Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service.
Daily Archives: December 7, 2023
New Report: Over 40% of Google Drive Files Contain Sensitive Info
The Metomic research also suggested 34.2% of the files were shared with external contacts
BlackSuit ransomware – what you need to know
A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia.
And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang.
Learn more about the BlackSuit ransomware in my article on the Tripwire State of Security blog.
USN-6541-1: GNU C Library vulnerabilities
It was discovered that the GNU C Library was not properly handling certain
memory operations. An attacker could possibly use this issue to cause a
denial of service (application crash). (CVE-2023-4806, CVE-2023-4813)
It was discovered that the GNU C library was not properly implementing a
fix for CVE-2023-4806 in certain cases, which could lead to a memory leak.
An attacker could possibly use this issue to cause a denial of service
(application crash). This issue only affected Ubuntu 23.04. (CVE-2023-5156)
Finally! Facebook and Messenger are getting default end-to-end encryption. And not everyone is happy…
Meta’s Head of Messenger announced that the company has begun to roll out end-to-end encryption (E2EE) for personal chats and calls.
Read more in my article on the Hot for Security blog.
PyDrive2-1.18.0-1.fc39
FEDORA-2023-8e70979de3
Packages in this update:
PyDrive2-1.18.0-1.fc39
Update description:
Update to 1.18 and security fix for CVE-2023-49297
PyDrive2-1.18.0-1.fc38
FEDORA-2023-21d2191c73
Packages in this update:
PyDrive2-1.18.0-1.fc38
Update description:
Update to 1.18 and security fix for CVE-2023-49297
UK Government Warns of Russian Cyber Campaigns Against Democracy
The NCSC identified the threat group responsible as Star Blizzard, linked to Russia’s FSB Center 18
PyDrive2-1.18.0-1.fc40
FEDORA-2023-392085b92b
Packages in this update:
PyDrive2-1.18.0-1.fc40
Update description:
Automatic update for PyDrive2-1.18.0-1.fc40.
Changelog
* Thu Dec 7 2023 Mikel Olasagasti Uranga <mikel@olasagasti.info> – 1.18.0-1
– Update to 1.18.0 – Closes rhbz#2253086 rhbz#2253467
What Is Credential Phishing?
You guard the keys to your home closely, right? They have their own special spot in your bag or in your front pocket. When your keys go missing, does a slight pit of unease grow in your gut?
Our homes store many sentimental and valuable treasures within their walls. The same goes for your online accounts. Think of your login and passwords as the keys to the cozy home of your date of birth, Social Security Number, full name, and address. When you lose those keys and they fall into the hands of a criminal, the break-ins to your online home can be costly.
In a scheme called credential phishing, online scammers seek to steal the keys to your online accounts: your login and password combinations. Just like you’d protect the keys to your house, so should you guard your online account credentials closely.
What Is Credential Phishing?
Credential phishing is a type of online scam where a cybercriminal devises tricks to gain one type of valuable information: username and password combinations. Once they eke this information from their targets, the thief is able to help themselves to online bank accounts, online shopping sites, online tax forms, and more. From there, they could go on a shopping spree on your dime or pilfer your personally identifiable information (PII) and steal your identity.
There are two common ways a criminal might try to steal online account credentials. The first is through a phishing attempt that asks specifically for usernames and passwords. They may impersonate a person or organization with authority, such as your boss, a bank representative, or the IRS. Phishing attempts often threaten dire consequences if you don’t reply promptly. Handle emails, texts, and social media direct messages that demand urgency with care. If it’s truly important, your bank will find another way to get in touch with you. Additionally, be aware of your notification preferences and communication channels with important organizations. For example, the IRS only contacts people by mail.
A second way credential phishers may try to steal your passwords is through fake login pages. You may get redirected to a fake login page by clicking on a risky link hidden in a phishing message or on a malicious website. An example of credential phishing and fake login pages in action happened to customers of a password storage company. Customers received phishing emails that contained a link to a “login page” that was actually a malicious subdomain that sent the details straight to scammers.1
The One Rule to Foil Credential Phishers
There’s one very simple rule to avoid a phisher stealing your credentials: never share your password with anyone! No matter how authoritative a phone call, text, or email sounds, a legitimate business nor an IT professional nor your boss will ever ask you for your password and username combination.
If you suspect a phishing attempt, do not reply or forward the message. Additionally, do not click on any links. Artificial intelligence content creation tools like ChatGPT can make phishing messages sound convincing, as AI tools often compose messages without typos or grammar mistakes. But if anything in the tone or content of the message strikes you as suspicious, it’s best to delete it and forget about it.
The Importance of Strong Passwords, MFA & Ultimate Secrecy
Ultimate secrecy is a great first step in keeping your credentials a mystery. Practice these other password and online account safety best practices to keep your PII safe:
Choose a strong password. When you create a new online account, the organization is likely to have minimum character count and password difficulty requirements. Remember that a strong password is a unique password. Reusing passwords means that if your credentials are stolen for one website or if one company experiences a data breach, a criminal could use your login and password on hundreds of sites to break into multiple accounts. If you have a hard time remembering all your unique passwords, a password manager can remember them for you!
Enable multifactor authentication. Multifactor authentication (MFA) is an extra layer of protection that makes it nearly impossible for a credential thief to break into your account, even if they have your password and username. MFA requires that you prove your identity multiple ways, often through a one-time code sent to your phone or email address, or a face or fingerprint scan.
Be on the lookout. If you notice any suspicious activity on any of your online accounts, change your password immediately.
Add Another Key to Your Online Protection
To add extra security to your online comings and goings, consider investing in McAfee+, which includes McAfee Scam Protection. McAfee Scam Protection is an AI-powered tool that blocks risky links in your emails, texts, and on social media. This is helpful just in case you accidentally click on a link that would’ve brought you to a fake login page or to another risky site. The more you use Scam Protection, the smarter it gets! And should your credentials and PII ever fall into the wrong hands, McAfee+ has credit and identity monitoring tools that can alert you to suspicious activity.
Consider McAfee as the home security system for your online life. When you log off and lock up, you can relax knowing that McAfee will alert you to breaking-and-entering attempts.
1Cybernews, “LastPass employees and customers targeted in ‘pervasive’ phishing campaign”
The post What Is Credential Phishing? appeared first on McAfee Blog.