February 2, 2022

Good morning, everyone!

The latest critical vulnerabilities: Apple has released iOS 15.3, iPadOS 15.3, WatchOS 8.4, and macOS 12.12 this week, to fix a Safari data leak and some other problems. SonicWall released a fix in December for a critical flaw in its Secure Mobile Access gateways – now being actively exploited. Let’s Encrypt is revoking 2 million certificates because of “irregularities in its implementation of the TLS-ALPN-01 validation method” – does your website use a secure certificate from LE? Might want to check on that. QNAP NAS Devices are being attacked by ransomware – details on securing these devices in this article and also here Patch All the Things!

The dangers of QR codes

I was reading this article “ Surge in Malicious QR Codes Sparks FBI Alert” and thought, hmmmm, I wonder how many of my newsletter readers realize that QR codes can be quite dangerous? Maybe I should talk about that this week!

First of all, what is a QR code? I think most people have seen them by now, either in an advertisement, on a restaurant menu, on a coupon … it’s a square symbol with odd shapes and lines inside that looks vaguely like some sort of computer-speak (actually it kinda reminds me of a sophisticated version of punch cards – how many people remember those?) QR codes have grown in popularity during the current pandemic for “contactless” tasks. So naturally the cyber criminals have upped their game again!

The FBI said it has also observed threat actors using malicious QR codes to download malware giving them access to a victim’s device, where they then accessed financial data to steal money. Cybercriminals are also swapping out genuine QR codes for their own, intercepting payments, collecting cash and data, the FBI added.

The FBI offers several tips for protecting yourself against this kind of attack:

• Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
• Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
• If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
• Do not download an app from a QR code. Use your phone's app store for a safer download.
• If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
• Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
• If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
• Avoid making payments through a site navigated to from a QR code.

Happy February, everyone!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺