Newsletter Archives

  • 9th Chrome Zero day being patched

    Just a kind reminder: it’s that time of the year when, depending on which hemisphere you are in, it’s either a bit nippy, a bit tropical or a bit warm. But regardless of where you are located, it’s also that time of the year to ensure that whatever browser you use is fully up to date.

    Chrome is releasing a fix for its 9th zero day of 2022. An exploit has been used in the wild. It’s unclear whether this bug has been used in targeted attacks or more widely. The details are being withheld until we all get patched up, which also means that Edge will get its update soon. While you are there, make sure Firefox and any other browser you use is up to date, especially given this is holiday surfing time.

    I was just online finding a recipe for a grilled cheese sandwich that looked really good and also saw the alert about the zero day.  Let’s be careful out there while we find good recipes for grilled cheese sandwiches!

  • Hacking into your friends

    The email came from someone I know. I could tell from how it was worded that it wasn’t truly from him, that someone was pretending to email from his account. But I played along anyway just to see what the scam was all about.

    The email asked….

    Hi please do you shop from Amazon?

    Thanks,

    Interested to see what the scam was about I answered, “Yes”.

    Back came the email….

    Good To hear from you I’ve been trying to purchase a $200 AMAZON E-Gift card in $100 denomination by email , but it says they are having issues charging my card. I contacted my bank and they told me it would take a couple of days to get it sorted. I intend to buy it for my niece whose birthday is today. Can you purchase it from your end for me? I’ll refund it to you once my bank sorts the issue out. Let me know so I can send you her email.
    Thanks

    Gift card scams are not new.

    In an FTC news release last year they said, “In the first nine months of 2021 alone, nearly 40,000 people reported $148 million stolen using gift cards. And because the vast majority of frauds are not reported to the government, this reflects only a fraction of the harm these scams cause.”

    So how did my friend get hacked? More than likely he has either reused his password on the email account or got tricked (phished) into entering it on a web site. From there the attacker can log in, pretend to be him and email people in his contact list. The scammer can then redirect any inbound email, so when someone responds to his email, like I did, it is the scammers who send back a reply.

    I contacted a nephew of my friend to alert him that he needs to reset his email password and review his account and computer for issues.

    Sometimes they are out to get you. And during October’s cyber security month, it seems like even more so.

  • Dumb security questions – what have you seen?

    I was setting up access to a financial account which requested security reset questions…. some of them are …. well….

    Where were you on New Years 2000?

    Uh…what if you weren’t born yet? (one of the folks in the office answered that.. now I feel OLD!  I was here at the office booting computers making sure they worked)

    Who was your first babysitter?

    Uh… I was a baby?  How would I know? Grandma, maybe?

    What was the name of your third grade teacher?

    Uh…. I honestly am not sure…

    So what are the dumbest security questions you’ve seen?

  • Zero days in browsers

    Now while Chrome has more foundation in security than Internet Explorer did, it’s a reminder that if you hold back on updating your browsers and update them manually, you are at risk.

    Just a kind reminder, while I always recommend you defer updates for the operating system, I DON’T recommend the same for browsers.

    Just a few days ago Chrome patched its 6th zero day this year. Ensure that you are on 105.0.5195.102 (click on settings, help and ensure you are up to date). Edge is also based on Chrome and thus updates soon after. Other browsers built on the Chrome base include Opera, Vivaldi, Brave, Opera Neon, Comodo Dragon and SRWare Iron (among others).

  • The people who keep you safe

    Tonight I’m seeing a reminder of the people that impact the security on the Internet and you may not have been aware of who they are and what they did.  Peter Eckersley of the Electronic Frontier Foundation was also a key supporter of Let’s Encrypt to push free SSL certificates for all web sites to promote more security and privacy.

    From Crunchbase:

    “Peter Eckersley is Chief Computer Scientist for the Electronic Frontier Foundation. He leads a team of technologists who watch for technologies that, by accident or design, pose a risk to computer users’ freedoms—and then look for ways to fix them. They write code to make the Internet more secure, more open, and safer against surveillance and censorship. They explain gadgets to lawyers and policymakers, and law and policy to gadgets.

    Peter’s work at EFF has included privacy and security projects such as the Let’s Encrypt CA, Panopticlick, HTTPS Everywhere, and the SSL Observatory; helping to launch a movement for open wireless networks; fighting to keep modern computing platforms open; helping to start the campaign against the SOPA/PIPA Internet blacklist legislation; and running the first controlled tests to confirm that Comcast was using forged reset packets to interfere with P2P protocols.”

  • Do you use a different browser for…..?

    With many things ranging from banks to your local router using web interfaces to log into them, do you…..

    Close all other web site tabs when you are managing your router?

    Use a different browser that you reserve for highly secure tasks?

    Use in private browsing when managing sensitive sites and devices?

    Don’t save sensitive passwords in your browser?

    What do you do to keep the password of your router a bit more protected?

    Your browser brand for doing online banking should be a different browser than what you use for Twitter and other general web activity, which should be a different browser than what you use for managing things on your network.

    From Will Dormann on Twitter

  • How to use two-factor authentication the right way

    SECURITY

    By Lance Whitney

    Two-factor authentication is still one of the best ways to protect your accounts. But there are right and wrong ways to use it.

    More websites and companies now offer two-factor authentication (2FA) to better protect your logins and accounts. The idea is to use a second form of authentication so that you’re not solely dependent on your password. The goal is to prevent your account from being accessed and compromised in case your password is ever leaked or stolen. And here’s how that can happen.

    Read the full story in our Plus Newsletter (19.19.0, 2022-05-09).

  • Are you prepared?

    It’s Saturday night or Sunday morning where you are and I’d like to challenge you to test that you can restore a file that has been damaged, deleted or removed or worse yet, you got hit by ransomware.

    So the first step is to move a file to a different location on your computer. Next, launch your backup software. Launch the recovery window and see if you can restore that file.

    Ransomware is now being used by commercial attackers and they are using zero days to gain access into systems.

    One-third of all hacking groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups, according to Mandiant’s research. During the last decade, only a very small fraction of zero-days were deployed by cybercriminals. Experts believe the rapid change has to do with the illicit, multibillion-dollar ransomware industry.

    Against businesses, they are going after VPN software and on-premises Exchange software, among other vulnerabilities.

    So I challenge you tonight/tomorrow to test a backup and restoration process.
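
    One way to make this drill prove something, as an added example that is not from the original newsletter: record a SHA-256 hash of the file before moving it, then check the restored copy against that hash so a stale or damaged restore is caught. The file names and helper functions are hypothetical, and a plain file copy stands in for your backup software.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def start_drill(original, holding_dir):
    """Record the file's hash, then move it aside as the post describes."""
    original, holding_dir = Path(original), Path(holding_dir)
    expected = sha256_of(original)
    holding_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(original), str(holding_dir / original.name))
    return expected


def check_restore(original, expected):
    """Classify the result after the backup software has restored the file."""
    original = Path(original)
    if not original.exists():
        return "missing"
    return "match" if sha256_of(original) == expected else "differs"


def demo():
    """Constructed run: a plain copy stands in for the backup software."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = Path(tmp) / "taxes.txt"
        doc.write_text("constructed sample content\n")
        backup = shutil.copy2(doc, Path(tmp) / "backup_copy.txt")
        expected = start_drill(doc, Path(tmp) / "holding")
        before = check_restore(doc, expected)    # nothing restored yet
        shutil.copy2(backup, doc)                # stand-in for the restore
        good = check_restore(doc, expected)
        doc.write_text("stale or corrupted restore\n")
        return before, good, check_restore(doc, expected)


if __name__ == "__main__":
    print(demo())
```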

  • Ensuring your safety

    ISSUE 19.14.1 • 2022-04-05

    By Susan Bradley

    MailChimp was compromised by attackers. Here’s what you should know.

    This is breaking news.

    An article at BleepingComputer on Monday, April 4, 2022, revealed the news that the MailChimp email and marketing service had been breached. The report has also been picked up by many different online services and will probably hit the bigger publishers by tomorrow. The attack focused on MailChimp’s internal tools, which allowed the bad guys to steal audience data and launch phishing attacks.

    Read the full Plus Alert (19.14.1, 2022-04-05).

  • Apple pushes updates for 2 new zero days

    – watchOS 8.5.1: Apple Watch Series 3 and later (31 Mar 2022). This update has no published CVE entries.

    – macOS Monterey 12.3.1: macOS Monterey (31 Mar 2022)

    – iOS 15.4.1 and iPadOS 15.4.1: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) (31 Mar 2022)

    – tvOS 15.4.1: Apple TV 4K and Apple TV HD (31 Mar 2022). This update has no published CVE entries.

    – CVE-2022-22675 in AppleAVD

    – CVE-2022-22674 in Intel Graphics Driver

    2 zero-days in macOS Monterey 12.3.1

    1 zero-day in iOS and iPadOS 15.4.1

    Apparently actively exploited, used to hack iPhones, iPads and Macs. It’s unclear whether these are merely targeted attacks or more widespread. AppleAVD is a media decoder file so watch (pun intended) what you are watching on your devices until they are patched.

  • The browser is your operating system – patch it!

    Tonight’s topic is …. are you up to date on the platform that is REALLY the one you should be worried about? Your browser. No matter what underlying operating system you use, you really need to pay attention to how patched your browser is.

    With more and more things going to the web, with more and more things going through the web, it’s the browser that is the most important software to keep up to date. And lately I’ve noticed that the one that gets the zero days most often is Google Chrome. Don’t use Chrome, you say? Not so fast. Much of the time other platforms’ browsers are built on the Chromium engine, so (for example) you may be using the Brave browser but you still need to be aware of the issues, as Brave is built on the Chromium engine.

    So which browsers use Chromium?

    • Chrome obviously.
    • Edge
    • Opera
    • Vivaldi
    • Brave
    • Colibri
    • Epic
    • Iron
    • Among others

    For Chrome you need to be on 99.0.4844.84 to be protected from this zero day bug that has been seen in use in attacks on the web.

    There are not a lot of details about who or what was using the bug but it appears that it was used in targeted attacks.

    While Firefox (and its versions) are not impacted, it’s still wise to check and make sure you are fully up to date. At this time you need to be on 98.0.2 for Firefox.

    For all of these browsers you can check if you are up to date by clicking on the help menu or about menu and that usually triggers them to download a new update if they are out of date. Alternatively you can go to their direct download site and download a new version and install over the top.

    For those of you who are Plus members, I’ve put the versions or build numbers of the major browsers that you need to be on in the Master patch listing. I’m not sure I’ll be able to keep up with every release of every browser, but for sure when there is a patch like this that fixes a bug known to be used in the wild, and what appears to me to be a realistic risk of attack, I’ll be sure to flag it and also send out a tweet and a text message if you need to update your browser for known in the wild attacks.

    So remember, tonight or in the morning, launch your browser, click on (typically) the dot dot dot in the menu bar at the top, then on help and about.

    Make sure your browser is fully patched!
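
    A check of installed versions against the minimums named in the posts above (105.0.5195.102 for Chrome and 98.0.2 for Firefox), as an added example that is not from the original newsletter. It compares the parts as numbers, because plain text comparison would rank 99.0.4844.84 above 105.0.5195.102; the sample About-page strings and function names are constructed for illustration, and the minimums need replacing with the current ones.

```python
import re

# Minimum versions quoted in the posts above (values come from the page).
FLOORS = {
    "chrome": "105.0.5195.102",
    "firefox": "98.0.2",
}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Extract the first dotted version in text as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def is_patched(installed, floor):
    """True when installed >= floor, comparing each component as a number."""
    a, b = parse_version(installed), parse_version(floor)
    width = max(len(a), len(b))
    # Pad the shorter version with zeros so 98.0 and 98.0.0 compare equal.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit(reported):
    """Map browser name -> True/False for each entry with a known floor."""
    return {name: is_patched(text, FLOORS[name])
            for name, text in reported.items() if name in FLOORS}


# Constructed sample: text as it might appear on a browser's About page.
SAMPLE = {
    "chrome": "Google Chrome 99.0.4844.84",
    "firefox": "Mozilla Firefox 104.0.1",
}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: {'up to date' if ok else 'UPDATE NEEDED'}")
    # Plain string comparison gets this wrong: "99..." sorts after "105...".
    print("99.0.4844.84" >= "105.0.5195.102")
```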

  • Falling for the scams

    So I got this text a little bit ago and figured it was a scam. But what sort of scam I wondered. Went online to search and sure enough… it’s a scam.

    But look at this… it’s a “pay us, get money out of you scam” they’ve been doing this since 2013!!!! Why are we still falling for this stuff this number of years later? Why can the bad guys still get money from us?

    Then again, the city where I live, the local government fell for a scam so clearly we’re not getting any smarter at all.