How to get Fortune 500 cybersecurity without the hefty price tag

Read Time:21 Second

Graham Cluley Security News is sponsored this week by the folks at SolCyber. Thanks to the great team there for their support! If the bad guys don’t discriminate when it comes to who they are attacking, how can your business settle for anything less than the very best security? SolCyber has brought to market a … Continue reading “How to get Fortune 500 cybersecurity without the hefty price tag”

Read More

CVE-2013-4170

Read Time:25 Second

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view’s `tagName` to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain (“XSS”). This vulnerability only affects applications that assign or bind user-provided content to `tagName`.

Read More

CVE-2013-4146

Read Time:15 Second

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-3414. Reason: This candidate is a duplicate of CVE-2012-3414. Notes: All CVE users should reference CVE-2012-3414 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Read More

USN-5497-1: Libjpeg6b vulnerabilities

Read Time:39 Second

It was discovered that Libjpeg6b was not properly performing bounds
checks when compressing PPM and Targa image files. An attacker could
possibly use this issue to cause a denial of service.
(CVE-2018-11212)

Chijin Zhou discovered that Libjpeg6b was incorrectly handling the
EOF character in input data when generating JPEG files. An attacker
could possibly use this issue to force the execution of a large loop,
force excessive memory consumption, and cause a denial of service.
(CVE-2018-11813)

Sheng Shu and Dongdong She discovered that Libjpeg6b was not properly
limiting the amount of memory being used when it was performing
decompression or multi-pass compression operations. An attacker could
possibly use this issue to force excessive memory consumption and
cause a denial of service. (CVE-2020-14152)

Read More

It’s Social Media Day! Here’s How to Protect Yourself From Social Engineering Online

Read Time:5 Minute, 22 Second

It’s Social Media Day! How are you celebrating? Reposting your very first profile picture from a decade ago? Sharing your most-loved status update or the photo you’re most proud of? This year, consider commemorating the day by learning more about how to keep your information safe. Enjoy your favorite platform, but be on the lookout for scams, such as social engineering. 

What is Social Engineering 

Social engineering is a cybercrime common to social media sites. It is a tactic where a cybercriminal lurks on people’s social media pages, gleaning personal information that they then use to impersonate them elsewhere. 

With more than half of the global population on social media, you may think that a cybercriminal will never single you out from such a huge pool; however, it is possible.1 Luckily, you only have to make a few, easy changes to your online habits to keep your valuable private information just that: private. Check out these tips to make smart decisions and be more confident about your and your family’s online security. 

Why Do Cybercriminals Care About Social Media? 

Think of the types of posts you share with your dozens – or even hundreds or thousands! – of followers: updates about your life, where you live, work, or favorite travel destinations, your hobbies, pets, family members, etc. All of these details, that only you and those closest to you should know, are a valuable commodity to cybercriminals. Plus, now that social media shopping is growing in popularity, the credit card information linked to accounts is sweetening the deal for cybercriminals. 

Here are a few social engineering scams that are common to social media.  

Credential stuffing

People commonly create passwords based on things, places, and people that are important. Have you ever published a 20 questions-style get-to-know-me post? Those contain a lot of valuable personally identifiable information (PII). With just a few of those details about your personal life, cybercriminals can make educated guesses at your passwords, a tactic called credential stuffing. If they’re able to crack the code to one of your accounts, they’ll then input that password and login variations in several other sites, especially online banking portals, to see if they can gain entry to those too. 

Fake contests 

You’ve won! Send us your banking information and address, and you’ll receive a package in the mail or a direct deposit to your bank account!  

But did you enter a drawing for a prize? Very rarely does anyone win something just by being a follower of a certain page. If you receive a message similar to the above, it’s likely a phisher trying to draw more PII and sensitive banking information out of you. Or, the message may have links within it that redirect to an untrustworthy site. If you regularly enter social media contests, keep a list and only respond to legitimate ones. Also, never give your banking information out over social media, private messages, or email. 

Emotional messages and posts

There are plenty of valid fundraisers and petitions circulating around social media; however, there are just as many social engineering scams that dupe social media users because they inspire a strong emotion in them. For example, there have been several scams around Ukrainian donation sites. Cybercriminals often use fear, anger, or sadness to inspire people to open their wallets and share confidential banking information. 

How to Protect Yourself from Social Engineering

Luckily, all it takes is a few smart habits to stop social engineers in their tracks. Consider the following tips and make these small changes to your social media usage: 

Edit your follower or friend lists

At this point, you’ve probably had several of your social media accounts active for over a decade. That means it’s time to do some cleaning out of your friends and followers lists. It’s best to only accept requests from people you personally know and would actually like to keep in the loop about your life. A friend and follower request from strangers could be cyber criminals in disguise. Also, consider setting your account to private so that your posts are invisible to strangers. 

Slow down and think 

Social engineering hacks often bank on people acting rashly and quickly because of strong emotion, either excitement, fear, sadness, or anger. If you see a post on your newsfeed or receive a direct message that gives you a tight window to respond and asks for PII, slow down and think before acting. Double-check the destination of every link in the message by hovering over it with your cursor and checking the link preview at the bottom of your browser screen. Be careful, because some link previews include slight misspellings of legitimate websites. As a great rule of thumb, be automatically skeptical of direct messages from people you do not personally know. And if a DM from a friend seems out of the ordinary, shoot them a text to confirm they actually sent it. It could be that their social media account was hacked and a criminal is spamming their followers.   

Create strong, unique passwords or passphrases

A password manager will go a long way toward ensuring you have unique, strong passwords and passphrases for every account. Not reusing passwords makes credential stuffing impossible. McAfee True Key stores all your logins and passwords and guards them with one of the strongest encryption algorithms available. All you need to do is remember your master password. It’s a great practice to also enable multifactor authentication whenever a website offers it. This makes it incredibly difficult for a cybercriminal to break into your online accounts with their educated guesses at your password. 

Live More Confidently and Safely Online 

Now that you know what to look for and the best tricks to be safe, you can feel more confident that you’re doing everything you can to protect your online accounts and private information. McAfee Protection Score can also help you take control of your online safety. This service allows you to monitor your current online safety and encourages you to take specific steps to improve it. Now you can enjoy digitally keeping in touch with your friends with peace of mind! 

1Smart Insights, “Global social media statistics research summary 2022 

The post It’s Social Media Day! Here’s How to Protect Yourself From Social Engineering Online appeared first on McAfee Blog.

Read More

Smashing Security podcast #281: Debug ransomware and win $1,000,000, period-tracking apps, and AI gets emotional

Read Time:27 Second

A new version of the LockBit ransomware offers a bug bounty, women uninstall period-tracking apps in fear of how their data might be used against them, and Microsoft’s facial recognition tech no longer wants to know how you’re feeling.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford from The Host Unknown podcast.

Plus don’t miss our featured interview with Bitwarden founder and CTO Kyle Spearrin.

Read More