Archive for the ‘Uncategorized’ Category

US Charges Nigerian with Elder Fraud

The United States has brought federal charges against a Maryland resident in connection with a social media scam that victimized elderly Americans.

Oluwaseyi Akinyemi, also known as “Paddy Linkin” and “Joseph Kadin,” is accused of conning more than a dozen seniors out of nearly half a million dollars.

A criminal complaint was filed against the 34-year-old Nigerian native on April 16 charging him with mail fraud, attempted mail fraud, and mail and wire fraud conspiracy.

Akinyemi is suspected of being a member of a criminal group that operated a social media–based advanced-fee fraud scheme that caused losses of $474,145.07 over the course of nine months.

The group, called AFG, comprises Nigerian nationals who created fake social media accounts and used them to trick elderly victims into believing that they were to receive a large financial reward. Victims were told that before they could receive their reward, they must first pay “taxes” or “fees.”

Social engineering techniques were deployed by AFG to trick the seniors. The group created fraudulent social media accounts that appeared to belong to friends of the victims. These fake accounts were then used to make victims believe that they were communicating online with people that they knew and trusted.

“Once the victims displayed a level of interest, the AFG allegedly opened a new account or persona (“the closers”) to carry out the fraud scheme,” said the Department of Justice.

“At times, the closers fraudulently posed as real or fictitious government agencies offering the victims financial awards in exchange for associated taxes and fees.”

Funds sent by victims to individuals in Maryland and elsewhere were forwarded by AFG members to the group’s co-conspirators in Nigeria.

Akinyemi was charged on suspicion of being one of the individuals who received victims’ cash or gift card payments through mail services.

On April 16, 2019, a package addressed to Paddy Linkin at Akinyemi’s address was intercepted by police. The package contained $30,000 in cash concealed inside two stuffed animal bears.

The sender of the package told police that the money was one of six “taxes” they had been told they needed to pay to receive a federal grant.

Source: Infosecurity

CVE-2021-20990

In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older, an internal management service is accessible on port 8000, and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
Source: NIST

CVE-2021-20991

In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older, an authenticated user can run commands as the root user via a command injection vulnerability.
Source: NIST

CVE-2021-20992

Fibaro Home Center 2 and Lite devices in all versions provide a web-based management interface over the unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped on to hijack sessions, tokens and passwords.
Source: NIST

CVE-2021-20989

Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a DNS spoofing attack, and a device-initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions.
Source: NIST

SolarWinds: A Catalyst for Change & a Cry for Collaboration

Cybersecurity is more than technology or safeguards like zero trust; mostly, it’s about collaboration.
Source: DarkReading

CVE-2021-21070

Adobe Robohelp version 2020.0.3 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. An attacker with permissions to write to the file system could leverage this vulnerability to escalate privileges.
Source: NIST

CVE-2020-7851

Innorix Web-Based File Transfer Solution versions prior to and including 9.2.18.385 contain a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection.
Source: NIST

CVE-2021-29399

XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or 1.9.11.16.
Source: NIST

Google Trumpets New Mobile App Security Standard

Google is shouting about a new standard designed to enhance baseline security across mobile applications.

The Mobile Application Profile is the work of the Internet of Secure Things Alliance (ioXt), a consortium of over 300 members including Google, Facebook, T-Mobile, Zigbee Alliance, Schneider Electric and many others.

“With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, and webcams, and since most smart devices are managed through apps, they have expanded coverage to include mobile apps with the launch of this profile,” explained Brooke Davis and Eugene Liderman of the Android Security and Privacy Team.

“The ioXt Mobile Application Profile provides a minimum set of commercial best practices for all cloud connected apps running on mobile devices. This security baseline helps mitigate against common threats and reduces the probability of significant vulnerabilities.”

According to the document itself, the Profile covers passwords, interfaces, cryptography, software updates, vulnerability reporting and security-by-default.

It was produced by ioXt in collaboration with over 20 industry players including Google and Amazon, labs such as NCC Group and Dekra, and automated mobile app security testing vendors like NowSecure.

It’s also based on existing frameworks like OWASP MASVS and the VPN Trust Initiative. Although mobile apps only need to be certified under the Mobile Application Profile, VPN apps must also comply with a specialized VPN extension.

“Certification allows developers to demonstrate product safety and we’re excited about the opportunity for this standard to push the industry forward,” noted Davis and Liderman.

“We observed that app developers were very quick to resolve any issues that were identified during their black box evaluations against this new standard, oftentimes with turnarounds in a matter of days.”

The duo encouraged more developers to get involved in the project and said it would help act as a “guiding light” to inspire more of the community to invest in mobile app security.

Source: Infosecurity