October 25, 2022

Good morning, everyone!

This week’s critical vulnerabilities: Zoom has released critical fixes for Mac clients. Zimbra has released a fix for a critical security issue under active exploitation. FortiNet continues urging customers to patch their FortiOS, FortiProxy and FortiSwitchManager appliances, as attacks are escalating. Apache has released an important security patch for Apache Commons Text. Patch All the Things!

Ever hear of spell-jacking?

Google Chrome and Microsoft Edge web browsers both have built-in spell-checking features that are leaking data entered into web forms, including user name, password, email address and even sensitive information such as date of birth and Social Security number.

"What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background," Summit says.

Before enabling cool new features like this, always ask yourself: "How does this work?" If you don't know, you might want to research a bit. By default, the spell-checking features send the data back to Microsoft (Edge) and Google (Chrome) (and do you really want them to have this data?), but the FBI is warning that bad actors have created malicious browser extensions that take advantage of this functionality to siphon off this data and send it elsewhere (this is spell-jacking). The article linked above has suggested mitigations for organizations, and

"Consumers can mitigate their own risk of having their data sent to Microsoft and Google without their knowledge by going into their browsers and disabling the respective spell-check culprits"

Federal Student Aid Scams

You knew this was coming, right? The latest scam to hit the Internet includes phishing emails sending student loan debtors to fake websites, set up to look like the real thing. Once there, they may be asked to enter personal information and payment data, all of which is now compromised, and may also be asked to pay a processing fee.

Important points:

• There is no charge to apply for the federal aid program, so any website asking for a processing fee or anything similar is a scam.
• The only legitimate place to sign up is https://studentaid.gov/welcome/

Have a safe and secure week!

Upcoming Virtual Workshop

Eight years after its release, many organizations still find themselves struggling with how to implement the NIST CSF. In this virtual workshop, we will break it down into a simple, 7-step process that anyone can follow.

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺