News

Let’s be honest, talking to your kids about identity theft isn’t probably top of your list. There’s a long list of topics to cover off when you are a parent. But if you take a minute to picture someone stealing your child’s identity or using their personal information to take out a loan for a shiny new car then you’ll probably want to move it closer to the top of your parenting to-do list!

What Is Identity Theft?

Identity theft occurs when a person’s personal identifying information is used without their permission, usually to commit fraud by making unauthorised purchases or transactions. Identity theft can happen in many ways, but its victims are usually left with significant damage to their finances, credit score, and even their mental health.

Most people associate identity theft with data breaches – think Optus, Latitude Financial, and Medibank – however, there are many more ways that scammers can get their hands on your personal identifying details. They can use ‘phishing’ emails to get information from you, do a deep dive on your social media accounts to find identifying information in posts or photos, hack public Wi-Fi to access any information you share, or simply, steal your wallet or go through your trash!!

How Big An Issue Is It Really?

In short, it’s a big problem – for both individuals and organisations. And here are the statistics:

• 94,000 cybercrime reports were made in the 2022/23 financial year, an increase of nearly 13% from the previous year, according to The Annual Cyber Threat Report by The Australian Cyber Security Centre (ACSC).
• A recent study by The Australian Cybercrime Survey showed that 31% of respondents had experienced identity crime in their lifetime and 20% within the previous 12 months. Just under half of the victims reported that they had noticed suspicious transactions on their bank statements. Although 25% of respondents couldn’t identify how their information was stolen, 16% attributed it to the hacking of a computer or device.
• 10 million Australians had their personal details stolen in the Optus data breach in September 2022.
• 7 million Australians also had personal data stolen in the Medibank data breach in October 2022.
• 14 million Australians had their personal information stolen in the Latitude Financial data breach in March 2023.

How Do You Know If You’re a Victim?

One of the biggest issues with identity theft is that you often don’t immediately know that you’re a victim. In some cases, it might take weeks before you realise that something is awry which unfortunately, gives the thief a lot of time to wreak havoc! Some of the signs that something might be wrong include:

• Unfamiliar charges to your bank account
• Calls and texts about products or services that you’ve never used
• You’re denied credit
• Strange emails in your inbox
• Not receiving expected mail
• Unexpected calls or letters from debt collectors

What To Do If You Think You’re a Victim

The key here is to act as soon as you believe you are affected. Don’t stress that there has been a delay in taking action – just take action now! Here’s what you need to do:

1. Call Your Bank

Your first call should be to your bank so they can block the affected account. The aim here is to prevent the scammer from taking any more money. Also remember to block any cards that are linked to this account, either credit or debit.

2. Change Your Passwords

If your identity has been stolen then it’s highly likely that the scammer knows your passwords so change the passwords for the affected accounts straight away!! And if you have used this same password on any other accounts then change these also. If you can’t remember, you can always reset the passwords on key accounts just to be safe.

3. Report It

It may feel like a waste of time reporting your identity theft, but it is an important step, particularly as your report becomes a formal record – evidence you may need down the track. It may also prevent others from becoming victims by helping authorities identify patterns and hopefully, perpetrators.  If you think your personal identifying information has been used, report it to the Australian authorities at ReportCyber.

4. Make a Plan

It’s likely you’re feeling pretty overwhelmed at what to do next to limit the damage from your identity theft – and understandably so! Why not make a contract with IDCARE? It’s a free service dedicated to assisting victims of identity theft – both individuals and organisations – in Australia and New Zealand.

How Do We Talk To Our Kids About It?

If there is one thing I have learned in my 20+ years of parenting, it is this. If you want to get your kids ‘onboard’ with an idea or a plan, you need to take the time to explain the ‘why’. There is absolutely no point in asking or telling them to do something without such an explanation. It is also imperative that you don’t lecture them. And the final ingredient? Some compelling statistics or research – ideally with a diagram – my boys always respond well to a visual!

So, if you haven’t yet had the identity theft chat with your kids then I recommend not delaying it any further. And here’s how I’d approach it.

Firstly, ensure you are familiar with the issue. If you understand everything I’ve detailed above then you’re in good shape.

Secondly, arm yourself with relevant statistics. Check out the ones I have included above. Why not supplement this with a few relevant news stories that may resonate with them? This is your ‘why’.

Thirdly, focus on prevention. This needs to be the key focus. But don’t badger or lecture them. Perhaps tell them what you will be doing to minimise the risk – see below for your key ‘hot tips’ – you’re welcome!

What You Can Do To Manage Identity Theft?

There are a few key things that you can do today that will both minimise your risk of becoming a victim and the consequences if you happen to be caught up in a large data breach.

1. Passwords

Managing passwords for your online accounts is one of the best risk management strategies for identity theft. I know it’s tedious, but I recommend creating a unique and complex 10+ digit password for each of your online accounts. Tricky passwords make it harder for someone to get access to your account. And, if you use the same login details for each of your online accounts – and your details are either leaked in a data breach or stolen – then you could be in a world of pain. So, take the time to get your passwords sorted out.

2. Think Before You Post

Sharing private information about your life on social media makes it much easier for a scammer to steal your identity. Pet names, holiday destinations, and even special dates can provide clues for passwords. So, lock your social media profiles down and ensure your privacy settings are on.

3. Be Proactive – Monitor Your Identity Online

Imagine how good it would be if you could be alerted when your personal identifying information was found on the Dark Web. Well, this is now a reality! McAfee’s latest security offering McAfee+ will not only protect you against threats but provide 24/7 monitoring of your personal details so it can alert you if your information is found on the Dark Web. And if your details are found, then advice and help may also be provided to remedy the situation. How good!!

4. Using Public Computers and Wi-Fi With Caution

Ensuring you always log out of a shared computer is an essential way of keeping prying eyes away from your personal identifying information. And always be super careful with public Wi-Fi. I only use it if I am desperate and I never conduct any financial transactions, ever! Cybercriminals can ‘snoop’ on public Wi-Fi to see what’s being shared, they can stage ‘Man in The Middle Attacks’ where they eavesdrop on your activity, or they can lure you to use their trustworthy sounding Wi-Fi network – designed purely to extract your private information!

5. Monitor Your Bank Accounts

Why not make a habit of regularly checking your bank accounts? And if you find anything that doesn’t look right contact your bank immediately to clarify. It’s always best to know if there is a problem so you can address it right away.

With so many Aussies affected by data breaches and identity theft, it’s essential that our kids are armed with good information so they can protect themselves as best as possible. Why not use your next family dinner to workshop this issue with them?

Till Next Time

Stay Safe Online

Alex

The post How to Talk To Your Kids About Identity Theft appeared first on McAfee Blog.

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

By far the most curious security weakness Microsoft disclosed today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rolling back of fixes for some vulnerabilities affecting “optional components” on certain Windows 10 systems produced in 2015. Those include Windows 10 systems that installed the monthly security update for Windows released in March 2024, or other updates released until August 2024.

Satnam Narang, senior staff research engineer at Tenable, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears labeled this way with CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously know to be exploited.

“To correct this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates,” Narang said.

Kev Breen, senior director of threat research at Immersive Labs, said the root cause of CVE-2024-43491 is that on specific versions of Windows 10, the build version numbers that are checked by the update service were not properly handled in the code.

“The notes from Microsoft say that the ‘build version numbers crossed into a range that triggered a code defect’,” Breen said. “The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state.”

Zero Day #1 this month is CVE-2024-38226, and it concerns a weakness in Microsoft Publisher, a standalone application included in some versions of Microsoft Office. This flaw lets attackers bypass Microsoft’s “Mark of the Web,” a Windows security feature that marks files downloaded from the Internet as potentially unsafe.

Zero Day #2 is CVE-2024-38217, also a Mark of the Web bypass affecting Office. Both zero-day flaws rely on the target opening a booby-trapped Office file.

Security firm Rapid7 notes that CVE-2024-38217 has been publicly disclosed via an extensive write-up, with exploit code also available on GitHub.

According to Microsoft, CVE-2024-38014, an “elevation of privilege” bug in the Windows Installer, is also being actively exploited.

June’s coverage of Microsoft Patch Tuesday was titled “Recall Edition,” because the big news then was that Microsoft was facing a torrent of criticism from privacy and security experts over “Recall,” a new artificial intelligence (AI) feature of Redmond’s flagship Copilot+ PCs that constantly takes screenshots of whatever users are doing on their computers.

At the time, Microsoft responded by suggesting Recall would no longer be enabled by default. But last week, the software giant clarified that what it really meant was that the ability to disable Recall was a bug/feature in the preview version of Copilot+ that will not be available to Windows customers going forward. Translation: New versions of Windows are shipping with Recall deeply embedded in the operating system.

It’s pretty rich that Microsoft, which already collects an insane amount of information from its customers on a near constant basis, is calling the Recall removal feature a bug, while treating Recall as a desirable feature. Because from where I sit, Recall is a feature nobody asked for that turns Windows into a bug (of the surveillance variety).

When Redmond first responded to critics about Recall, they noted that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data.

But that claim rang hollow after former Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

As it is apt to do on Microsoft Patch Tuesday, Adobe has released updates to fix security vulnerabilities in a range of products, including Reader and Acrobat, After Effects, Premiere Pro, Illustrator, ColdFusion, Adobe Audition, and Photoshop. Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates.

Seeking a more detailed breakdown of the patches released by Microsoft today? Check out the SANS Internet Storm Center’s thorough list. People responsible for administering many systems in an enterprise environment would do well to keep an eye on AskWoody.com, which often has the skinny on any wonky Windows patches that may be causing problems for some users.

As always, if you experience any issues applying this month’s patch batch, consider dropping a note in the comments here about it.

 

Increasingly complex regulations are stretching governance and compliance in organizations, warns the IAPP

Distributed denial of service attacks continue to increase, with government the most targeted vertical

A cyber-attack on Slim CD, which handles electronic payments for US and Canadian-based merchants, has potentially exposed the credit card details of 1.7 million people

A North Carolina resident made over $10m in unlawful royalty payments by producing hundreds of thousands of fake songs listened to by bots using AI

Rental hire company Avis has notified 300,000 customers of a data breach

Transport for London has revealed several digital services are suspended after a cyber-attack last week

In 2018, Australia passed the Assistance and Access Act, which—among other things—gave the government the power to force companies to break their own encryption.

The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include:

• Technical Assistance Requests (TARs): TARs are voluntary requests for assistance accessing encrypted data from law enforcement to teleco and technology companies. Companies are not legally obligated to comply with a TAR but law enforcement sends requests to solicit cooperation.
• Technical Assistance Notices (TANs): TANS are compulsory notices (such as computer access warrants) that require companies to assist within their means with decrypting data or providing technical information that a law enforcement agency cannot access independently. Examples include certain source code, encryption, cryptography, and electronic hardware.
• Technical Capability Notices (TCNs): TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible.

It’s that final one that’s the real problem. The Australian government can force tech companies to build backdoors into their systems.

This is law, but near as anyone can tell the government has never used that third provision.

Now, the director of the Australian Security Intelligence Organisation (ASIO)—that’s basically their CIA—is threatening to do just that:

ASIO head, Mike Burgess, says he may soon use powers to compel tech companies to cooperate with warrants and unlock encrypted chats to aid in national security investigations.

[…]

But Mr Burgess says lawful access is all about targeted action against individuals under investigation.

“I understand there are people who really need it in some countries, but in this country, we’re subject to the rule of law, and if you’re doing nothing wrong, you’ve got privacy because no one’s looking at it,” Mr Burgess said.

“If there are suspicions, or we’ve got proof that we can justify you’re doing something wrong and you must be investigated, then actually we want lawful access to that data.”

Mr Burgess says tech companies could design apps in a way that allows law enforcement and security agencies access when they request it without comprising the integrity of encryption.

“I don’t accept that actually lawful access is a back door or systemic weakness, because that, in my mind, will be a bad design. I believe you can ­ these are clever people ­ design things that are secure, that give secure, lawful access,” he said.

We in the encryption space call that last one “nerd harder.” It, and the rest of his remarks, are the same tired talking points we’ve heard again and again.

It’s going to be an awfully big mess if Australia actually tries to make Apple, or Facebook’s WhatsApp, for that matter, break its own encryption for its “targeted actions” that put every other user at risk.

Almost every teenager in the United States (approximately 96%) reports using the internet daily. As students prepare to return to school after the summer break, ensuring their cybersecurity practices are up to date is essential to protect personal information from increasingly sophisticated cyber threats. By teaching proactive cybersecurity measures, parents can empower their children to maintain a secure online presence, fostering a safer digital environment for the entire family.

Protecting Devices

According to research conducted at Baylor University, students are estimated to spend a substantial average of eight to ten hours daily engaged with smartphones or other forms of technology. These devices need to be safeguarded because they are integral to daily life, facilitating communication, learning, and productivity.

Here are essential steps to safeguard computers, cell phones, and tablets:

• Update Software Regularly: Make it a habit to update all software promptly. Updates frequently contain crucial security patches that shield devices from potential cyber threats. Encourage your student to enable automatic updates whenever possible to stay protected against the latest vulnerabilities.
• Use Holistic All-Around Online Protection: Install and activate reputable online protection software on all devices. This acts as a defense mechanism, detecting and neutralizing malicious software that could compromise personal information or disrupt device functionality.
• Secure Your Network: Use a secure Wi-Fi network with encryption (such as WPA2) and change the default administrator passwords on your routers. Avoid accessing sensitive information or conducting financial transactions over public Wi-Fi. Consider using a Virtual Private Network (VPN) when connecting to public Wi-Fi networks to encrypt internet traffic and protect data from potential eavesdroppers.

Using Complex Passwords

One study found that young students knew not to share their passwords with others, but only about 13% of them created very strong passwords. Creating a complex password is crucial because it acts as a barrier against unauthorized access to personal accounts and sensitive information.

• Create Complex Passwords: Use passwords that are at least 12 characters long, include a mix of letters, numbers, and special characters, and don’t have any easily guessable information like birthdates or names. A password generator can suggest strong passwords for you.
• Avoid Password Reuse: Emphasize the importance of using different passwords for different accounts. If one account is compromised, having unique passwords ensures that other accounts remain secure.
• Consider Password Managers: Using a password manager can help students securely store and manage their passwords. This eliminates the need to remember multiple passwords while maintaining security.
• Enable Multi-Factor Authentication (MFA): Enable multi-factor authentication for added security. This extra layer of protection requires a second form of verification (like a text message code or authentication app) in addition to a password, significantly reducing the risk of unauthorized access.

Being Cautious of Online Scams and Phishing Attempts

Phishing attacks are prevalent and can trick students into revealing sensitive information or downloading malware. These scams often mimic trusted sources like educational institutions or familiar online services, enticing recipients to click on malicious links or download attachments containing malware. Once engaged, these tactics exploit vulnerabilities to compromise devices, steal information, or gain unauthorized access to accounts, posing significant risks to personal and academic security.

• Educate About Phishing: Teach students how to identify common phishing red flags, such as urgent requests for personal information or emails with grammatical errors and suspicious links.
• Verify Sources: Always verify the legitimacy of emails, messages, or websites before clicking on links or providing personal information.
• Report Suspicious Activity: Encourage students to report any suspicious emails or messages to their school’s IT department or a trusted authority figure.

To further enhance students’ defenses against phishing attacks, utilizing a scam protection tool can be invaluable. These tools are designed to automatically detect and alert users to potentially dangerous URLs embedded in texts, emails, or social media messages. Imagine receiving a suspicious link in what appears to be a package delivery notification or a bank alert—this tool’s AI technology swiftly identifies such threats and alerts you before you click, providing peace of mind against falling victim to phishing scams. As a proactive measure, it can even block access to risky websites if you inadvertently follow a scam link, effectively bolstering your defenses across various digital platforms.

Protecting Personal Information

A Pew Research Center survey found that the majority of U.S. teens use social media sites like TikTok (67%), Instagram (62%) and Snapchat (59%). Social media serves as a powerful tool for connecting, discovering, and exchanging information. However, oversharing can inadvertently expose us to threats posed by scammers, hackers, and data aggregators. To stay better protected on social media, consider these tips:

• Limit Social Sharing: Advise students to refrain from disclosing sensitive details like home addresses, phone numbers, or upcoming travel plans. This proactive step minimizes the risk of such information falling into the wrong hands, ensuring personal safety and privacy.
• Use Privacy Settings: Make full use of privacy controls available on social media platforms to specify who can view posts, access personal information, and contact you. Customizing these settings empowers users to manage their online presence effectively, but finding and adjusting privacy settings on social media accounts can often be a difficult task. McAfee’s Social Privacy Manager can help you adjust more than 100 privacy settings across your social media accounts in just a few clicks.

As students gear up for another school year, cybersecurity awareness should be a top priority. Staying vigilant and proactive is key to maintaining a secure digital environment for students at all educational levels. By implementing these cybersecurity tips, students can protect themselves against potential threats and focus more on their studies with peace of mind.

The post Cybersecurity Tips for Students Returning to School appeared first on McAfee Blog.