FEDORA-2023-b4b9b38f23
Packages in this update:
perl-CryptX-0.080-1.fc38
Update description:
Update to 0.080
Fix CVE-2019-17362 in bundled libtomcrypt
perl-CryptX-0.080-1.fc37
Update to 0.080
Fix CVE-2019-17362 in bundled libtomcrypt
perl-CryptX-0.080-1.fc39
Update to 0.080
Fix CVE-2019-17362 in bundled libtomcrypt
20 government agencies have failed to reach the incident response maturity level required by law, the GAO found in a new report
With the rush of Black Friday and Cyber Monday shopping comes a rush of another kind: millions of fake delivery texts sent by scammers, designed to steal your personal info or saddle your phone with malware.
From late November through early January, scammers slip into the holiday mix and catch online shoppers unaware with fake delivery texts. They pose as postal services, delivery companies, and retailers, sending texts that alert their potential victims of some delivery issue or other.
The stories these scammers spin vary, yet the classics include:
A package destined for you couldn’t be delivered.
You owe taxes or other fees before your package can be delivered.
A shipping update, with the promise of offering more detailed tracking info.
In every case, the con game is the same. The scammer wants you to tap the link they’ve included in your text.
From there, that link whisks you to a malicious site designed to do you harm. That might involve installing malware like ransomware, spyware, or viruses. It might also steal your personal and financial info by asking you to fill out a form. Or both.
But you can absolutely beat these scams. A combo of knowing what to look for and some helpful tools can steer you clear of these scams and the headaches that follow.
A little background shows why hackers send so many during the holidays, and it starts with the reported $38 billion that U.S. consumers spent from Black Friday through Cyber Monday. Think of it this way: that’s $38 billion worth of stuff coursing through the mail and delivery services.
The U.S. Postal Service (USPS) alone will deliver an estimated 800 million packages between Thanksgiving and New Year’s Day. Overall, the USPS will process 15 billion pieces of mail. And then there are the millions more shipped by UPS, FedEx, and Amazon’s delivery services.
That offers scammers plenty of opportunities. With all those packages moving around, they count on people responding to their fake delivery texts. Scammers make good money when even a small percentage of people tap the links in those texts.
That flood of bogus texts has understandably put people on their guard. Our own recent research shows that 36% of Americans said they were a victim of an online shopping scam during the holiday season. That’s more than one in three people, making it likely that you know someone who’s been taken in. Of those who fell for holiday scams online, nearly half said it cost them $100 or more. Strikingly, one in four victims said it cost them $1,000 or more.
The top two online scams people reported include:
Text messages about purchases they didn’t make (57%).
Fake missed delivery or fake problem with delivery notifications (56%).
Complicating matters more this year: AI. We’ve been talking a lot about that in our blogs this year, and with good reason. Scammers now have AI-driven tools that help them fire up fake emails, malicious sites, and text messages with a few clicks. In fact, a new phishing site is created every 11 seconds, and Americans receive an average of 12 fake messages or scams daily.
As a result, 31% of people we surveyed said that it’s getting tougher to tell a real message from a fake one. And that includes delivery notifications by text.
With that, let’s cover what you can look out for.
As with any fake text, scammers do their best to look legitimate. All in the hope that their victims will tap that malicious link. Here’s how they try to disguise themselves:
They pose as large, legitimate organizations.
In the U.S., the “big four” organizations that scammers like to impersonate are the U.S. Postal Service (USPS), FedEx, UPS, and Amazon. With that, they can cast a rather wide net because they’re responsible for so many deliveries this time of year. Of course, scammers won’t limit themselves to posing as those organizations. Just about any company will do.
They do their best to make their links look legitimate too.
Companies typically have a standard set of web addresses and phone numbers that they use for contacting customers. For example, Amazon states that legitimate Amazon addresses have a dot before “amazon.com” such as https://pay.amazon.com for Amazon Pay. Scammers try to spoof these addresses, often with addresses that look like the real thing but aren’t. They might use “fed-exdeliverynotices.com” rather than the legitimate fedex.com. In other cases, scammers might use a totally unrelated dot-com address, like in this phony DHL delivery notice below:
Note how the scammer slipped in “dhl” after the dot-com address, all in a ruse to make the link look more legitimate by using the DHL name, a legitimate shipping company.
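The two tricks just described, a lookalike domain and a real carrier’s name tucked into the path of an unrelated site, both come down to the same check: what is the actual hostname of the link, and is it the carrier’s own domain or a subdomain of it? The following is an added example, not code from this post or from McAfee; the allowlist of carrier domains is assumed from the names mentioned above, and the sample links are constructed.

```python
"""Check whether a link in a delivery text actually points at a known carrier.

Added example. KNOWN_CARRIER_DOMAINS is an assumed allowlist built from the
carriers named in the post; the sample links at the bottom are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: the carriers and retailer the post says scammers impersonate.
KNOWN_CARRIER_DOMAINS = {"usps.com", "fedex.com", "ups.com", "amazon.com", "dhl.com"}


def registrable_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it cannot be parsed.

    A scheme-less text such as "fedex.com/track" is treated as http:// so the
    host is extracted instead of the whole string being read as a path.
    """
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_known_carrier_link(url: str) -> bool:
    """True only if the host IS a known domain or a subdomain of one.

    Only the host counts: "dhl" in the path does not, a lookalike such as
    "fed-exdeliverynotices.com" does not, and neither does a known name used
    as a prefix of a different domain, e.g. "amazon.com.example.net".
    """
    host = registrable_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in KNOWN_CARRIER_DOMAINS)


def classify_text_links(urls):
    """Map each link to a plain verdict a user could act on."""
    return {u: ("known carrier" if is_known_carrier_link(u) else "NOT a known carrier")
            for u in urls}


if __name__ == "__main__":
    samples = [  # constructed links in the styles the post describes
        "https://pay.amazon.com/",
        "https://www.fedex.com/fedextrack/?trknbr=1234",
        "http://fed-exdeliverynotices.com/track",
        "http://example-parcel-alert.com/dhl/redelivery",
        "https://amazon.com.example.net/login",
        "usps.com/track",
    ]
    for url, verdict in classify_text_links(samples).items():
        print(f"{verdict:20s} {url}")
```

The check deliberately ignores everything after the host: a carrier’s name in the path, the query string, or a subdomain label of some other site proves nothing. Note that the allowlist approach only says whether a link belongs to a domain you trust; it says nothing about a link you have never heard of, which is exactly why the post’s advice is to skip the link and go to the carrier’s site or app directly.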
They use urgency to get you to act.
Scammers rely on stress and high emotions to lure in their victims. And during the gift-giving season, an alert about a package delivery can do the trick. Scammers (falsely) claim that you won’t get your package without tapping that link and taking some sort of next step.
They drop typos and grammatical errors into their texts. Sometimes.
Once, red flags like these let you know you were staring down a scam. That’s still the case, yet AI has changed that. Scammers now use common AI tools to cook up their texts, which are far less likely to contain common typographical and grammatical errors. Still, look for any kind of writing that looks or reads a bit “off.” Trust your gut. That’s a warning sign.
You have several ways you can avoid the headaches and harm that these texts can lead to.
Don’t tap on links in text messages: If you follow one piece of advice, it’s this. Companies use their standard addresses and phone numbers to contact customers. Follow up on their websites to see what they are. The USPS, UPS, FedEx, and Amazon each have pages dedicated to sharing that info.
Confirm directly: If you have concerns, get in touch with the company you think might have sent it. Manually type in their website and enquire there. Again, don’t tap any links.
Use the shipping company’s or retailer’s app: the USPS, UPS, FedEx, and Amazon all have legitimate apps available in Apple’s App Store and Google Play. You can also count on those to track packages and verify info about your shipments.
Clean up your personal data: Scammers must have gotten your number from somewhere, right? Often, that’s an online data broker — a company that keeps thousands of personal records for millions of people. And they’ll sell those records to anyone. Including scammers. A product like our Personal Data Cleanup can help you remove your info from some of the riskiest sites out there.
Get scam protection: Using the power of AI, our new McAfee Scam Protection can alert you when scam texts pop up on your phone. And as a second line of defense, it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more. You’ll find it in our McAfee+ products — along with up to $2 million in identity theft coverage and restoration support if the unfortunate happens to you.
Consider being a part of the solution. Many companies have dedicated email addresses and web pages for fraud protection. This helps them identify scams along with their behaviors and trends. In turn, they can alert their customer base of current scams and help them track down the scammers.
Further, in the U.S., you can also report scam texts to the Federal Trade Commission (FTC) at https://www.ReportFraud.ftc.gov. The FTC uses and shares those reports with law enforcement partners to help with investigations.
By taking a deep breath and scrutinizing that seemingly alarming delivery message, you can avoid getting taken in by scammers and hackers this time of year. Using official websites and apps to track your packages goes a long way toward putting you at ease that all’s well with your shipment. Or letting you know that there’s truly an issue with a package.
You also have comprehensive online protection software like ours in your corner. It protects more than your devices. It protects your privacy and identity too — from text scams like these and a host of other scams and attacks as well. In short, it can help you tell what’s real and what’s fake out there.
The post Is That Delivery Text Real or Fake? How to Shop and Ship Safely this Season appeared first on McAfee Blog.
It was discovered that HAProxy incorrectly handled URI components containing the hash character (#). A remote attacker could possibly use this issue to obtain sensitive information, or to bypass certain path_end rules.
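The advisory above gives only the symptom. The general lesson behind it is that a fragment (`#...`) is never part of an HTTP request-target: in origin-form the request-target is an absolute path optionally followed by `?query` (RFC 7230), so a `#` on the request line is malformed input, and any path rule that runs on the raw string will see something the intended path does not contain. The following is an added illustration, not HAProxy’s code and not a reproduction of how HAProxy parsed URIs: a naive suffix matcher beside one that validates the request-target first. The `.css` rule and the request lines are constructed.

```python
"""A path_end-style suffix match done naively beside one done on a validated
request-target.

Added illustration, not HAProxy's code. The rule suffix and request-targets
in the demo are constructed.
"""
from typing import Optional


def naive_path_end(request_target: str, suffix: str) -> bool:
    """Suffix check on whatever precedes '?'.

    Weak pattern: anything else on the request line, including a '#...' that
    should never have been sent, is silently treated as part of the path.
    """
    path = request_target.split("?", 1)[0]
    return path.endswith(suffix)


def parse_origin_form(request_target: str) -> Optional[str]:
    """Return the path of a well-formed origin-form request-target, else None.

    origin-form = absolute-path [ "?" query ]; fragments and whitespace are
    not allowed anywhere in it, so their presence means 'reject'.
    """
    if not request_target.startswith("/"):
        return None  # only origin-form is handled in this illustration
    if "#" in request_target or any(c.isspace() for c in request_target):
        return None
    return request_target.split("?", 1)[0]


def strict_path_end(request_target: str, suffix: str) -> Optional[bool]:
    """Match only a validated path; None means 'reject the request (400)'."""
    path = parse_origin_form(request_target)
    if path is None:
        return None
    return path.endswith(suffix)


if __name__ == "__main__":
    # Constructed rule: a static-asset allow rule keyed on the ".css" suffix.
    for target in ["/assets/site.css?v=3", "/account/export", "/account/export#.css"]:
        print(f"{target!r}: naive={naive_path_end(target, '.css')} "
              f"strict={strict_path_end(target, '.css')}")
```

The design choice worth copying is that validation and matching are separate steps, and the validator answers with a distinct "reject" outcome rather than a false match: a request line that cannot be a valid origin-form target is refused outright, so no path rule ever runs on it. That is also the detection hook: a `#` in a request line is a reliable indicator of malformed or hand-crafted traffic and is worth logging and alerting on.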
Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.
Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.
Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.
AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.
The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.
Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).
Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.
There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.
This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.
Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.
Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.
In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.
We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?
This essay originally appeared in Slate.
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Information security requirements and standards are in a constant state of evolution. Recent issues, such as COVID-19 and the growing global reliance on mobile devices and remote work solutions, have played important roles in this ongoing transformation. At the same time, the increasing sophistication of cyber attackers has added new layers of complexity to the cybersecurity landscape. In this article, I will explore the importance of implementing fraud detection systems as a crucial measure to mitigate the impact of both traditional and emerging fraudulent schemes.
The landscape of user behavior has undergone significant shifts, primarily driven by external factors such as the COVID-19 pandemic. This factor led to an increase in online transactions, coupled with reduced income streams for many individuals, resulting in decreased spending in specific user categories. Additionally, local conflicts, like the war in Ukraine and Israel, influence spending patterns in particular regions.
The implementation of restrictive measures and the resulting increase in stress levels have provided cyber crooks with more opportunities to exploit social engineering techniques through acts of intimidation. One prevalent scam involves fraudsters posing as bank security officials to deceive unsuspecting individuals.
Another concerning trend is the rise of legitimate channels that drive people to scam schemes via mainstream advertising platforms like Google and Facebook.
Furthermore, the economic hardships some people face have led them to seek alternative income sources, driving them to engage in various forms of online criminal activities. Some individuals become involved in schemes where they act as money mules or work in illegal call centers.
It is challenging for financial institutions to guarantee absolute safety. Malicious individuals can present counterfeit identification to authorize transactions that were initially denied by the anti-fraud system. While financial institutions strive to know as much as possible about their clients and run transactions carefully, they are constrained by data retention limitations (typically several months) and the need to respond within seconds, as stipulated by Service Level Agreements. So, again, achieving complete certainty about every transaction remains a huge problem.
Detecting suspicious activities becomes even more challenging when malicious employees request details about a specific client or transaction, as this falls within their routine work tasks. Some fraud detection systems use computer webcams or video surveillance cameras to monitor employee behavior. Modern surveillance systems have become more intelligent, leveraging artificial intelligence and historical data to perform comprehensive risk assessments and take action when unusual employee behavior is detected. However, these cameras may not always be effective in identifying deceitful behavior when employees remain almost motionless.
Fraud detection systems are designed to detect and prevent various forms of fraudulent activities, ranging from account hijacking and identity theft to fraudulent financial transactions. Initially adopted by financial institutions in the early 2010s in response to large-scale attacks on e-banking systems, fraud detection systems have since found their way into various sectors, including e-commerce, client loyalty programs, gaming services, contextual advertising platforms, and insurance. They play a pivotal role whenever online transactions and trade occur. While the concept of fraud detection systems is well-established, there are different types of products with unique characteristics that cater to specific needs and challenges.
The core functionality of fraud detection systems involves the examination of online transactions and user actions to assess the level of fraud risk. Typically, fraud detection systems consist of standard and system-specific rules, filters, and lists against which each action is checked. AI and ML technologies embedded within these systems significantly enhance their performance by analyzing client data and identifying patterns indicative of fraudulent behavior.
Fraud detection solutions can be broadly categorized into two main types: transaction fraud detection systems and browser fraud detection systems.
Transaction fraud detection systems
Transaction fraud detection systems employ behavioral and technical indicators as well as machine learning algorithms to assess the risk associated with each transaction. Typically, these systems rely on predefined rules and filters that activate based on specific algorithms or triggers. Various markers are employed to flag suspicious transactions, including unusually large or frequent transactions, transactions in atypical locations, etc. For instance, a user’s account may be temporarily frozen if they initiate multiple identical actions, which is an example of a behavior-based evaluation relying on technical signs.
One of the most critical aspects of transaction fraud detection is detecting targeted social engineering attacks. In such cases, high-level behavioral indicators are indispensable for preventing or slowing down illicit operations.
The system leverages machine learning to process extensive data and identify hidden correlations between user actions that could signal fraud. Historical data on blocked operations, such as unauthorized fund transfers, is used to train the system to recognize patterns leading to denied transactions. This enables the system to independently detect and halt transactions showing signs of fraud.
Browser fraud detection systems
Browser fraud detection systems do not analyze actual transactions but instead collect various technical details about the user’s session. This includes information about the device, connection channel, and user behavior, such as keystrokes, touchpad/mouse movements, and more.
Browser fraud detection systems are good at detecting credential theft resulting from phishing attacks or data breaches. They can also identify fraudulent accounts at the initial stage when a fraudster attempts to sign up.
To effectively identify and combat financial fraud, it is recommended to establish a comprehensive cross-channel real-time fraud detection and prevention system capable of instantly identifying illicit transactions. Such a system should leverage a combination of techniques, including machine learning technologies through a risk assessment module and rule-based methods via a policy module.
The fraud assessment process should be based on user and event profiles, which generate a set of characteristics that can be used by a probabilistic model to determine risk levels. This model can take the form of a custom-built Bayesian tree, where nodes represent probability scores for various combinations of features and events. By incorporating the policy module and its customized rules, organizations can define their unique business scenarios and combine the resulting risk evaluation with various indicators drawn from user profiles and other sources.
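The two halves described here (a policy module of explicit rules such as the large-amount, atypical-location and repeated-identical-action checks from the transaction section above, and a probabilistic risk module that turns the triggered indicators into a fraud probability) can be sketched in a few dozen lines. The following is an added example, not any vendor’s product: the rule thresholds, the likelihood ratios, the prior and the allow/review/freeze cut-offs are all assumed, the indicator combination is a simplified naive-Bayes scoring rather than the Bayesian tree the text mentions, and the transactions in the scenario are constructed.

```python
"""Toy cross-channel transaction fraud scorer: a policy module of explicit rules
plus a probabilistic risk module, combined into one allow/review/freeze decision.

Added example, not any vendor's product. Rule thresholds, likelihood ratios,
the prior and the decision cut-offs are assumed; every transaction in demo()
is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import exp, log
from typing import List, Optional, Set, Tuple


@dataclass
class Txn:
    account: str
    amount: float
    country: str
    beneficiary: str
    at: datetime


@dataclass
class Profile:
    """User profile: what is known about the account (assumed schema)."""
    usual_countries: Set[str]
    avg_amount: float
    history: List[Txn] = field(default_factory=list)


WINDOW = timedelta(minutes=10)  # assumed look-back window for velocity rules


# ---- policy module: each rule returns an indicator name or None -------------
def rule_large_amount(t: Txn, p: Profile) -> Optional[str]:
    return "amount_over_5x_average" if t.amount > 5 * p.avg_amount else None


def rule_atypical_location(t: Txn, p: Profile) -> Optional[str]:
    return "atypical_country" if t.country not in p.usual_countries else None


def rule_velocity(t: Txn, p: Profile, limit: int = 3) -> Optional[str]:
    recent = [h for h in p.history if timedelta(0) <= t.at - h.at <= WINDOW]
    return "velocity_limit" if len(recent) >= limit else None


def rule_repeated_identical(t: Txn, p: Profile, limit: int = 2) -> Optional[str]:
    same = [h for h in p.history if timedelta(0) <= t.at - h.at <= WINDOW
            and h.amount == t.amount and h.beneficiary == t.beneficiary]
    return "repeated_identical_action" if len(same) >= limit else None


RULES = [rule_large_amount, rule_atypical_location, rule_velocity, rule_repeated_identical]

# ---- risk module: naive-Bayes style combination of the triggered indicators --
# Assumed likelihood ratios P(indicator | fraud) / P(indicator | legitimate).
LIKELIHOOD_RATIO = {
    "amount_over_5x_average": 4.0,
    "atypical_country": 6.0,
    "velocity_limit": 3.0,
    "repeated_identical_action": 10.0,
}
PRIOR_FRAUD = 0.01  # assumed base rate of fraudulent transactions


def fraud_probability(indicators: List[str]) -> float:
    """Prior odds multiplied by each indicator's likelihood ratio, in log space."""
    log_odds = log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    for name in indicators:
        log_odds += log(LIKELIHOOD_RATIO[name])
    odds = exp(log_odds)
    return odds / (1 + odds)


def assess(t: Txn, p: Profile) -> Tuple[str, float, List[str]]:
    """Run the policy rules, score the result, decide, then record the event."""
    indicators = [name for rule in RULES if (name := rule(t, p))]
    prob = fraud_probability(indicators)
    if "repeated_identical_action" in indicators or prob >= 0.5:
        decision = "freeze"   # hard policy rule or high risk: hold the account
    elif prob >= 0.1:
        decision = "review"   # step-up verification or manual check
    else:
        decision = "allow"
    p.history.append(t)       # every seen event, blocked or not, feeds later checks
    return decision, prob, indicators


def demo() -> List[Tuple[str, float, List[str]]]:
    """Constructed scenario: one routine purchase, then three identical
    high-value transfers to the same beneficiary from an unusual country."""
    t0 = datetime(2023, 12, 1, 10, 0)
    profile = Profile(usual_countries={"US"}, avg_amount=120.0)
    txns = [
        Txn("acct-1", 80.0, "US", "grocer-01", t0),
        Txn("acct-1", 999.0, "RO", "B-77", t0 + timedelta(minutes=1)),
        Txn("acct-1", 999.0, "RO", "B-77", t0 + timedelta(minutes=2)),
        Txn("acct-1", 999.0, "RO", "B-77", t0 + timedelta(minutes=3)),
    ]
    return [assess(t, profile) for t in txns]


if __name__ == "__main__":
    for decision, prob, why in demo():
        print(f"{decision:7s} p={prob:.3f} {why}")
```

In the scenario the routine purchase is allowed at the base rate, the first two unusual transfers land in "review" because two indicators alone do not push the probability past the freeze threshold, and the third identical transfer is frozen both by the hard repeated-action rule and by the combined score. Keeping the rules and the scoring separate is the point of the policy/risk split in the text: the business can add or tighten a rule without retraining anything, and the risk module can be swapped for a learned model that consumes the same indicator list.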
Choosing the most suitable fraud detection system involves assessing your organization’s specific needs and risks. Different types of fraud detection systems examine distinct datasets, and the ideal approach may involve a combination of both transaction-focused and browser-based solutions. To save funds, some organizations, such as those offering personal accounts without internal payment systems, may find that a browser fraud detection system is enough for their requirements.
When evaluating fraud detection solutions, consider the following criteria:
Price transparency: Evaluate the cost of the fraud detection system, including deployment, fine-tuning, administrator training, and related expenses. Ensure the overall cost does not exceed the potential losses it is designed to prevent.
Testing and objective indicators: Assess the system’s functionality in terms of risk level determination and objective indicators that provide actionable insights. Look for specific criteria, such as the detection of VPN server usage during website access or the system’s ability to remotely access devices. These tangible indicators offer a more accurate assessment of the system’s effectiveness.
Machine learning and AI capabilities: Consider the extent to which the fraud detection system incorporates machine learning and artificial intelligence algorithms. ML and AI can be crucial in identifying risks by analyzing extensive data sets and uncovering hidden patterns and regularities indicative of fraudulent activity. Systems with advanced AI capabilities can adapt and improve their detection methods over time.
Data privacy: Examine whether the system requires the collection of confidential or personal client data. A robust fraud detection system should minimize the need for collecting such data or employ privacy-enhancing techniques. This not only reduces the risk of data breaches but also eliminates the need for obtaining client consent to process personal data by third parties.
While no single fraud detection system can provide foolproof protection against all types of cyberattacks, the primary objective of an efficient security solution is to raise the complexity and cost of executing a fraudulent attack to the point where fraudsters opt for easier targets. Many products on the market meet the criteria outlined above. Still, the performance of a specific fraud prevention system depends on its internal algorithms, which are typically proprietary and not disclosed by developers.
To make an informed choice, organizations should consider running comparative pilot projects using several fraud detection solutions tailored to their specific needs and risks. Again, fraud detection solutions are highly effective and efficient tools for combating fraudulent activities. I advise thoroughly researching, comparing, and adopting a system that aligns with your organization’s unique fraud prevention requirements. By staying proactive and vigilant, organizations can significantly improve their defenses against evolving threats.
Notorious Russian APT28 group is actively exploiting CVE-2023-23397 to hijack Exchange email accounts
Online Safety Act’s mandate for age verification to access pornography could be a security and privacy disaster, think tanks warn