A quick Saturday digest of cybersecurity news articles from other sources.
Why open source software supply chain management is worse than you think
A Sonatype survey also found a 650% year-over-year increase in supply chain attacks aimed at upstream public repositories.
VMware patch bulletin warns: “This needs your immediate attention.”
“It is a matter of time before working exploits are available,” warns VMware.
Ransomware now accounts for 69% of all attacks that use malware
The most common targets of ransomware in the second quarter of 2021 were governmental, medical and industrial companies along with scientific and educational institutions, says Positive Technologies.
In a bid to minimize these scenarios, a growing number of major companies are adopting “Security.txt,” a proposed new Internet standard that helps organizations describe their vulnerability disclosure practices and preferences.
10,000 employees at Stanley Black & Decker go passwordless
Here’s how TruU’s Passwordless Protection could make hybrid work easier and beef up security in the enterprise.
Windowsfx is the Linux distribution Windows users have been looking for
Few operating systems have so closely mimicked Windows as the upcoming Windowsfx 11. Jack Wallen takes a look at the preview of this Linux operating system and comes to a very impressive conclusion.
Over 100 Million Lost to Romance/Crypto Scams in First Seven Months
People in the US lost $133,400,000 to romance scams between January 1st and July 31st of 2021, according to the FBI. The average amount lost was in the tens of thousands of dollars. The scammers trick the victims into thinking they’re investing in cryptocurrencies.
“The scammer’s initial contact is typically made via dating apps and other social media sites,” the FBI says. “The scammer gains the confidence and trust of the victim—through establishing an online relationship—and then claims to have knowledge of cryptocurrency investment or trading opportunities that will result in substantial profits.
The scammer directs the victim to a fraudulent website or application for an investment opportunity. After the victim has invested an initial amount on the platform and sees an alleged profit, the scammers allow the victim to withdraw a small amount of money, further gaining the victim’s trust.”
The FBI explains that once the scammer has a victim on the hook, they’ll keep coming up with more reasons for the victim to send them money.
“After the successful withdrawal, the scammer instructs the victim to invest larger amounts of money and often expresses the need to ‘act fast,’” the Bureau says. “When the victim is ready to withdraw funds again, the scammers create reasons why this cannot happen. The victim is informed additional taxes or fees need paid, or the minimum account balance has not been met to allow a withdrawal.
This entices the victim to provide additional funds. Sometimes, a ‘customer service group’ gets involved, which is also part of the scam. Victims are not able to withdraw any money, and the scammers most often stop communicating with the victim after they cease to send additional funds.”
The FBI offers the following advice to help people avoid falling for these scams:
- “Never send money, trade, or invest per the advice of someone you have solely met online
- “Do not disclose your current financial status to unknown and untrusted individuals
- “Do not provide your banking information, Social Security Number, copies of your identification or passport, or any other sensitive information to anyone online or to a site you do not know is legitimate
- “If an online investment or trading site is promoting unbelievable profits, it is most likely that—unbelievable
- “Be cautious of individuals who claim to have exclusive investment opportunities and urge you to act fast”
Blog post with links:
https://blog.knowbe4.com/over-100000000-lost-to-romance-scams-in-seven-months
Why You Should Steer Clear of Social Media Quizzes
The seemingly benign quizzes asking personal details take advantage of individuals’ willingness to share and could be used to establish passwords, password hints, and more.
We’ve all seen them – quizzes on Facebook asking everything from which Harry Potter character are you, to what state were you born in, to what was your first pet’s name. It seems that none of the people answering these questions saw the scene in the movie “Now You See Me” where the main characters tricked Arthur Tressler into divulging personal information to be used later against him.
According to security vendor Avast, the new wave of social media quizzes may very well be intent on doing the same thing. “They’re meant to seem so light and fluffy that anyone looking for a boredom-killer might be amused by them. And that’s the point. The creators of these quizzes want them to appear meaningless and harmless. They want everyone to engage whimsically with them. Because in truth, many are phishing attempts at your personal data.”
Because of the seemingly innocent (and entertaining) nature of the quizzes, threat actors using such tactics can easily capture information that is often used as the source of passwords or password reset questions.
New-school security awareness training will help keep your users vigilant against such social engineering tactics.
Blog post with links:
https://blog.knowbe4.com/social-media-quizzes-may-be-data-scrapers-building-victim-profiles
Serious Security: Let’s Encrypt gets ready to go it alone (in a good way!)
Let’s Encrypt is set to become a mainstream, self-certifying web certificate authority – here’s why it took so many years.
Are VPNs still the best solution for security?
Cybersecurity professionals rely on VPNs to securely connect remote endpoints to an organization’s home network. One expert suggests there is a better, simpler and safer approach to accomplishing the same thing.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com