October 25, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Ever hear of spell-jacking?
Google Chrome and Microsoft Edge web browsers both have built-in spell-checking features that are leaking data entered into web forms, including user name, password, email address and even sensitive information such as date of birth and Social Security number.
"What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background," Summit says.
Before enabling cool new features like this, always ask yourself: "How does this work?" If you don't know, you might want to research a bit. By default, the spell-checking features send the data back to Microsoft (Edge) and Google (Chrome) (and do you really want them to have this data?), but the FBI is warning that bad actors have created malicious browser extensions that take advantage of this functionality to siphon off this data and send it elsewhere (this is spell-jacking). The article linked above has suggested mitigations for organizations, and
"Consumers can mitigate their own risk of having their data sent to Microsoft and Google without their knowledge by going into their browsers and disabling the respective spell-check culprits"
Federal Student Aid Scams
You knew this was coming, right? The latest scam to hit the Internet includes phishing emails sending student loan debtors to fake websites, set up to look like the real thing. Once there, they may be asked to enter personal information and payment data, all of which is now compromised, and may also be asked to pay a processing fee.
- There is no charge to apply for the federal aid program, so any website asking for a processing fee or anything similar is a scam.
- The only legitimate place to sign up is https://studentaid.gov/welcome/
Have a safe and secure week!
Upcoming Virtual Workshop
Eight years after its release, many organizations still find themselves struggling with how to
implement the NIST CSF. In this virtual workshop, we will break it down into a simple, 7-step process that
anyone can follow.
Have a great week!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺