Over the weekend, Sophos announce it had released a hotfix for Sophos XG firewalls. This hotfix patched an SQL injection attack which allowed attackers to download payloads to the device.
It looks like the hashed usernames and passwords have been stolen from the XG devices. This means all XG owners should reset the passwords for administration and any local VPN users as well.
It appears the attack was done either on the admin portal (port 4444) or the user portal (port 443). Normally the administration portal is closed on the WAN, however, it is normal practice to have the user portal exposed on the WAN.
If your firewall has been compromised, Sophos recommends these steps
Microsoft have released a new operating system designed for the small business. Wait, don’t we already have one of those?
Microsoft Server 2008 Foundation is aimed at businesses with 15 employees or less. It’s an OEM product that only comes with new machines sold by either Dell or HP (at time of writing). Another thing to note are the artificial limitations placed on the OS.
15 users maximum
Limited to 8gb of memory
At the same time it does have one benefit. It’s a very cheap Terminal Server.
The OS is upgradable to other versions of server 2008, but what is the point? I can guarentee that by the time this happens, the hardware will be out of date, or the hardware simply won’t be able to be upgraded significantly to improve the performance of the server with the upgraded operating system.
The biggest problem with Foundation is its lack of Exchange. What business operates without email these days?
I love Microsoft products, but this sounds like a knee jerk reaction to a slow uptake on Windows 2008 Small Business Server and will ultimately fail. Watch this space…
Support your fellow New Zealander and help get rid of this stupid law which comes in to effect later this month. Section 92 gives copyright holders the power to accuse people of copyright infringement without any proof! This law needs to be repelled.
Section 92 of the Copyright Amendment Act assumes Guilt Upon Accusation and forces the termination of internet connections and websites without evidence, without a fair trial, and without punishment for any false accusations of copyright infringement. We should speak out against injustices like Guilt Upon Accusation being done in the name of artists and protecting creativity.
As it turns out, Google did not develop a calendar and contacts synchronization platform all on its own. Rather, it licensed Exchange Server patents from Microsoft, in a deal that company is describing today as an “open” license
This is very important. Microsoft is now sharing protocols. Interesting to see what happens next.