Microsoft addresses Azure flaw, advice on configuring VPNs, Eduroam WiFi issue and more.

Welcome to Cyber Security Today. It’s Friday October 1st. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.

Security experts urge organizations to use cloud applications as much as possible to avoid being victimized by not patching on-premise software. However, cloud apps can have other weaknesses. A report this week from Secureworks says its researchers discovered a flaw in Microsoft’s Azure Active Directory service for single-sign-on. Single sign-on allows users to automatically log into Azure Active Directory when they log into a company computer. The flaw, which has been fixed, could have allowed an attacker to successfully launch an undetected brute force password attack on the cloud service. Initially Microsoft said it wasn’t a flaw. However, the day after the Secureworks blog was published Microsoft took action.

Two lessons: Cloud services aren’t perfect, and IT administrators have to make sure employees use different passwords for each of their internet services to avoid being victimized by stolen password attacks.

Since an increasing number of employees began working from home because of the pandemic IT departments have been rushing to install virtual private network devices, or VPNs. These allow staff to securely connect to the office. However, threat actors have been leveraging vulnerabilities in these devices to break into corporate systems. This week U.S. government cybersecurity agencies issued a paper on how to chose and harden VPNs. There’s a link to it here.

In July I told you about an investigation by Amnesty International into the use by some governments of commercial spyware called Pegasus to go after reporters and activists. Threat actors are capitalizing on this. According to researchers at Cisco Systems’ Talos threat intelligence service, someone has set up a fake Amnesty International web page that offers an anti-virus tool to protect devices against Pegasus. However, this fake tool really installs malware. The campaign is aimed at taking advantage of people’s fears about technology. If you want to go to a real Amnesty International site, use a search engine and not a link someone has sent by email or text.

Movie theatre cash registers went wild yesterday at the launch of the new James Bond movie, No Time to Die. Unfortunately crooks hope to cash in, too. Cybersecurity firm Kaspersky warns that there are lots of phony websites streaming what they claim is the film. What they really do is spread malware to steal victims’ data and bank passwords. Scams like this always emerge around big movie, concert or sports events. Don’t die on your eagerness to get a deal.

Universities and colleges around the world using the Eduroam WiFi network could be putting their students, teachers and researchers at risk. That’s according to a cybersecurity company called Wizcase. Its report says a simple network misconfiguration could allow hackers to spoof the network with a lookalike name and capture peoples’ login usernames and passwords. The problem is a wrong configuration decision made by network administrators. As a result, if users’ Windows or Android devices are set to automatically connect to the WiFi network they could unwittingly log onto a fake network. This is particularly possible if people ignore a popup warning that something is wrong and go ahead and log into the network anyway.

Wizcase notified Eduroam nine months ago about this, so universities have had lots of time to correct the problem. If the WiFi hotspot at the institution you attend uses Eduroam, find out if the network has been modified. If not, disable the autoconnect feature to the Eduroam access point.

One lesson is that providers of any service or product have to give clear instructions to customers on how to securely configure what they use.

Finally, later today the Week in Review podcast will be available. This edition features a discussion with Dinah Davis of Arctic Wolf about Cyber Security Awareness Month, which starts today.

Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

This content was originally published here.