By Joy Takaesu of The CPA Collective In early March, Microsoft urgently warned all on-premise Exchange Server customers to immediately update due to multiple critical security vulnerabilities known as ProxyLogon. Exchange Online was not affected. By the time the emergency patches were available, the vulnerabilities were already actively being exploited, potentially allowing attackers full access to compromised systems. Even after applying the patches, Microsoft urges customers to check for indications of compromise. Microsoft recently released a one-click mitigation tool meant to help those who have not yet been able to apply the security updates on their Exchange servers. For more details, please see Microsoft’s blogs “One-Click Microsoft Exchange On-Premises Mitigation Tool” and “Pro-
tecting on-premises Exchange Servers against recent attacks.”
number just by signing a falsified letter claiming they had authorization.
As multi-factor authentication becomes increasingly crucial to protecting accounts, more attention is being called to the security issues with using SMS as a verification method. Vice reporter Joseph Cox, in his article “A Hacker Got All My Texts for $16,” arranged with hacker
Security experts still recommend multifactor authentication, even if SMS is required. But when given the option, instead of using SMS, choose an authentication app (e.g., Authy, Duo, Microsoft Authenticator) or hardware-based authentication (e.g., YubiKey).
“Lucky225” to demonstrate a vulnerability where anyone could potentially redirect someone’s texts to their own number, without the victim’s knowledge or permission. There are legitimate services that work by redirecting SMS, but due to the lax verification process, the hacker was able to add Cox’s phone
The IRS updated its Tax Scams/Consumer Alerts website with common scams that taxpayers and professionals should be aware of, including new variations on older scams. For example, scammers may file a fraudulent return using a victim’s information, then contact the victim pretending to be the IRS and demand the refund, or they may threaten to suspend or cancel the victim’s Social Security Number unless they send payment. Scammers may use personal information gained from past breaches to try to convince victims that their claims are legitimate, including the victim’s full or partial SSN. Scammers are also attempting to reach victims through text or social media, using the IRS name and logo to craft deceptively realistic-looking messages. The IRS emphasizes that it “doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.” If you have any questions or comments, please call me at (808) 837-2517, or send e-mail to jtakaesu@thecpacollective.com.
18
KALA APRIL 2021
