You Count on the Internet – Make It Safer Too During Cybersecurity Awareness Month

Read Time:6 Minute, 55 Second

How much do you count on the internet every day?  

Maybe you do armloads of shopping on it. Maybe you skip going to the bank because you can tackle the bulk of your finances online. And perhaps you even pay your doctor a visit with it, instead of taking a trip to their office.  

The way we use the internet has changed. We rely on it for a wealth of important things. Now more than ever, which makes Cybersecurity Awareness Month more important than ever.  

Every October, we proudly take part in Cybersecurity Awareness Month. In partnership with the U.S. Cybersecurity and Infrastructure Agency (CISA) and a host of organizations in the private sector, we shed light on an essential topic—a safer internet. 

The time of the internet as a novelty has long passed. The internet isn’t just nice. It’s essential. To the point that it’s a utility, like power or water. With that, a safe internet is a must. 

Granted, amid news of data breaches and major hacks, it might seem like the notion of a safer internet is out of your hands. After all, what can you do to make the internet a safer place? 

Plenty. 

Extra awareness and a few straightforward actions can make your time online far safer than before. And that’s a common theme here on our blog. Even as new threats appear daily, you live in a time where you have some of the most comprehensive and easy-to-use tools to combat them—and keep yourself safe.  

With that, Cybersecurity Awareness Month comes with a quick five-step checklist you can run through. Set aside some time this month to knock out each item. You’ll find yourself much more secure from hacks, attacks, and identity theft in the wake of data breaches. 

Let’s dive in. 

1. Use strong passwords and a password manager to stay on top of them all. 

Strong, unique passwords offer another primary line of defense. Yet with all the accounts we have floating around, juggling dozens of strong and unique passwords can feel like a task. Thus the temptation to use (and re-use) simpler passwords. Hackers love this because one password can be the key to several accounts. Instead, try a password manager that can create those passwords for you and safely store them as well. Comprehensive security software like ours will include a password manager. 

2. Set your apps and operating system to update automatically. 

Updates do all kinds of great things for gaming, streaming, and chatting apps—like adding more features and functionality over time. Updates do something else. They make those apps more secure. Hackers will hammer away at apps to find or create vulnerabilities, which can steal personal info or compromise the device itself. Updates will often include security improvements, in addition to performance improvements.  

For your computers and laptops: 

On Windows devices, you can set up your operating system to update automatically with a trip to your Start menu. You can also set up Windows to automatically update your apps through the Microsoft Store. 
For macOS devices, you can set up your operating system and your apps to update automatically as well from the Apple menu.  

For your smartphones: 

Much the same goes for the operating system on smartphones too. Updates can bring more features and more security. iOS users can learn how to update their phones automatically in this article. Likewise, Android users can check out this article about automatic updates for their phones. 

For your smartphone apps: 

iPhones typically update apps automatically by default, yet you can learn how to turn them back on here if you’ve set them to manual updates. For Android phones, this article can help you set apps to auto-update if you don’t have them set up that way already. 

3. Know how you can spot a phishing attack. 

Whether they come by way of an email, text, direct message, or as bogus ads on social media and in search, phishing attacks remain popular with cybercriminals. Across their various forms, the intent remains the same—to steal personal or account info by posing as a well-known company, organization, or even someone the victim knows. And depending on the info that gets stolen, it can result in a drained bank account, a hijacked social media profile, or any number of different identity crimes.  

What makes some phishing attacks so effective is how some hackers can make the phishing emails and sites they use look like the real thing, so learning how to spot phishing attacks has become a valuable skill nowadays. Additionally, comprehensive online protection software will include web protection that can spot bogus links and sites and warn you away from them, even if they look legit. 

Some signs of a phishing attack include: 

Email addresses that slightly alter the address of a trusted brand name so it looks close. 
Awkward introductions like a “Dear Sir or Madam,” from your bank. 
Bad spelling and grammar, which indicates the communication is not coming from a professional organization. 
Poor visual design, like stretched logos, mismatched colors, and cheap stock photos. 
Urgent calls to action or threats that pressure you to claim a reward or pay a fine immediately followed by a link to do so. 
Unexpected attachments, such as a “shipping invoice” or “bills,” which hackers use to hide payloads of malware and ransomware. 

Again, this can take a sharp eye to spot. When you get emails like these, take a moment to scrutinize them and certainly don’t click on any links. 

Another way you can fight back against crooks who phish is to report them. Check out ReportFraud.ftc.gov, which shares reports of phishing and other fraud with law enforcement. Taken with other reports, your info can aid an investigation and help bring charges on a cybercriminal or an organized ring.  

4. Multifactor your defense.  

Chances are you’re using multi-factor authentication (MFA) on a few of your accounts already, like with your bank or financial institutions. MFA provides an additional layer of protection that makes it much more difficult for a hacker or bad actor to compromise your accounts even if they know your password and username. It’s common nowadays, where an online account will ask you to use an email or a text to your smartphone to as part of your logon process. If you have MFA as an option when logging into your accounts, strongly consider using it. 

5. Clean up your personal data online.  

How did that scammer get your email address or phone number in the first place? Good chance they bought it off a data broker. 

Data brokerages make up a multi-billion-dollar business worldwide. They gather and sort data linked with millions of people globally—and then sell it. To anyone. That could be advertisers, private investigators, and potential employers. That list includes hackers and scammers as well. With your data, they can skim for your contact info so they can hit you with spammy emails, calls, and texts. Worse yet, they can use that info to help them commit identity theft. 

Good thing you can get your info removed from those sites. And a service like our Personal Data Cleanup can do the heavy lifting for you. It scans some of the riskiest data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites. With select products, we can even manage the removal for you. ​ 

It’s true, you can make the internet a safer place. 

How much time do you spend on the internet each day? Between work, home, and the phone you carry around, it’s around 6.5 hours a day on average. You spend plenty of time on the internet. And important time too as you shop, bank, and tend to your health online. 

Taking a few moments this month to shore up your security will make that time safer. Despite what you might have thought, you’re more in control of that than you think.

The post You Count on the Internet – Make It Safer Too During Cybersecurity Awareness Month appeared first on McAfee Blog.

Read More

Don’t Let Zombie Zoom Links Drag You Down

Read Time:4 Minute, 4 Second

Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.

Image: @Pressmaster on Shutterstock.

At issue is the Zoom Personal Meeting ID (PMI), which is a permanent identification number linked to your Zoom account and serves as your personal meeting room available around the clock. The PMI portion forms part of each new meeting URL created by that account, such as:

zoom.us/j/5551112222

Zoom has an option to include an encrypted passcode within a meeting invite link, which simplifies the process for attendees by eliminating the need to manually enter the passcode. Following the previous example, such a link might look something like this:

zoom.us/j/5551112222/pwd=jdjsklskldklsdksdklsdkll

Using your PMI to set up new meetings is convenient, but of course convenience often comes at the expense of security. Because the PMI remains the same for all meetings, anyone with your PMI link can join any ongoing meeting unless you have locked the meeting or activated Zoom’s Waiting Room feature.

Including an encrypted passcode in the Zoom link definitely makes it easier for attendees to join, but it might open your meetings to unwanted intruders if not handled responsibly. Particularly if that Zoom link is somehow indexed by Google or some other search engine, which happens to be the case for thousands of organizations.

Armed with one of these links, an attacker can invite others using the identity of the authorized employee. And many companies using Zoom have made it easy to find recently created meeting links that include encrypted passcodes, because they have dedicated subdomains at Zoom.us.

Using the same method, KrebsOnSecurity also found working Zoom meeting links for The National Football League (NFL), Warner Bros, and Uber. And that was from just a few minutes of searching. And to illustrate the persistence of some of these Zoom links, Archive.org says several of the links were first created as far back as 2020 and 2021.

KrebsOnSecurity received a tip about the Zoom exposures from Charan Akiri, a researcher and security engineer at Reddit. In April 2023, this site featured research by Akiri showing that many public Salesforce websites were leaking private data, including banks and healthcare organizations (Akiri said Salesforce also had these open Zoom meeting links before he notified them).

The Zoom links that exposed working meeting rooms all had enabled the highlighted option.

Charan said the misuse of PMI links, particularly those with passcodes embedded, can give unauthorized individuals access to meetings.

“These one-click links, which are not subject to expiration or password requirement, can be exploited by attackers for impersonation,” Charan said. “Attackers exploiting these vulnerabilities can impersonate companies, initiating meetings unknowingly to users. They can contact other employees or customers while posing as the company, gaining unauthorized access to confidential information, potentially for financial gain, recruitment, or fraudulent advertising campaigns.”

Akiri said he built a simple program to crawl the web for working Zoom meeting links from different organizations, and so far it has identified thousands of organizations with these perfectly functional zombie Zoom links.

According to Akiri, here are several tips for using Zoom links more safely:

Don’t Use Personal Meeting ID or Public Meetings: Your Personal Meeting ID (PMI) is the default meeting that launches when you start an ad hoc meeting. Your PMI doesn’t change unless you change it yourself, which makes it very useful if people need a way to reach you. But for public meetings, you should always schedule new meetings with randomly generated meeting IDs. That way, only invited attendees will know how to join your meeting. You can also turn off your PMI when starting an instant meeting in your profile settings.

Require a Passcode to Join: You can take meeting security even further by requiring a passcode to join your meetings. This feature can be applied to both your Personal Meeting ID, so only those with the passcode will be able to reach you, and to newly scheduled meetings. To learn all the ways to add a passcode for your meetings, see this support article.

Only Allow Registered or Domain Verified Users: Zoom can also give you peace of mind by letting you know exactly who will be attending your meeting. When scheduling a meeting, you can require attendees to register with their email, name, and custom questions. You can even customize your registration page with a banner and logo. By default, Zoom also restricts participants to those who are logged into Zoom, and you can even restrict it to Zoom users whose email address uses a certain domain.

Read More

CVE-2015-10124

Read Time:25 Second

A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function add_views/show_views of the file functions.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 0.9 is able to address this issue. The patch is identified as a99667d11ac8d320006909387b100e9a8b5c12e1. It is recommended to upgrade the affected component. VDB-241026 is the identifier assigned to this vulnerability.

Read More