Right off the back of a visit to our wedding venue (4 weeks and counting!) and a few hours before heading to the snow (yes, Australia has snow), I managed to slip in a weekly update earlier today. I've gotta say, the section on Shitexpress is my favourite because there's just so much to give with this one; a service that literally ships shit with a public promise of multiple kinds of animal shit whilst data that proves only horse shit was ever shipped, a promise of 100% anonymity whilst the data set clearly shows both shit-senders and shit-receivers and possibly the most eye-opening of all, the messages accompanying the shit. So, uh, yeah, enjoy! 💩
Many people opt for encrypted messaging services because they like the additional layers of privacy they offer. They allow users to message their closest friends, family, and business partners without worrying about a stranger digitally eavesdropping on their conversation. The same people who message over encrypted services and apps are likely also diligent with securing their internet connections and using a VPN.
Despite all those safeguards, everyday people are left in the lurch when the companies with which they entrust their information are victims of cyberattacks. That was the case for users of the encrypted messaging app, Signal. Due to a phishing attack and subsequent leak of customer phone numbers, people are looking to identify potential consequences, protect themselves from SIM swapping, monitor their identity, and take measures to make sure their information is safe in the future.
A recent cyberattack targeted Signal, an end-to-end encrypted messaging service.1 The attackers exposed about 1,900 phone numbers belonging to Signal users. While other personally identifiable information (PII), message history, and contact lists were spared, valid phone numbers in the hands of a cybercriminal can be enough to wreak havoc on affected users.
It is likely that another recent and successful phishing scheme at Twilio was the entry point for the Signal hackers. (Signal partners with Twilio to send SMS verification codes to people registering for the Signal app.) At Twilio, phishers tricked employees into divulging their credentials.
To rectify the situation and protect users, Signal is contacting affected users and asking them to re-register their devices. Also, the company is urging all users to enable registration lock, which is an additional security measure that requires a unique PIN to register a phone with Signal.
There are many lessons not only companies but everyday people can learn from the Signal and Twilio hacks. Here are some ways you can take action at the first signs of a compromised phone number and to help prevent cyber-events like this from happening to you.
SIM swapping occurs when a cybercriminal gets ahold of your cellphone number and a few other pieces of your PII and registers your phone number to a device and a new SIM card that isn’t yours. If they successfully reregister your phone number, they can then access your data, change account passwords, and lock you out of your most important accounts.
Luckily, since most of us use our phones every day, SIM swapping is usually detected quickly. If your phone isn’t connecting to the network and you’re not receiving calls and texts, it could be a sign that your wireless provider may have reassigned your number to an impersonator. In this case, contact your wireless provider immediately.
To make SIM swapping nearly impossible, always turn on multifactor authentication. Also known as MFA, multifactor authentication is a method many online accounts use to ensure that only the authorized user can gain entry. This could entail sending a one-time code by email or text, prompting security questions, or scanning for fingerprint or facial recognition in addition to asking for the account password. MFA is an additional layer of security that’s quick to implement. The extra few seconds it takes to type in a code or stand still for a facial scan is well worth the frustration is causes cybercriminals.
These days, everyone has dozens of online accounts for everything from banking and shopping to streaming services and gaming. Since you can’t predict which company is going to be breached next, limit the number of possible doors a cybercriminal could break through to access your PII. In the Signal hack, it was their third-party vendor that was likely the cause of the leaked phone numbers. This unpredictability means it’s best to limit sharing your PII with as few accounts as possible. A great practice is to regularly organize your online accounts and deactivate the ones you no longer use.
A phishing attack seems to have been the first domino to fall in the Twilio and Signal incident. It could’ve been prevented if everyone followed this absolute rule: Never share your password! Your employer nor your bank nor the IRS, for example, will ever ask you for your password to an online account. If you receive correspondence asking you to share your password, no matter how official it looks, do not comply.
Phishers often lace their electronic correspondences with an urgent or authoritarian tone, threatening severe consequences if they don’t receive a response within a short timeframe. This is a ploy to get people to act too quickly without thinking through the request. If you receive a message that outlines dire consequences for seemingly small infractions, step away from the message for at least 15 minutes and think it through. Stay calm and follow up through official channels, such as a listed phone number on the organization’s website or a customer service chat room, to iron out the alleged situation instead.
Diligent cybersecurity habits go a long way toward keeping you and your family’s PII out of the hands of malicious characters. However, in the case you trust a company with your information but it’s leaked in a breach, McAfee Total Protection can give you peace of mind. McAfee Total Protection offers premium security in various areas including antivirus, identity monitoring, secure VPN, Protection Score, and Personal Data Cleanup. Its advanced monitoring abilities are faster and offer broader detection for your identity. Plus, McAfee Total Protection can cover you up to $1 million in identity theft restoration.
Keep your eyes peeled for cybersecurity news and breaches that may have affected your PII. From there, take action and leverage McAfee services to help you fill in the gaps.
1The Hacker News, “Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack”
The post Encrypted Messaging Service Hack Exposes Phone Numbers appeared first on McAfee Blog.
Webinar Believe it or not the word 'password' is still being used as the most common password across all industries, including retail and ecommerce.…
Chief Information Officers and other technology decision makers continuously seek new and better ways to evaluate and manage their investments in innovation – especially the technologies that may create consequential decisions that impact human rights. As Artificial Intelligence (AI) becomes more prominent in vendor offerings, there is an increasing need to identify, manage, and mitigate the unique risks that AI-based technologies may bring.
Cisco is committed to maintaining a responsible, fair, and reflective approach to the governance, implementation, and use of AI technologies in our solutions. The Cisco Responsible AI initiative maximizes the potential benefits of AI while mitigating bias or inappropriate use of these technologies.
Gartner® Research recently published “Innovation Insight for Bias Detection/Mitigation, Explainable AI and Interpretable AI,” offering guidance on the best ways to incorporate AI-based solutions that facilitates “understanding, trust and performance accountability required by stakeholders.” This newsletter describes Cisco’s approach to Responsible AI governance and features this Gartner report.
At Cisco, we are committed to managing AI development in a way that augments our focus on security, privacy, and human rights. The Cisco Responsible AI initiative and framework governs the application of responsible AI controls in our product development lifecycle, how we manage incidents that arise, engage externally, and its use across Cisco’s solutions, services, and enterprise operations.
Our Responsible AI framework comprises:
We base our Responsible AI initiative on principles consistent with Cisco’s operating practices and directly applicable to the governance of AI innovation. These principles—Transparency, Fairness, Accountability, Privacy, Security, and Reliability—are used to upskill our development teams to map to controls in the Cisco Secure Development Lifecycle and embed Security by Design, Privacy by Design, and Human Rights by Design in our solutions. And our principle-based approach empowers customers to take part in a continuous feedback cycle that informs our development process.
We strive to meet the highest standards of these principles when developing, deploying, and operating AI-based solutions to respect human rights, encourage innovation, and serve Cisco’s purpose to power an inclusive future for all.
Check out Gartner recommendations for integrating AI into an organization’s data systems in this Newsletter and learn more about Cisco’s approach to Responsible Innovation by reading our introduction “Transparency Is Key: Introducing Cisco Responsible AI.”
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Google says it has blocked the largest ever HTTPS-based distributed-denial-of-service (DDoS) attack in June, which peaked at 46 million requests per second.…
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.
KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”
A copy of the phishing message included in the PayPal.com invoice.
While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.
Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.
Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:
“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”
Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:
The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.
I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.
PayPal said in a written statement that phishing attempts are common and can take many forms.
“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”
It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.
Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?
The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
LinkedIn privacy settings are just as overwhelming as any other social media settings. There’s a lot of menus, a lot buttons to enable, select, accept or reject. To make sure you have control over your information we bring you a step-by-step guide on how to enjoy LinkedIn safely.
The post A step‑by‑step guide to enjoying LinkedIn safely appeared first on WeLiveSecurity
A water company in the drought-hit UK was recently compromised by a ransomware gang, though initially it was unclear exactly which water company was the victim.…
Spam-tracking service Spamhaus reported Tuesday that some of the world's biggest brands are getting loose with their email practices, causing its spam blocklists (SBL) to swell significantly.…
The music video for Janet Jackson's 1989 pop hit Rhythm Nation has been recognized as an exploit for a cybersecurity vulnerability after Microsoft reported it can crash old laptop computers.…
Google has issued 11 security fixes for desktop Chrome, including one bug that has an exploit for it out in the wild.…
A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle's manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.…
A highly pervasive .NET-based crypter that has flown under the radar since about 2015 and can deliver a wide range of malicious payloads continues to evolve rapidly, with almost 10,000 code samples being uploaded to VirusTotal over a 16-month period.…
Webinar Barely a day goes by without news of a ransomware attack somewhere in the media. And these types of cyber security incident can seriously derail financial, social, health and industrial activity, inflicting massive damage and requiring a multiagency response in their aftermath.…
We’ve all heard about the Metaverse. And there’s no doubt it has certainly captured the attention of the world’s biggest companies: Facebook has changed its name to Meta, Hyundai has partnered up with Roblox to offer virtual test drives, Nike has bought a virtual shoe company and Coca-Cola is selling NFT’s there too. (Non-Fungible Tokens – think digital assets).
But if you are confused about exactly what this all means and most importantly, what the metaverse actually is, then you are not alone. I’m putting together a 2-part series for parents that will help us get a handle on exactly what this new digital frontier promises and what we need to know to keep our kids safe. It will also ensure we don’t feel like dinosaurs! So, let’s get started.
I think the best way of describing the Metaverse is that it’s a network of online 3D virtual worlds that mimic the real world. Once users have chosen their digital avatar, they can meet people, play games, do business, design fashion items, buy real estate, attend events, earn money, rear a pet – in fact, almost anything they can do in the ‘real’ world! And of course, all transactions are via cryptocurrencies.
If you are an avid Science Fiction reader, then you may have already come across the term in the 1992 novel ‘Snow Crash’ by Neal Stephenson. In the book, Stephenson envisions a virtual reality-based evolution of the internet in which his characters use digital avatars of themselves to explore the online world. Sounds eerily familiar, doesn’t it?
Still confused? Check out either the book or Steven Spielberg’s movie adaption of Ernest Cline’s Ready Player One. Set in 2045, the book tells the story of people living in a war-ravaged world on the brink of collapse who turn to OASIS, a massively multiplayer online simulation game that has its own virtual world and currency. In the OASIS, they engage with each other, shop, play games and be transported to different locations.
The best and most immersive way to access the metaverse is using a Virtual Reality (VR) headset and your internet connection, of course. VR headsets completely take over users’ vision and replace the outside world with a virtual one. Now, this maybe a game or a movie but VR headsets have their own set of apps which once downloaded, allows users to meditate, learn piano, work out at the gym or even attend a live concert in the metaverse!
Now access to the Metaverse is not just limited to those who own expensive headsets. Anyone with a computer or a smartphone (that is internet connected) can also have a metaverse experience. Of course, it won’t be as intense or immersive as the VR headset experience but it’s still a commonly used route to access the metaverse. Some of these ‘worlds’ suggest users can access their world using smartphones however experienced users don’t think this is a good idea as phones don’t have the necessary computational power to explore the metaverse properly.
As some of the most popular metaverse worlds can be accessed using your computer, why not check out Decentraland, The Sandbox, Somnium or even Second Life. In most of these worlds, users don’t have to create an account or spend money to start exploring however if you want the full experience then you’ll need to do so.
Entering the metaverse doesn’t cost anything, just like going on the internet doesn’t cost anything – apart from your internet connection and hardware, of course! And don’t forget that if you want a truly immersive 3D experience, then you might want to consider investing in a VR headset.
But, if you do want to access some of the features of the metaverse and invest in some virtual real estate or perhaps buy yourself a Gucci handbag, then you will need to put your hand into your virtual pocket and spend some of your virtual dollars. But the currency you will need depends entirely on the metaverse you are in.
Decentraland’s currency MANA is considered to be the most commonly used currency in the metaverse and also one of the best to invest in, according to some experts. MANA can be used to buy land, purchase avatars, names, wearables, and other items in the Decentraland marketplace.
The Sandbox has a different currency, SAND, which is also used to buy items from The Sandbox marketplace. This is the second most popular currency however be prepared to buy the currency of the world you choose to spend your time in.
Now, I totally appreciate that the whole concept of the Metaverse is a lot to get your head around. But if you have a tribe of kids, then chances are they are going to want to be part of it so don’t put it in the too-hard basket. Take some time to get your head around it: do some more reading, talk to your friends about it and check out some of the metaverses that you can access from your PC. Nothing beats experiencing it for yourself!
In Part 2, I will be sharing my top tips and strategies to help us, parents, successfully guide our kids through the challenges and risks of the metaverse. So watch out for that.
Till, next time – keep researching!
Alex x
The post A Parent’s Guide To The Metaverse – Part One appeared first on McAfee Blog.
TikTok has joined Twitter in publishing new US midterm misinformation rules, with considerable crossover in scope and style.…