Mother’s Day scam, plus all the week’s security news
Scam Of The Week: Mom Doesn’t Want This Mother’s Day Scam
With the power of social media and internet retailing, it’s easier than ever to find the right gift for anyone on your list.
Mother’s Day is no exception; even the hardest to shop for mom can be delightfully surprised with a few quick online searches for the right item. Unfortunately, thieves come out in full force whenever there’s a gifting holiday coming up, and a few scams have already hit hard for Mother’s Day.
Bed, Bath, and Beyond has already had to issue the following statement surrounding a “Mother’s Day scam”–a phony store coupon that has been circulating on Facebook:
“We all know some things are too good to be true! We are sorry for any confusion and disappointment this fake coupon has caused. We are partnering with Facebook to have these coupons removed. Thank you for your understanding!”
The post in question is a coupon for $75 off any purchase, but if the shopper takes special notice, the website on the coupon and the post isn’t Bed, Bath, and Beyond. It’s a spoofed site with a very similar name, close enough that the scammers hope their victims don’t take notice.
DataBreachToday – Social Security to Try Two-Factor Authentication Again
The U.S. Social Security Administration has come up with a revised plan to implement strong authentication after a previous effort was scrapped amid criticism.
As of June 10, those logging into their “my Social Security” account will be required to turn on multifactor authentication, according to a notice sent by email over the weekend. The security control requires a time-sensitive passcode in addition to a username and password.
“You will be able to choose either your cell phone or your email address as your second identification method,” the notice says. “Using two ways to identify you when you log on will help better protect your account from unauthorized use and potential identity fraud.”
Threatpost – Vanilla forums open source software vulnerable to RCE, Host header injection vulnerability
Popular open source forum software suffers from vulnerabilities that could let an attacker gain access to user accounts, carry out web-cache poisoning attacks, and in some instances, execute arbitrary code.
Legal Hackers’ Dawid Golunski found the vulnerabilities–a host header injection and an unauthorized remote code execution vulnerability–in software which is developed by Vanilla Forums.
Golunski reported the issues to Vanilla Forums in January and while a support team acknowledged his reports, he’s experienced five months of silence from the company since, something that prompted him to finally disclose the vulnerabilities Thursday via his ExploitBox.io service.
The researcher confirmed the vulnerabilities exist in the most recent, stable version (2.3) of Vanilla Forums. He presumes older versions of the forum software are also vulnerable.
When reached Thursday, Lincoln Russell, a senior developer at Vanilla Forums stressed the vulnerabilities, which are in the middle of being fixed, only affect the company’s free and open source product.
Golunski says the most concerning vulnerability, the RCE (CVE-2016-10033) stems from a PHPMailer vulnerability he disclosed last December. An attacker could remotely exploit the same vulnerability in Vanilla Forums by sending a web request in which a payload is passed within the HOST header.
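The defensive pattern that closes the path described above, as an added example (not Vanilla Forums or PHPMailer code): the outbound sender address is derived from an operator-configured allow-list of site hosts rather than from the request’s Host header, which the article implies is how the payload reaches PHPMailer. Names such as resolveSiteHost, senderAddress and $allowedHosts are hypothetical; upgrading PHPMailer to a release that fixes CVE-2016-10033 is still required.

```php
<?php
// Added example, not code from Vanilla Forums or PHPMailer.
// Assumes the application once built its sender address from HTTP_HOST;
// here any unexpected Host value falls back to the configured primary host.

/**
 * Return the Host header only if it matches one of the configured site hosts.
 * Otherwise return the configured primary host, so request-controlled bytes
 * never reach the sender address handed to PHPMailer or to mail().
 */
function resolveSiteHost(array $server, array $allowedHosts): string
{
    $primary = $allowedHosts[0];
    $raw = $server['HTTP_HOST'] ?? '';
    // Drop an optional port; only the hostname participates in the match.
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));
    // Only a syntactically valid DNS name may be compared with the allow-list.
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
    if (preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) !== 1) {
        return $primary;
    }
    return in_array($host, $allowedHosts, true) ? $host : $primary;
}

/** Sender address for notification mail, built from the validated host only. */
function senderAddress(array $server, array $allowedHosts): string
{
    $address = 'noreply@' . resolveSiteHost($server, $allowedHosts);
    // Second gate: refuse to send rather than pass a malformed address onward.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('Refusing to send with an invalid sender address');
    }
    return $address;
}

// Operator configuration (constructed sample values).
$allowedHosts = ['forum.example.com', 'www.example.com'];

// Constructed requests: one legitimate, one with an unexpected Host value.
$legit    = ['HTTP_HOST' => 'forum.example.com:443'];
$tampered = ['HTTP_HOST' => 'unexpected value with "quotes" and spaces'];

echo senderAddress($legit, $allowedHosts), PHP_EOL;
echo senderAddress($tampered, $allowedHosts), PHP_EOL;
```

Both calls yield an address on the configured primary host, which is the point: a deployment that logs mismatches between the raw Host header and the resolved host also gains a cheap detection signal for this class of request.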
HealthCareInfoSecurity – NIST Issues Draft Guidance for Wireless Infusion Pumps
New draft guidance from the National Institute of Standards and Technology calls for using commercially available, standards-based technologies to improve the security of wireless infusion pumps.
NIST issued a white paper on the same topic in 2014, but it was criticized for being too prescriptive (see Infusion Pump Security: NIST Refining Guidance).
Wireless infusion pumps are commonly used medical devices that can be potentially vulnerable to accidental and malicious tampering, posing both data security and patient safety risks.
In fact, certain infusion pumps from Hospira were the subject of two 2015 alerts from the Food and Drug Administration following the discovery by independent researchers of cyber vulnerabilities. But there have been no documented cases of patients being harmed as a result of an infusion pump, or other medical device, being hacked.
The NIST guidance is broken into several sections, including a chapter on “how business decision makers, program managers, information technology professionals – for example, systems administrators – and biomedical engineers – might use each volume of the guide.”
Other sections include:
- Risk Assessment and Mitigation: Highlights the risks identified and potential response and mitigation efforts;
- Architecture: Describes the usage scenarios supported by project security platforms, including NIST cybersecurity framework functions supported;
- Life Cycle Cybersecurity Issues: Discusses cybersecurity considerations from a product life cycle perspective;
- Security Characteristics Analysis: Provides details about the tools and techniques guidance collaborators used to perform risk assessments pertaining to wireless infusion pumps;
- Functional Evaluation: Summarizes the test sequences employed to demonstrate security platform services;
- Future Build Considerations: Offers a brief treatment of other applications that NIST might explore in the future to further support wireless infusion pump cybersecurity.
Security Bulletins from the FBI and DHS
DHS – U.K. hospitals, clinics hit by large-scale ransomware cyberattack
The National Health Service (NHS) has confirmed that hospitals across England have been hit by a large-scale cyberattack. The attack has locked staff out of their computers and forced emergency patients to be diverted to hospitals not hit by the attack.
The BBC reports that the IT systems of NHS facilities across England have been hit simultaneously – and that the screens of computers connected to the networks under attack showed a pop-up message demanding a ransom in exchange for allowing staff access to the PCs.
The ransom attack made details of patient records and appointment schedules, internal phone lines and emails, and more inaccessible.
In a statement released Friday morning in the wake of the attacks, Spain’s National Cryptology Center said a cyber assault had been launched “against various organizations,” affecting Windows systems and corrupting networks and archives.
The ransomware used in the Spanish attacks is a version of the WannaCry virus, which encrypts sensitive user data, the National Cryptology Center said.
FBI – Cybersecurity Executive Order Finally Arrives
The cybersecurity executive order is getting mostly good reviews from industry and lawmakers. The order was long awaited by the cybersecurity community. The cybersecurity executive order contains suggestions that are, by and large, considered good ideas by experts, including holding agency heads accountable for cybersecurity. In the past, agency leaders often deferred to IT staff when problems arose. Other portions of the order require agencies to follow the NIST cybersecurity framework, require them to study things ranging from a cyberwarfare deterrence plan to increasing their cyber workforce, and to focus on modernizing critical infrastructure.
Microsoft – Microsoft Security Updates for May 2017 Include Fixes for Four Zero-Days
Earlier today, Microsoft officially released its monthly updates, something that sysadmins all over the world call Patch Tuesday.
This month’s update train includes security and non-security updates for the company’s main operating systems, but also for products such as Internet Explorer, Microsoft Edge, the .NET Framework, and various Office suite apps.
- Microsoft patches 3 zero-days detected in live attacks
- No more support in Edge and IE for SSL/TLS certs signed with SHA1
- A bunch of .NET Framework fixes
- As usual, Adobe’s Flash Player fixes are included as well
See the following hyperlink for a breakdown of the latest security updates