Zero-Day Chrome Vulnerability No. 5 for 2022
The fifth Google Chrome zero-day vulnerability of 2022 has been disclosed. Automatic update patches are being pushed out in stages, but anyone can manually update now. The vulnerability, CVE-2022-2856 has a ‘high severity’ rating, and follows, CVE-2022-0609 in February, CVE-2022-1096 in March, CVE-2022-1364 in April, and CVE-2022-2294 in July.
Google Chrome is the most popular browser in the world, owning almost 65% of the market. For more details about this zero-day vulnerability go to, https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html.
Authored by: Brad Goetsch
Scam of the month – Using QuickBooks to make a quick buck
QuickBooks is a popular accounting software that offers free accounts to its users. While many individuals and organizations use QuickBooks to track their finances, cybercriminals have been using it to run a “business” of their own. In a new scam, cybercriminals create a free QuickBooks account and use the associated email address to send you malicious emails.
To start, cybercriminals send you a phishing email that appears to be an invoice from a reputable organization, such as Norton or Microsoft. The email includes a phone number and directs you to call if the invoice seems suspicious. If you call the phone number, you’ll be asked to confirm your credit card information to cancel the fake transaction. Unfortunately, if you share this information, the cybercriminals can use it to make their own purchases.
To protect yourself from this malicious scam, follow the tips below:
Cybercriminals can use fake invoices to alarm you and trick you into clicking impulsively. Always think before you click!
Authored by: CalTech
Don’t Post That Pic!
A little advice on oversharing sensitive personal information this week. Ah, summertime. It’s a time for relaxation and fun, but for some, it is that time of year their teenage driver FINALLY gets their learner’s permit or restricted driver’s license. There were likely many stressful hours in the car earning this coveted piece of freedom, not to mention the countless brake checks, the thumping of a parent’s foot on the imaginary brake pedal in the passenger floorboard, or maybe just the sheer number of times that little handle above the passenger’s seat was grabbed.
But now the young driver has their license! Not only does this open a new world of possibilities to them, but the parent also unlocked a parenting achievement, someone to run errands for them! This achievement can make a parent (or kid!) want to boast proudly with a a picture of a young driver with their newly acquired driver’s license on social media.
There is some risk here! Phone cameras are pretty good today, and it’s not hard at all to zoom in and clearly see the driver’s license number, legal name, date of birth, and signature! If you want to post that picture, do the responsible thing, and blur or obfuscate that info before you post it. It is obvious what they are holding (with the DMV in the background), don’t give the bad actors of the world that personal information so easily.
Authored by: Dave Kelly, PenTest+, CEH
Top 8 ways to have a safe and happy Independence Day!
While you are out enjoying your 4th of July holiday, here are a few tips to keep in mind:
ELDER FINANCIAL EXPLOITATION – ENOUGH IS ENOUGH
Sadly, we’ve all seen, heard, or read articles regarding the proliferation of scams during the past two years. I would venture to guess that most of you are like me … nothing gets my blood boiling more than hearing about those schmucks out there who have scammed and defrauded an elderly person. I remember my own parents and grandparents and how hard they worked for every dime they earned, and I can’t understand how anyone would think it’s acceptable to exploit the elderly population.
On June 15, 2022, FinCEN issued an advisory which highlights behavioral and financial red flags to help financial institutions identify, prevent, and report suspected elder financial exploitation (EFE). EFE is defined as the illegal or improper use of an older adult’s funds, property, or assets. The advisory points out that elder abuse, including EFE, affects at least 10% of older Americans each year and that the estimated dollar value of suspicious transactions linked to EFE exceeded $3.4 billion in 2020. What’s even more upsetting is that many of the perpetrators are known and trusted persons of the older adults, but there is a rising trend of scams that originate outside of the U.S. by individuals that have no relationship with the victim.
Many years ago, FinCEN added a specific category for EFE to the suspicious activity report (SAR). But in addition to filing a SAR, financial institutions should refer their older customers who may be a victim of EFE to the Department of Justice’s National Elder Fraud Hotline (833-FRAUD-11). Many states also have requirements that financial institutions contact local law enforcement or the applicable state’s Department of Aging or similar agency to report such activity. If you aren’t filing EFE SARs, you may need to beef up your controls – keep in mind that according to FinCEN the MAJORITY of EFE incidents go unidentified and unreported.
The newest advisory is linked here for your convenience. Even if you think, “Oh, that’s a Compliance or BSA matter” – think again. We all have elderly loved ones who can fall victim to a scam, so educate yourself and help protect them! https://www.fincen.gov/sites/default/files/advisory/2022-06-15/FinCEN Advisory Elder Financial Exploitation FINAL 508.pdf
Authored by: Joann Lang, CAMS, CIA, CCBP
As 10-D is approaching our 18th year and it has fallen to me to write the WST this week, it got me wondering what some of our first weekly security tips were about. So, I dug around in the archives and found some classic topics from our first year of tips; Java, Vishing & Smishing, Remote Access & Multi-Factor Authentication, ATM skimming, and password management, just to name a few.
One in particular caught my eye regarding password length. Remember when the password length recommendation was 8 or more characters? That was the message of this early WST. It even included a chart noting it would take a hacker 115 days to crack an 8-character password. Today, the bad guys will crack your 8-character password in 8 hours. Yes, the bad guys are getting better, too.
Currently, 10-D recommends 10 or more characters using numbers, symbols, and upper- and lower-case letters. Make it a passphrase so it is easier to remember and save yourself some reset headaches. These changes will bump up hack time to about 5 years, so you should be well on to a new password by the time they crack this one!
Authored by: Brad Goetsch
New Zero-Day Vulnerability Affecting Microsoft Products
On May 30, Microsoft reported a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT). Dubbed “Follina,” this vulnerability could be exploited by a malicious attacker to execute arbitrary code on a Windows system using the MSDT URL protocol via Microsoft Office applications (such as Microsoft Word). Microsoft is reporting that an attacker that successfully exploits this vulnerability could install unauthorized programs, impact data, or conduct other unauthorized activity on an impacted system, including running arbitrary code.
At this time, no patch is available for this vulnerability. Microsoft has provided workarounds for this issue, listed in the link below. Basically, the workaround uses the Windows registry to disable the MSDT URL protocol. For people and organizations using Microsoft Defender products for antivirus, Microsoft also provides additional guidance in the same article: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
As always, testing is important! Consider working with your technical resources to test system changes before rolling them out to your whole organization.
We are also seeing that many antivirus vendors are pushing antivirus definition updates that can detect and block this vulnerability. Organizations may want to check with their antivirus vendors to understand any recommended actions specific to their product.
Authored by David Bentley, CISSP
Do your backups match your expectations?
A previous WST (https://10dsecurity.com/wst/building-blocks-of-a-business-impact-analysis.html) described what a business impact analysis (BIA) is and how it’s a key component of your business continuity program and disaster recovery success. If you’ve done the work to define recovery point objectives, have you also made sure that your backups actually match your needs? For instance, if a server has a recovery point objective of eight hours but you are only backing it up every twenty-four hours, your backups are misaligned! Should system recovery be necessary, data loss beyond eight hours may be experienced. When updating and reviewing the BIA, we recommend that you include a review of your backup retention schedule to ensure that all backups meet the institution’s BIA requirements for recovery point objectives. You may find systems that you need to expand backup frequency. Or, you may find BIA requirements that are unrealistic or unattainable. In those instances, it may be wise for the institution to adjust expectations or develop other processes to resolve the planning gaps.
Authored by: David Matt, CISSP, CEH
Are You Sure That Laptop is Secured?
One of the many areas we look at when conducting an IT audit is the security of portable devices, including laptops. With the proliferation of laptops that are now enabling so many remote workers, it seems obvious to inquire about the security of the information that might be found on devices that are sometimes outside the institution’s normal physical controls. Laptops are at a higher risk of being lost, stolen, or accessed by unauthorized persons.
When discussing laptop security, we sometimes hear, “Our policy is not to let employees store any customer information on the laptop, so we don’t feel there is any value in encrypting the laptop’s storage.” While this is probably a well-intentioned belief, this overlooks several ways sensitive information may be stored locally.
Application data – Many applications will keep working copies of files, at least in temporary storage. For example, when you open a Word or Excel file, the application may open temporary storage locally on the laptop or workstation while you are editing files. Think of it as a scratch pad the application uses, which could include almost any content from the file being edited. If the application ends abnormally, that temporary data may accumulate instead of being deleted normally. Other application data may be more permanent, such as personal archive files that Outlook may be saving locally (i.e., .pst files) that may contain massive amounts of personal or sensitive information.
Windows temporary data – Much like the application-specific temporary storage discussed above, Windows creates temporary files as well. These files are usually hidden from the end user seeing them, but they also can contain some sensitive information. Not as likely to include customer data, but these temporary files could provide useful information for a potential attacker as there may be user IDs, network topology data, configurations, recovery files, and other infrastructure information that shouldn’t be disclosed.
Deleted files – Wait, how are deleted files a risk? Often, when files or folders are deleted, Windows won’t truly delete all the data from storage and will instead only erase the listing (or index) of that information. An analogy would be a library where the index listing for a book is deleted but the book is left on the shelf. Deleting the index listing will make it harder to locate the book, but it will still be there. That is essentially how Windows works when a file is deleted, only the index is deleted, and the actual file contents will often stay on the local drive until the space is needed for a new file object. There are special applications made for discovering the data from “deleted” files, available to any motivated person.
Cloud storage – If an institution is using a cloud storage solution, such as Google Drive or Microsoft OneDrive, and it is configured to synchronize data locally, then it will retain copies of files on the laptop or workstation. As an example, OneDrive will usually keep local copies in C:\Users\[username]\OneDrive.
Intentional – Even when the institution is operating with the best of intentions, it is not uncommon for a rogue individual to intentionally circumvent the rules or inadvertently save files to their desktop. They may only be taking home a file to work on over the weekend, but it is a potential risk, nonetheless.
There is a simple solution, and that is whole disk encryption. Most versions of Microsoft Windows have the functionality built in (BitLocker) and only need it to be configured (by a qualified IT administrator). Whether built-in encryption or another readily available commercial solution is used, implementation will result in well-protected storage on the laptop (this functionality also exists for desktops). If a laptop with encrypted storage is lost or stolen, the institution will be out the value of the device but will have a substantially lower risk of information disclosure.
Authored by: Jim Baird, CBCP, TCNA
NOTICE OF EXPIRATION OF THE TEMPORARY FULL FDIC INSURANCE COVERAGE FOR NON-INTEREST-BEARING TRANSACTION ACCOUNTS: By operation of federal law, beginning January 1, 2013 funds deposited in a noninterest-bearing transaction account (including an Interest on Lawyer Trust Account) no longer will receive unlimited deposit insurance coverage by the Federal Deposit Insurance Corporation (FDIC). Beginning January 1, 2013, all of a depositor’s accounts at an insured depository institution, including all noninterest-bearing transaction accounts, will be insured by the FDIC up to the standard maximum deposit insurance amount ($250,000), for each deposit insurance ownership category. For more information, visit www.fdic.gov.