By Deeba Ahmed
In this instance, the hackers were white hat; otherwise, things could have gone awry.
This is a post from HackRead.com Read the original post: Hackers Uncover Airbus EFB App Vulnerability, Risking Aircraft Data

Whitehat hackers from Pen Test Partners identified a critical issue in Airbus’ Flysmart+ Manager suite, which was remediated 19 months after the initial disclosure.

Cybersecurity researchers at penetration testing firm Pen Test Partners have been testing the security of various electronic flight bag (EFB), IoT and vehicle applications **for several years**. Due to their extensive research, a crucial issue was identified in the Flysmart+ Manager suite from Airbus and remediated 19 months after initial disclosure. 

**NAVBLUE**, an Airbus-owned IT services company, developed the Flysmart+ Manager app for iPad, which synchronizes and installs airline data into other apps, including EFBs. According to a report from Pentestpartners, this app has a disabled security control, allowing it to communicate with servers using insecure methods, potentially allowing an attacker to modify aircraft performance data or adjust airport information. 

For your information, Flysmart+ is a suite of apps for pilot EFBs. EFBs are crucial for storing critical flight data and information, but they can be exploited to disrupt operations or compromise aircraft systems. Airline EFBs can be exposed to untrusted networks due to known pilot layover hotels, and standard operating procedures may not detect tampering.

Research published on February 1, 2024, **reveals** that one of the suite’s iOS apps has intentionally got the App Transport Security (ATS) feature disabled. This issue exposes it to Wi-Fi interception attacks, potentially tampering with engine performance calculations, leading to tailstrike or runway excursion.

The app, Flysmart+, was previously disabled due to a lack of ATS protection, which prevents unencrypted communications. This vulnerability allows attackers to intercept and decrypt sensitive information in transit. Due to disabled ATS, insecure communication occurs, making the app susceptible to interception. An entry in the info.plist file allows insecure HTTP loads to any domain.

Airlines often use the same hotel for layover pilots, allowing attackers to modify aircraft performance data through targeted Wi-Fi networks. That’s because pilots in layover hotels can be easily identified, along with the airline and the suite of EFB apps they will likely use.

This helped Pen Test Partners to access data from NAVBLUE Servers, including SQLite databases containing aircraft information and take-off performance data (PERF), with specific table names.

Researchers downloading the data from data the NAVBLUE Servers (Screenshot: Pen Test Partners)

It is worth noting that database tables are crucial for aircraft performance, including the Minimum Equipment List (MEL) and Standard Instrument Departure (SID). Misunderstandings in MEL and SID can lead to safety issues, such as fuel starvation in the Gimli Glider. Confusion between units like US gallons, imperial gallons, litres, kilograms, and pounds can also cause safety problems.

> _“We’ve now worked on disclosures with Boeing, Lufthansa, and Airbus We’re really pleased that the vulnerability was successfully closed which is a win for aviation safety and security.”_
> 
> Antonio Cassidy – Pen Test Partners

The researchers shared the vulnerability report with Airbus on 28 June 2022 and the next day Airbus confirmed the issue. By 25th July 2022, the company had replicated the issue and promised a fix for the next version of Flysmart+ by the end of 2022.

On 22 February 2023, the Airbus VDP team confirmed fixing the issue in the latest version of Flysmart+, and the mitigation measure was communicated to customers on 26th May 2023. The findings were presented at DEF CON 31 in Las Vegas in 2023, as well as at the Aerospace Village and Aviation ISAC in Dublin.

1.  **Reporter Gets His Email Hacked on The Plane**
2.  **Warning as small planes found vulnerable to hacking**
3.  **Smart alarm flaw let hackers track and turn off car engine**
4.  **Smartwatch flaw lets hackers overdose dementia patients**
5.  **Critical Flaws Found in Devices That Provide WiFi on Airplanes**

Hackers Uncover Airbus EFB App Vulnerability, Risking Aircraft Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.
"An attacker with

Vulnerability / Software Update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.

"An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication," Apple said in an advisory, adding the issue "may have been exploited against versions of iOS released before iOS 15.7.1."

The iPhone maker said the problem was addressed with improved checks. It's currently not known how the vulnerability is being weaponized in real-world attacks.

Interestingly, patches for the flaw were released on December 13, 2022 with the release of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, although it was only publicly disclosed more than a year later on January 9, 2024.

It's worth noting that Apple did resolve a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which was shipped on July 20, 2022.

"An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication," the company said at the time. "A logic issue was addressed with improved state management."

In light of the active exploitation of CVE-2022-48618, CISA is recommending that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024.

The development also comes as Apple expanded patches for an actively exploited security flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8) to include its Apple Vision Pro headset. The fix is available in visionOS 1.0.2.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Active Exploitation of Critical Flaws in Apple iOS and macOS

Actions by the FCC and FTC have led to a decrease in unsollicited and scammy calls

The Federal Communications Commission (FCC) has announced that its recent actions with the Federal Trade Commission (FTC) against international robocalls appear to have had an effect.

Robocalls are automated phone calls, often associated with scams and unwanted solicitations, which can be a nuisance to individuals and businesses alike.

In November, 2023, the FCC and FTC sent separate, but coordinated, warning letters to specific gateway providers demanding these providers cease to serve as entry ways for international robocalls to the US. Failure by a gateway provider to take reasonable and effective steps to prevent their networks from transmitting illegal traffic could ultimately result in an order by the FCC directing downstream providers to block and cease accepting all of the gateway provider’s traffic, they were warned.

From the reduced number of traceback requests the FCC deducts that this has had a positive effect. According to USTelecom’s Industry Traceback Group (ITG), there is a downward trend in tracebacks related to traffic entering the US network through these providers.

The ITG is a group of companies from across the wireline, wireless, VoIP, and cable industries that collaborate to trace, source, and ultimately, stop illegal robocalls.

Robocalls are not only an annoying waste of time and resources, they often serve as a prelude to more targeted scams. Scam calls in particular can result in serious financial losses and frustration. So the FCC has made combatting unlawful robocalls and malicious caller ID spoofing a top consumer protection priority.

There are apps that can help you block robocalls. Malwarebytes for iOS, for example, blocks all incoming robocalls and text message scams. The Malwarebytes iOS app also protects you from phishing attacks and malware. If, by chance, you click a malicious link or attempt to navigate to a fraudulent site, Malwarebytes will block the site from loading.

Some wireless companies are also providing services, which will display some variation of the message “possible scam” on the screen for unknown numbers that call you.

**What to do if you answer a robocall**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1.  Hang up as soon as you realize that it is an automated robocall.
2.  Do not engage with the call at all.
3.  Don’t follow any instructions.
4.  Avoid giving away any personal information.
5.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your voice being recorded, can be used in scams against you or your loved ones.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Decline in robocalls is encouraging, efforts seem to be working 

To comply with the EU's Digital Markets Act, Apple will allow European iPhone owners to install apps obtained from outside the official App store.

Despite several warnings about the risks, Apple will allow European iPhone owners to install apps obtained from outside the official App store (sideloading).

These drastic changes are brought about to comply with the European Union’s (EU) Digital Markets Act (DMA). The Digital Markets Act (DMA) establishes a set of clearly defined objective criteria to identify “gatekeepers”. Gatekeepers are large digital platforms providing so called core platform services, such as for example online search engines, app stores, and messenger services.

The Digital Markets Act aims to regulate the gatekeeper power of the largest digital companies. The EU designated iOS, Safari, and the App Store as “core platform services” under the Digital Markets Act. According to the DMA, Apple as it is now has a monopoly in the App Store, and will no longer be allowed to use that to enforce a monopoly in payments in apps.

For reference, something similar happened when the US accused Microsoft of illegally monopolizing the web browser market for Windows. A few law cases later they reached a settlement in which Microsoft agreed to modify some of its business practices, opening up the opportunity for Windows users to switch to other browsers.

The Apple Newsroom says:

> “The changes include more than 600 new APIs, expanded app analytics, functionality for alternative browser engines, and options for processing app payments and distributing iOS apps.”

But Apple also warns very firmly about the consequences.

> “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”

Another big change is that web browsers won’t be forced to use Safari’s WebKit engine, opening the space for Chromium based browsers and a more desktop-alike feel for Firefox.

The fact that Apple only allows other browsers to drop WebKit in Europe means that browser developers are forced to make hard choices. Mozilla spokesperson Damiano DeMonte tells The Verge it’s extremely disappointed with the way things turned out.

> “We are still reviewing the technical details but are extremely disappointed with Apple’s proposed plan to restrict the newly-announced BrowserEngineKit to EU-specific apps. The effect of this would be to force an independent browser like Firefox to build and maintain two separate browser implementations — a burden Apple themselves will not have to bear.”

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed how he felt about the announced changes and the associated risks.

Thomas is waiting for more details as well, but he expects that Apple will use the experience it gathered with macOS by nature of its openness and only open it up only as much as it is forced to, and no more. Thomas expects Apple to impose notarization on iOS apps from outside the App Store, just as they did for macOS.

> “If they completely open up iOS to the same degree as macOS, I think there will be some inevitable malware, adware, and PUP issues. The biggest problem with iOS currently is PUPs and scam apps that manage to get past the review process. I think those will also be a problem with apps from outside the App Store, and I think Apple will combat those similarly. Which is to say, far from perfectly.”

Developers can get acquainted with these changes on the Apple Developer Support page and start testing new capabilities in the iOS 17.4 beta. The new capabilities will become available to users in the 27 EU countries around the beginning of March 2024.

Don’t rely on the fact that this will be limited to the EU. Although the most significant app policy changes apply only to EU countries, other shifts concerning cloud gaming and in-app purchases will take effect worldwide.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Apple warns of &#8220;privacy and security threats&#8221; after EU requires it to allow sideloading 

Apple Security Advisory 01-22-2024-4 - iOS 15.8.1 and iPadOS 15.8.1 addresses code execution and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-4 iOS 15.8.1 and iPadOS 15.8.1iOS 15.8.1 and iPadOS 15.8.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214062.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.WebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch(7th generation)Impact: Processing web content may disclose sensitive information. Appleis aware of a report that this issue may have been exploited againstversions of iOS before iOS 16.7.1.Description: An out-of-bounds read was addressed with improved inputvalidation.WebKit Bugzilla: 265041CVE-2023-42916: Clément Lecigne of Google's Threat Analysis GroupWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch(7th generation)Impact: Processing web content may lead to arbitrary code execution.Apple is aware of a report that this issue may have been exploitedagainst versions of iOS before iOS 16.7.1.Description: A memory corruption vulnerability was addressed withimproved locking.WebKit Bugzilla: 265067CVE-2023-42917: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.8.1 and iPadOS 15.8.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDd8ACgkQX+5d1TXaIvrnYQ//eEhI4dYnq+om+sw4N+fNEcTZWLtBe3GyWgzVtBuvWOwt0Z34BNfVD4jFz1YlzYp18bzYTCdThkIrvQSe/QmYEmdKt16RtQH3qJTyE18h2YLG31gA/ja8iPcNAdqQqz6tJEq9aUrmeyAhFNsEZX7PHVfuSigqi8495rMcN1xI6caCS7Tio98EVmNe6cMRLUefSJH0z5GvwjbTgLCKbhv+/pDAq0L8Lqosy9CFS+oMRYyCdXoPL3E2wOpdnxVgjctp6YJrjT/LFdeT8e3gu6oOo/Pj+bx9RWP8vVS0jos5DXOJJAnLn3qOt9yStqmECBpque3L3PrhToPdSCiIFE8JbHFBWscO/TaF3rQvmZfLSx+HKJR8VSAjpGThjLHWAQUFUauoQ1TudmtA3y9rolCkvhMeZXvbi0dxkEgRtBCbJzRWfMQ6rPeOOkgUUSBkVM/O55bhQ1JqmpUBq2s4lCx6EErwSm1XS6ooXxZt9FWltqhu+ixgne63X8U5+cLJlkRWjeIC63pziGkB6RbIQkupEanrbH8ekRFQs4zIazq1fjZANRN71y+wAZZ5tcbvH37FzUPT7HL9ZPMO8wvVVFEEHNx4RIB+KNSH2E/z67Jhs9nM1atUNg1djufg/mmAfx/83pQretb4xqiN6VKJdPCY/BXkWhBJbdWUpqsODUmfvY0==wSSi-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-4

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

**MiniZinc 2.7.6 Null Pointer**

Posted Jan 29, 2024

Authored by Meng Ruijie

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

tags | advisory

advisories | CVE-2023-46050

SHA-256 | a80cb0270b834776631af2ca8f8daa61229fb0418cf1801a697093adfbf995c9

Download | Favorite | View

**MiniZinc 2.7.6 Null Pointer**

    [Vulnerability description]A null pointer deference existed in MiniZinc v.2.7.6 via a crafted Preferences.json file.[VulnerabilityType Other]null pointer deference[Vendor of Product]MiniZinc[Affected Product Code Base]MiniZinc - 2.7.6[Reference]https://github.com/MiniZinc/libminizinc/issues/729[CVE Reference]The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46050 to this vulnerability.

**File Tags**

*   ActiveX (932)
*   Advisory (83,946)
*   Arbitrary (16,508)
*   BBS (2,859)
*   Bypass (1,810)
*   CGI (1,031)
*   Code Execution (7,521)
*   Conference (685)
*   Cracker (843)
*   CSRF (3,365)
*   DoS (24,223)
*   Encryption (2,377)
*   Exploit (52,460)
*   File Inclusion (4,241)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,819)
*   Intrusion Detection (902)
*   Java (3,111)
*   JavaScript (884)
*   Kernel (6,899)
*   Local (14,626)
*   Magazine (586)
*   Overflow (12,942)
*   Perl (1,429)
*   PHP (5,167)
*   Proof of Concept (2,359)
*   Protocol (3,677)
*   Python (1,585)
*   Remote (31,191)
*   Root (3,610)
*   Rootkit (517)
*   Ruby (615)
*   Scanner (1,646)
*   Security Tool (7,948)
*   Shell (3,224)
*   Shellcode (1,216)
*   Sniffer (898)
*   Spoof (2,236)
*   SQL Injection (16,468)
*   TCP (2,420)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,325)
*   Web (9,813)
*   Whitepaper (3,763)
*   x86 (966)
*   XSS (18,088)
*   Other

**File Archives**

*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,058)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,953)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,425)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,371)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (14,947)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,245)
*   UNIX (9,356)
*   UnixWare (187)
*   Windows (6,620)
*   Other

MiniZinc 2.7.6 Null Pointer

Plus: North Korean hackers get into generative AI, a phone surveillance tool that can monitor billions of devices gets exposed, and ambient light sensors pose a new privacy risk.

Police took a digital rendering of a suspect's face, generated using DNA evidence, and ran it through a facial recognition system in a troubling incident reported for the first time by WIRED this week. The tactic came to light in a trove of hacked police records published by the transparency collective Distributed Denial of Secrets. Meanwhile, information about United States intelligence agencies purchasing Americans' phone location data and internet metadata without a warrant was revealed this week only after US senator Ron Wyden blocked the appointment of a new NSA director until the information was made public. And a California teen who allegedly used the handle Torswats to carry out hundreds of swatting attacks across the US is being extradited to Florida to face felony charges.

The infamous spyware developer NSO Group, creator of the Pegasus spyware, has been quietly planning a comeback, which involves investing millions of dollars lobbying in Washington while exploiting the Israel-Hamas war to stoke global security fears and position its products as a necessity. Breaches of Microsoft and Hewlett-Packard Enterprise, disclosed in recent days, have pushed the espionage operations of the well-known Russia-backed hacking group Midnight Blizzard back into the spotlight. And Amazon-owned Ring said this week that it is shutting down a feature of its controversial Neighbors app that gave law enforcement a free pass to request footage from users without a warrant.

WIRED had a deep dive this week into the Israel-linked hacking group known as Predatory Sparrow and its notably aggressive offensive cyberattacks, particularly against Iranian targets, which have included crippling thousands of gas stations and setting a steel mill on fire. With so much going on, we've got the perfect quick weekend project for iOS users who want to feel more digitally secure: Make sure you've upgraded your iPhone to iOS 17.3 and then turn on Apple's new Stolen Device Protection feature, which could block thieves from taking over your accounts.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

After first disclosing a breach in October, the ancestry and genetics company 23andMe said in December that personal data from 6.9 million users was impacted in the incident stemming from attackers compromising roughly 14,000 user accounts. These accounts then gave attackers access to information voluntarily shared by users in a social feature the company calls DNA Relatives. 23andMe has blamed users for the account intrusions, saying that they only occurred because victims set weak or reused passwords on their accounts. But a state-mandated filing in California about the incident reveals that the attackers started compromising customers’ accounts in April and continued through much of September without the company ever detecting suspicious activity—and that someone was trying to guess and brute-force users' passwords.

North Korea has been using generative artificial intelligence tools “to search for hacking targets and search for technologies needed for hacking,” according to a senior official at South Korea's National Intelligence Service who spoke to reporters on Wednesday under the condition of anonymity. The official said that Pyongyang has not yet begun incorporating generative AI into active offensive hacking operations but that South Korean officials are monitoring the situation closely. More broadly, researchers say they are alarmed by North Korea's development and use of AI tools for multiple applications.

The digital ad industry is notorious for enabling the monitoring and tracking of users across the web. New findings from 404 Media highlight a particularly insidious service, Patternz, that draws data from ads in hundreds of thousands of popular, mainstream apps to reportedly fuel a global surveillance dragnet. The tool and its visibility have been marketed to governments around the world to integrate with other intelligence agency surveillance capabilities. “The pipeline involves smaller, obscure advertising firms and advertising industry giants like Google. In response to queries from 404 Media, Google and PubMatic, another ad firm, have already cut-off a company linked to the surveillance firm,” 404's Joseph Cox wrote.

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory have devised an algorithm that could be used to convert data from smart devices' ambient light sensors into an image of the scene in front of the device. A tool like this could be used to turn a smart home gadget or mobile device into a surveillance tool. Ambient light sensors measure light in an environment and automatically adjust a screen's brightness to make it more usable in different conditions. But because ambient light data isn't considered to be sensitive, these sensors automatically have certain permissions in an operating system and generally don't require specific approval from a user to be used by an app. As a result, the researchers point out that bad actors could potentially abuse the readings from these sensors without users having recourse to block the information stream.

23andMe Failed to Detect Account Intrusions for Months

By Uzair Amir
While cybercriminals create their toolbox, as a user you should also keep yourself ready for unsuspecting cyberattacks and keep a safety toolbox for your defence. 
This is a post from HackRead.com Read the original post: Building Your Defense Toolbox: Tools and Tactics to Combat Cyber Threats

It is a well-known fact that cybercriminals have evolved over the years. The emergence of AI-powered malicious chatbots, such as WormGPT and FraudGPT, has enabled malicious threat actors to not only refine their skills but also consolidate all their malicious activities and tools into one, like a toolbox. Understanding these tools is the first step towards safeguarding yourself against their scams.

While cybercriminals create their toolbox, as a user you should also keep yourself ready for unsuspecting cyberattacks and keep a safety toolbox for your defence.

One major part of that toolbox should be a Virtual Private Network or VPN. Why? because this tool hides your real-time IP address and protects your online privacy from cyber criminals and state-backed threat actors. VPNs, like CyberGhost, encrypt your internet connection, shielding your online activities from prying eyes.

Additionally, employing two-factor authentication (2FA), such as Google Authenticator, Microsoft Authenticator, Okta, and Authy, adds an extra security layer, making it harder for fraudsters to gain unauthorized access to your accounts, even if they have your passwords. These tools, combined with regular updates and vigilance, are crucial in safeguarding against sophisticated scams.

Let’s dive into the tools commonly used by fraudsters, followed by the countermeasures you can employ to protect yourself.

****Common Fraud Tactics********Spoofing****

Spoofing is a deceptive practice where fraudsters falsify information to appear as a legitimate entity. This can involve altering caller IDs or email addresses to mimic those of trusted organizations or individuals. The primary goal is to gain the victim’s trust, making them more susceptible to divulging sensitive information or granting access to their accounts.

****Phishing****

Phishing is a widespread technique that involves sending fraudulent communications that appear to come from a reputable source. Typically executed through email, these messages aim to steal sensitive data such as login credentials, credit card numbers, or personal identification information. Phishers often use urgency or fear to bypass rational judgment.

****Fake Profiles****

Creating fake profiles on social media, dating websites, and other platforms is a common tool in a fraudster’s arsenal. These profiles are carefully crafted to appear genuine, often mimicking the identities of real individuals or organizations. The objective is to build trust with potential victims, eventually manipulating them into financial transactions or sharing confidential information.

****Fake Photos and Entities****

Fraudsters frequently utilize stolen or altered images to bolster the credibility of their fake profiles or websites. Additionally, they might establish counterfeit entities, such as businesses or charities, to appear legitimate. These entities are used to facilitate various scams, including fraudulent sales, charity fraud, and investment scams.

The latest and ongoing incident involving deepfake images of Taylor Swift is just one example of the nightmarish scenarios that cybercriminals can create in your life.

****Fake Claims****

Scammers use persuasive narratives and false claims to trick their victims. These may include threats of legal action, false claims of lottery winnings, or other deceptive propositions that require the victim to make payments or provide personal information.

****Misrepresentation****

Fraudsters often impersonate authority figures or institutions using fake names, credentials, and badge numbers. This tactic is designed to intimidate or convince the victim of the legitimacy of their requests, thereby facilitating the extraction of sensitive information or money.

****Computer Pop-ups****

The prevalence of unwanted pop-ups bombarding your screen is a key reason why adblockers have gained immense popularity. Pop-up warnings on computers are commonly used to spread malware or obtain personal information.

These pop-ups often carry false alerts about viruses or security breaches, prompting the user to take immediate action, which usually involves downloading harmful software or calling a fraudulent support number.

****Robocalls****

Automated calls, or robocalls, are used extensively by scammers to reach many potential victims efficiently. These calls might contain deceptive messages about unpaid taxes or lottery winnings or offer fake services, aiming to extract personal information or direct payments.

****Lead Lists****

Lead lists are databases of individuals who have previously fallen for scams. Fraudsters trade and sell these lists, knowing that individuals scammed once are more likely to be targeted and tricked again.

****Secrecy and Persuasion****

A common tactic used by scammers is to demand secrecy from their victims. By insisting that the dealings remain confidential, fraudsters aim to isolate the victim and prevent them from seeking advice or help from others. They often employ a mix of charm, flattery, and threats to manipulate and control their targets.

****Emotional Manipulation****

Emotional manipulation involves fraudsters playing on the victim’s emotions to extract money or personal information. They may pretend to be in a romantic relationship, a distressed family member, or a charity representative. The fabricated scenarios often evoke strong emotional responses, compelling the victim to act impulsively.

****Search Engine Optimization and Malicious Links****

Fraudsters often use search engine optimization techniques (SEO Poisoning) to promote their scam websites, making them appear legitimate and trustworthy in online searches. They also distribute malicious links through emails or messages, which lead to fraudulent websites or directly install malware when clicked.

****Protective Measures Against Fraud********Caller Verification****

Always verify the identity of callers, especially when they request personal information. If someone claims to be from a legitimate organization, hang up and contact the organization directly using a verified phone number to confirm their authenticity.

****Email Caution****

Exercise caution with email links and attachments, especially from unknown senders. Hover over email addresses and links to verify their authenticity. Be cautious of emails that use urgency or pressure tactics to gather personal information or payments.

****Continuous Education****

Staying informed about common scam tactics and trends is essential. Regularly educating oneself and others about the latest fraud methods can significantly reduce the risk of falling victim to these scams. In simple terms, having cybersecurity knowledge for yourself and your employees is the master key to protecting against every known cyberattack to date.

****Anti-Virus Software****

Ensure your devices are protected with reliable and updated anti-virus software. This software is capable of detecting and preventing malware attacks, which are commonly used in various scams.

****Pop-Up Blockers****

Pop-up or ad blockers can prevent malicious ads and links from appearing on your devices. These pop-ups often contain false claims or threats designed to trick users into downloading malware or revealing personal information.

If you are on Chrome browser, you can disable pop-ups from settings. > Chrome > Settings > Privacy and security > Site Settings > Pop-ups and redirects.

****Secure Network Usage****

Avoid conducting sensitive transactions over public wi-fi networks. Always use secure, private networks for online banking, shopping, and other activities that require personal information.

Businesses should employ a variety of fraud detection tools to safeguard their operations. These include:

*   **Geolocation and Proxy Piercing:** Identifying the physical location of transaction attempts can flag suspicious activities, especially if the location mismatches the user’s typical pattern.
*   **Device Fingerprinting:** This tool helps recognize devices used in previous fraudulent activities, enabling businesses to block transactions from these devices.
*   **Address Verification (AVS):** AVS checks if the billing address provided by the customer matches the address on file with the card issuer.
*   **Velocity Checks:** Monitoring the frequency and volume of transactions from a single user can help detect and prevent fraud.
*   **Biometric Verification:** Using biometrics in payment processes adds an extra layer of security.
*   **Blacklists and Whitelists:** These lists allow businesses to control traffic based on known fraudulent sources or trusted entities.
*   **Machine Learning:** AI models can detect patterns indicative of fraud, improving over time as they process more data.
*   **3-D Secure Technology:** This adds authentication steps for online credit and debit card transactions, reducing the risk of card-not-present fraud.
*   **Fraud Scoring:** Analyzing transactions based on various risk factors helps identify potentially fraudulent activities.

****Regular Updates and Vigilance****

Keeping software and fraud detection tools up to date is crucial. Regularly updating your knowledge about new fraud tactics and protective measures can help you stay ahead of scammers.

****Conclusion****

Fraudsters are always changing their tactics, which makes it crucial for individuals and businesses to stay informed and alert. Understanding the tools used by fraudsters and implementing strong protective measures can significantly reduce the risk of falling victim to these sophisticated scams. Regular updates, continuous education, and employing advanced fraud detection tools are key to safeguarding against these threats.

****_RELATED ARTICLES_****

1.  **What is an OSINT Tool – Best OSINT Tools**
2.  **McAfee’s Mockingbird AI Tool Detects Deepfake Audio**
3.  **Temporary Phone Number: An Essential Tool for Privacy Protection**
4.  **Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices**
5.  **Understanding Reverse Email Lookup: A Tool to Strengthen Cybersecurity**

Building Your Defense Toolbox: Tools and Tactics to Combat Cyber Threats

## Overview
OpenFGA is vulnerable to a DoS attack. In some scenarios that depend on the model and tuples used, a call to ListObjects may not  release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an "out of memory" error and terminate.

## Fix
Upgrade to v1.4.3. This upgrade is backwards compatible.

**Package**

gomod github.com/openfga/openfga (Go)

**Affected versions**

< 1.4.3

**Patched versions**

1.4.3

**Description**

**Overview**

OpenFGA is vulnerable to a DoS attack. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an "out of memory" error and terminate.

**Fix**

Upgrade to v1.4.3. This upgrade is backwards compatible.

**References**

*   GHSA-rxpw-85vw-fx87
*   https://nvd.nist.gov/vuln/detail/CVE-2024-23820
*   openfga/openfga@908ac85
*   https://github.com/openfga/openfga/releases/tag/v1.4.3

 miparnisari published to openfga/openfga

Jan 26, 2024

Published by the National Vulnerability Database

Jan 26, 2024

Published to the GitHub Advisory Database

Jan 26, 2024

Reviewed

Jan 26, 2024

GHSA-rxpw-85vw-fx87: OpenFGA denial of service

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

**1\. **Set up two-factor authentication****

Do this for as many of your online accounts as you can, especially the major ones like your email and social media accounts. Two-factor authentication (2FA) adds an extra step of protection and makes it much harder for attackers to login as you. We recommend using authenticator apps or physical security keys, but sometimes SMS is the easiest option and that’s fine. In most services you won’t have to enter the 2FA code every time, only when using a new device.

**2\. Use a different password for every account**

If your password is breached on one site, cybercriminals can use that login information to access your other online accounts that use the same passwords. If you use a different password for each account they can’t do this. Make sure your passwords are long (15 characters or more is good) and use a mix of upper and lower case characters, numbers and symbols too.

To make it easy, you can chose a phrase or a line from a song you like (for instance: DancingInTheMoonlight1999!). You can also use a password manager built-in on your browser, or a stand-alone password manager (see below). If you’ve received a notification from Google, Malwarebytes or any other service telling you your password has been exposed make sure to not use it or any variation of it again for any of your accounts. 

**3\. Use a password manager**

Making different and complicated passwords for each and every online account you have is one thing, but **remembering** them all is a lot more difficult. That’s why we use a password manager, and why you should too. It will generate passwords for you and then remember them all. Choose a vendor you trust for it, or simply use Apple or Google.

**4\. Keep software and hardware up to date**

Make sure your computer, phone, browser, apps and other programs are always on the latest version. If someone finds a security bug, the company that makes that software or hardware will release a new version with a patch for the bug. If you’re not on the latest version, you will be vulnerable. We know it can sometime be a hassle to update the version – but it’s not only about the latest features, in many cases it’s about keeping you safe!

**5\. Double check everything**

Got an email or SMS saying your delivery has been delayed that asks you to click on a link? Double check that you are expecting a delivery from where it says it’s coming from. Got a message from a friend on Facebook that seems off? Double check via text or phone that it is really them. Is your CEO suddenly asking you to buy $5000 of gift cards on the company credit card? Double check that it really is the CEO (it probably isn’t). There’s a ton of scams out there and they are getting more and more sophisticated with time, you just have to stay vigilant and aware of it.

Does that restaurant you’re making a reservation with really need to know your actual date of birth? Does that shopping site really need to know your mother’s maiden name as a password reset question? Consider carefully where you share your data and keep in the back of your mind that the service you are using could be breached. If it is breached, what of your information would be taken? If you can use false information, we really encourage you to do that. Pro-tip: create an “avatar online identity” for yourself with a separate email, date of birth and information you remember and use this information for vendors that don’t require your real identity.

**7\. Cover your camera**

When your camera isn’t in use, make sure you cover it with a physical cover. You can get webcam covers that slide open and shut to make it easy for you to use your camera when you like, and they look a lot nicer than a sticking plaster! Hackers have been known to take over webcams and take snapshots – so sometimes a physical cover is our last line of defense!

**8\. Use an identity monitoring solution**

Identity theft is a real challenge today, including stealing your credit and even opening new lines of credit in your name. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after. Malwarebytes Identity Theft Protection can help with this.

**9\. Check what data of yours has already been exposed**

It’s very likely that your personal information has already been involved in a breach, but you might be wondering how much information can be gained about you from all the pieces of data about you that’s online—aka your digital footprint. We created a tool that will show you just that. You enter your most commonly-used email address, we’ll run a scan and then we’ll send you the results. Try the free scan now.

**10\. Use security software**

Finally, make sure you have protected your devices with security software. It doesn’t take long and it’s such a basic step we must all do. Malwarebytes Premium detects or blocks over 95 million pieces of malware a day so we definitely have you covered. We protect Windows, Mac, Chrome, Android, and iOS.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Tag

#ios