Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
For those of you who are frequent readers of my monthly newsletters, you have heard me talk about setting your computers, smartphones, tablets, Internet-of-Things devices, etc. to patch themselves automatically. As long as you reboot your devices occasionally, they will take care of things without your intervention. However, Microsoft has broken that line of thinking with its May Windows operating system updates.
As usual, this month's Microsoft patches close vulnerabilities that are being actively exploited from the Internet. That means a cybercriminal group has found a hole in Windows (often in every supported version of Windows) and is using that hole to infect computers, spread ransomware attacks, and so on. This is why it's so important to patch your systems every month. The problem with Microsoft's May patches is that they contain an important fix that is not turned on by default: the code is installed, but the protection stays off until someone deliberately enables it, so even though you patched, you didn't really patch.
The issue is around how your computer starts up. There is a piece of your computer known as "firmware", and this is the link between the physical hardware that makes up your computer and the operating system, or software, that makes your computer able to do useful things like let you log into it and open other programs to use spreadsheets or look at cat videos or what have you. This firmware is commonly called the BIOS on older computers, or UEFI on newer ones. UEFI includes a feature called "Secure Boot" whose whole job is to refuse to start any boot software that is not digitally signed by a trusted party. Imagine if a cybercriminal found a way to get in underneath the operating system anyway, so that the bad guy's virus loads before Windows does. That would be bad, and that is what Microsoft is trying to fix this month.
There is a piece of malware called BlackLotus, and it is a "bootkit": it inserts itself into the boot process ahead of Windows, and it does so even when Secure Boot is enabled, by abusing an older, digitally signed Windows boot manager that Secure Boot still trusts. It has been used in the wild (meaning it has been infecting computers in the real world) since October 2022. It does not rewrite the firmware chip on your motherboard; it lives on the small EFI System Partition of your disk, which is exactly the partition that a normal Windows reinstall or "reset this PC" leaves untouched. That is why reimaging the computer with a fresh copy of Windows typically won't help: getting rid of it means wiping the EFI partition along with everything else, and until the vulnerable boot managers are revoked, the same machine can simply be reinfected. Thankfully it isn't easy to get infected with BlackLotus, as a cybercriminal needs physical access to a computer (which protects 99.999% of us from this threat) OR they need control of a computer where the account running the computer is a local administrator. This is where the "real world" threat comes in, because far, far too many users are using local administrator accounts for everyday use of their computer. This is very convenient because it lets users install their own software and hook up their own printers and change the configuration of their computer and all sorts of other things. If a user falls for a malicious email and gets their computer infected with a virus, typically the virus inherits the permissions of the user. If the user is a local administrator, so is the virus, and then BlackLotus can be installed remotely. This is bad.
Back to the Microsoft May patches. Microsoft's fix works by revoking the older, vulnerable Windows boot managers so that Secure Boot will no longer load them, but there is a big catch: anything that still boots with one of those older boot managers stops working once the revocations are applied. That includes any "bootable media" a user might use to start up their computer from, say, a USB drive or a DVD. If your computer came with a feature to return it to a "factory default" setting, that will likely no longer work after the patch is applied. If you created a "recovery drive" using Microsoft's built-in feature to do this, it won't work anymore. To make matters worse, Microsoft's own installation media won't work to rebuild a computer as of the time of this writing, but Microsoft is "working on a resolution and will provide an update in an upcoming release." Finally, turning on the BlackLotus fix requires restarting your computer twice, with a 5-minute pause between the reboots. What happens if you don't wait a full 5 minutes? I have no idea – Microsoft doesn't say why the 5-minute delay between reboots is important.
This isn't the first time that Microsoft has released an "opt-in" patch. The fix for a bug from 2013 that is still being actively exploited requires a manual change that almost no individual computer user has the skills to implement. The same thing happened with an important Windows Server patch from July 2017. It's frustrating to see how inadequate our current system of fixing known vulnerabilities in computer systems really is. On occasion, cybersecurity bugs such as BadUSB come up where there is no reasonable fix because the problem is with the hardware itself (think of this like trying to make non-flammable gasoline), but in this case, the problem is that implementing the patch breaks a lot of old ways of doing things, and even Microsoft isn't ready to help users fix the things that the patch breaks.
In the short term, turning on the BlackLotus fix feels like it could do more harm than good. Anyone who administers machines and wants to enable it should first rebuild and test their recovery media and the vendor's factory-reset option on a machine they can afford to lose, because once the revocations are in place the old media will not boot. For everyone, I would recommend NOT using a local administrator account on your PC for everyday use: with a standard account, malware you are tricked into running does not get the administrator rights BlackLotus needs to install itself. Also be sure to use a strong antivirus program and keep it up to date. Stay tuned for future developments on this issue.
Until next month, stay safe!
Upcoming Speaking Events
Here is a list of the cities that I will be in for 2023. Please feel free to reach out if you have an event in mind.
May 29th-June 2nd, Las Vegas, NV
June 16th-22nd, Dublin, Ireland
July 17th-18th, Orlando, FL
August 19th-20th, Honolulu, HI
September 1st-3rd, Eau Galle, WI
October 2nd, Brainerd, MN
October 22-24th, New Orleans, LA
Is this a good thing? "The PSTI Act gives the Secretary of State the power to specify security requirements relating to "relevant connectable products". Such products include smartphones, smart home assistants and wearable fitness trackers, and the requirements will affect..."
TCE Strategy has clients jumping all over this. If you have Cisco routers that are Internet-facing, you need to check their IOS version NOW: the first lines of the router's "show version" output tell you the software family (IOS or IOS XE) and the version. Cisco IOS 12.0-12.4 and 15.0-15.6 and IOS XE 2.2-3.17 are all vulnerable.
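If you have more than a handful of routers, checking by hand is error-prone, so here is an added example (not code from the newsletter or from Cisco) that parses the first lines of "show version" from each device and flags any whose major.minor train falls inside the ranges listed above. The hostnames and version lines in it are constructed samples, not real devices, and the ranges are taken from the text above; treat a hit as a prompt to confirm against Cisco's own advisory, not as proof.

```python
"""Flag Cisco devices whose IOS / IOS XE train falls in the ranges listed above.

Added example for this newsletter, not code from the newsletter or from Cisco.
Feed it the first lines of `show version` from each router (captured by SSH,
pasted from a console, or exported from an inventory tool); the hostnames and
version lines below are constructed samples, not real devices.
"""
import re

# Inclusive (major, minor) ranges exactly as stated in the text above.
# Treat a hit as "go and confirm against Cisco's advisory", not as proof.
VULNERABLE_TRAINS = {
    "IOS": [((12, 0), (12, 4)), ((15, 0), (15, 6))],
    "IOS XE": [((2, 2), (3, 17))],
}

# Matches the software line of `show version`, e.g.
#   "Cisco IOS Software, C2900 Software (...), Version 15.4(3)M6, RELEASE SOFTWARE (fc1)"
#   "Cisco IOS XE Software, Version 03.16.04.S - Extended Support Release"
# IOS XE devices print their IOS XE line first and an IOSd "Cisco IOS Software ...
# Version 15.5(3)S4" line after it, so the first match is the one that matters.
_VERSION_RE = re.compile(r"Cisco (IOS XE|IOS) Software.*?Version\s+(\d+)\.(\d+)")


def parse_show_version(text):
    """Return (family, major, minor) from `show version` text, or None if not found."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return match.group(1), int(match.group(2)), int(match.group(3))


def is_in_vulnerable_train(family, major, minor):
    """True if major.minor sits inside one of the listed ranges for that family."""
    train = (major, minor)
    return any(low <= train <= high for low, high in VULNERABLE_TRAINS.get(family, []))


def assess(hostname, show_version_text):
    """Classify one device; 'vulnerable' is None when the version could not be parsed."""
    parsed = parse_show_version(show_version_text)
    if parsed is None:
        return {"host": hostname, "family": None, "train": None, "vulnerable": None}
    family, major, minor = parsed
    return {
        "host": hostname,
        "family": family,
        "train": f"{major}.{minor}",
        "vulnerable": is_in_vulnerable_train(family, major, minor),
    }


def assess_inventory(inventory):
    """Run assess() over {hostname: show_version_text}, sorted by hostname."""
    return [assess(host, text) for host, text in sorted(inventory.items())]


# Constructed sample output (first lines of `show version`), not captured from real routers.
SAMPLE_INVENTORY = {
    "edge-rtr-1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
                  "Version 15.4(3)M6, RELEASE SOFTWARE (fc1)\n",
    "edge-rtr-2": "Cisco IOS XE Software, Version 03.16.04.S - Extended Support Release\n"
                  "Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), "
                  "Version 15.5(3)S4, RELEASE SOFTWARE (fc1)\n",
    "edge-rtr-3": "Cisco IOS XE Software, Version 16.09.04\n"
                  "Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), "
                  "Version 16.9.4, RELEASE SOFTWARE (fc2)\n",
    "edge-rtr-4": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
                  "Version 15.7(3)M3, RELEASE SOFTWARE (fc2)\n",
    "edge-rtr-5": "Connection timed out\n",  # unreachable device: reported, never silently skipped
}


if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "ok", None: "UNKNOWN - check manually"}
    for result in assess_inventory(SAMPLE_INVENTORY):
        print(f"{result['host']:<12} {result['family'] or '-':<7} "
              f"{result['train'] or '-':<6} {labels[result['vulnerable']]}")
```

The unparseable entry is deliberate: a device you could not reach or whose output you could not parse is reported as UNKNOWN rather than dropped, because on an Internet-facing router "we didn't check" is not the same as "not vulnerable".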
Cybersecurity Tip of the Month
Lock Screen Settings
Spending more time working from the office? Is springtime finding you working in your favorite coffee shop more often? Here are some tips for good practices around securing your devices with your lock screen. Consider locking your workstation whenever you are going to be away from it—there are keyboard shortcuts to do this quickly on both Macs and Windows computers and the time it takes to log back in is well worth the added layer of security.
-Windows: There are a couple of quick and easy ways to lock Windows from your keyboard. You can press Ctrl+Alt+Del; a screen of options appears, and you click "Lock". An even quicker way is to press the Windows key and L at the same time, which locks the computer instantly. Other settings worth enabling are Windows Hello facial recognition or fingerprint sign-in (if your computer supports it), a strong PIN of at least 6 digits (a Windows Hello PIN only works on that one device, which is why it can be shorter than a password), a strong password for your account, and a setting to lock after a short period of inactivity. Windows can also lock automatically when you walk away: "Dynamic lock" locks the PC when your paired phone's Bluetooth goes out of range, and some newer laptops with a presence sensor can lock when they no longer see you in front of them.
-Mac: First, check your settings and make sure your Mac requires a password immediately after it goes to sleep or the screen saver starts. You can lock the screen instantly with Ctrl+Cmd+Q (be careful not to press Cmd+Q on its own, as that quits the application you are using, which could be a problem if you have unsaved work). You can also go to the Apple menu and choose Lock Screen. Macs do not have facial recognition, but if yours has Touch ID, enable it; combined with a strong login password and a setting to lock after a short period of inactivity, that provides the same kind of protection.
-iPhone/iPad: iPhones and iPads can be locked instantly with the side button (or the top button on some models). Again, be sure to enable Face ID or Touch ID if your device has it, and use a passcode of at least 6 digits (a longer alphanumeric passcode is better still) rather than a 4-digit one. Also check your settings so that auto-lock kicks in after a few minutes of inactivity at most.