News

Regulator alleged Microsoft knowingly collected personal information from children

UK regulator admits hundreds of employees are impacted

Stock research firm revealed more recent incident in January

No zero-days this month, if you ignore the Edge RCE hole patched last week

Gozi threesome from way back in the late 2000s and early 2010s now all charged, convicted and sentenced. The DOJ got there in the end…

The New York Times has a long article on the investigative techniques used to identify the person who stabbed and killed four University of Idaho students.

Pay attention to the techniques:

The case has shown the degree to which law enforcement investigators have come to rely on the digital footprints that ordinary Americans leave in nearly every facet of their lives. Online shopping, car sales, carrying a cellphone, drives along city streets and amateur genealogy all played roles in an investigation that was solved, in the end, as much through technology as traditional sleuthing.

[…]

At that point, investigators decided to try genetic genealogy, a method that until now has been used primarily to solve cold cases, not active murder investigations. Among the growing number of genealogy websites that help people trace their ancestors and relatives via their own DNA, some allow users to select an option that permits law enforcement to compare crime scene DNA samples against the websites’ data.

A distant cousin who has opted into the system can help investigators building a family tree from crime scene DNA to triangulate and identify a potential perpetrator of a crime.

[…]

On Dec. 23, investigators sought and received Mr. Kohberger’s cellphone records. The results added more to their suspicions: His phone was moving around in the early morning hours of Nov. 13, but was disconnected from cell networks ­- perhaps turned off—in the two hours around when the killings occurred.

Venmo, quick and convenient. A great way to pay back a friend or split the cost of a meal. Yet its ease of use and popularity has made it a hunting ground for scammers. 

Venmo scams come in all shapes, and many of them look like variations of email phishing and text scams. The scammers behind them will pose as Venmo customer service reps who ask for your login credential. Other scammers offer bogus cash prizes and pyramid schemes that lure in victims with the promise of quick cash. Some scammers will use the app itself to impersonate friends and family to steal money from you.  

All of it is preventable. 

Just like any other payment app out there, using Venmo safely calls for a few precautions—and for knowing the tricks that scammers like to pull. 

The basics of staying safer on Venmo 

Keep your transactions private. Venmo has a social component that can display a transaction between two people and allow others to comment on it. Payment amounts are always secret. Yet you have control over who sees what by adjusting your privacy settings:  

• Public – Everyone on the internet can see and comment on the transaction. 
• Friends – Only your Venmo friends and the other participant’s friends can see and comment on the transaction. (Note that the friends of the other participant might be strangers to you, so “friends and friends of friends” is more accurate here.) 
• Private – Here, only the participants can view and comment on the transaction. 

This brings up the question, what if the participants in the transaction have different privacy settings? Venmo uses the most restrictive one. So, if you’re paying someone who has their privacy set to “Public” and you have yours set to “Private,” the transaction will indeed be private. 

We suggest going private with your account. The less financial information you share, the better. You can set your transactions to private by heading into the Settings of the Venmo app, tapping on Privacy, and then selecting Private.  

In short, just because something is designed to be social doesn’t mean it should become a treasure trove of personal data about your spending habits. 

Add extra layers of security. Take extra precautions that make it difficult for others to access your Venmo app.  

• First off, lock your phone. Whether with a PIN or other form of protection, locking your phone prevents access to everything you keep on it—which is important in the case of loss or theft. Our own research found that only 58% of adults take the vital step of locking their phones. If you fall into the 42% who don’t, strongly consider changing that. 
• Within the Venmo app, you can also enable Face ID and a PIN (on iOS) or a PIN and biometric unlock (Android). These add a further layer of security by asking for identification each time you open the app. That way, even if someone gets access to your phone, they’ll still have to leap that security hurdle to access your Venmo app. 

Pay only people you trust. Per Venmo, the app was originally designed for people who know and trust each other to send each other payments. Since then, it’s expanded to making payments for goods and services under certain circumstances. In Venmo’s words: 

“The only way to accept payments for goods and services on Venmo is to be explicitly authorized to accept Venmo for purchases, either by applying for a business profile or tag a payment to a personal profile as a purchase.” 

Venmo further clarifies their policy by stating (emphasis theirs):  

“Unless directly given the option by Venmo, DO NOT USE VENMO TO TRANSACT WITH PEOPLE YOU DON’T PERSONALLY KNOW, ESPECIALLY IF THE TRANSACTION INVOLVES THE PURCHASE OR SALE OF A GOOD OR SERVICE (for example, concert tickets, electronic equipment, sneakers, a watch, or other merchandise).” 

Purchases that don’t follow these policies open you up to risk. That includes the many scammers who peddle phony goods, ask their victims to pay with Venmo, and never deliver a thing. On the flip side, when you make an authorized purchase through Venmo, you gain the benefits of their protection plan. You can learn more about it on their protection plan site. 

Venmo scams 

Venmo has a dedicated web page on the topic of scams, and lists the following as the top Venmo scams out there: 

Fake Prize or Cash Reward  Call from Venmo  Call from Tech Support  Fake Payment Confirmation   Pre-payment for Goods and Services

Stranger Posing as a Friend  Payments from Strangers  Offers to Make Money Fast  Paper Check Scam  Romance Scam

Venmo breaks down each of these scams in detail on their site. They further share things you can do to avoid them—or steps to take if you unfortunately fall victim to one of these scams. 

Broadly speaking, though, you can take several steps to avoid Venmo scams: 

1) Never share private details. 

Scammers will often pose as customer service reps to pump information out of their victims. They’ll ask for things like bank account information, debit card or credit card numbers, or even passwords and authentication codes sent to your phone. Never share this information. Legitimate reps from legitimate companies won’t request it. 

2) Know when Venmo might ask for your Social Security number. 

In the U.S., Venmo is regulated by the Treasury Department. As such, Venmo might require your SSN in certain circumstances. Venmo details the cases where they might need your SSN for reporting, here on their website. Note that this is an exception to what we say about sharing SSNs and tax ID numbers. As a payment app, Venmo might have legitimate reasons to request it. However, don’t send this information by email or text (any email or text that asks you to do that is a scam). Instead, always use the mobile app by going to Settings then Identity Verification. 

3) Keep an eye out for scam emails and texts. 

Venmo always sends communications through their official “venmo.com” domain name. If you receive an email that claims to be from Venmo but that doesn’t use “venmo.com,” it’s a scam. Never click or tap on links in emails or texts supposedly sent by Venmo.  

4) Be suspicious of the messages you get. Imposters are afoot. 

Another broad category of scams includes people who aren’t who they say they are. In the case of Venmo, scammers will create imposter accounts that look like they might be a friend or family member but aren’t. If you receive an unexpected and likely urgent-sounding request for payment, contact that person outside the app. See if it’s really them.  

Keep your online finances yet more secure with the right tools  

Online protection software like ours offers several additional layers of security when it comes to your safety and finances online.  

For starters, it includes web browser protection that can block malicious and questionable links that might lead you down the road to malware or a phishing scam—such as a phony Venmo link designed to steal your login credentials. It also includes a password manager that creates and stores strong, unique passwords for each of your accounts. 

Moreover, it further protects you by locking down your identity online. Transaction Monitoring and Credit Monitoring help you spot any questionable financial activity quickly. And if identity theft unfortunately happens to you, $1 ID theft coverage & restoration can help you recover quickly.  

In all, there’s no question that Venmo makes payments quick and convenient. You can make them far more secure too. The right precautions and tools can see to it. 

The post How to Identify and Protect Yourself From Venmo Scams and Other Cash App Scams appeared first on McAfee Blog.

Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.

June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”

Top of the list on that front is CVE-2023-29357, which is a “critical” bug in Microsoft SharePoint Server that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).

“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”

There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the Windows Pragmatic General Multicast (PGM), which is used for delivering multicast data — such as video streaming or online gaming.

Security firm Action1 says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.

It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using Microsoft Exchange for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.

Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.

“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

The ‘data bridge’ is an extension to the Data Privacy Framework agreed between the US and EU last year

A DDoS attack targeting Switzerland’s administration is the third campaign targeting the country in two weeks