Security & Safe Computing Updates
Millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands, a team of security researchers has discovered.
AT (ATtention) commands, or the Hayes command set, is a collection of short-string commands developed in the early 1980s that were designed to be transmitted via phone lines and control modems. Different AT command strings can be merged together to tell a modem to dial, hang up, or change connection parameters.
The story continues at https://www.bleepingcomputer.com/news/security/smartphones-from-11-oems-vulnerable-to-attacks-via-hidden-at-commands/
Back to School: COBALT DICKENS Targets Universities
Despite indictments in March 2018, the Iranian threat group is likely responsible for a large-scale phishing campaign that targeted university credentials using the same spoofing tactics as previous attacks. Continue the story at https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
Given our Adobe licenses, there may not be a lot of use of ghostscript on campus, but if you're using it anyway, there are a number of vulnerabilities identified yesterday. See https://www.kb.cert.org/vuls/id/332928 for details. From the CERT page:
Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
UPDATE: See the end of the article for information on how to delete and disable much of Google's tracking information
Is your mobile device spying on you? It may be doing just that! Let's look at the two major mobile arenas, Apple iPhones and Google Android phones.
Apple explains how Siri listens for "Hey, Siri" without eavesdropping and how it keeps Siri usage anonymous. Siri uses a buffer, or a chunk of audio that's continually recorded over, to listen for the "Hey, Siri" trigger phrase. Once the trigger is heard, it records the user's question or command. This recording is sent to Apple with an anonymous identification number that isn't tied to an individual's Apple ID. More on the Apple story here: https://nakedsecurity.sophos.com/2018/08/13/siri-is-listening-to-you-but-shes-not-spying-says-apple/
Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to. An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you've used privacy settings that say they will prevent it from doing so. Computer Science researchers at Princeton University confirmed these findings at the AP's request. More on this story is here: https://www.securityweek.com/google-tracks-your-movements-it-or-not
The bottom line - check your device's privacy settings, both overall and on a per-app basis. Set them to levels that you feel comfortable with. If you find that the app doesn't adhere to your settings, complain to the app's authors and consider using an alternate app that provides a similar function.
UPDATE: How to Find and Delete Where Google Knows You've Been
The first thing to do, regardless of device, is to login to myactivity.google.com and go into "Activity Controls." Disable "Web & App Activity" and "Location History" to stop Google from storing location markers on your Google account. Some services won't work well (or at all) without these features, such as Google Assistant or a Google Home speaker. Additional details are in this AP News article: https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494/How-to-find-and-delete-where-Google-knows-you%27ve-been
Social engineering is a term you often hear IT pros and cybersecurity experts use when talking about Internet threats like phishing, scams, and even certain kinds of malware, such as ransomware. But its definition is even more broad. Social engineering is the manipulation or the taking advantage of human qualities to serve an attacker’s purpose. It preys on a number of human traits to gain an advantage: curiosity, fear, desire, doubt, empathy and sympathy, ignorance, naivete', inattentiveness, and complacency. This blog entry from Malwarebytes helps you recognize potential attacks and counter them. https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2018/08/social-engineering-attacks-what-makes-you-susceptible/
In the recent "Sextortion" campaign, attackers used one of the victim's actual compromised passwords to try to convince the victim that they had access to the victim's system and had recorded video of them watching pornography. The hacks were false; in reality, the attackers used old data breaches and had only passwords, names, and email addresses with which to work. Nonetheless, the threat of potential exposure of claimed browsing habits was an enticing lead-in to "give me some money". Five key takeaways to avoid being caught by phishing:
- Avoid clicking on links and attachments in email
- Urgency should be a giant red flag
- Don't re-use passwords
- Don't respond to spam or phishing emails
- Don't pay off extortionists
Read more at https://krebsonsecurity.com/2018/08/the-year-targeted-phishing-went-mainstream/
Other universities are reporting a new phishing effort that starts with an email message from the university president containing a malicious PDF. The PDF has a link that goes to a fictitious "Microsoft Reader" that requires credentials to access. In our case, the credentials would be CatID of course.
Subject: [ACTION REQUIRED] <university> Revised and Updated Business Integrity & Policy Guidelines For All Employees
Please forward any examples of this or similar messages to security@uni.edu and phishing@uni.edu
Because I routinely recommend KeePass as a good choice for a standalone password safe, I think it's important to bring this fake KeePass site to your attention.
A French security researcher has stumbled upon an adware delivery scheme that involves clone websites that use legitimately-looking domain names to trick victims into downloading famous apps, but which are actually laced with adware.
The first of these websites was discovered three days ago by Ivan Kwiatkowski. This website was located at keepass.fr, a domain name trying to pass as the app's official site located at keepass.info.
The complete article is available at https://www.bleepingcomputer.com/news/security/fake-websites-for-keepass-7zip-audacity-others-found-pushing-adware/
Pages
- ITTC 36
- (319) 273-5555
