CISA published a new advisory warning organizations about China-based, state-sponsored cyber-attacks
Daily Archives: June 8, 2022
CVE-2020-14125
A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service.
#RSAC: How the US Government and Industry Work Together to Stop Cyber-Attacks
Government and law enforcement officials joined with Microsoft outlined how they took down the most impactful nation-state attackers
So Many CVEs, So Little Time: Zero In and ‘Zero Click’ into the Current Vulnerability Landscape
Among the thousands of vulnerabilities disclosed so far in 2022, we highlight five and explain why they matter.
With over 6,000 vulnerabilities disclosed this year, cyber security teams have faced, as usual, a challenge to keep up, especially as a number of these software bugs have captured significant media attention. In this article, we’ll provide guidance and clarity on five vulnerabilities that gained the spotlight in the news to help you better understand why they had an impact and why they all should be on your radar screen. As you will read, these vulnerabilities share common traits, and a closer examination of them offers insights into the breadth and depth of the current vulnerability landscape.
CVE
Description
VPR*
Google Javascript V8 Chrome Engine Vulnerability
9.5**
Dirty Pipe – Linux Kernel Vulnerability
9.8**
Zero-click – Microsoft RPC Vulnerability
9.6**
Spring4Shell – Spring Core Framework Vulnerability
9.8
F5 BIG-IP Vulnerability
9.7
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 8 and reflects VPR at that time.
** Tenable’s Vulnerability Priority Rating (VPR) scores were first made available for the CVE ahead of National Vulnerability Database (NVD) original details disclosure date.
Note: We refer in this blog post to “ahead of NVD” as the various actions that Tenable took before details for a given vulnerability were made available by NVD. Specifically:
Ahead of NVD coverage – Tenable released a plugin for the first time before NVD published any details for the CVE.
Ahead of NVD VPR – Tenable provided VPR scores before NVD scored the CVE and provided related CVSS v2/v3 scores.
Zero in: Vulnerability Prioritization
A VPR/CVSS v3 comparison is summarized in the table below for the considered vulnerabilities.
CVE
NVD Disclosure Date
VPR
NVD CVSS v3 score
CVE-2022-1096
N/A
9.6
(as of blog post publication date)
N/A
CVE-2022-0847
March 10, 2022
9.4
(as of March 9, 2022)
7.8
CVE-2022-26809
April 15, 2022
9.2
(as of April 14, 2022)
9.8
CVE-2022-22965
April 1, 2022
9.5
(as of April 1, 2022)
9.8
CVE-2022-1388
May 5, 2022
9.2
(as of May 6, 2022)
9.8
As you will read in more detail in the remainder of the blog post, Tenable provided VPR coverage ahead of NVD for most of the critical vulnerabilities highlighted to help prioritize Vulnerability Management discoveries.
CVE-2022-1096 | Google Chrome
Highlights: Ahead of NVD VPR / Ahead of NVD Coverage / Zero-day Vulnerability / Exploited in the Wild
On March 23, Google announced a zero-day vulnerability in the Google JavaScript V8 Chrome engine potentially impacting billions of users. Reserved with the CVE-2022-1096 identifier on the NVD, it is a type-confusion vulnerability affecting Chrome’s core.
As Google reported, it has been confirmed that this security flaw has been exploited in the wild. Upon successful exploitation, the security flaw allows attackers to execute arbitrary code on the affected asset.
Although the vulnerability was publicly disclosed by Google, its details haven’t yet been published in the NVD, whilst having a VPR score of 9.5 (as of the date of publication of this blog post). Tenable also provided Nessus plugin coverage ahead of NVD as of March 25.
Exploitation and how Tenable helps
As of today, there are no public proof-of-concept (PoC) exploits available, although the vulnerability has been exploited in the wild. Google released an emergency update with a security fix in Chrome 99.0.4844.84. A patch is also available for Chromium-based Microsoft Edge. Other Chromium-based browsers include Opera, Samsung Internet and Amazon Silk to mention some. Recommended action: update as per availability.
CVE-2022-0847 | Linux Kernel
Highlights: Ahead of NVD VPR / Ahead of NVD Coverage
Reported on February 20 and reserved in the NVD as CVE-2022-0847, this vulnerability also known as Dirty Pipe affects the Linux kernel 5.8, and allows attackers to overwrite data in arbitrary read-only files upon successful exploitation.
Although it was disclosed in the NVD on March 10, Tenable provided ahead of NVD plugin coverage as of March 7. Also worth noting is that a VPR of 9.8 better reflects the need of consideration for prioritization of this vulnerability in contrast to using CVSS v2 and v3 scores as per NVD, which are 7.2 and 7.8 respectively.
Exploitation and how Tenable helps
A PoC exploit for this vulnerability has been released and a patch is available for this vulnerability.
CVE-2022-26809 | Microsoft
Highlights: Ahead of NVD VPR / Ahead of NVD Coverage / Zero-Click
With more than a million potentially impacted machines, this vulnerability is likely eliciting bad WannaCry memories among many security teams.
On April 12, Microsoft announced a remote code execution (RCE) vulnerability affecting Microsoft RPC. Reserved as CVE-2022-26809 in the NVD, this vulnerability, known as “Zero Click,” allows an unauthenticated, remote attacker to perform a remote code execution by sending “a specially crafted RPC call to an RPC host”. Zero Click attacks can compromise a device without the owner’s actions such as opening links or downloading apparently legitimate files. Such attacks are sophisticated and completely bypass user interaction.
The vulnerability was added to the NVD on April 15. Tenable provided ahead of NVD plugin coverage on April 12.
Exploitation and how Tenable helps
On April 20, Microsoft provided guidance for mitigation. A patch is available for this vulnerability. Worth noting that on the day of releasing this article, this vulnerability has not been exploited and no PoC exploit has been made available yet. For more information on this vulnerability and Tenable product coverage, check out our Microsoft Patch Tuesday alert from Tenable Research.
CVE-2022-22965 | Spring Core Framework
Highlights: Ahead of NVD Coverage / Zero-day Vulnerability
Discovered on March 30, this vulnerability is better known as Spring4Shell. Reserved as CVE-2022-22965 in the NVD, it is an RCE vulnerability affecting the Spring Core Framework.
It was disclosed in the NVD on April 1st. Tenable provided ahead of NVD plugin coverage as of March 31.
Exploitation and how Tenable helps
Exploit for this vulnerability is known and there’s a patch available. For more information on this vulnerability and Tenable product coverage, read our Cyber Exposure Alert from the Tenable Security Response Team.
CVE-2022-1388 | F5 BIG-IP
Highlights: CISA-Known Exploit / Exploited in the Wild
Announced on May 4 and reserved as CVE-2022-1388 in the NVD, this authentication bypass vulnerability affects the REST component of BIG-IP’s iControl API. This vulnerability allows undisclosed requests to possibly bypass iControl REST authentication.
Exploitation and how Tenable helps
A PoC has been released for this vulnerability and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of known exploited vulnerabilities. A list of Tenable plugins to identify this vulnerability can be found here. A patch is available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team.
Conclusion
This article provided awareness of some critical vulnerabilities that security teams should have pinned on their maps, as they pursue proper and proactive cyber hygiene in their IT environments.
These five vulnerabilities are admittedly only the tip of the overall vulnerabilities iceberg, but they represent the variety of challenges and complexities in the current vulnerability landscape. They are examples of critical vulnerabilities that a proactive security team must be aware of and prepared for so that they can protect their organizations from attacks.
Indeed, the highlighted vulnerabilities do not have the same impact across the board and the nature, concerns and remediation complexity of each of them varies wildly, from the insider threat concern behind Dirty Pipe to critical bug fixes where a patch can be easily applied. Other cases, such as the Linux kernel vulnerability, might require significant downtime. These are all elements that we suggest you factor into your remediation approach.
It is worth mentioning how Tenable provided VPR scores and plugin coverage ahead of NVD coverage for most of the highlighted vulnerabilities. To shed some light on the area: the process of defining vulnerabilities in the NVD can be a lengthy one due to its by-design formalization rules. At Tenable, we aim to offer a proactive approach to vulnerability management and fast-response detection and we advise that you do too.
Learn More
Download Tenable’s 2021 Threat Landscape Retrospective
Attend the webinar: Tenable Research 2021 Recap and Defender’s Guidance for 2022
Read the blogs:
https://www.tenable.com/blog/the-2021-threat-landscape-retrospective-targeting-the-vulnerabilities-that-matter-most
https://www.tenable.com/blog/behind-the-scenes-how-we-picked-2021s-top-vulnerabilities-and-what-we-left-out
Follow our Cyber Exposure Alerts
How to Know If Your Mobile Finance Apps Are Safe
Mobile banking and finance apps have become increasingly popular in recent years. These apps provide a quick and convenient way to see checking and savings account balances and make and receive payments.
It’s no surprise that many people use these third-party apps to manage their finances. In 2021, the U.S. saw 573.1 million finance app downloads, a 19% increase from the previous year.
However, despite its benefits, mobile banking isn’t immune to risks. This article will discuss the safety and security of mobile finance apps and give you a few pointers to protect yourself while using these apps.
Is mobile banking safe?
Yes, mobile banking is a pretty safe way to manage your finances; however, there can still be some risks associated with it, including fraud and scams.
If you’re careful, there are plenty of ways to protect yourself while using this incredibly easy banking method.
6 tips to improve mobile finance app security
Here are a few tips to help you improve the safety of your online financial accounts.
Ensure you’re downloading the official app
A bank’s website will often include links to their mobile apps that provide related mobile banking services, along with details about the app’s features and how users can use it. You should use a trusted platform when installing the app, like the App Store for iPhone or iOS users or the Google Play Store for Android users.
You should also take time to go through reviews and related information about the app before downloading it to ensure its legitimacy. If you have any doubts, clarify the issue with your bank before downloading what could be a fake banking app.
Set a strong password
While this may seem obvious, the reality is that many people don’t pay enough attention to their passwords. To create a strong password, you should use a combination of uppercase and lowercase letters, numbers, and special characters in no particular order or pattern.
In addition, security experts recommend long, complex passwords to exponentially increase the time it takes to crack them. It also helps to have unique passwords for each of your accounts.
If you’re concerned about remembering and managing multiple passwords, you can use a reputable and secure password manager like McAfee True Key to store your passwords.
Use two-factor authentication when possible
Many services nowadays offer two-factor or multifactor authentication. This function refers to the additional layers of security against hackers. On top of a traditional username-password login, users are required to identify themselves with a code that’s sent to their cellphone or email.
By confirming the user’s identity this way, organizations eliminate a degree of uncertainty. While it isn’t foolproof, two-factor or multifactor authentication helps increase security. It’s worth checking if your finance app offers this feature.
Avoid public Wi-Fi when using finance apps
Public Wi-Fi networks are convenient in urgent situations; however, they often come with a warning saying the network is unsecured. This means that the network is unencrypted, making it easy for hackers to access your personal information. The best practice is to avoid using public Wi-Fi networks, especially when carrying out any form of financial transaction.
If you need to make purchases or send and receive money while on the move, though, you’ll want to consider a virtual private network (VPN) like McAfee Secure VPN. The VPN provides a secure network even when using public Wi-Fi by hiding your IP address and encrypting your data.
Get email/text alerts for potential fraud
The easiest way to protect your finances is to keep a vigilant eye on all of your transactions. However, security notifications from your bank are a great added measure. Most credit card companies allow you to turn on transaction alerts for various services, such as balance transfer requests, international purchases, and exceeded credit limits, which can help you recognize any suspicious activity on your account.
It’s also important to remember that financial institutions will never contact you over the phone or through email to ask for your banking information. If you receive such a message, it’s most certainly a scam. A common way people get duped is through calls or emails claiming they’ve won a prize and need to share personal account details to receive the money. Never share your bank account details, passwords, or one-time codes with strangers.
Always check with your bank to confirm any activity that seems out of the ordinary. In addition to alert notifications, banks can also send helpful tips to protect your account against fraud.
Use McAfee Security for Mobile
McAfee Security for Mobile is an award-winning cybersecurity tool that helps address the issues mentioned above and more. It’ll scan your device for malware, suspicious websites, and unsecured Wi-Fi networks so you can use social media or shop online with complete peace of mind.
It also comes with other features, like system cleaning services that clean junk from your phone’s storage. These features can boost battery life and help locate your phone if it’s ever stolen or misplaced.
Are mobile banking apps as safe as online banking?
Mobile and online banking both have their benefits and drawbacks, but which is the safer option? Experts often have varied opinions on the matter.
Some people believe it might be easier to download malware on a computer unknowingly, as it’s tricky to judge the authenticity of a website or malicious links. Users typically download apps from reputed app stores when using mobile devices, which lowers the risk.
On the other hand, professionals believe that both methods are equally safe. The choice depends on the network available to the user, as private networks are significantly less susceptible to hacking than public ones. Some users may prefer computers to mobile phones simply because they find it easier to perform tasks on a bigger screen.
See how McAfee Security for Mobile keeps your device safe
Both internet and mobile banking are convenient and offer a quick way to manage your personal finances, as you don’t have to travel to a physical bank or carry large amounts of cash in your wallet.
However, while mobile banking is generally considered a safe method of managing your finances, it can have some vulnerabilities that scammers may try to take advantage of.
Following the tips mentioned above — like using a private network, not sharing personal details with anyone, and using a comprehensive mobile security tool like McAfee Security for Mobile — can make all the difference.
The tool’s security features include safe browsing, a secure VPN, and antivirus software. This means you can use your mobile finance apps confidently knowing McAfee is looking out for you.
The post How to Know If Your Mobile Finance Apps Are Safe appeared first on McAfee Blog.
Wedding Planning App Users Hacked Before the Big Day
Say you’re getting married. You and your partner have booked the venue, made the seating arrangements, trained your dog to be the ring bearer – and everything is running smoothly. You’ve used a trusty wedding planning website to make everything a breeze. Nothing could ruin this day for you! Except, there’s an uninvited guest. They’re not crashing the wedding and making an awkward toast, but they’ve crashed into your wedding planning website account and now have access to your information.
There are many things that could go wrong during wedding planning – some of them out of anyone’s control. Maybe the caterer canceled last minute, or the live band is stuck in traffic. Other things may be easily avoided, but you don’t necessarily see them coming. Like a hacker accessing your wedding website and making fraudulent bank transfers right before your big day.
The Wedding Crasher
Zola, a wedding planning site allowing couples to create websites, budgets, and gift registries, confirmed that hackers had managed to access the accounts of some of their users, The Verge reported. Once these accounts were infiltrated, hackers used the linked bank accounts or funds held inside the site to make cash transfers. The main method these cybercriminals used was purchasing gift cards through the user’s account and sending them to their email addresses to avoid being easily traced.
These criminals did not hack the Zola website itself but hacked their users’ accounts with a method called credential stuffing. This is a strategy where hackers take email and password combinations involved in previous breaches of other websites and use them to log into other online profiles.
You may not even know that your information had been breached previously and that cybercriminals now had your logins for a number of different accounts. Luckily, there are ways to protect yourself and your information from credential stuffing tactics to stop hackers in their tracks.
Tell Credential Stuffing to Go Stuff It
Just because you’ve hypothetically grown up and are ready for lifelong commitments doesn’t mean you’ve outgrown those old trusty email addresses and passwords (hello, “basketball4life23”). There’s a level of nostalgia that comes with using the email account that you made in middle school, or maybe you just haven’t gotten around to changing it. However, keeping those old email addresses and logins are doing you more harm than good. Want to make sure that hackers aren’t able to credential stuff your accounts? Here are some trusty tips to keep your information safe.
Track down and close old accounts
The best way to know that your old accounts aren’t coming back to haunt you is to make sure those ancient logins are dead and gone. If you don’t remember all the accounts you’ve made and no longer use, don’t sweat it! There are settings through your internet browser that will show you all the accounts and passwords you have saved. A password manager also keeps track of all your credentials, so you don’t have to wrack your brain to try and remember every account you’ve ever made. Once you’ve gone through all your old online accounts you no longer use, close them for good! Though this step will require some time and patience, it’s always better to put in the effort and know your information is safe than to risk it.
Create strong and unique passwords
Only having to remember one password for every account may make logging in easier, but ensuring that each of your accounts is unique and secure is worth the extra effort. Having a strong and unique password for each of your accounts helps protect them from credential stuffing and other threats. Varying your passwords across online accounts will assure you that if one of them is breached, the others will remain safe. A password manager can also help with this step, because many of them, such as True Key, can generate strong, random, and unique passwords for every account.
Update credentials when necessary
Keep an eye out to make sure that if a website or company you have an account with is breached, you are updating your credentials so that hackers can’t access them. If you see that there has been a hack and your information is vulnerable, immediately update your logins and passwords on that account to keep yourself safe.
Use multifactor authentication
Using multifactor authentication adds an extra layer of protection to your accounts. This safety measure requires more than one method of identity verification to access the account, helping to prevent criminals from gaining access to your password-protected information.
Don’t let cybercriminals get the jump on you! Take the necessary steps to protect your accounts and your personal information. Though combing through your old accounts and deleting them or coming up with a new and unique password for every site login isn’t a glamourous activity, you’ll enjoy greater peace of mind that your accounts are safe, leaving you free to enjoy life’s best moments.
The post Wedding Planning App Users Hacked Before the Big Day appeared first on McAfee Blog.
How to Recognize an Online Scammer
The great thing about the internet is that there’s room for everyone. The not-so-great part? There’s plenty of room for cybercriminals who are hungry to get their hands on our personal information.
Fortunately, internet scams don’t have to be a part of your online experience. In this article, we’ll tell you about some of the most common internet schemes and how you can recognize them to keep your identity safe.
5 tips to help you recognize an online scam
Scams are scary, but you can prevent yourself from falling for one by knowing what to look for. Here are a few tell-tale signs that you’re dealing with a scammer.
They say you’ve won a huge prize
If you get a message that you’ve won a big sum of cash in a sweepstakes you don’t remember entering, it’s a scam. Scammers may tell you that all you need to do to claim your prize is send them a small fee or give them your banking information.
When you enter a real sweepstakes or lottery, it’s generally up to you to contact the organizer to claim your prize. Sweepstakes aren’t likely to chase you down to give you money.
They want you to pay in a certain way
Scammers will often ask you to pay them using gift cards, money orders, cryptocurrency (like Bitcoin), or through a particular money transfer service. Scammers need payments in forms that don’t give consumers protection.
Gift card payments, for example, are typically not reversible and hard to trace. Legitimate organizations will rarely, if ever, ask you to pay using a specific method, especially gift cards.
When you have to make online payments, it’s a good idea to use a secure service like PayPal. Secure payment systems can have features to keep you safe, like end-to-end encryption.
They say it’s an emergency
Scammers may try to make you panic by saying you owe money to a government agency and you need to pay them immediately to avoid being arrested. Or the criminal might try to tug at your heartstrings by pretending to be a family member in danger who needs money.
Criminals want you to pay them or give them your information quickly — before you have a chance to think about it. If someone tries to tell you to pay them immediately in a text message, phone call, or email, they’re likely a scammer.
They say they’re from a government organization or company
Many scammers pretend to be part of government organizations like the Internal Revenue Service (IRS). They’ll claim you owe them money. Criminals can even use technology to make their phone numbers appear legitimate on your caller ID.
If someone claiming to be part of a government organization contacts you, go to that organization’s official site and find an official support number or email. Contact them to verify the information in the initial message.
Scammers may also pretend to be businesses, like your utility company. They’ll likely say something to scare you, like your gas will be turned off if you don’t pay them right away.
The email is littered with grammatical errors
Most legitimate organizations will thoroughly proofread any copy or information they send to consumers. Professional emails are well-written, clear, and error-free. On the other hand, scam emails will likely be full of grammar, spelling, and punctuation errors.
It might surprise you to know that scammers write sloppy emails on purpose. The idea is that if the reader is attentive enough to spot the grammatical mistakes, they likely won’t fall for the scam.
8 most common online scams to watch out for
There are certain scams that criminals try repeatedly because they’ve worked on so many people. Here are a few of the most common scams you should watch out for.
Phishing scams
A phishing scam can be a phone or email scam. The criminal sends a message in which they pretend to represent an organization you know. It directs you to a fraud website that collects your sensitive information, like your passwords, Social Security number (SSN), and bank account data. Once the scammer has your personal information, they can use it for personal gain.
Phishing emails may try anything to get you to click on their fake link. They might claim to be your bank and ask you to log into your account to verify some suspicious activity. Or they could pretend to be a sweepstakes and say you need to fill out a form to claim a large reward.
During the coronavirus pandemic, new phishing scams have emerged, with scammers claiming to be part of various charities and nonprofits. Sites like Charity Navigator can help you discern real groups from fake ones.
Travel insurance scams
These scams also became much more prominent during the pandemic. Let’s say you’re preparing to fly to Paris with your family. A scammer sends you a message offering you an insurance policy on any travel plans you might be making. They’ll claim the policy will compensate you if your travel plans fall through for any reason without any extra charges.
You think it might be a good idea to purchase this type of insurance. Right before leaving for your trip, you have to cancel your plans. You go to collect your insurance money only to realize the insurance company doesn’t exist.
Real travel insurance from a licensed business generally won’t cover foreseeable events (like travel advisories, government turmoil, or pandemics) unless you buy a Cancel for Any Reason (CFAR) addendum for your policy.
Grandparent scams
Grandparent scams prey on your instinct to protect your family. The scammer will call or send an email pretending to be a family member in some sort of emergency who needs you to wire them money. The scammer may beg you to act right away and avoid sharing their situation with any other family members.
For example, the scammer might call and say they’re your grandchild who’s been arrested in Mexico and needs money to pay bail. They’ll say they’re in danger and need you to send funds now to save them.
If you get a call or an email from an alleged family member requesting money, take the time to make sure they’re actually who they say they are. Never wire transfer money right away or over the phone. Ask them a question that only the family member would know and verify their story with the rest of your family.
Advance fee scam
You get an email from a prince. They’ve recently inherited a huge fortune from a member of their royal family. Now, the prince needs to keep their money in an American bank account to keep it safe. If you let them store their money in your bank account, you’ll be handsomely rewarded. You just need to send them a small fee to get the money.
There are several versions of this scam, but the prince iteration is a pretty common one. If you get these types of emails, don’t respond or give out your financial information.
Tech support scams
Your online experience is rudely interrupted when a pop-up appears telling you there’s a huge virus on your computer. You need to “act fast” and contact the support phone number on the screen. If you don’t, all of your important data will be erased.
When you call the number, a fake tech support worker asks you for remote access to your device to “fix” the problem. If you give the scammer access to your device, they may steal your personal and financial information or install malware. Worse yet, they’ll probably charge you for it.
These scams can be pretty elaborate. A scam pop-up may even appear to be from a reputable software company. If you see this type of pop-up, don’t respond to it. Instead, try restarting or turning off your device. If the device doesn’t start back up, search for the support number for the device manufacturer and contact them directly.
Formjacking and retail scams
Scammers will often pose as popular e-commerce companies by creating fake websites. The fake webpages might offer huge deals on social media. They’ll also likely have a URL close to the real business’s URL but slightly different.
Sometimes, a criminal is skilled enough to hack the website of a large online retailer. When a scammer infiltrates a retailer’s website, they can redirect where the links on that site lead. This is called formjacking.
For example, you might go to an e-commerce store to buy a jacket. You find the jacket and put it in your online shopping cart. You click “check out,” and you’re taken to a form that collects your credit card information. What you don’t know is that the checkout form is fake. Your credit card number is going directly to the scammers.
Whenever you’re redirected from a website to make a payment or enter in information, always check the URL. If the form is legitimate, it will have the same URL as the site you were on. A fake form will have a URL that’s close to but not exactly the same as the original site.
Scareware scams (fake antivirus)
These scams are similar to tech support scams. However, instead of urging you to speak directly with a fake tech support person, their goal is to get you to download a fake antivirus software product (scareware).
You’ll see a pop-up that says your computer has a virus, malware, or some other problem. The only way to get rid of the problem is to install the security software the pop-up links to. You think you’re downloading antivirus software that will save your computer.
What you’re actually downloading is malicious software. There are several types of malware. The program might be ransomware that locks up your information until you pay the scammers or spyware that tracks your online activity.
To avoid this scam, never download antivirus software from a pop-up. You’ll be much better off visiting the website of a reputable company, like McAfee, to download antivirus software.
Credit repair scams
Dealing with credit card debt can be extremely stressful. Scammers know this and try to capitalize off it. They’ll send emails posing as credit experts and tell you they can help you fix your credit or relieve some of your debt. They might even claim they can hide harmful details on your credit report.
All you have to do is pay a small fee. Of course, after you pay the fee, the “credit expert” disappears without helping you out with your credit at all. Generally, legitimate debt settlement firms won’t charge you upfront. If a credit relief company charges you a fee upfront, that’s a red flag.
Before you enter into an agreement with any credit service, check out their reputation. Do an online search on the company to see what you can find. If there’s nothing about the credit repair company online, it’s probably fake.
What can you do if you get scammed online?
Admitting that you’ve fallen for an online scam can be embarrassing. But reporting a scammer can help stop them from taking advantage of anyone else. If you’ve been the victim of an online scam, try contacting your local police department and filing a report with the Federal Trade Commission (FTC).
Several other law enforcement organizations handle different types of fraud. Here are a few examples of institutions that can help you report scams.
The National Center for Disaster Fraud (NCDS) handles fake scams involving natural disasters and other national crises.
The Internet Crime Complaint Center (IC3) handles scams involving malware, fake websites, and fraudulent emails.
You can report international scams through econsumer.gov.
You can report Social Security scams through the Office of the Inspector General website.
You can report scammers who pretend to be the IRS through the Treasury Inspector General for Tax Administration website.
You can report tax-related identity fraud to the IRS.
Discover how McAfee can keep you and your info safe online
Fraudsters shouldn’t stop you from enjoying your time online. Just by learning to spot an online scam, you can greatly strengthen your immunity to cybercrimes.
For an even greater internet experience, you’ll want the right tools to protect yourself online. McAfee’s Total Protection services can help you confidently surf the web by providing all-in-one protection for your personal info and privacy. This includes identity protection — which comes with 24/7 monitoring of your email addresses and bank accounts — and antivirus software to help safeguard your internet connection.
Get the peace of mind that comes with McAfee having your back.
The post How to Recognize an Online Scammer appeared first on McAfee Blog.
golang-1.18.3-1.fc36
FEDORA-2022-c73d08129f
Packages in this update:
golang-1.18.3-1.fc36
Update description:
go1.18.3 includes security fixes to the crypto/rand, crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the compiler, and the crypto/tls and text/template/parse packages.
USN-5472-1: FFmpeg vulnerabilities
It was discovered that FFmpeg would attempt to divide by zero when using Linear
Predictive Coding (LPC) or AAC codecs. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-20445, CVE-2020-20446,
CVE-2020-20453)
It was discovered that FFmpeg incorrectly handled certain input. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-20450)
It was discovered that FFmpeg incorrectly handled file conversion to APNG
format. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-21041)
It was discovered that FFmpeg incorrectly handled remuxing RTP-hint tracks.
A remote attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-21688)
It was discovered that FFmpeg incorrectly handled certain specially crafted
AVI files. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 21.10. (CVE-2020-21697)
It was discovered that FFmpeg incorrectly handled writing MOV video tags. An
attacker could possibly use this issue to cause a denial of service, obtain
sensitive information or execute arbitrary code. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-22015)
It was discovered that FFmpeg incorrectly handled writing MOV files. An
attacker could possibly use this issue to cause a denial of service or other
unspecified impact. This issue affected only Ubuntu 18.04 LTS. (CVE-2020-22016)
It was discovered that FFmpeg incorrectly handled memory when using certain
filters. An attacker could possibly use this issue to cause a denial of service
or other unspecified impact. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-22017, CVE-2020-22020, CVE-2020-22022,
CVE-2020-22023, CVE-2022-22025, CVE-2020-22026, CVE-2020-22028, CVE-2020-22031,
CVE-2020-22032, CVE-2020-22034, CVE-2020-22036, CVE-2020-22042)
It was discovered that FFmpeg incorrectly handled memory when using certain
filters. An attacker could possibly use this issue to cause a denial of service
or other unspecified impact. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2020-22019, CVE-2020-22021,
CVE-2020-22033)
It was discovered that FFmpeg incorrectly handled memory when using certain
filters. An attacker could possibly use this issue to cause a denial of service
or other unspecified impact. This issue only affected Ubuntu 21.10.
(CVE-2020-22027, CVE-2020-22029, CVE-2020-22030, CVE-2020-22035)
It was discovered that FFmpeg incorrectly handled certain specially crafted
JPEG files. An attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 21.10. (CVE-2020-22037)
It was discovered that FFmpeg incorrectly performed calculations in EXR codec.
An attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-35965)
It was discovered that FFmpeg did not verify return values of functions
init_vlc and init_get_bits. An attacker could possibly use this issue to cause
a denial of service or other unspecified impact. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2021-38114,
CVE-2021-38171)
It was discovered that FFmpeg incorrectly handled certain specially crafted
files. An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 21.10 and Ubuntu 22.04 LTS. (CVE-2022-1475)
USN-5473-1: ca-certificates update
The ca-certificates package contained outdated CA certificates. This update
refreshes the included certificates to those contained in the 2.50 version
of the Mozilla certificate authority bundle.