comments are critical and most make the same broad point: that the rules are too strict, too costly and are unnecessary.

The world's largest drone maker, DJI, is among those fighting the rule change, unsurprisingly enough. The manufacturer argues that while it agrees that every drone should have its own unique ID, the FAA proposal is complex, expensive and intrusive.

It would also undermine the industry's own remote ID solution, which doesn't require a real-time data connection but utilizes the same radio signals used to control drones to broadcast ID information. It also flags that the proposed solution has privacy implications: people would be able to track months of someone's previous drone usage.

"Everyone understands why cars need license plates: drivers have to be accountable," DJI argues. "But what if instead of just a license plate, your car was also legally required to be connected via the internet to a privately run car-tracking service that charged you an annual fee of about 20 per cent of your car's value, and stored six months of your driving data for government scrutiny? Would you think the government had gone too far?"

For its part, the FAA says it is following recommendations put to it by a special committee called the Remote ID Aviation Rulemaking Committee (ARC). The ARC recommended the FAA adopt an industry standard for data transmission, which may need to be created, to ensure unmanned aircraft equipment and public safety receivers are interoperable, the FAA notes in its rules. It later states: "The FAA agrees that requiring the broadcasting of messages directly from the unmanned aircraft and the transmission of messages over the internet is an appropriate approach because it provides a more complete picture of unmanned aircraft in the airspace of the United States."

It rejects the drone industry's standard where radio rather than cellular data is used to broadcast IDs because, it argues, public safety officials may not be able to equip with receivers for all possible direct broadcast technologies. Under the radio plan, officials would use a receiver to pick up the radio signals but would need to physically be in the area. Under its current plan, those government officials could sit in offices thousands of miles away (or in the field) and watch drone traffic through their browsers.

But, DJI and others argue, the FAA has actually ignored its own ARC team and similar teams across the globe by insisting that the cellular solution is the only one that can be allowed: all recommendations up to this point have argued that both radio or cellular approaches are acceptable.

"ARC produced a final report that did not recommend mandatory internet-based services," says DJI. "Rather, the consensus recommendation was for drones flying under existing FAA rules to perform Remote ID via a radio broadcast, with network solutions an optional alternative." Moreover it notes: "Aviation officials in Europe, who also weigh the aviation safety and terrorism risks of drones, agree with that assessment."

And it says that while it is not an easy task to balance all the interests involved in protecting innovation while addressing security and safety concerns, by pushing the cellular-network approach the FAA had disregarded without sufficient explanation the radio solution.

A similar length critique of the FAA's plan has been posted by drone enthusiast organization the Pilot Institute. It has been encouraging its members to write to the FAA pointing out concerns, and they have seemingly obliged.

"The FAA's proposal for Remote ID will dramatically change how and where people can fly their drones if it's implemented," a blog post on the Pilot Institute's website reads. "It will eliminate a large portion of the FPV market, potentially permanently ground older drones, prevent people from flying their drones in numerous places, destroy privacy, and increase the cost to own and operate drones. Right now, we have the opportunity to leave a comment to the FAA and hopefully get it changed."

It rejects numerous parts of the FAA's plan, noting as well that significant parts of the US do not have cellular coverage and so drones would be effectively banned from those areas.

And while many imagine the issue of drones to be people spying on neighbors, or disrupting airports by flying into flight paths, the Pilot Institute tells a different story: of drone owners being attacked and abused by members of the public while doing nothing wrong and, in one case, while looking for a missing dog. It also warns that under the FAA plan where the location of the pilot is also made public, it would give thieves a way to target drone pilots with expensive equipment and mug them.

It breaks down the cost of the proposed approach: $2.50 a month for the data connection; $35+ a month for a data plan; $75 a year registration fee - meaning that before even taking to the skies, a drone operator would have to pay at least $500 a year. Per drone. Most enthusiasts have several.

As to what is driving the FAA's approach, it appears to be focused intently on the biggest and most publicized problem of drones: flying into commercial airspace. The FAA rules make repeated and lengthy mentions of the various global disruption to airline traffic that drones, or rather supposed sightings of them, have caused in recent years, particularly at Gatwick in London. But also Dubai, Dublin, and Frankfurt.

In October 2018, the FAA gave itself permission to shoot down any drone it wants in response to the airport disruptions. It is also concerned that Americans' love of guns and weapons will cause them to do idiotic things to drones, emailing drone owners last year to remind them that it is illegal to operate a drone with a dangerous weapon attached.

While those fears are real and understandable, the Pilot Institute points out that if someone does want to cause disruption, all they would have to do is disable the very functions that the FAA is insisting on to go unnoticed. Instead, the rules are punishing the most responsible drone flyers in an effort to target the least responsible.

And, as one drone hobbyist that we chose at random from the 34,000+ comments noted: "Model aviation is the natural precursor to careers in aviation, including commercial pilots and engineers and more jobs which the US desperately needs to fill. Model aviation supports a $1 billion hobby industry responsible for thousands of existing US jobs. We simply cannot afford to further harm the model aviation hobby with overly burdensome requirements."


State of the Internet / Security: Financial Services – Hostile Takeover Attempts – BankInfoSecurity.com


Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now – The Register

Zyxel's network storage boxes, business VPN gateways, firewalls, and, er, security scanners can be remotely hijacked by any miscreant, due to a devastating security hole in the firmware.

The devices' weblogin.cgi program fails to sanitize user input, allowing anyone who can reach one of these vulnerable machines, over the network or across the internet, to silently inject and execute arbitrary commands as a root superuser with no authentication required. That would be a total compromise. It's a 10 out of 10 in terms of severity.

As its name suggests, weblogin.cgi is part of the built-in web-based user interface provided by the firmware, and the commands can be injected via GET or POST HTTP requests.

If a miscreant can't directly connect to a vulnerable Zyxel device, "there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device," noted Carnegie Mellon's CERT Coordination Center in its advisory on the matter.

"For example, simply visiting a website can result in the compromise of any Zyxel device that is reachable from the client system."

Here's the affected equipment, which will need patching:

Fixes can be fetched and installed from Zyxel's website. Meanwhile, the NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 models are no longer supported, and thus no patches are available, but are still vulnerable. The security bug (CVE-2020-9054) is trivial to exploit, unfortunately.

"Command injection within a login page is about as bad as it gets and the lack of any cross-site request forgery token makes this vulnerability particularly dangerous," Craig Young, a researcher with security house Tripwire, told The Register earlier today. "JavaScript running in the browser is enough to identify and exploit vulnerable devices on the network."

Speaking of bad, exploit code is already on sale for $20,000 in underground forums, and the patched firmware is delivered via unencrypted FTP, which can be meddled with by network eavesdroppers.

"Be cautious when updating firmware on affected devices, as the Zyxel firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature," CERT-CC warned.

"For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a Zyxel device."

If you can't patch your Zyxel device, bin it, especially if it's facing the internet.
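The gap CERT-CC describes, firmware checked only by checksum after travelling over an insecure channel, can be shown in a few lines. The following is an added Go example, not Zyxel's code and not from the article: the `Update` structure, the keys and the image bytes are constructed for illustration, and Ed25519 stands in for whatever signature scheme a vendor might use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is everything a device fetches over the untrusted download channel.
type Update struct {
	Image     []byte // firmware image
	Checksum  string // hex SHA-256 served alongside the image
	Signature []byte // detached Ed25519 signature over the image
}

// Result records which checks an update passed.
type Result struct {
	Name        string
	ChecksumOK  bool
	SignatureOK bool
}

// VerifyChecksum proves only that image and checksum agree with each other.
// Both arrive over the same channel, so whoever controls it controls both.
func VerifyChecksum(u Update) error {
	want, err := hex.DecodeString(u.Checksum)
	if err != nil {
		return fmt.Errorf("malformed checksum: %w", err)
	}
	got := sha256.Sum256(u.Image)
	if !bytes.Equal(got[:], want) {
		return errors.New("checksum mismatch")
	}
	return nil
}

// VerifySignature checks the image against a public key that is already on
// the device (pinned), so nothing fetched with the update is trusted.
func VerifySignature(pinned ed25519.PublicKey, u Update) error {
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong length")
	}
	if !ed25519.Verify(pinned, u.Image, u.Signature) {
		return errors.New("signature does not match pinned vendor key")
	}
	return nil
}

// publish builds the files a signer would place on the download server.
func publish(priv ed25519.PrivateKey, image []byte) Update {
	sum := sha256.Sum256(image)
	return Update{
		Image:     image,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, image),
	}
}

// RunScenario evaluates four constructed updates with both checks.
func RunScenario() []Result {
	// Constructed, fixed-seed keys so the example is deterministic.
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	pinned := vendorPriv.Public().(ed25519.PublicKey)

	genuine := publish(vendorPriv, []byte("constructed firmware image v2"))

	// Accidental damage: one byte of the image differs, checksum untouched.
	corrupted := genuine
	corrupted.Image = append([]byte(nil), genuine.Image...)
	corrupted.Image[0] ^= 0xff

	// Replaced in transit: image and checksum swapped together,
	// the genuine signature left in place.
	swapped := publish(otherPriv, []byte("constructed substitute image"))
	swapped.Signature = genuine.Signature

	// Replaced and signed with a key that is not the pinned one.
	resigned := publish(otherPriv, []byte("constructed substitute image"))

	cases := []struct {
		name string
		u    Update
	}{
		{"genuine", genuine},
		{"corrupted in transit", corrupted},
		{"replaced, checksum recomputed", swapped},
		{"replaced and re-signed with another key", resigned},
	}
	var out []Result
	for _, c := range cases {
		out = append(out, Result{
			Name:        c.name,
			ChecksumOK:  VerifyChecksum(c.u) == nil,
			SignatureOK: VerifySignature(pinned, c.u) == nil,
		})
	}
	return out
}

func main() {
	for _, r := range RunScenario() {
		fmt.Printf("%-42s checksum=%-5v signature=%v\n", r.Name, r.ChecksumOK, r.SignatureOK)
	}
}
```

The checksum catches accidental corruption only; both replaced images pass it and are rejected solely by the check against the pinned key.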


Internet Security Market Report Growth, Analysis, Applications, forecast to 2024 & Focusing on top key Companies like Symantec Co, IBM, Hewlett…

Internet Security Market research Report is an inestimable supply of perceptive information for business strategists. This Internet Security Market study provides comprehensive data which enlarge the understanding, scope and application of this report.

A specific study of the competitive landscape of the global Internet Security Market has been allotted, providing insights into the corporate profiles, financial standing, recent developments, mergers and acquisitions, and the SWOT analysis. This analysis report will provide a transparent program to readers concerned about the general market situation to further choose on this market's projects.

The Internet Security Market report profiles the following companies: Symantec Co, IBM, Hewlett Packard, Microsoft, Cisco System, Intel, Trend Micro, SonicWall, Check Point

Get Sample Copy of this Report @ https://www.reportsintellect.com/sample-request/626744

This report studies the global Internet Security Market status and forecast, categorizes the global Internet Security Market size (value & volume), revenue (Million USD), product price by manufacturers, type, application, and region. Internet Security Market Report by Material, Application and Geography with Global Forecast to 2024 is a connoisseur and far-reaching research providing details related to the world's major provincial economic situations, concentrating on the principal districts (North America, South America, Europe, and Asia-Pacific) and the crucial nations (United States, Germany, United Kingdom, Japan, South Korea, and China).

Market Segment by Type, covers: Hardware, Software Service

Market Segment by Applications, can be divided into: Financial Institution, Retail, Government, Defense Aerospace & Intelligence, Telecommunications & IT, Manufacturing, Education, Others

Market Segment by Regions, regional analysis covers: North America, Europe, Asia-Pacific, South America, Middle East and Africa

Table of Contents

Global Internet Security Market Size, Status and Forecast 2024
1 Market Overview
2 Manufacturers Profiles
3 Global Internet Security Sales, Revenue, Market Share and Competition by Manufacturer
4 Global Internet Security Market Analysis by Various Regions
5 North America Internet Security by Countries
6 Europe Internet Security by Countries
7 Asia-Pacific Internet Security by Countries
8 South America Internet Security by Countries
9 Middle East and Africa's Internet Security by Countries
10 Global Internet Security Market Segment by Types
11 Global Internet Security Market Segment by Applications
12 Internet Security Market Forecast
13 Sales Channel, Distributors, Traders and Dealers
14 Research Findings and Conclusion
15 Appendix

Get a Good Amount of Discount @ https://www.reportsintellect.com/discount-request/626744

Overview of the chapters analysing the global Internet Security Market in detail:

Reasons why you should buy this report

About Us: Reports Intellect is your one-stop solution for everything associated with marketing research and market intelligence. We tend to perceive the importance of market intelligence and its need in today's competitive world.

Our exhausting team works hard to fetch the foremost authentic research reports backed with impeccable data figures that guarantee outstanding results anytime for you.

So, whether it's the newest report from the researchers or a custom requirement, our team is here to assist you in the absolute best way.

Contact Us:

Sales@reportsintellect.com
PH + 1-706-996-2486
US Address: 225 Peachtree Street NE, Suite 400, Atlanta, GA 30303


How to prepare your business and employees for the coronavirus – Komando

The coronavirus outbreak continues to make its way across the globe and health officials are urging Americans to be vigilant and prepare for the possibility of more cases. Currently, the numbers of infected in the U.S. are few, but the situation is fluid. Calm, proactive behavior is the key to staying healthy.

Still, people across America have questions about what to do if the virus reaches their communities. With so much misinformation online, it can be tough to determine the best course of action. Tap or click to learn more about coronavirus fake news.

This is especially true for business owners and employees, who might be concerned about working in the midst of an outbreak. How do you prepare? And what does the spread of the virus mean for your business, your data and your family? Read our guide to see what tools can keep you informed and keep your digital life and business going strong.

Americans are famous for our work ethics, and many of us would rather arm ourselves with caffeine and DayQuil before heading into the office than take a sick day. But when a community disease outbreak occurs, this practice becomes a dangerous health risk to others.

Employers and employees alike should always stay home if they've got a fever, regardless of which illness they're afflicted with. If you're experiencing symptoms, it means you're likely contagious and can spread the illness to your coworkers.

One sick worker staying home is less impactful to your business than an entire sick workforce. Advise your employees to be mindful of their health, to wash their hands frequently and to cough into their elbows.

The Centers for Disease Control and Prevention also recommends businesses cross-train employees to perform other job functions. This can help keep operations going when you're short-staffed.

One of the best ways to do this is via process mapping. This means preparing detailed written guidelines and instructions for employees that would allow them to act in multiple roles at your business.

For example, if you work in publication, you could process-map the copy editing process so a writer could potentially act in the role with no issues.

Process mapping can be done informally, or you can gain certifications that will make the practice more regimented. If you're informally mapping your business processes, collaborate with your team and create shared documents everyone can access.

For a more formal certification, check out this process mapping resource from Business Enterprise Mapping and see if it fits the needs of your business.

The internet is rife with misinformation surrounding the novel coronavirus, and bad actors ranging from government-sponsored trolls to conspiracy theorists are banking on paranoia to generate clicks and profits. If you see an online claim that seems either too good or too bad to be true, it probably is.

There are several fake news stories surrounding the origins of the disease that do not line up with the established facts (or objective reality, for that matter). Be skeptical about the stories circulated by your friends on places like Facebook, especially if disease numbers increase over time.

If you're looking for an accurate, up-to-date way to track the spread of the illness, tap or click here to check out this map from Johns Hopkins University and access more detailed information.

Depending on your industry, it may be worth implementing work from home options for certain employees. Jobs with a heavy emphasis on digital work can easily transition to a home environment. And with help from the right video conferencing and security tools, it can even feel like an ordinary day at the office.

So what tools are right for a work from home setup? You'll want to look into cloud-based solutions for documents and data. Software suites like G Suite or Office 365 give you access to word processors, spreadsheets and slideshows. You can even use these programs to collaborate and share projects between employees.

G Suite is a business-oriented version of Google Drive, which includes popular cloud-based productivity software like Google Docs, Sheets and Slides. Signing up for G Suite also gives you and your employees access to cloud storage and device management for just $6 per user per month. There is also a 14-day free trial.

Users each receive a custom Gmail address to sign into that can be accessed anywhere. All employees need to do is download the Gmail app to gain access to their work emails.

This account is secured through Google, and administrators can set up features like 2FA to protect essential documents and data. Tap or click here to learn more about 2FA.

Tap Get Started in the upper right-hand corner to get G Suite for your business and fill out your contact information. If your business has specific needs you'd like to address, click Contact Sales to speak with a Google representative.

Office 365 is Microsoft's cloud-based productivity suite. It's an upgraded version of the Microsoft Office suite we're all familiar with, and it includes several features that make remote work more productive: remote access, teleconferencing and live document collaboration.

Users can access Office 365 via Microsoft accounts created by the administrator who sets up the software. The service is $8.25 per user per month for the basic package and $10 per user per month for the upgraded package that includes custom email domains and teleconferencing.

Visit the site page to choose which business account you want to activate, then follow the onscreen instructions to set up Office 365.

Next up, you'll want your employees to have secure access to their files and accounts without putting the company's data at risk. Your employees' home internet security might not be as robust as your business's, so it's a good idea to lock down your apps and system before anyone accesses them remotely.

To protect your data, you'll need security options like a VPN and password manager. This makes employee logins more secure and prevents any unauthorized traffic from piggybacking on your employees' connections. Tap or click here to find out why VPNs are so important to set up.

Look for VPNs that are strong on privacy, avoid tracking your data and let you browse anonymously. It should also be fast and capable of handling the digital side of your business.

To set up a VPN on Windows, click the start button (Windows icon at the bottom of your screen on the left). Go to Settings, then choose Network & Internet, followed by VPN from the menu on the left.

Click Add a VPN Connection, then open the drop-down arrow where it says VPN Provider and select Windows. Type in whatever name you want for your connection.

Next, type in the server name or address your VPN provided. If your VPN gives you a specific VPN type to use, choose that one; otherwise, select Automatic and let Windows 10 choose for you.

Look for User Name and Password under Type of Sign-In Info. Type in a user name and password you'll remember, then select Save to complete the setup.

To set up a VPN on a Mac, many software designers provide simple apps that will automatically set things up for you. But if you're asked to set up manually, open System Preferences by tapping the apple in the upper left corner of your screen, then select System Preferences and click Network.

Select the + symbol on the lower-left corner, tap the drop-down menu and select VPN. You'll then be prompted to add the server name or address your VPN provider gave you. Save changes to complete the setup.

If you're looking for a trustworthy VPN, our sponsor, ExpressVPN, takes a different approach to getting started. All you need to do is download an app and log in with your username and password to install the service.

You'll get a fast, secure VPN system that encrypts your traffic and protects your company from malicious actors online. Get an extra 3 months free of ExpressVPN when you sign up at ExpressVPN.com/Kim.

Now, for password managers, you'll want to look for something that can automatically generate complex passwords that can't be easily cracked. Using a strong password manager to generate employee logins will fortify your account system and make it difficult for hackers to take advantage of remote employee access.

We recommend our sponsor Roboform, since it can automatically generate strong passwords and encrypts them during storage. Tap or click here to find out more about Roboform.

Once you generate your employees' passwords, make sure they don't save them to their browsers. Internet browsers can be compromised much more easily than encrypted documents.

Of course, people can't just work from home with no direction. As an employer, you'll want to have access to your workers beyond simple phone calls and text messages. To keep the spirit of collaboration alive, video conferencing and virtual meetings are a must.

Virtual meetings can help employees feel a sense of normalcy, particularly under extraordinary circumstances. It also can help prevent mistakes and misunderstandings much better than phone calls or texts, where subtle facial expressions and intonations can be missed.

Here are some of our favorite virtual meeting tools. These include video conferencing programs, as well as business-oriented instant messaging tools for quick collaboration and discussion.

Zoom is one of the most popular virtual meeting apps on the web and includes video meetings, chat and screen-sharing features. Zoom's infrastructure lets users work without the lag and stuttering you might experience in other free software, and has the added bonus of split-screen video conferencing so you can see everyone at once, just like an in-person meeting.

Zoom's basic package is free of charge and can host up to 100 users, each of whom can hold one-on-one meetings. The Pro package is $15.00 per month per host and lets you access group meetings in split-screen mode.

More expensive packages increase the number of participants you're allowed to have, so be sure to check out the plans and packages to choose the right one for your business. Tap or click here to see more plans and packages.

Skype is a service many of us are familiar with, and it's still heavily relied upon in the business world. The free version offers one-on-one meetings and access to tools like screen sharing, but has limited cloud storage and a user cap.

Microsoft Teams, the new name for business-oriented Skype subscriptions, gives you access to larger group calls as well as live document collaboration. It's also included as part of the Office 365 suite we described earlier, or can be used as a free standalone app.

Slack is designed as an all-purpose chatting app that helps your employees stay in touch with one another. Unlike with email, you're limited to your employee network only. This is good because it keeps conversations private, encrypted and secure.

Slack offers a free version for small teams, but teams of up to 15 workers will want to upgrade to the standard version for $6.67 per user per month. Additional upgrades are available depending on the size of your team. Tap or click here to read more about Slack's plans and pricing.

Just like with Microsoft Teams, Google Hangouts is included as a part of your G Suite subscription. Functionally, it works like an instant messenger program but it only includes the members of your workgroup or business.

Google Hangouts is particularly useful due to its availability as a mobile app. If you're signed up for Hangouts, your employees can download the app to their mobile devices. This way, they'll never miss an important update from you or their coworkers.

As the disease spreads around the world, it will be up to us to keep ourselves and our loved ones healthy. By organizing your business so it can run via remote work or at a reduced capacity, you'll protect your workers as well as your profits. As the saying goes, an ounce of prevention is worth a pound of cure.

3 Things That Keep This Election Security Expert Up at Night – PCMag

SAN FRANCISCO - With voters heading to the polls later this year, securing American elections was a frequent theme at the RSA Conference, but voting machines have taken a backseat to concerns like voting rolls and the software used to report outcomes.

Aaron Wilson, Senior Director of Election Security at the Center for Internet Security (CIS), says his organization has the solution.

Election technology is more than just voting machines, Wilson explained. Electronic poll books, for example, contain lists of eligible voters, election night reporting systems, voter registration systems, and the electronic ballot delivery used by citizens living overseas. And those books have "a greater attack surface than our voting systems because [they're] internet-connected in one way or another," he said. Take the app used to report Iowa caucus results, where poor design led to a long delay in releasing the results.

Wilson has three election-related concerns he believes are likely to occur. The first is a denial of service (DoS) attack. In this scenario, attackers might flood critical websites or services with bogus requests that make them unusable. It's particularly concerning to me because you know exactly when to wage the attack," Wilson said.

Similarly, Wilson fears a ransomware attack, which could hold critical infrastructure or data hostage and throw an election into chaos. Last year was a banner year for ransomware, with hospitals and municipalities among those victimized. As with a DoS attack, the bad guys would know that if they launch the attack the day of the election, it will be much harder for officials to recover and report results.

These two attacks offer "the best return on investment for a rational attacker...and we agree that they are rational actors," Wilson said.

The last likely attack Wilson imagines is unauthorized data modification. This would include anything from website defacement to manipulation of results transmitted to an online portal. A defaced website might be used to spread disinformation, perhaps incorrect dates or voting locations. Vote totals being manipulated is a real nightmare scenario, and demonstrates how outcomes could be swayed or confidence in elections shaken without touching the voting machines or ballots.

"Election technology has always been a bit of a niche industry, and that's even more true for supporting technologies," Wilson said. Of the companies that serve this space, the largest has 40 to 50 employees. Wilson and the CIS have compiled 160 best practices, which are divided into groups ranging from easy to advanced tactics, so companies can quickly raise baseline security.

"While we geared it for technology providers we also wanted to give election officials something to read and understand," said Wilson. The goal is to teach them the right questions to ask of their technology providers and of their staff.

Companies and election organizations should, for example, set up backup communications in case established lines are disabled. During the Iowa caucuses, the backup phone number for reporting results was tied up by trolls from 4chan.

Wilson also emphasized advance planning. Individuals should know their roles in an emergency situation, for example. He also stressed that companies and election agencies should have complete system backups of their equipment and train on how to quickly access and distribute those backups.

CIS also designed a process for testing and validating systems and updates to those systems, called RABET-V. "Current voting system process doesn't support change very well," said Wilson. Change, including security patches, is expensive to deploy.

Other speakers at the RSA Conference touched on the issue of certifying voting equipment, where there are currently "disincentives to updating that equipment," said Jeffrey Rothblum, Senior Professional Staff Member on the Senate Homeland Security and Governmental Affairs Committee. The issue is that applying an update requires the equipment to be re-certified, creating a "false choice between a certified thing versus a more secure thing," Rothblum said.

With RABET-V, a system might take 2-3 months to pass an initial review, but subsequent reviews would be much faster. A RABET-V pilot program launched this month with two poll book systems, two result reporting systems, and one auditing platform, and the goal is to further refine RABET-V and make it a viable process. "We're submitting we can reduce the cost of re-verification of a system," said Wilson. "But we need to be able to prove that."

More:
3 Things That Keep This Election Security Expert Up at Night - PCMag

#RSAC: Election Security Beyond the Ballot Box – Infosecurity Magazine

There has been a lot written in recent years about election security and ensuring the integrity of voting systems. While voting machines are important, so too are non-voting election technologies, which was the topic of a session at the RSA Conference in San Francisco.

Aaron Wilson, Senior Director of Election Security at the Center for Internet Security (CIS), explained that non-voting election systems include things that support elections. Those systems include electronic poll books, election night reporting systems, voter registration systems, and electronic ballot delivery.

"There is a lot to that attack surface, but there are not a lot of standards and regulations," Wilson said.

The Center for Internet Security has developed a guide to help secure those non-voting election systems that has 160 best practices to help reduce risk and improve confidence. The overall goal, according to Wilson, isn't necessarily that every election official will do all the steps, but rather they will have a guide that provides questions to ask vendors and IT staff.

Core Recommendations

There are three key areas that Wilson suggested election officials should look at. The first is dealing with Denial of Service (DoS) risks.

"Denial of Service is concerning because you know exactly when to wage the attack against an election system," he said. "If you can take a service down in a moment of critical need it can have significant impact."

Ransomware is also a risk that election officials need to defend against. Wilson said that both DoS and ransomware attacks are essentially about availability and denying access to assets.

The third key area is something Wilson referred to as unauthorized data modification. That's a critical area for non-voting election system integrity, as an unauthorized change can throw an election into doubt.

Among the key recommendations that Wilson provided to reduce the risk of unauthorized data modification are the following:

Verifying Election Technology

Going a step beyond best practices, there is also an ongoing need to verify that systems are in fact operating as intended on a continuous basis. That's where the RABET-V: Rapid Architecture-Based Election Technology Verification framework comes into play.

"RABET-V is an election technology verification process that supports rapid product changes by design," Wilson said.

The RABET-V effort was launched in February 2020 as a pilot program and is available as an open source effort on GitHub.

"It provides a consistent basis from which approval authorities can draw information, resulting in quicker decisions and reduced, amortized overall cost," Wilson concluded.

Link:
#RSAC: Election Security Beyond the Ballot Box - Infosecurity Magazine

MacBook, iPad among billions of devices hit by Kr00k Wi-Fi security flaw – Laptop Mag

Security researchers at ESET -- a Slovakia-based internet security company -- discovered a huge security flaw that leaves billions of Wi-Fi-connected devices susceptible to data exploitation.

The cybersecurity threat, dubbed Kr00k, can allow routers to decode your encrypted Wi-Fi traffic and spy on your personal information. Devices with Broadcom and Cypress Wi-Fi chipsets, commonly found in smartphones, laptops and tablets, are primarily vulnerable to Kr00k.

After testing them itself, the internet security company ESET confirmed that the following devices are vulnerable to Kr00k:

ESET also noted that some access points from Asus and Huawei were vulnerable to cyber security attacks, too. It's important to point out that this list is not exhaustive.

Thankfully, though, users who are vulnerable to Kr00k won't be exposed to this vulnerability for long -- companies have disseminated fixes for this major security flaw.

"Patches for devices by major manufacturers have been released by now," ESET wrote. "To protect yourself, as a user, make sure you have applied the latest available updates to your Wi-Fi-capable devices, including phones, tablets, laptops, IoT devices, and Wi-Fi access points and routers."

ESET publicly presented their research findings for the first time at the 2020 RSA Conference.

Original post:
MacBook, iPad among billions of devices hit by Kr00k Wi-Fi security flaw - Laptop Mag

The Most Reliable, Free and Ad-free VPN Application You Can Use: 1.1.1.1 – Somag News

Cloudflare, one of the most experienced companies in the internet world, has turned its 1.1.1.1 DNS service into a mobile application. We explain how to use 1.1.1.1, which is free, ad-free and offers a faster connection than other applications.

For years, DNS and VPN services have come to the rescue of internet users who want a faster, freer and more secure connection. As the internet has gone mobile, more devices are connected and more information travels over internet networks. So it is only natural that we have security concerns.

Apart from that, it is not always possible to overcome internet access problems in our country or region. The IP address of the non-profit Asia Pacific Network Information Center (APNIC), 1.1.1.1, comes into play at such times. Through an agreement with Cloudflare, a leader in areas such as internet security and server services, APNIC has created one of the most reliable and useful VPN applications on the market.

So how is the 1.1.1.1 application used?

1. Download the app and open it.
2. Read and accept the terms and conditions.
3. When you come to the 1.1.1.1 screen, you will see a big button.
4. Activate this button.
5. The application will want to install a VPN profile on your phone.
6. Give approval.
7. You will see the key symbol in the notification bar.
8. This symbol means that you are connected to the VPN network.

Now you can surf the internet with unlimited VPN quota without seeing ads.

For those who have speed problems, there are 2 options in the application:

1.1.1.1: Standard VPN connection

1.1.1.1 with WARP: Second option for those with speed and privacy issues

When you activate the VPN connection for the first time in the application, you actually meet all the conditions to access sites that are blocked. Sometimes, however, some users experience a slow connection because of their connection speed and region. If this is the case, you may notice the "Enable 1.1.1.1 with WARP" feature, offered free for a more private internet, further down the screen.

You can try to increase your connection speed with the second option of the application by using the Activate button next to the warning. WARP, which Cloudflare offers as an additional feature, is said to improve the connection speed. We tried the second option for you; although it didn't always work, we found it to be much faster than other VPN apps and the standard 1.1.1.1 connection.

So what is WARP+?

The standard services of the application are quite sufficient. However, Cloudflare also offers WARP+, which is even safer and faster, to users who want it. Users can invite their friends to earn 1 GB of WARP+ connection and try this feature of the application. However, as we said, the first 2 options, which are already free, are enough for VPN seekers.

Why is 1.1.1.1 the most reliable application, and who is behind it?

Cloudflare, a US-based company, offers services related to internet security and domain servers that protect websites against DDoS attacks. Of course, since it is a private company, you may ask why it would not use the information obtained over the VPN network.

This is where the agreement that Cloudflare made, and which allows us to use the 1.1.1.1 application, comes in. The company is able to offer this application through an agreement with the non-profit organization Asia Pacific Network Information Center (APNIC). APNIC is just one of the five largest Network Information Centers in the world.

Where does the 1.1.1.1 application store our data?

Cloudflare has been a leader in trust in this area for many years, as network security is its core service. The company promises to store the data for the 1.1.1.1 application on its own servers. If you wish, you can reach the Privacy Policy page here. On the relevant page, you can clearly see what data the application has collected. Also on the map above, there are all servers owned by Cloudflare.

In the end, nothing on the internet is 100% reliable. However, 1.1.1.1 is one of the most stable and secure options on the market compared with the insecure, breach-prone, ad-supported and paid applications in the app stores. In addition, 1.1.1.1 may share your information with official authorities upon official requests from government agencies.

How to use Cloudflare 1.1.1.1 DNS on Mac and Windows computers

Windows 1.1.1.1 settings:

1. Click the Start menu.
2. Click on Control Panel.
3. Click Network and Internet.
4. Click Change Adapter Settings.
5. Right click on the Wi-Fi network (or wired network) you are connecting to.
6. Then click on the Properties tab.
7. Select Internet Protocol Version 4 (or Version 6 if desired).
8. Click Properties.
9. Click Use DNS Server Addresses below.
10. Replace these addresses with the 1.1.1.1 DNS addresses:
    For IPv4: 1.1.1.1 and 1.0.0.1
    For IPv6: 2606:4700:4700::1111 or 2606:4700:4700::1001
11. Click OK and then Close.
12. Restart your browser.

macOS 1.1.1.1 settings:

1. Open System Preferences.
2. Search for DNS Servers and select it from the drop-down menu.
3. To add a DNS server, click the + button and enter 1.1.1.1.
4. Click the + symbol again and enter 1.0.0.1.
5. Click OK and then click Apply.

How to set 1.1.1.1 DNS on your modem or router

1. Connect to your preferred wireless network.
2. Enter the IP address of your router in your browser.
3. If prompted, enter your username and password.
4. Find the DNS server settings on the configuration page of your router.
5. Type the DNS server entries, changing the required fields as follows:
   For IPv4: 1.1.1.1 and 1.0.0.1
   For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001
6. Save your settings.
7. Restart your browser.
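After following the steps above, it is worth checking what was actually typed into the DNS fields. The script below is an added example, not part of the original article: it classifies each entry against the four addresses listed in the steps, catching IPv6 entries that lost their `::` and non-Cloudflare fallback resolvers that would still receive some queries. The function names and sample entries are constructed for illustration.

```python
import ipaddress

# Cloudflare resolver addresses as listed in the steps on this page.
CLOUDFLARE = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1",
              "2606:4700:4700::1111", "2606:4700:4700::1001")
}


def classify(entry):
    """Return (status, normalized_address) for one DNS entry as typed."""
    compact = "".join(entry.split())  # drop stray spaces from copy/paste
    try:
        addr = ipaddress.ip_address(compact)
    except ValueError:
        # e.g. an IPv6 address that lost its "::" has too few groups
        return "malformed", None
    status = "cloudflare" if addr in CLOUDFLARE else "other"
    return status, str(addr)


def audit(entries):
    """Return (verdict, per-entry report) for a list of DNS entries."""
    if not entries:
        return "empty", []
    report = [(e,) + classify(e) for e in entries]
    statuses = {status for _, status, _ in report}
    if "malformed" in statuses:
        verdict = "fix-typos"   # the OS or router may reject or ignore these
    elif statuses == {"cloudflare"}:
        verdict = "ok"
    else:
        verdict = "mixed"       # some lookups go to another resolver
    return verdict, report


if __name__ == "__main__":
    # Constructed sample: what a user might have pasted into the DNS fields.
    sample = ["1.1.1.1", "192.168.1.1",
              "2606: 4700: 4700 :: 1111", "2606:4700:4700:1001"]
    verdict, report = audit(sample)
    print(verdict)
    for typed, status, normalized in report:
        print(f"{typed!r:30} {status:10} {normalized}")
```

A "mixed" verdict usually means a secondary DNS field still points at the router or ISP resolver, so part of the lookup traffic never reaches 1.1.1.1.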

Read the original post:
The Most Reliable, Free and Ad-free VPN Application You Can Use: 1.1.1.1 - Somag News

How coronavirus infected the internet – Livemint

The next time you receive an email that claims to have "important" or "urgent" information on the Wuhan novel coronavirus, exercise some caution. With almost 80,000 cases across the globe, the disease, which originated in mainland China, continues to spread. Cyber criminals, however, have been using the global coverage of the epidemic for "destroying, blocking, modifying or copying data" and interfering with computer networks.

Cyber-security firms are reporting how email attachments claiming to have information on the virus end up infecting a user's system with malware. According to cyber-threat research company Check Point Research's Global Threat Index for January, the most recent coronavirus-themed campaign targeted users in Japan. A Trojan known as Emotet was circulated through malicious email attachments. The email would appear to be from a Japanese disability welfare service provider, claiming to have information on how the infection was spreading in Japanese cities. Once the document was opened, Emotet would get downloaded.

Originally a banking Trojan used to steal financial data, Emotet is now being used to spread other malware.

Pune-based security solutions provider Quick Heal reported that hackers were using Emotet in emails that had attachment headings primarily in Japanese and other Asian languages. According to a news release from Quick Heal, attackers used current dates for the emails to make them look "very urgent". Fake email IDs of local health organizations were also used to alarm users about an outbreak in a particular region.

An additional report from Moscow-based cyber-security and antivirus provider Kaspersky explains that it detected malicious files "disguised" under the guise of .pdf, .mp4 and .docx files claiming to contain more information about the coronavirus. The names of the files indicated that they contained video instructions on how to protect oneself from the virus, further updates on the threat and virus detection procedures. The files, however, were ridden with Trojans.

See more here:
How coronavirus infected the internet - Livemint