During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session. This vulnerability affects Thunderbird < 78.7.
CVE-2020-15679
An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to log in via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360).
Don’t click too quick! FBI warns of malicious search engine ads
The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information.
Read more in my article on the Tripwire State of Security blog.
FBI: Cyber-Criminals Are Purchasing Search Engine Ad Services to Launch Attacks
The FBI warns that cyber-criminals are impersonating brands through purchasing ad services in order to lure users to malicious websites
OpenImageIO-2.3.21.0-1.fc36
FEDORA-2022-e63bc3eca2
Packages in this update:
OpenImageIO-2.3.21.0-1.fc36
Update description:
Update to 2.3.21.0.
Security fix for CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198 CVE-2022-41988 CVE-2022-4199.
France Fines Microsoft $64m for Imposing Ad Cookies to its Bing Users
In its largest fine of 2022, France’s privacy watchdog has fined US tech giant €60m for foisting advertising cookies on users
firefox-108.0.1-3.fc36
FEDORA-2022-3a000dac3a
Packages in this update:
firefox-108.0.1-3.fc36
Update description:
New upstream version (108.0.1)
New upstream release (108.0)
Critical Microsoft Code-Execution Vulnerability
A critical code-execution vulnerability in Microsoft Windows was patched in September. It seems that researchers just realized how serious it was (and is):
Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.
But unlike EternalBlue, which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.
[…]
Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of “important.” In the routine course of analyzing vulnerabilities after they’re patched, Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.
Cybersecurity for seniors this holiday season: all generations are a target
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Gift for cyber well being
During the holiday season, it is essential to take extra precautions when it comes to cybersecurity. Cybercriminals may be more active than usual, looking for ways to exploit unsuspecting users. Protect yourself and your loved ones, ensure that you and they are up to date with the latest security software, and be mindful of potential scams.
Furthermore, only visit trusted websites and know the risks before making technological purchases. Cyber security can seem complicated, but anyone can protect themselves from common cyber threats with the correct information. Additionally, be aware of the various scams aimed at senior citizens during the holidays, such as fake holiday deals, phishing emails, fake charities, sweepstakes, or even threats to disconnect a senior’s utilities. Taking these extra precautions can help ensure a safe and secure holiday season.
The pandemic has highlighted the need for an intergenerational cyber awareness program to help seniors and their grandchildren stay safe online. Using a grandchild’s name for a password may be cute, but it’s not always the safest option. Educating them and their grandchildren about the risks and best practices of using technology is essential to promote cyber well-being for seniors. A conversation between generations can be a powerful tool for increasing cyber security and safety. By providing age-appropriate lessons, we can create a strong bond across generations and make sure that everyone can stay safe online.
No matter your age, staying informed about cyber security is essential today. Elder fraud is becoming increasingly common, with scams taking different forms, such as fraudulent phone calls, phishing attempts through email and social media, or shopping scams. It is essential for everyone to be aware of the risks associated with the online world and to be responsible digital citizens.
To make this easier, it takes a “cyber village” to help raise savvy cyber citizens. For example, I have been able to explain the importance of cyber to my grandparents. They enjoy using an iPad and social media to stay connected and are a great example of how anyone can become a responsible digital citizen.
Be aware of the potential dangers of oversharing online, particularly on social media. Personal details such as your name, family member’s name, home address, telephone numbers, and even answers to your secret question when you set passwords should be kept private. Be wary if you’re ever contacted online by someone who requests this information. It is best to ignore unsolicited requests for personal information, including Social Security numbers, bank account numbers, and passwords.
Be on the lookout for any suspicious deals, discounts, or coupons that may be sent to you via email. It is essential to be aware of phishing scams, which often involve requests for you to act urgently to take advantage of a deal or prize. Also, be mindful of attachments containing malicious content, as they can infect your computer with a virus. Be vigilant and know how to spot any malicious baits confidently.
A password manager can be your friend: Change the default password if you have a device that will connect to the Internet. A device is not just your phone or laptop; everything from your Internet router, TVs, and home thermostats to Wi-Fi is included. What does a strong password look like? Use a phrase instead of a word. “Passphrases” are easy to remember but difficult to guess. If the field allows, use spaces as special characters for added strength, making the phrase easier to type.
Longer is stronger for passwords. The best passwords are at least ten characters and include some capitalization and punctuation. Typing the passphrase becomes a habit (usually within a few days). Some additional strategies include misspelling, a nursery rhyme, a movie quote, or song lyrics with a twist.
Don’t fall for free Wi-Fi: Be smart about where and how you connect to the Internet for banking or other communications involving sensitive personal information. Public Wi-Fi networks and computers at places such as libraries or hotel business centers can be risky if they don’t have up-to-date security software. The process starts now with teaching our family, especially older generations, how to interact with new technologies safely.
When in doubt, reach out! Beware of scammers, especially during the holidays. A stranger may ask for thousands of dollars by claiming an urgent emergency involving your child or grandchild, posing as a kidnapper demanding ransom or as a grandchild in distress.
Also, no tech support company will call you. If anyone pressures you to buy a computer security product or says a subscription fee is associated with a call, hang up. If you’re concerned about your computer, call your security software company and ask for help. Watch out for copycat websites too.
During the holidays, you’ll see an increase in store sales emails. Be sure to verify the sender’s address, hover over links before clicking to see the URL address, and only enter information into websites with URLs that start with “HTTPS.” Also, beware of fake delivery notifications. Once you place an online order that requires shipping, you’ll usually receive delivery notifications telling you when your order has shipped and your expected delivery date. However, some of these notifications can be phishing scams that hide behind legitimate business names to get your private information. To avoid falling victim to these scams, make sure you receive tracking information so that you can easily find your items.
Have you done your cyber exercises? It’s important to remember that passwords should be kept secret, just like your special cookie recipe. Even though these tips may not be new for the holidays, reviewing and applying them to your normal activities is still essential. During the holiday season, when the cousins come to visit or when you make your famous cookie recipe, things can get a little bit busier. So, to ensure that your festive season isn’t ruined, here are the top 10 tips to help you stay cyber-secure:
I avoid using free Wi-Fi and use a VPN or my mobile phone as a hotspot when going online.
I disable auto-connect on my devices and keep track of my laptop, smartphone, tablet, and accessories such as USB drives, especially while on the go.
I don’t leave my devices unattended in public places and avoid using the same password for different accounts.
I change my passwords regularly and ensure they are at least ten characters long, involve a mix of upper- and lower-case letters plus symbols and numbers, and avoid the obvious. I also change the default passwords on my connected devices, such as Wi-Fi routers and printers.
I never write my passwords down or share them with others, and I avoid clicking on suspicious links or links I’m unsure of.
I don’t open suspicious emails or attachments and never click on ads that promise free money, prizes, or discounts.
I am wary of strange or unexpected messages, even from people I know, and I don’t answer personal questions when using text or voice chat in an online gaming session.
When using social media, I limit the personal information I post and only add people I know.
Before I act, I search for information about a proposed offer and never send money or personally identifiable information to unverified people or businesses.
I use reputable antivirus software and ensure I regularly update it, and I never share financial account information or allow anyone access to my accounts.