Pete Recommends – Weekly highlights on cyber security issues, January 27, 2023

Subject: Beware: Hackers now use OneNote attachments to spread malware
Source: Bleeping Computer

Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.This comes after attackers have been distributing malware in emails using malicious Word and Excel attachments that launch macros to download and install malware for years.

However, in July, Microsoft finally disabled macros by default in Office documents, making this method unreliable for distributing malware.

Soon after, threat actors began utilizing new file formats, such as ISO images and password-protected ZIP files. These file formats soon became extremely common, aided by a Windows bug allowing ISOs to bypass security warnings and the popular 7-Zip archive utility not propagating mark-of-the-web flags to files extracted from ZIP archives.

However, both 7-Zip and Windows recently fixed these bugs causing Windows to display scary security warnings when a user attempts to open files in downloaded ISO and ZIP files.


Subject: Separating Wi-Fi Security Fact From Fiction
Source: Forbes

It seems like with each passing year we depend more and more on Wi-Fi technology. The number of appliances, devices, and gadgets that connect via Wi-Fi continues to rapidly expand, while Wi-Fi networks and Wi-Fi connectivity has become essentially ubiquitous. Interestingly, while our use of Wi-Fi has grown exponentially and Wi-Fi technology has evolved significantly over the past couple decades, there are a number of myths and common misconceptions that are stubbornly persistent.Today’s Wi-Fi is not invulnerable, but neither is any other networking technology. The problem is that the myths and misconceptions that drive much of the perception of Wi-Fi security are based on partial truths and outdated information. It’s like having a debate about vehicle safety but using arguments that rely on partial data from before seatbelt laws, or before antilock brakes and airbags became standard. Those arguments are meaningless today.

So, let’s examine and debunk the myths.

Other articles by

Subject: 7 Ways to Avoid Scammers on Social Media
Source: PCMag

PCMag / Kim Key – “Learn how to recognize the most common scams and protect your personal data on Facebook and Instagram. I’ve been scaling back my social media presence for a few years, and it’s brought me the peace of mind that comes with keeping nosy acquaintances and curious strangers out of my business. In addition to the mental and social health benefits of not reading everyone’s thoughts in a public forum, I also get fewer spam emails, texts, and robocalls these days. When I stopped sharing details about my life with strangers and locked down my privacy settings on social media apps, I blocked access for potential scammers. And I encourage you to do the same…”

Filed in PCMag category:

Read the latest from Kim Key

Subject: Apple Cash, Cash App, Venmo, Zelle P2P Payment Apps Compared
Source: Consumer Reports

CR’s evaluation of these peer-to-peer payment apps identified potential concerns and ways to protect yourself. The speed and simplicity of such transactions—a few taps on a mobile phone and, bam, a few seconds later the money lands in the recipient’s account—have rapidly turned these and other peer-to-peer (P2P) payment apps into everyday tools for millions of Americans. Nearly two-thirds of us use a P2P app to send money to other individuals, according to a nationally representative March 2022 CR survey of 2,116 U.S. adults (PDF). And over $1 trillion changed hands this way in 2022, according to research firm Insider Intelligence.

Unfortunately, user protections and regulations are not keeping pace with the speed of P2P payment app adoption, or the evolving risks consumers face when using these apps, says Delicia Hand, director of financial fairness for Consumer Reports.

“Meanwhile the regulatory vacuum around these new tools has allowed potentially unfair, unsafe, and discriminatory practices to spread unchecked,” Hand says. For this reason, CR has developed the Fair Digital Finance Framework, a set of criteria and procedures for evaluating a range of digital finance products and services.

Fund protection: Consumers can lose money in a range of ways while using P2P apps, but the most common problems generally fall into two categories: Authorized and unauthorized transactions.

Although P2P companies are not falling short of their legal obligations with respect to authorized or unauthorized transactions, CR’s Hand says, they can and should do more to help users who lose their money in these ways. “Providers could create a fund to reimburse users who are victims of scams and tricked into transferring money,” she says.

In the meantime, here are steps you can take to minimize the risks of using P2P payment apps.

Other “money” articles:

More on Banking:

Subject: Data explosion prompts agencies to look at advanced e-discovery platforms
Source: StateScoop

A new report highlights how modern, cloud-based e-discovery tools allow agency leaders to tap into the full potential of their data.

Data, arguably the government’s most important resource, is growing exponentially — and increasingly more dispersed as agencies adopt decentralized networks. That’s leading agencies and organizations in highly regulated industries to look for tools capable of assuring the reliability and sourcing of data, especially when conducting an investigation or responding to a FOIA request.

While agencies are used to managing large amounts of data, experts suggest that agency and program executives are missing out on capabilities that would help them manage and analyze massive datasets more effectively and tap into their data’s full potential.
Read the report.

Organizational siloes and legacy infrastructure continue to inhibit the modern use of data in government as well as reduce transparency to citizens, says a new report produced by FedScoop and StateScoop underwritten by Relativity.

“The key piece of adopting modern technologies and toolsets—or digitization—is implementing better data management, so that [federal IT leaders] can manage business and workforce more effectively to serve the citizens,” says Doug Cowan, managing director of the U.S. public sector at Relativity.

Additionally, the shift to remote-based work elevated the need for collaborative and flexible tools for document management. Litigation, investigations and records requests can involve the tedious collection and review of a vast amount of potentially relevant material. Furthermore, multiple agencies may need access to and understand the same data. Having solutions that work seamlessly across agencies while maintaining security and control over data has taken on new importance for agencies.

Subject: MacBook Security Chip Gives the Secondhand Computer Market Hell
Source: Gizmodo

Digital recyclers are having a hard time breaking into secondhand Macbooks that have retailed for as much $3,000. The problem? The laptops won’t let anyone other than the owner wipe its data, so now these perfectly good computers are being sold for scrap. Vice says that the problem lies in the Macbook’s T2 security chip, which was unveiled back in 2018, and the security features of the chip include encrypting stored data and biometric data from TouchID. The trouble is that refurbishers can’t factory reset a laptop with the T2 chip for a new user unless the original has allowed the refurbisher to log in, due to the chip’s Activation Lock. Instead, these laptops, which can be worth thousands of dollars, get sold for scrap parts.

The T2 chip is contained inside several Macbook models and some iMacs, according to Apple. In an ideal world, users would factory reset their computers before they are sent to a refurbisher, but instead, Bumstead and his colleagues are forced to accept reduced profits.


Subject: Everyone Wants Your Email Address. Think Twice Before Sharing It
Source: New York Times

The New York Times: “Your email address has become a digital bread crumb for companies to link your activity across sites. Here’s how you can limit this. When you browse the web, an increasing number of sites and apps are asking for a piece of basic information that you probably hand over without hesitation: your email address. It may seem harmless, but when you enter your email, you’re sharing a lot more than just that. I’m hoping this column, which includes some workarounds, persuades you to think twice before handing over your email address. First, it helps to know why companies want email addresses. To advertisers, web publishers and app makers, your email is important not just for contacting you. It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads…

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Posted in: Cybersecurity, E-Discovery, Economy, Email Security, Encryption, Privacy