A quick Saturday digest of cybersecurity news articles from other sources.
The Computer Programmer Who Ran a Global Drug Trafficking Empire
A new book uncovers the intricacies of Paul Le Roux’s cartel and how it fueled the opioid epidemic ravaging the U.S. today. This fascinating story is covered in detail on the Smithsonian website. Or read Evan Ratliff’s new book The Mastermind. I did, and the story is fascinating.
Kids’ GPS watches are still a security ‘train wreck’
Anyone could have accessed the entire database, including a child’s location, on Gator watches and other models that share its back end.
Brilliant New Social Engineering Phish – “Please DocuSign: Funding for Your Business”
A friend was sent this email and he forwarded it to me. It’s a brilliant new social engineering phishing scam. It will sail through all your spam / malware filters and email protection devices, because it’s entirely legit by using the DocuSign infrastructure. Prime example of an info grabbing phish that does not use a malicious payload.
Got My Own Social Security Scam Call
They are definitely out there. I wrote about this three weeks ago, and a few days ago, in my voicemail, was part of an automated robocall from scammers claiming to be from the Social Security Administration. Here is the transcription of the call. These are all CRAP and totally bogus. Do not fall for them.
Taking your name and your Social Security number, the issue at hand is very time sensitive the very second you receive this message. I need you to return the call as soon as possible on my department number, which is +1-240-390-7683. I repeat, it’s +1-240-390-7683. If I don’t receive your call, your social security number will be suspended (funny!) to avoid all legal consequences. Call me and so on as possible because this is your last chance for the resultant of this serious case. Again, this message is for you. And this is Officer Lisa Williams from Social Security Administration. Goodbye, and have a blessed day.
Chrome Protects From Typo-Squatters and Fat Fingers
Ever fat-finger (mistype) a web address and end up on a Russian porn site? Or clicked on a near-miss URL (typo-squatting) in a phishing email and end up on a illegal prescription drug website? Chrome has a new feature that advises when you may be going to the wrong website.
Multiple Vulnerabilities in WordPress Could Allow for Remote Code Execution
OVERVIEW: Multiple vulnerabilities have been discovered in WordPress, the most severe of which could allow a WordPress author to execute code remotely on the underlying server. WordPress is a web-based publishing application implemented in PHP. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution with privileges of the affected application.
THREAT INTELLIGENCE: A Proof-of-Concept has been developed by the researchers who discovered this vulnerability to demonstrate the issues.
SYSTEMS AFFECTED: WordPress 5 versions prior to 5.0.1 and WordPress 4 versions prior to 4.9.9
Upgrade your WordPress version to 5.0.3
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com