Windows 10 Users Beware New Hacker Attack Confirmed By Google, Microsoft

As Microsoft confirms a Google-disclosed and unpatched zero-day vulnerability is being targeted by attackers right now, here’s what you need to know.

Microsoft has confirmed that an unpatched ‘zero-day’ vulnerability in the Windows operating system, affecting every version from Windows 7 through to Windows 10, is being actively targeted. Microsoft was first informed of the vulnerability by Google’s Project Zero team, a dedicated unit comprised of leading vulnerability hunters, which tracks down these so-called zero-day security bugs.

Because Project Zero had identified that the security problem was being actively exploited in the wild by attackers, it gave Microsoft a deadline of just seven days to fix it before disclosure. Microsoft failed to issue a security patch within that hugely restrictive timeframe, and Google went ahead and published details of the zero-day vulnerability, which is tracked as CVE-2020-17087.

The bug itself sits within the Windows Kernel Cryptography Driver, known as cng.sys, and could allow an attacker to escalate the privileges they have when accessing a Windows machine. The full technical detail can be found within the Google Project Zero disclosure, but slightly more simply put, it’s a memory buffer-overflow problem that could give an attacker admin-level control of the targeted Windows computer. Recommended For You

While attackers are known to be actively targeting Windows systems right now, that doesn’t mean your system is going down. Firstly, I should point out that, according to a confirmation from Shane Huntley, director of Google’s Threat Analysis Group, the attackers spotted exploiting the vulnerability are not targeting any U.S. election-related systems at this point. That’s good news, and there’s more.

While Microsoft has confirmed that the reported attack is real, it also suggests that it is limited in scope being targeted in nature. This is not, at least as of yet, a widespread broad-sweep exploit. Microsoft says that it has no evidence of any indication of widespread exploits.

PROMOTED Civic Nation BrandVoice | Paid Program Election Day On College Campuses: Not A Day Off, A Day On MORE FROM FORBESNew Windows 10 Remote Hacking Threat Confirmed-Homeland Security Says Update NowBy Davey Winder

Then there’s the attack itself which requires two vulnerabilities to be chained together for a successful exploit to happen. One of them has already been patched. That was a browser-based vulnerability, CVE-2020-15999, in Chrome browsers, including Microsoft Edge. As long as your browser is up to date, you are protected. Microsoft Edge was updated on October 22 while Google Chrome was updated on October 20.

There are no known other attack chains for the Windows vulnerability at this point. Which doesn’t mean your machine is 100% safe, as an attacker with access to an already compromised system could still exploit it. However, it does mean there’s no need to hit the panic button, truth be told. Microsoft has also confirmed that the vulnerability cannot be exploited to affect cryptographic functionality.

I reached out to Microsoft, and a spokesperson told me that “Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers.”

As for that seven-day disclosure deadline from the Google Project Zero team, the Microsoft spokesperson said that “while we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”

Although Microsoft has not commented on the likely timing of a security patch to prevent exploitation of this Windows vulnerability, the Project Zero technical lead, Ben Hawkes, has tweeted that it is expected as part of the Patch Tuesday updates on November 10.

How big a threat is this to your average Windows user? That remains to be seen, but currently I’d classify it as a be aware but don’t panic situation. Hang-fire, ensure your web browsers are bang up to date, and you should be fine. There are far more significant risks to your data than this zero-day attack, in my never humble opinion. Risks such as phishing in all forms, password reuse, lack of two-factor authentication and software that isn’t kept up to date with security patches.

MORE FROM FORBESHacker Uploads Own Fingerprints To Crime Scene In Dumbest Cyber Attack EverBy Davey Winder Follow me on Twitter or LinkedIn. Check out my website

Davey Winder

Davey Winder

I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at davey@happygeek.com if you have a story to reveal or research to share.

.

.

Business News

As Microsoft confirms a Google-disclosed and unpatched zero-day vulnerability is being targeted by attackers right now, here’s what you need to know. Microsoft has confirmed that an unpatched ‘zero-day’ vulnerability in the Windows operating system, affecting every version from Windows 7 through to Windows 10, is being actively targeted. Microsoft was first informed of the vulnerability by Google’s Project Zero team, a dedicated unit comprised of leading vulnerability hunters, which tracks down these so-called zero-day security bugs. Because Project Zero had identified that the security problem was being actively exploited in the wild by attackers, it gave Microsoft a deadline of just seven days to fix it before disclosure.

Connect with CNBC News Online Get the latest news: http://www.cnbc.com/ Find CNBC News on Facebook: http://cnb.cx/LikeCNBC Follow CNBC News on Twitter: http://cnb.cx/FollowCNBC Follow CNBC News on Google+: http://cnb.cx/PlusCNBC Follow CNBC News on Instagram: http://cnb.cx/InstagramCNBC

#vulnerability #newsupdate #newstodayheadlines #newsworldnow #newstodaybbc #newstodayoncnn #newstodayusa

How to Tackle Identity Theft as a Remote Worker

There are more and more remote workers in the modern age. Companies are realizing how effective it can be to have their staff based at home and opening up the possibilities of employing people without having to worry too much about where they are based. 

One issue that a lot of people ignore, but one that is still utterly vital, is identity theft. A number of people simply don’t realize how much of a threat this can be to their life and the problems it can cause. As a remote worker, you might have to consider both your own personal information and that of the company you work for.

In this guide, we’re providing some of the information you need to ensure you are preventing and tackling ID theft. We also show you what steps you can take if you are unfortunate enough to fall foul of online fraudsters.

What is Online Identity Theft?

Identity theft is nothing new. People have been stealing identification via Social Security numbers and other details for a long time, usually by stealing wallets, but historically some people would go through mail to find details for identity theft.

In the modern age of the internet, it is easier for people to find personally identifiable information. This is sometimes abbreviated to “PII”. This allows people to commit fraud and pretend to be you. They can sometimes steal money directly in this way, but they can also do things to impact upon your reputation or, in the case of employees they might be able to gain access to company servers or more.

Remote workers need to think about the impact of their identity being stolen, access to their online accounts, and more, but if you don’t take the right precautions you can even be responsible for issues regarding your work details. 

Identity theft used to require physical documents to commit this kind of fraud, but now, things have changed. Details can be stolen in a number of ways and networks and websites can be hacked to allow fraudsters to find PII.

How Serious is Identity Theft?

It’s easy to think that identity theft isn’t too much of a big deal or assume that nobody could impersonate you so there’s nothing to worry about. Actually, once they have your details people can take advantage in a lot of different ways. 

Identity theft crime statistics are scary. 16.7 million people in America suffered some form of identity theft in the year 2017. That figure is continuing to grow. Billions of dollars are stolen every year using identity theft methods. 

If you find yourself the victim of identity theft it might be impossible to recover all of the assets you have lost or the damage to your reputation or the company you work for. This means that identity theft is a huge issue that can impact years of your life.

Also, people can commit crimes and run up debts in your name. This can leave you facing a legal battle in the future, too. Make no mistake about it, identity theft is incredibly rife and can make an impact for a number of years in the future.

This is not something you will necessarily have out of the way in a matter of weeks. Even if you contact the authorities and explain that you have been the victim of identity theft, the onus might be on you to prove this. 

Cybercrime is on the rise. 3.2 million identity theft, cybercrime, and other forms of fraud were reported in 2019. As you can see from this article, almost half of the time when people stole someone’s identity, they applied for a credit card. This debt doesn’t automatically get written off. You will need to prove that you were a victim of fraud and take action if this happens to you. Until then the debts could be in your name.

computer hacked with a lot of money stolen

How Does Identity Theft Happen?

It is easy to assume that you have done the right things and won’t be a victim. Just changing your password from time to time isn’t necessarily enough. There are lots of ways in which people can steal your ID details online.

  • Phishing is still popular, even though most people know to be very careful with emails. Phishing can be a big issue for remote workers who might get targeted when people want to gain access to company information. Never go to your bank’s site via a link, as it could be fake. The government has provided advice on avoiding phishing scams here.
  • Pharming is another sophisticated way for cybercriminals to steal your personal information. This is when a criminal might have got a virus into your browser allowing them to redirect you to a fake site, but one that actually looks trustworthy. This is where you’ll be asked to input details.
  • Weak passwords or using the same password for everything is always a risk. If you can, opt to use multi-factor authentication, where you use your smart device as well as your password to prove you are who you say you are.
  • Malware and other viruses or software that can attack your PC. This will potentially allow a hacker or fraudster to gain control and to see your details. You will probably want to keep your operating system updated and you will definitely want to get some sort of virus protection. Working for a company means that if you have a work computer, you should already have this in place.
  • Fraudulent or unsecured sites. Websites that don’t provide you with proof of who they are can hurt you. Look for the padlock sign in your browser which shows that a site has a security certificate. 
  • Old devices you have got rid of can also be used against you in this regard. Some criminals can find your old data just by going through a discarded laptop, for example.
  • “Over The Shoulder” techniques. Someone can watch your input data. It’s as simple as that. If you are in a co-working space, for instance, you might be targeted by someone looking to steal your data.

You need to have your guard up. Identity theft is becoming more sophisticated and people will always look for new ways to get your personal information. For a criminal, it can be very lucrative.

What Happens When Your Identity is Stolen?

Identity theft can lead to your data being sold. People sell it on the dark web, and this means that people all over the world could be using your data to borrow money, make applications, and even commit other crimes.

Generally, most of the consequences that happen after your identity is stolen have some sort of financial gain for the criminal. As a remote worker, it could be that someone is looking to steal your data to gain access to the company you work for. Organizations need to be especially careful. As an employee, this doesn’t fall solely on you, but it is important that you consider the best practices for keeping data safe.

How to Prevent Identity Theft

If you’ve found this article in advance of having to deal with the consequences of identity theft then there is still a lot you can do to hopefully ensure you never have to deal with it happening to you.

If you are working for a large company or your data is particularly sensitive, it makes sense to outsource all of your online security. There are organizations that know exactly how to keep your ID safe and secure and can help both individuals and organizations, even large organizations might find that they are lacking in precautions.

The best thing to do for peace of mind is to work with the professionals and make sure that identity theft doesn’t become a big hassle for you in the future.

Now, this might be a different story for business owners who work remotely. Many remote business owners get targeted for online identity theft. This can prove deadly for the business; many businesses fail right after they get their online security breaches.

It is essential for every company on the internet to implement security measures for it to succeed. This could be achieved either by outsourcing your identity security or, you can do it yourself. Even though it is advised to leave it to the professionals, you can still tackle this problem and be safe on the internet:The most important thing you should do is doing your research thoroughly regarding this issue. It is essential because it not only involves buying software or implementing new technology. It also requires education and hours of reading and watching videos. Hence, it is more complicated than you think. You may find more information here.Cybersecurity presentaton by techie

Source – DepostiPhotos.com

There are some basic things you can do:

Change passwords regularly and generate them rather than just use your cat’s name! People will find a way to get through basic and simple passwords so they should use a lot of different characters. 

Never automatically trust a link that is sent to you. Check if the website is secure and don’t put any details in on a site that you have even one doubt about. Things like online banking are prime examples. Always visit their sites through your browser rather than just clicking on a link in an email. This is prime for someone to take advantage of phishing.

Have a high-quality anti-virus on your computer. If you are running a big company then you should definitely ensure you have access to this for all of your staff.

Don’t mix work and personal life. A working computer should be for work and your personal devices should be for your own accounts on things. If you log into work emails on a laptop that is yours, and you don’t take the right precautions, you could be accountable if anything happens.

How to Tackle Identity Theft When it Happens

If the worst does happen and you find yourself a victim of identity theft, don’t panic. There are steps you can take to try and minimize the damage. 

If you want to, you can contact the specialists. Again, there are specific companies who can deal with identity theft and help you to ensure that you deal with everything in the correct manner, rather than making mistakes along the way.

You should look to get a fraud alert put on your credit report, this can limit the damage of any credit taken out fraudulently in your name.

Report to the FTC. This is one of the first steps you can take. There is a simple form that you can fill in on an FTC site, IdentityTheft.gov or you can call to speak to a member of staff. Try to gain as much evidence as you can when you are talking to them, ready to show exactly what is happening to your accounts.

Go to your local police. Different police forces deal with the issues in different ways and the location where the offense happened might play a part, but authorities should be alerted straight away.

Freeze credit cards and bank accounts. Stop anything negative from happening while you wait to establish what steps you are going to take. Freezing lines of credit can allow you to ensure that you do not run up further debts without spending anything! Your credit card might be being used on the other side of the world.

Change all of your passwords. One breach is enough to ensure that you should get new passwords for every account you have including social media.

Alert your work if using a work laptop or if the ID theft is in any way linked. If you fear that these details could lead to issues for your workplace then there is no way you should keep it from them. 

If you need to, you can still contact specialists in identity theft who can walk you through all of the steps required to try to get your life back on track.

Security image with cursor-Cybersecurity

Conclusion

There is no denying that identity theft can have a huge negative impact on your life, and even on those close to you. If it isn’t properly dealt with then it could keep having an effect decades into the future.

If you haven’t suffered from ID theft yet then you can take steps to ensure your security. If you are working with a company and are worried about their data then this is another reason to take security seriously. Just a few simple precautions can make all the difference, and you need to know what techniques and tactics current fraudsters are using to try and steal your information.

By: David Lukić

%d bloggers like this: