USN-6455-1: Exim vulnerabilities

It was discovered that Exim incorrectly handled validation of user-supplied
data, which could lead to memory corruption. A remote attacker could
possibly use this issue to execute arbitrary code. (CVE-2023-42117)

It was discovered that Exim incorrectly handled validation of user-supplied
data, which could lead to an out-of-bounds read. An attacker could possibly
use this issue to expose sensitive information. (CVE-2023-42119)

[KIS-2023-11] SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload Vulnerability

Posted by Egidio Romano on Oct 26

------------------------------------------------------------------
SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload
Vulnerability
------------------------------------------------------------------

[-] Software Link:

https://www.sugarcrm.com

[-] Affected Versions:

Version 13.0.1 and prior versions.
Version 12.0.3 and prior versions.

[-] Vulnerability Description:

When handling the…

[KIS-2023-10] SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection Vulnerability

Posted by Egidio Romano on Oct 26

---------------------------------------------------------------
SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection
Vulnerability
---------------------------------------------------------------

[-] Software Link:

https://www.sugarcrm.com

[-] Affected Versions:

Version 13.0.1 and prior versions.
Version 12.0.3 and prior versions.

[-] Vulnerability Description:

There is a sort of Server-Side Template…

McAfee 2023 Hacker Celebrity Hot List – Why Hackers Love Ryan Gosling so Much

Hackers love Ryan Gosling. In fact, hackers use his name as bait more than any other celebrity. 

With that, the celebrated star of “Barbie” and umpteen other hit films tops our Hacker Celebrity Hot List for 2023. It’s our annual study that reveals which big-name celebrity searches most often link to malware and risky sites. And this year, we’ve evolved the list. It now includes celebs spotted in deepfake and other AI-driven content. 

With Gosling’s high profile this year, it comes as little surprise that he ranked so highly. As we reported earlier this year, “Barbie” was a huge hit for cybercriminals as well. They baited consumers with a rash of ticket scams, download scams, and other attacks that capitalized on the summer hit’s hype.  

Who made the Hacker Celebrity Hot List? 

Months later, searches for Gosling remain high. His portrayal of Ken has scored him a first-ever Billboard Hot 100 song with “I’m Just Ken.” Meanwhile, Ken and Barbie outfits rank among the most popular Halloween costumes for 2023. 

And if you’re wondering, Margot Robbie, who starred as Barbie to Gosling’s Ken, ranked number eight on our list. The full top ten breaks down as follows: 

1. Ryan Gosling, Golden Globe winner and multiple Academy Award nominee.
2. Emily Blunt, critically acclaimed actor and star of this summer’s hit film, Oppenheimer.
3. Jennifer Lopez, pop culture icon, critically acclaimed singer, actor, and producer.
4. Zendaya, critically acclaimed actor and singer.
5. Kevin Costner, Academy Award-winning actor and director, and current star of the hit series, Yellowstone.
6. Elon Musk, business magnate and tech entrepreneur.
7. Al Roker, the “Today” show’s popular meteorologist, author, and journalist.
8. Margot Robbie, actor, producer, and multiple Academy Award and BAFTA award nominee, and the star of this summer’s hit film, Barbie.
9. Bad Bunny, multi-platinum album singer, and the first non-English-language singer to be named as Spotify’s most streamed artist of the year.
10. America Ferrera, actor and noted supporting star of this summer’s hit film, Barbie.

What’s at risk when you search for these celebrities. 

The hackers behind these celebrity-driven attacks are after two primary things.  

They want you to hand over personal info so they can use it to commit identity fraud and theft. 
They want to infect your device with malware. That might include spyware that can steal personal info or ransomware that holds your device and its files hostage—for a price. 

Accordingly, they’ll pair celebrity names with terms like audio book, lyrics, deepfake, free ringtone, free movie, free download, MP4, among others—which generate results that lead to sketchy sites. 

In all, they target people who want to download something or get a hold of celebrity-related content in some form. Again, think of the “Barbie” movie scams earlier this year that promoted free downloads of the movie — but of course they were malware and identity theft scams. 

Searching for a celebrity name alone didn’t necessarily lead to a list of sketchy results. Our own Chief Technology Officer, Steve Grobman, described the risks well. “We know people are seeking out free content, such as movie downloads, which puts them at risk. If it sounds too good to be true, it generally is and deserves a closer look.” Yet hackers know how hungry people are for celebrity content, and unfortunately some people will go ahead and click those links that promise celebrity-filled content, despite the risks. 

Who else made the Hacker Celebrity Hot List? 

Further rounding out the list, we found several big names from sports and popular culture. 

Argentine soccer player Lionel Messi, who recently made the move to Miami’s Major League Soccer team, comes in at number 18 on the list. Recent retiree and all-time American football great Tom Brady clocked in at number 19, and Travis Kelce, American football tight end for the Kansas City Chiefs, came in at number 22. NBA star Steph Curry ranked at number 23, while Aaron Rodgers, another American football legend, came in at number 31. And Serena Williams, a dominant force on the court and in culture, ranked at number 32.

Reality and pop culture favorites also made the top 50, with Andy Cohen of “Real Housewives” fame taking the number 11 slot, followed by Kim Kardashian at number 24, and Tom Sandoval at number 40 on the list. 

And for the Swifties out there, Taylor Swift ranked 25 on our list this year. 

Also making the list — AI scams. 

Thanks to readily available AI tools, cybercriminals have increased both the sophistication and volume of their attacks. It’s no different for these celebrity-based attacks. 

According to McAfee researchers, one such AI-driven trend is on the rise: deepfakes. Take Elon Musk, for example. He hit number six on our list, and our researchers found a significant volume of malicious deepfake content tied to his name, often linked with cryptocurrency scams.

Taking a sample set of the top 50 list, McAfee researchers discovered between 25 and 135 deepfake URLs per celebrity search. While there are instances of malicious deepfakes, many celebrity deepfakes fall into recreational or false advertising use cases right now. However, there is growing evidence that future deepfakes could turn deceptive, deliberately passing along disinformation in a public figure’s name.

Staying safe while searching for celebs — and in general. 

You have every reason, and every right, to search for and enjoy your celebrity content safely. A mix of a sharp eye and online protection can keep you safe out there. 

Go with outlets and websites you can trust. When it comes time to get your celebrity news, look for names you know. Reliable sources that have been around. The reality is that it’s not tough for hackers and scammers to quickly spin up their own (completely bogus) “celebrity news” sites. In fact, it’s rather easy, thanks in part to AI that can generate phony articles that otherwise look real.  

Stick with legitimate streaming and download services. Whether you want to spin something from Taylor Swift’s latest album (Taylor’s version, of course) or stream movies from your favorite stars, use known and legitimate services. Yes, sometimes that means paying. Or putting up with a few ads. The illegal alternatives might be riddled with malware or ask for personal info that ends up right in the hands of hackers. 

Don’t “log in” or provide other info. If you receive a message, text, or email, or visit a third-party website that asks for info like your credit card, email, home address, or other login info, don’t give it out. Particularly if there’s a promise for “exclusive” content. Such requests are a common tactic for phishing that could lead to identity theft. 

Tell what’s real and what’s fake with online protection software. Comprehensive online protection software can keep celebrity scams and other scams like them at bay. First, our new McAfee Scam Protection uses smart AI to detect and warn you of scam texts and links sent your way, so you can tell what’s real and what’s fake. Second, web protection looks out for you while you search—identifying malicious links and even blocking them if you still click one by accident. Together, this is part of the full device, identity, and privacy protection you get with us. 

Whether it’s Ryan, J-Lo, or Bad Bunny – you can stay safe when you search. 

Hackers and scammers love riding the coattails of celebrities. By hijacking big names like Ryan, J-Lo, and Bad Bunny, they dupe plenty of well-meaning fans into downloading malware or handing over their personal info. 

Of course, that’s no reason to stop searching for those celebs. Not at all. Go ahead and enjoy your shows, music, and movies—and all the news, gossip, and tea surrounding them. That’s all part of the fun. Just do it with a sharp eye and the proper protection that has your back. 

The post McAfee 2023 Hacker Celebrity Hot List – Why Hackers Love Ryan Gosling so Much appeared first on McAfee Blog.

CVE-2020-17477

Incorrect LDAP ACLs in ucs-school-ldap-acls-master in UCS@school before 4.4v5-errata allow remote teachers, staff, and school administrators to read LDAP password hashes (sambaNTPassword, krb5Key, sambaPasswordHistory, and pwhistory) via LDAP search requests. For example, a teacher can gain administrator access via an NTLM hash.

Secure Your Black Friday & Cyber Monday Purchases

As we gear up to feast with family and friends this Thanksgiving, we prepare our wallets for Black Friday and Cyber Monday. Black Friday and Cyber Monday have practically become holidays themselves, as each year, they immediately shift our attention from turkey and pumpkin pie to holiday shopping. Let’s look at these two holidays and how their popularity can impact users’ online security, and grab a great Black Friday holiday deal from McAfee.

About the Black Friday Shopping Phenomenon

You might be surprised that “Black Friday” was first associated with a financial crisis, not sales shopping. The U.S. gold market crashed on Friday, September 24, 1869, leaving Wall Street bankrupt. In the 1950s, Black Friday was associated with holiday shopping when large crowds of tourists and shoppers flocked to Philadelphia for a big football game. Because of all the chaos, traffic jams, and shoplifting opportunities that arose, police officers could not take the day off, coining it Black Friday. It wasn’t until over 50 years later that Cyber Monday came to fruition when Shop.org coined the term as a way for online retailers to participate in the Black Friday shopping frenzy.

In conclusion, the origins of “Black Friday” are indeed surprising and far removed from the image of holiday shopping extravaganzas that we associate with the term today. These historical roots offer a fascinating perspective on the evolution of consumer culture and the significance of these shopping events in modern times.

Growth Over the Years

Since the origination of these two massive shopping holidays, both have seen incredible growth. Global interest in Black Friday has risen year-over-year, with 117% average growth across the last five years. According to Forbes, 2018’s Black Friday brought in $6.2 billion in online sales alone, while Cyber Monday brought in a record $7.9 billion.

While foot traffic seemed to decrease at brick-and-mortar stores during Cyber Week 2018, more shoppers turned their attention to the Internet to participate in holiday bargain hunting. Throughout this week, sales derived from desktop devices came in at 47%, while mobile purchases made up 45% of revenue and tablet purchases made up 8% of revenue.

So, what does this mean for Black Friday and Cyber Monday shopping this holiday season? In 2023, Adobe Analytics anticipates that Cyber Monday will maintain its status as the most significant shopping day of the season and the year, spurring a historic $12 billion in spending, reflecting a year-over-year increase of 6.1%. Online sales on Black Friday are expected to increase by 5.7% year over year, reaching $9.6 billion, while Thanksgiving is projected to grow by 5.5% year over year, amounting to $5.6 billion in spending.

If one thing’s for sure, this year’s Black Friday and Cyber Monday sales are shaping up to be the biggest ones for shoppers looking to snag some seasonal bargains. However, the uptick in online shopping activity provides cybercriminals the perfect opportunity to wreak havoc on users’ holiday fun, potentially disrupting users’ festive experiences and compromising their online security. In light of this, it is crucial to take proactive measures to safeguard your digital presence. One effective way to do so is by investing in top-tier online protection solutions. McAfee, a renowned leader in the field, offers award-winning cybersecurity solutions designed to shield you from the ever-evolving threats in the digital landscape. Explore the features of our McAfee+ Ultimate and Total Protection and be informed of the latest cyber threats with McAfee Labs

→ Dig Deeper: McAfee 2023 Threat Predictions: Evolution and Exploitation

Spot Those Black Friday and Cyber Monday Shopping Scams

With the surge in online shopping during Black Friday and Cyber Monday, cybercriminals are also on high alert, crafting sophisticated scams to trick unsuspecting shoppers. One common form of scam you’ll come across during this time is fraudulent websites. These sites masquerade as reputable online retailers, luring customers with too-good-to-be-true deals. Once shoppers enter their personal and financial data, the criminals behind these sites gain access to the sensitive information, paving the way for identity theft.

Phishing emails are another popular mode of scam during these shopping holidays. Shoppers receive emails that appear to be from legitimate stores advertising incredible deals. The emails typically contain links that direct users to a fraudulent website where their information can be stolen. It’s essential to approach every email suspiciously, checking the sender’s information and avoiding clicking on unsolicited links.

→ Dig Deeper: How to Protect Yourself From Phishing Scams

How to Protect Yourself from These Scams

Thankfully, there are steps you can take to protect yourself when shopping online during Black Friday and Cyber Monday. First, always ensure that the website you’re shopping from is legitimate. Check for the padlock icon in the address bar and “https” in the URL, as these are indicators of a secure site. Steer clear of websites that lack these security features or have misspelled domain names, as they could be fraudulent.

McAfee Pro Tip: When browsing a website, there are several essential cues to consider when assessing its safety. As mentioned, one such indicator is the presence of “https” in the website’s URL. But there are also other tell-tale signs, such as fake lock icons, web copy, web speed, and more. Know how to tell whether a website is safe.

Furthermore, never provide personal or financial information in response to an unsolicited email, even if it appears to be from a trusted source. If the offer seems tempting, visit the retailer’s official website and check if the same deal is available there. Finally, consider installing a reputable antivirus and security software, like McAfee, that can provide real-time protection and alert you when you stumble upon a malicious website or receive a phishing email.

Final Thoughts

Black Friday and Cyber Monday are prime opportunities for consumers to snag once-a-year deals and for cybercriminals to exploit their eagerness to save. However, being aware of the prevalent scams and knowing how to protect yourself can save you from falling prey to these ploys. Always strive to shop smart and stay safe, and remember that if an offer seems too good to be true, it probably is.

The post Secure Your Black Friday & Cyber Monday Purchases appeared first on McAfee Blog.
