Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

August 23, 2022

Good morning, everyone!

This week’s critical vulnerabilities:

  • Update all Apple products immediately. Critical fixes pushed out in iOS 15.6.1. After update, disable Bluetooth (Apple just turned it on for you. Again.)
  • Multiple devices from ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel are vulnerable to flaws in underlying firmware. Patches and workarounds available.
  • Google Chrome has multiple security fixes this week.
  • Zoom for Mac has updates available to address a critical security issue. (Note: when I applied this update, it broke the "Polls" functionality. I expect they will fix that in another update soon.)
  • VMware has released more security patches for critical bugs.
  • Amazon Ring and Ring Neighbors released important security and privacy updates.
  • Old vulnerabilities in Zimbra are being actively exploited.

Patch all the things!



VNC under attack

Dark web intelligence firm Cyble recently reported an increase in attacks on VNC across the globe. VNC is a useful tool but should never be exposed directly to the Internet, nor used without a password.

Two big stories on cyber insurance

Two big stories came out this week regarding cyber insurance:

Check the details of your policy

A recent lawsuit, in which the victim sued its insurer for not covering the full cost of a cyber incident, was dismissed. Turns out, the insurance policy distinguished between "computer fraud" (with coverage of $1M) and "social engineering fraud" (with coverage of only $100,000). Details in the article referenced above. It's worth reading.

No more coverage for nation-state attacks

Lloyd’s of London recently announced it will no longer cover cyber attacks attributable to nation-state actors:

The most eyebrow-raising component is that this definition also includes cyber operations that have a “major detrimental impact” on a state’s function, something that implies an attack on critical infrastructure (such as the Colonial Pipeline and JBS attacks) might no longer be covered by the market’s cyber insurance policies.

You may recall that the 2017 NotPetya ransomware attack was attributed to Russia, and WannaCry was attributed to North Korea. Both of those attacks caused untold damage worldwide. It seems that "insurance" isn't always "insurance" these days.

Craziest case of ID theft I've ever seen

This post on LinkedIn last week is the most elaborate ID theft scheme I've ever read. I've copied the story below. Think as you read it: What was the first red flag? The second? What would you have done differently? When would you have stopped the process and sought help?

I got scammed over a job offer.

On August 5, I got an email invitation to interview for a Remote Product Design Manager position at Splunk from info@splunkcareers.us to my university email. It stated that I was fast-tracked to an interview because my AngelList profile showed my skills and experience would be a great fit. I scheduled the interview with an alleged Splunk HR member (Matt Olsen). I even looked up his profile to make sure that I was talking to a real person from the company. After the Skype chat interview, I was told to be online on Monday at 10 am for updates. On Monday, I received the offer, and a request to fill out and sign the employment contract, background check authorization, and direct deposit form, and to send a copy of my driver’s license.

Later that week, I had a chat with the alleged CIO of Splunk (Alexander Fridman), who briefed me on equipment that would be sent to set up my home office. I was told I would be given company funds to purchase an iPhone 13 Pro, an Apple Watch Series 7, and Microsoft Business Standard. The finance department would send me the company account information to purchase the items. I was instructed to link the company account to my card to pay off the current balance before I made any purchases. At this point, I received a temporary work email from the IT department, which I had to log in to via privateemail(dot)com, where I would receive updates.

On Monday, August 15, I received all the information regarding the bank account and successfully linked it to my card. I used the account to pay off the outstanding balance as told and went to the Apple Store to purchase the items. I was instructed to send the items I purchased to the vendor’s address so that proper company branding and the most up-to-date software could be installed for security purposes. I went to the UPS store on the same day and sent off the package via Next Day shipping.

While driving home, I felt uneasy, so I called my friends and family to share my suspicion. One friend suggested that I reach out to HR employees at Splunk on LinkedIn to be sure. An HR employee confirmed my suspicion. I immediately called UPS to cancel my shipment, froze my credit card, and reported the identity theft incident to the FTC. (Thank you, UPS!)

During this interaction with the people who were pretending to be employees at Splunk, I felt like I was being welcomed into the team. These scammers used phrases like “You’re welcome, Splunker!” and “Have a great day, Splunker” to make me feel like these people were real employees.

The most horrifying thing is how I received this through my school email. They were targeting students like me. A part of me feels like I should have known better. The other part of me knows this is not one of those silly scams. This is an elaborate, calculated, and targeted crime.

If you have read this far, I want to say thank you for reading my story. Please share this with any applicants you know.

Wow, that is some food for thought. Have a good week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass

grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
The Net Effect is a CMMC-AB Registered Provider Organization (RPO)

Copyright 1996-2022 The Net Effect, L.L.C. All rights reserved.