Re: over 2000 packages depend on abort()ing libgmp

Posted by Matthew Fernandez on Sep 19

What is the security boundary being violated here? As a maintainer of
some of the packages implicated here, I’m unsure what my actionable
tasks are. The threat model(s) for my packages does not consider crashes
to be a security violation. On the other side, things like crypto code
frequently use their own non-GMP implementation of bignum arith for this
(and other) reason.

Not trying to brush this off. But I’m just trying to gain an…

Microsoft Patch Tuesday Fixed Vulnerability (CVE-2022-34718) More Likely To Be Exploited

Microsoft has released 63 security patches for this month’s September 2022 release. One of the fixes is for CVE-2022-34718 (Windows TCP/IP Remote Code Execution Vulnerability). Rated critical and deemed “exploitation more likely” by Microsoft, successful exploitation of the vulnerability allows a remote unauthenticated attacker to run code on the vulnerable machine. This has a CVSS score of 9.8.

Why is this Significant?

This is significant because CVE-2022-34718 (Windows TCP/IP Remote Code Execution Vulnerability) is a remote code execution vulnerability that Microsoft considers “exploitation more likely”, so the fix should be applied as soon as possible. It has a CVSS score of 9.8 out of 10 and is rated critical by Microsoft.

Systems with the IPSec service running are vulnerable to CVE-2022-34718. Systems with IPv6 disabled are not affected.

Is CVE-2022-34718 being Exploited in the Wild?

No, the vulnerability has not been observed or reported as being exploited in the wild.

Is there Any Other Vulnerability in the September Patch Tuesday that Requires Attention?

Microsoft also released a patch for a local privilege escalation vulnerability that affects Windows Common Log File System Driver (CVE-2022-37969). Exploitation of this vulnerability does not require any user interaction; however, an attacker needs to have access to the target’s system to carry out the attack. This has a CVSS score of 7.8 and is rated important.

Is CVE-2022-37969 being Exploited in the Wild?

According to the advisory released by Microsoft, CVE-2022-37969 was exploited as a zero-day, so the fix should be applied as soon as possible.

Has Microsoft Released a Patch for CVE-2022-34718 and CVE-2022-37969?

Yes, Microsoft released a patch for CVE-2022-34718 and CVE-2022-37969 on September 13th, 2022 as part of the regular MS Tuesday for the month.

What is the Status of Coverage?

FortiGuard Labs has released the following IPS signature in response to CVE-2022-34718 (available from version 22.393):

MS.Windows.TCP.IP.CVE-2022-34718.Remote.Code.Execution (default action set to “pass”)

Currently there is not sufficient information available for CVE-2022-37969 to allow FortiGuard Labs to develop coverage. We are monitoring the situation and will investigate coverage when information becomes available.

Steer Clear of the “Pay Yourself Scam” That’s Targeting Online Bank Accounts

An old banking scam has a new look. And it’s making the rounds again. 

Recently Bank of America alerted its customers of the “Pay Yourself Scam,” where scammers use phony fraud alerts and trick their victims into giving them access to their online banking accounts. It’s a form of phishing attack, and according to Bank of America it goes something like this: 

You receive a text message that looks like a fraud alert from your bank about unusual activity. The text may look something like: “Did you make a purchase of $100.00 at ABC merchant?” 
If you respond to the text, you have now engaged the scammer and will receive a call from a number that appears to be from a bank. 
They’ll appear to be a representative from a bank and will offer to help stop the alleged fraud by asking you to send money to yourself with an online payment app. 
The scammer will ask you for a one-time code you just received from a bank. 
If you give them the code, they will use it to enroll their bank account with an online payment app using your email or phone number. 
The scammer now can receive your money into their account. 

The good news is that you can avoid this attack rather easily. If you receive a text or call about a possible fraud alert, don’t respond. (Scammers can easily “spoof” or fake caller ID information nowadays. So even if it appears that the number looks legitimate, it may not be after all.) Instead, contact your bank directly using the contact information on your debit or credit card. This way, you’ll know you’re speaking with the proper representatives about the matter. 

Other ways you can avoid online banking scams 

Of course, this scam isn’t the only scam going. Whether it’s with some form of phishing attack, stealing passwords on public Wi-Fi, or malware that spies on your keystrokes, scammers use plenty of tricks to crack into online bank accounts. Yet with a few precautions and a sharp eye, you have several ways you can protect yourself. 

Use comprehensive online protection software 

Online protection software today goes far beyond antivirus. It can protect your privacy, identity, and your online accounts as well. McAfee+ Ultimate provides our most comprehensive coverage with features that monitor the dark web and sketchy data broker sites for your personal information, identity theft and ransomware protection, and identity restoration services should the unexpected happen—all along with our award-winning antivirus protection. In all, it protects you, not just your devices. Together, it offers your strongest line of defense in the face of hackers, scammers, and thieves. 

Scrutinize any messages claiming to be your bank 

Legitimate banks will never pressure, harass, or cajole you into action. If you get a message that strikes an aggressive tone, assume it’s fraudulent. Other things legitimate banks will never do include:  

Banks or other financial institutions don’t call for your PIN or checking account number. Never provide this over the phone. Call your bank directly using the phone number on your debit or credit card or bank statement if you want to confirm.  
Your bank has no reason to email you for account information it already has. If you receive an email asking you to click a link or provide account information, assume it’s fraudulent. Don’t click any links and mark the email as spam.  
If a message appears to be from your bank asking you to sign in or enter your PIN, it’s a scam. Banks never ask customers for this information by text.  
A common theme in phishing emails is the urgent call to action. Cybercriminals want to scare you into acting immediately without thinking. The email says there was suspicious activity on your account, and you should log in immediately to avoid having it frozen or closed. No legitimate business would close a customer’s account without giving reasonable notice. Contact your bank through your normal channels to check your balance and account activity if you aren’t sure.  
Misspelled words and grammatical errors are another red flag. Major corporations have professional editors to make sure the content is correct.  

Use your bank’s official website or app 

Earlier, I mentioned contacting your bank directly to ensure you’re speaking to a proper representative. Another way you can go directly to the source is to use your bank’s website or app to check up on your accounts. Once again, don’t click any links in a text or email. Just go to your bank’s website or app to check your account. You can make sure you have your bank’s official app by visiting the Google Play or Apple’s App Store and looking at the information section to ensure that it was indeed developed by your bank—not a copycat. 

Use strong passwords and a password manager to stay on top of them all 

Strong and unique passwords for each of your online accounts can help keep hackers at bay. With data breaches occurring so often, updating them regularly is important too. Yet with all the accounts we keep, that can mean a lot of work. However, a password manager can create those passwords for you and safely store them as well. Comprehensive security software will include one, and McAfee also offers a free service with True Key. 

Use two-factor authentication on your accounts  

Two-factor authentication is an extra layer of defense on top of your username and password. It adds in the use of a special one-time-use code to access your account, usually sent to you via email or to your phone by text or a phone call. In all, it combines something you know, like your password, with something you have, like your smartphone. Together, that makes it tougher for a crook to hack your account. If any of your accounts support two-factor authentication, the few extra seconds it takes to set up is more than worth the big boost in protection you’ll get.  

Don’t access your online banking account via public Wi-Fi 

When you log onto public Wi-Fi, potentially anyone can see your internet activity—and that includes things like entering your username and password. For that reason, only log into your bank account with public Wi-Fi if you’re using a virtual private network (VPN).  McAfee Secure VPN protects your privacy by turning on automatically for unsecured networks. Your data is encrypted so it can’t be read by prying eyes. The VPN also keeps your online activity and physical location private and secure from advertisers.  

Check your bank statements regularly 

Keeping an eye on your bills and statements as they come in can help you spot unusual activity on your accounts. A credit monitoring service can do that one better by keeping daily tabs on your credit report. While you can do this manually, there are limitations. First, it involves logging into each bureau and doing some digging of your own. Second, there are limitations as to how many free credit reports you can pull each year. A service does that for you and without impacting your credit score. 

Depending on your location and plan, McAfee’s credit monitoring allows you to look after your credit score and the accounts within it to see fluctuations and help you identify unusual activity, all in one place, checking daily for signs of identity theft. 

Prevention and vigilance are your best defense from online banking scams  

When a fraud notification pops up on your phone, you can almost feel your stomach drop. Hackers and scammers play off that fear. They use it to get you to act—and to act quickly. Taking a moment to scrutinize these messages and following up directly with your bank can help you steer clear of their tricks. Likewise, putting up a strong defense with comprehensive online protection software can make you safer still. In the meantime, keep your eyes open for this “Pay Yourself Scam” and other scams like it. It’s certainly not the first of its kind, and it won’t be the last. 

The post Steer Clear of the “Pay Yourself Scam” That’s Targeting Online Bank Accounts appeared first on McAfee Blog.

What You Do Now To Protect Your Child From Cyberbullying

I can’t tell you how many times over my 25 years of parenting that I’ve just wanted to wrap my boys in cotton wool and protect them from all the tricky stuff that life can throw our way. But unfortunately, that’s never been an option. Whether it’s been friendship issues in the playground, dramas on a messaging app or dealing with broken hearts, it can be really hard watching your kids experience hardship. 

Get Ahead Of The Problem! 

But one thing I have learnt from years of mothering is that if you spend some time getting ahead of a potentially challenging situation then you’ve got a much better chance of minimising it. Or better still preventing it – and this absolutely applies to cyberbullying. 

Is Cyberbullying A Big Problem for Aussie Kids? 

In early 2022, McAfee interviewed over 15,000 parents and 12,000 children worldwide with the goal of finding out how families both connect and protect themselves online. And what they found was astounding: Aussie kids reported the 2nd highest rate of cyberbullying (24%) out of the 10 countries surveyed. American children reported the highest rate. The average for all countries was 17%. Check out my post here with all the details.  

So, to dig deeper into this issue of cyberbullying, McAfee commissioned additional research in August this year to better understand what cyberbullying looks like, where it happens and who the perpetrators are. And the biggest takeaways for Aussie kids: 

Name calling is the most common form of cyberbullying 
Most cyberbullying happens on social media 
Aussie kids have the highest rate of cyberbullying on Snapchat 
56% of Aussie kids know the perpetrator 

You can check out my post here with all the details.  

How To Avoid Your Kids Becoming a Statistic 

So, if you need to grab a cuppa and digest all this, I don’t blame you! It’s a lot. But, as mentioned before, I honestly believe that if we get ahead of the challenges, we have a greater chance of minimising the fall out. So, without further ado – here is my advice on what you can do NOW to minimise the chance of your kids being involved in cyberbullying – either as the victim or the perpetrator. 

1. Talk About Online Respect and Kindness As Soon As They Start Using Devices 

As soon as your kids move on from just watching movies and playing games on their devices, you need to talk about the importance of ‘being nice’ online. A more natural way around this is to extend your parenting advice to include the online world too. For example:  

‘Remember how important it is to be kind to everyone when you are in the playground at kindy – as well as when you are online.’  
‘Always say please and thank you – to your friends in-person and online too.’ 

And don’t forget the importance of role-modelling this too! 

2. Check Your Family Communication Culture 

One of the best things you can do is to create a family culture where honest and genuine two-way communication is a feature of family life. If your kids know they can confide in you, that nothing is off-limits and that you won’t overreact – then they are more likely to open-up about a problem before it becomes overwhelming and ‘unsolvable’. 

3. Understand Your Child’s World 

Parents who have a comprehensive understanding of their child’s life will be better able to detect when things aren’t going well. Knowing who your kid’s friends are, who they ‘sit with’ at lunchtime, their favourite music and their boyfriend or girlfriend needs to be a big priority. I also encourage parents to establish relationships with teachers or mentors at school so they can keep their ‘ear to the ground’. When a child’s behaviour and interests change, it can often mean that all isn’t well and that some detective work is required! 

4. Ensure Your Kids Understand What Bullying Is 

Cyberbullying can have a variety of definitions which can often cause confusion. In McAfee’s research, they used the definition by StopBullying.Gov: 

Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. Cyberbullying can occur through SMS, Text, and apps, or online in social media, forums, or gaming where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation. Some cyberbullying crosses the line into unlawful or criminal behaviour.  

McAfee’s definition was then expanded to include specific acts of cyberbullying, such as: 

flaming – online arguments that can include personal attacks 
outing – disclosing someone’s sexual orientation without their consent  
trolling – intentionally trying to instigate a conflict through antagonistic messages 
doxing – publishing private or identifying information without someone’s consent  

Along with other acts, including:  

name calling  
spreading false rumours  
sending explicit images or messages  
cyberstalking, harassment, and physical threats  
exclusion from group chats and conversation 

Now, I appreciate that reading your children several minutes of definitions may not be very helpful. So, instead, keep it simple and amend the above to make it age appropriate for your kids. You may choose to say that it is when someone is being mean online, if your kids are very young. But if you have tweens in the house then I think more details would be important. The goal here is for them to understand at what point they shouldn’t accept bad behaviour online.  

5. Give Them An Action Plan For When They Experience Bad Behaviour Online  

As soon as your kids are actively engaged with others online, they need to have an action plan in case things go awry – probably around 6-7 years of age. In fact, I consider this to be a golden time in parenting – a time when your kids are receptive to your advice and often keen to please. So, this is when you need to help them establish good practices and habits that will hold them in good stead. This is what I would instil: 

If someone makes you feel upset when you are online, you need to tell a trusted adult 
Save a copy of the interaction, perhaps take a screenshot. Ensure they know how to do this. 
Block the sender or delete them from your contacts. 
Report the behaviour to the school, the police or the eSafety Commissioner’s Office, if necessary 

Now, of course not all bad behaviour online will be defined as cyberbullying – remember we all see the world through different lenses. However, what’s important here is that your kids ask for help when they experience something that makes them feel uncomfortable. And while we all hope that it is unlikely that you will need to escalate any interactions to the police or the eSafety Commissioner, knowing what the course of action is in case things get out of hand is essential.  

6. Make Empathy A Priority  

There is so much research on the connection between the lack of empathy and bullying behaviours. In her book Unselfie, parenting expert Michelle Borba explains that we are in the midst of an ‘empathy crisis’ which is contributing to bullying behaviour. She believes teens today are far less empathetic than they were 30 years ago. Teaching your kids to ‘walk in someone else’s shoes’, consider how others feel and have a focus on compassion will go a long way to developing an empathetic lens. You can read more about helping develop empathy in your child here.  

There is no doubt that cyberbullying is one of the biggest parenting challenges of our generation and, unfortunately, it isn’t going to disappear anytime soon. So, get ahead of the problem – teach your kids about kindness from a young age, create an open family communication culture, make empathy a priority in your family and give them an action plan in case things get tricky online. But most importantly, always listen to your gut. If you think things aren’t right with your kids – if they don’t want to go to school, seem emotional after using their devices or their behaviour suddenly changes, then do some digging. My gut has never let me down!     

Take care 

Alex  

The post What You Do Now To Protect Your Child From Cyberbullying appeared first on McAfee Blog.

#WSPD Creating hope through action with The Jordan Legacy

*TW: Mentions Suicide

Our passion for protecting people doesn’t stop with online safety. We deeply care for our people, their families and friends, and our communities.

To recognize World Suicide Prevention on Sept. 10 and help normalize and encourage conversations about mental health year-round, we recently hosted a discussion with McAfee colleagues and suicide prevention activist and owner of The Jordan Legacy, Steve Phillip. During this session Steve discussed his own personal lived experience of suicide and what he’s learned since establishing The Jordan Legacy when it comes to creating an open and safe environment for all.

Tell us a bit about The Jordan Legacy?

“I established The Jordan Legacy in 2020, following the suicide of my 34-year-old son, Jordan, in December 2019. It’s a registered not-for-profit Community Interest Company (CIC), whose mission is to raise awareness about suicide, open the conversation, help remove the stigma surrounding this topic and importantly, engage with communities and workplaces to discuss and identify practical solutions which will help prevent suicide.”

Why is World Suicide Prevention Day (WSPD) important?

“#WSPD is important in highlighting the biggest killer of men and women under the age of 35. According to the W.H.O, we lose 700,000 people globally to suicide every year – that’s one person every 45 seconds. On average, each suicide will impact 135 other people. This means that more than 95 million people are impacted by suicide annually! And while #WSPD is an important day to highlight, it’s fundamental that we recognize that suicide awareness needs to happen 365 days a year.”

Why are there stigmas surrounding mental health and suicide?

“There are several reasons why stigmas surrounding mental health and suicide exist. Generally, it’s due to a lack of understanding and people making assumptions – such as those with a mental health illness could be dangerous, unreliable or unemployable. Cultural backgrounds also play a part in creating stigma – certain cultures see mental illness and suicide as a taboo subject. The language used around mental health and suicide can also create stigma. In the UK, the act of attempting suicide was decriminalized in 1961 and yet the term ‘committed suicide’ is still frequently used, in the same way as commit murder or commit assault.”

How can we open-up a conversation and support someone who might be struggling with their mental health?

“It’s important to ask people how they are with a genuine intent to listen to and understand their reply. Most people who are struggling with their mental health don’t necessarily want you to fix them, but they do want to feel that they’re being listened to. Ask open-ended questions, such as ‘tell me how are you really feeling?’, ‘explain to me how this is impacting on you?’, ‘describe to me, how this is making you feel?’”

How can we create hope through action – as family members, friends, and colleagues?

“We need to become a kinder and more compassionate society by recognizing that everyone can, at some point in their lives, struggle with poor mental health. Understanding this, would hopefully cause people to be less frustrated with others who don’t behave as they expect they might. We also need to check-in with family members, friends and colleagues more frequently and ask them ‘how are you really doing?’”

How can we look after our own well-being?

“I am one of those individuals who probably works too hard and for too long! However, road cycling is a big escape for me and getting out in the fresh air in the countryside is a huge help. As is my part-time hobby of playing the drums – you can lose a lot of pent-up stress whilst playing along to Nirvana!! It’s so important that you make sure to look after yourself. So, my advice is to find out what works for you – whether that’s going for a walk, talking to a friend, speaking to a counsellor, joining a local group or seeing what resources are available to you through your company’s EAP. And remember most importantly to be kind to yourself.”

If you or someone you know is struggling, please call or text 988 to get support. And remember, you are not alone.

Together we can prevent suicide

The post #WSPD Creating hope through action with The Jordan Legacy appeared first on McAfee Blog.

A third of enterprises globally don’t prioritize digital trust: ISACA

Digital trust is crucial for modern business relationships, as transactions increasingly require sensitive information to be shared online. However, a new report from ISACA, the Information Systems Audit and Control Association certification association, highlights significant gaps between what enterprises are doing now and what they should do to earn customer trust in their digital ecosystems.

The report combines insights from 2,755 business and IT professionals worldwide. It defines digital trust as confidence in the integrity of relationships, interactions and transactions among providers and consumers within an associated digital ecosystem.

While 85% of respondents said digital trust is extremely or very important to organizations today, and 63% said digital trust is extremely or very relevant to their job role, only 66% said their organization prioritizes digital trust in line with its level of importance. “This will be a growing concern, as four out of five respondents or 82% believe that digital trust will be more important in five years than it is today,” ISACA noted.  

Protect Your Social Media Accounts from Hacks and Attacks

Here’s to the hashtags, the likes, the followers, the DMs, and the LOLs—June 30th marks Social Media Day, a time to celebrate and reflect on how social media has changed our lives over the years. 

Started in 2010 by media and entertainment company Mashable, celebrations have taken on all kinds of forms. Meetups, contests, calls to increase your social circle by one meaningful connection have all marked the date in the past. Yet this year feels like an opportunity to consider just how heavily so many of us have leaned upon social media these past months, particularly in a world where nearly 50% of the global population are social media users to some degree or other. 

What’s more, people worldwide spend an average of 145 minutes a day on social media. With users in the Philippines spending three hours and 53 minutes a day and users in the U.S. spending just over two hours a day, that figure can vary widely, yet it’s safe to say that a good portion of our day features time browsing around on social media. 

With that, Social Media Day is also a good day to give your social media settings and habits a closer look, all so that you can get the most out of it with less fuss and worry. Whether you’re using Facebook, Instagram, TikTok, or whatnot, here are several things you can do that can help keep you safe and secure out there: 

1. Go private

Social media platforms like Facebook, Instagram, and others give you the option of making your profile and posts visible to friends only. Choosing this setting keeps the broader internet from seeing what you’re doing, saying, and posting, which can help protect your privacy. 

2. Say “no” to strangers bearing friend requests

Be critical of the invitations you receive. An out-and-out stranger could be more than just a stranger. It could be a fake account designed to gather information on users for purposes of cybercrime, or an account designed to spread false information. There are plenty of them too. In fact, in Q1 of 2021 alone, Facebook took action on 1.3 billion fake accounts. Reject such requests. 

3. Think twice before checking in

Nothing says “there’s nobody at home right now” like that post of you on vacation or sharing your location while you’re out on the town. In effect, such posts announce your whereabouts to a broad audience of followers (even a global audience, if you’re not posting privately, as called out above). Consider sharing photos and stories of your adventures once you’ve returned.  

4. The internet is forever

It’s a famous saying for a reason. Whether your profile is set to private or if you are using an app with “disappearing” messages and posts (like Snapchat), what you post can indeed be saved and shared again. It’s as simple as taking a screenshot. If you don’t want it out there, forever or otherwise, simply don’t post it. 

5. Watch out for phishing scams

We’re increasingly accustomed to the warnings about phishing emails, yet phishing attacks happen plenty on social media. The same rules apply. Don’t follow any links you get from strangers by way of instant or direct messengers. And keep your personal information close. Don’t pass out your email, address, or other info as well. Even those so-called “quiz” posts and websites can be ruses designed to steal bits and pieces of personal info that can be used as the basis of an attack. 

6. Review your tags

Some platforms such as Facebook allow users to review posts that are tagged with their profile names. Check your account settings and give yourself the highest degree of control over how and where your tags are used by others. This will help keep you aware of how you’re being mentioned by others and in what way. 

7. Protect yourself and your devices

Security software can protect you from clicking on malicious links while on social media, strengthen your passwords so your social media account doesn’t get hacked, and boost your online privacy as well. With identity theft a sadly commonplace occurrence today, security software is really a must. 

The post Protect Your Social Media Accounts from Hacks and Attacks appeared first on McAfee Blog.
