Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: Why browsers are a key part of your security defences, why Uber has done a deal with the US Department of Justice, and why I tend to use quotes around the phrase “crypto investment opportunities”.

This week’s action: If it sounds too good to be true, it probably is.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.



THREE ARTICLES


1: Why browser vulnerabilities are a serious threat.

A recent article in Dark Reading explains why a focus on ensuring Microsoft Windows is kept up-to-date should be matched by a focus on our browsers.

“Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on.”

Even though there seem to be a lot of different Web browsers, there are really only a few – “Chrome, Vivaldi, Brave, [Microsoft Edge] and many other browsers are all built on the same engine, Chromium”. Mozilla Firefox and Apple Safari are the other two main alternatives.

As a result, cyber attackers can focus their attention on this small number of browser engines and there are frequent security alerts about vulnerabilities identified in these browsers. The article describes many ways that these vulnerabilities are used by the bad guys, with the most common attacks relying on a human being fooled by a phishing email to click a link.

It’s a useful reminder that when it comes to software updates (aka ‘patches’), keeping your browser up-to-date is a critical part of your defences. I explained how to do this in a previous edition of Cyber 3-2-1.

Read more: https://www.darkreading.com/attacks-breaches/why-browser-vulnerabilities-are-a-serious-threat-and-how-to-minimize-your-risk via Secure The Village

2: Uber avoids criminal charges by assisting with the prosecution of its ex-CISO.

Teiss recently reported on a deal agreed between Uber and the US Department of Justice (DoJ), relating to a cyber attack in 2016 that was concealed from authorities for a year.

According to the DoJ, Uber covered up the breach and did not disclose it to the Federal Trade Commission until a new executive team took over management of the company in late 2017.

Uber has already paid $148m to settle civil litigation arising from the breach. To avoid further criminal charges, Uber has now agreed to assist the DoJ to prosecute Uber’s ex-CISO for crimes including obstruction of justice and concealing a felony. In return, the organisation will not face any criminal charges.

So, what can we take from this?

  1. Apparently, the breach succeeded when an attacker used a stolen password to access Uber’s systems. At face value, it sounds like the use of Multi-Factor Authentication (MFA) could have prevented the attack.
  2. A cyber-attack is a bad situation. But hiding it from authorities is a very bad idea.
  3. And if you personally choose to hide it (as the DoJ seems to think the ex-CISO did), you can’t always assume your employer will support you with your defence.

Read more: https://www.teiss.co.uk/news/news/uber-admits-concealing-a-data-breach-involving-57-million-users-10474 (free registration required)

3: Another week. Another crypto scam hits the headlines.

Reuters has reported that the Securities and Exchange Commission (SEC) has charged “11 people for their roles in creating and promoting a fraudulent crypto pyramid and Ponzi scheme [called Forsage]”. “According to the SEC’s complaint, the scheme’s website was launched in January 2020 and allowed millions of retail investors to enter into transactions via smart contracts.” Before the scam was shut down, it is estimated that $300 million was taken from retail investors.

Despite these frequent news stories about crypto scams, I still fear that ordinary people continue to be lured by the promises of huge returns. For example, only last week, I overheard a group of people in a pub discussing their crypto “investment strategies”. One of the individuals mentioned speaking to someone on Facebook who was running an “investment scheme” that could turn a €2k investment into €15k within two weeks. He was assured by this “professional investor” that any money he invested would always remain within his control and could be withdrawn at any time. She shared “testimonials” from many “happy customers” about their “investment returns”. Fortunately, many other members of the group responded with all of the right questions, so they didn’t need me to interrupt their conversation. One or two sounded like they had already been fooled by similar promises and scams in the past.

While I am unsure if one person in this group will still be lured into parting with their money, I am hopeful that the others will stick with their cynicism and continue to live by the motto “If it sounds too good to be true, it probably is”.

Read more: https://www.reuters.com/business/finance/us-sec-charges-11-individuals-300-million-crypto-pyramid-scheme-2022-08-01/

TWO NUMBERS


1: 113

The number of security vulnerabilities in Chrome that were fixed (aka ‘patched’) in the first 3 months of 2022, an increase of 13% on the same period in 2021.

Read more: https://www.darkreading.com/attacks-breaches/why-browser-vulnerabilities-are-a-serious-threat-and-how-to-minimize-your-risk via Secure The Village

2: 57 million

The number of Uber customers whose personal details were exposed following a cyber-attack on the firm in 2016, including 600,000 Uber drivers.

Read more: https://www.teiss.co.uk/news/news/uber-admits-concealing-a-data-breach-involving-57-million-users-10474 (free registration required)

ONE ACTION


1: If it sounds too good to be true, it probably is.

We have all heard the saying “If it sounds too good to be true, it probably is”.

Perhaps the saying is overused, but it’s still very useful when it comes to crypto “investing”, and any offers we receive online or via email.

We may not understand how crypto works, but that doesn’t mean we should suspend all disbelief and lose all reason when an “expert” promises significant rewards in return for a small investment (of our time or our money). If someone says they can take 2k and turn it into 15k in two weeks, you need to listen to the alarm bells in your head. In what reality is this possible, legal and sustainable?

I have “expert” in quotes because this person may not be an expert in crypto-investing (or whatever their offer is), but they are probably an expert in social engineering and fraud.

I have “investing” in quotes because even if this offer is genuine, this is not investing. At best, it’s gambling. There’s nothing fundamentally wrong with gambling, as long as you use money that you can afford to lose.

And I would bet that in this particular case, you will lose.