curl-8.2.1-5.fc39

Read Time:10 Second

FEDORA-2024-6dab59bd47

Packages in this update:

curl-8.2.1-5.fc39

Update description:

fix Usage of disabled protocol (CVE-2024-2004)
fix HTTP/2 push headers memory-leak (CVE-2024-2398)

Read More

The Rising Threat of Social Media Harassment. Here’s How to Protect Yourself.

Read Time:6 Minute, 39 Second

Some conversations on social media can get … heated. Some can cross the line into harassment. Or worse. 

Harassment on social media has seen an unfortunate rise in recent years. Despite platforms putting in reporting mechanisms, policies, and even using AI to detect and remove harmful speech, people are seeing more and more harassment on social media. 

Yet even as it becomes more prevalent, nothing about it is usually. Or acceptable. No, you can’t prevent social media harassment. Yet you can protect yourself in the face of these attacks. 

Online harassment statistics continue to climb. 

In 2023, research showed that 52% of American adults said they experienced harassment at some point online. That’s up from 40% in 2022. Also in 2023, 33% said they experienced it in the last year, a jump of 10% from 2022.i 

The same trend follows for teens, where 51% of them said they experienced harassment in the past year, compared to 36% in the year prior.ii 

Earlier research conducted in the U.S. tracked a significant rise in harassment online between 2014 and 2020. This included the doubling or the near doubling of the most severe forms of online harassment.iii 

Our own research in 2022 also noted a rise of another kind — worry about online harassment. Globally, 60% of children said they were more worried that year about social media harassment (cyberbullying) compared to the year prior. Their parents showed yet more concern, with 74% of them more worried that year about their child being harassed than the last.iv 

The human cost of social media harassment. 

Stats are one thing, yet behind each figure stands a victim. Harassment takes a hard toll on its victims — emotional, financial, and sometimes physical. That becomes clear the moment you look at the forms it can take. 

Social media harassment includes: 

Flaming — Online arguments that can include personal attacks. 
Outing — Disclosing someone’s sexual orientation without their consent. 
Trolling — Intentionally trying to instigate a conflict through antagonistic messages. 
Doxing — Publishing private or identifying info without someone’s consent.
Cyberstalking — Collecting info and tracking the whereabouts of a victim in a threatening way.
Identity Theft — Stealing a victim’s accounts or posting messages posing as them online. 

It includes other acts, such as: 

Name-calling. 
Spreading false rumors. 
Sending explicit images or messages. 
Threats of physical harm. 

In practice, the results can get ugly. Scanning press releases from various state attorneys general, you’ll find unflinching accounts of harassment. Like a targeted, three-year cyberstalking campaign against a victim and that person’s parents, coworkers, siblings, and court-mandated professionals.v Another, where the harasser attempted to defame his victim through a fake LinkedIn profile — and further doxed his victim by publicly posting source code the victim had written worth millions of dollars.vi 

All of this serves as a reminder. Harassment can quickly turn into a crime. 

How to protect yourself from harassment on social media. 

The unfortunate fact remains that you can’t prevent social media harassment. Some people simply find themselves driven to do it. You can take several steps to shield yourself from attackers and deny them the info they need to fuel their attacks. 

Secure your accounts. 

Account security should be a high priority for you, your loved ones, and anyone else. That’s especially true during periods of harassment. Every account you have should be secured with a complex password — at least 12 to 14 characters long, with numbers, capital letters, lowercase letters, and symbols. And with two-factor authentication. 

Two-factor authentication is especially important when it comes to account security. The reason is simple: a lot of harassers are tech-savvy, and enjoy taking over a victim’s account to make offensive comments in their name and damage their reputation. 

Two-factor authentication prevents account takeovers like this. It requires a user to know the password and username for an account, along with another way they can prove they are who they say they are. Often that involves a code sent to their smartphone that they can use to verify their identity. At McAfee, we recommend you use two-factor authentication on any account that offers it. 

Control who can follow you. 

Social media platforms offer plenty of ways you can lock down your privacy, even as you remain “social” on them to some degree. Our Social Privacy Manager can help you be as private as you like. It helps you adjust more than 100 privacy settings across your social media accounts in only a few clicks, so your personal info is only visible to the people you want to share it with. By making yourself more private, you deny a potential harasser an important source of info about you, in addition to your friends, family, and life overall. 

Limit what you share online. 

Limit how much info you share about yourself on social media websites. Addresses, phone numbers, and locations shouldn’t be shared in posts and shouldn’t be included in biographies. Attackers can use this type of info to make false threats and, in some cases, falsify crimes to elicit a police response — this is a technique called “SWATTING” and it’s quite serious.vii  

In some instances, harassers gather info about their victims on data brokers or “people finder” sites. Some of this info can get pretty detailed, and these sites will sell it to anyone. You can clean up that info, however. Our Personal Data Cleanup scans data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites — or remove it for you, depending on your plan. 

Harassed on social media? Here are the steps to take. 

Report the harassment to the social media platform. 

If you find yourself targeted, don’t respond. That’s what the harasser wants. Use your social media platform’s tools to block and then report the harasser. Many platforms have web pages dedicated to harassment that walk you through the process.  

Report harassment to the authorities.  

First off, if you feel that you are in immediate danger, contact your local authorities for help. 

In many cases, harassment is illegal. Slander, threats, damage to your professional reputation, doxing, and many of the examples mentioned earlier can amount to a crime. There are options for victims, legally speaking. If you feel a harassment campaign has crossed the line, then it’s time to contact the authorities. Bring proof of harassment. Take screenshots of everything and submit them as part of your complaint. 

Talk with trusted family members and friends. 

We’ve seen just how damaging and painful harassment can be. Let trusted people in your life know what’s happening. Lean on them for support. And have them help you find any resources you might need in the wake of harassment, such as counseling or even legal assistance. You might find this tough to do, yet realize that you’re not at fault here. Any ugliness you’re dealing with comes from the hands of a harasser. Not yours. Close family and friends will recognize this.

[i] https://www.adl.org/resources/report/online-hate-and-harassment-american-experience-2023 

[ii] https://www.adl.org/resources/report/online-hate-and-harassment-american-experience-2023 

[iii] https://www.pewresearch.org/internet/2021/01/13/the-state-of-online-harassment/ 

[iv] https://media.mcafeeassets.com/content/dam/npcld/ecommerce/en-us/docs/reports/rp-cyberbullying-in-plain-sight-2022-global.pdf 

[v] https://www.justice.gov/usao-wdwa/pr/everett-man-indicted-cyberstalking-and-threatening-former-romantic-partner 

[vi] https://www.justice.gov/usao-ednc/pr/federal-jury-convicts-cyberstalker-who-used-fake-linkedin-profile-harassment-campaign 

[vii] https://www.theguardian.com/technology/2016/apr/15/swatting-law-teens-anonymous-prank-call-police 

 

The post The Rising Threat of Social Media Harassment. Here’s How to Protect Yourself. appeared first on McAfee Blog.

Read More

Smuggling Gold by Disguising it as Machine Parts

Read Time:24 Second

Someone got caught trying to smuggle 322 pounds of gold (that’s about 1/4 of a cubic foot) out of Hong Kong. It was disguised as machine parts:

On March 27, customs officials x-rayed two air compressors and discovered that they contained gold that had been “concealed in the integral parts” of the compressors. Those gold parts had also been painted silver to match the other components in an attempt to throw customs off the trail.

Read More

Why CISA is Warning CISOs About a Breach at Sisense

Read Time:3 Minute, 47 Second

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.

New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”

“We are taking this matter seriously and promptly commenced an investigation,” Dash continued. “We engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.”

In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the sparse alert reads. “We will provide updates as more information becomes available.”

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company’s code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud.

Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisent customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.

It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.

The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time — sometimes indefinitely. And depending on which service we’re talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.

Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they’ve previously entrusted to Sisense.

Earlier today, a public relations firm working with Sisense reached out to learn if KrebsOnSecurity planned to publish any further updates on their breach (KrebsOnSecurity posted a screenshot of the CISO’s customer email to both LinkedIn and Mastodon on Wednesday evening). The PR rep said Sisense wanted to make sure they had an opportunity to comment before the story ran.

But when confronted with the details shared by my sources, Sisense apparently changed its mind.

“After consulting with Sisense, they have told me that they don’t wish to respond,” the PR rep said in an emailed reply.

Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said a company entrusted with so many sensitive logins should absolutely be encrypting that information.

“If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted,” Weaver said. “If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable.”

Read More