Weakness Scoring System

Our Federal government division witin the Department of Commerce, under the National Institute of Standards and Technology, NIST, has a National Vulnerability Databaase designed to help the public, and especially the technical administrators of IT systems to guage potential weaknesses or vulnerabilities in software and hardware systems.  

 

NIST has been working with private industry and other public sector organizations to rate and maintain a catalog of IT threats.   Originally started in 1999 under another name, and as an effort between NIST, SANS institute, and othrs, under the name ICAT or Internet Category Attack Toolkit.  It evolved and even faced death by lack of budgets until rebranded as NVD in 2005 and supported more fully.  

Example: 7.8 Severity Linux Vulnerability

This page is an excellent example of the use, and also of how technical it is.  https://nvd.nist.gov/vuln/detail/CVE-2021-46936

The post What’s the Score? National Vulnerability Database appeared first on Aditi Group Managed IT & Consulting.

Advisory April 4, 2024

Summary

A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator. Under this circumstance, some browsers like Edge for example, have additional mitigations to prevent opening as Administrator.

Affected software

The affected tool is YubiKey Manager GUI (commonly known as ykman-gui) with versions prior to 1.2.6. The issue impacts installations on Windows because Windows requires Administrative permissions to interact with FIDO authenticators. For other operating systems, YubiKey Manager GUI should not be run with elevated permissions.

Not affected software

Installations of YubiKey Manager GUI on platforms other than Windows are not impacted by this issue.

How to tell if you are affected

You are affected if you have YubiKey Manager GUI versions < 1.2.6 installed on a computer that is running Windows and is not using Edge as the default browser. You can check the version of YubiKey Manager GUI you have installed by clicking the “About” menu in the YubiKey Manager GUI.

Customer Actions

Yubico recommends that affected customers update to the latest version of YubiKey Manager available for download from our website or directly from GitHub.

Alternate Mitigations

1. Running YubiKey Manager GUI elevated is only required for using the FIDO features. In cases where users do not require FIDO features in YubiKey Manager GUI, it can run as an unelevated user to avoid this issue.
2. Users can set Microsoft Edge as their default browser which includes mitigations to avoid inheriting Administrative permissions when opened in this way.

Issue Details

YubiKey Manager GUI is a tool for managing the various features of a YubiKey, including FIDO, OTP or PIV. In certain situations, the tool spawns the system default browser as a child process. This action requires user interaction with the tool and is not automatically triggered.

On Windows systems, the ability to communicate with FIDO authenticators requires Administrator privileges. This is a limitation built into the operating system by Microsoft. Thus, in order to interact with the FIDO functionality of the YubiKey, the user must run YubiKey Manager GUI with Administrator privileges. Once YubiKey Manager GUI is run with Administrator privileges, any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks.

Severity

Yubico has rated this issue as High. It has a CVSS score of 7.7.

Timeline

February 1, 2024	Issue identified
April 4, 2024	Yubico releases advisory

The post Watch Your Keys – YubiKey Manager Advisory appeared first on Aditi Group Managed IT & Consulting.

Special guest Kevin Thompson, CPA, a 45-year veteran in accounting and tax preparation, tells us about 2021 tax fraud and scams, credit fraud, identity theft, ghost tax preparers, SBA loan and stimulus check scams. He’ll also explain what to do if you’re the victim of IRS tax fraud and valuable steps you can take to protect yourself. Cyber Gurus podcast hosts Ted Flittner and Ted Mayeshiba of Aditi Group bring this lively and valuable happy hour session to protect your money.

Press the ARROW on the player below to listen now

Show Notes

IRS 5071 C letter – Identity theft letter. This is how the IRS will tell you that you’re a victim of Tax Fraud

https://www.irs.gov/individuals/understanding-your-letter-5071c-or-6331c

 

IRS Fraud targeting gift cards – Watch a short video

https://youtu.be/Z9yRuyXt9vQ

 

California State Abandoned Property – one of many websites for check whether property in your name can be claimed

https://www.sco.ca.gov/upd_msg.html

 

Identity Protection Pins

https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin

Where Apply for your PIN

https://sa1.www4.irs.gov/icce-core/loac/ippin/pages/ippin.xhtml

Please have the following information and materials to complete registration:

•     Full Name
•     Email
•     Birthdate
•     Social Security Number (SSN) or Individual Tax Identification Number (ITIN)
•     Tax filing status
•     Current address

The post S1E2 – Talking Brass Tax, 2021 Money Scams, and Advice with Finance Veteran Kevin Thompson appeared first on Aditi Group Managed IT & Consulting.

In this episode cyber security experts from Aditi Group tell us about why things are not Golden at Coors this week. And you’ll learn about the hack that is sweeping the planet with Microsoft Exchange. This first Friday Happy Hour edition podcast uncovers network security issues at Molsen-Golden that have had big impact on the taps and the company bottom line. We’ll talk data backups, ransomware, cyber hacks and more as we also cover the Microsoft global vulnerability that has already affected tens of thousands of servers. Join us to hear about these stories and how they relate to you and your precious electronic data.

Press the ARROW on the player below to listen now

The post S1E1 – Not So Happy Hour at Coors and Microsoft appeared first on Aditi Group Managed IT & Consulting.

The post Does HIPAA Still Apply with Work at Home and COVID-19? appeared first on Aditi Group Managed IT & Consulting.

HHS has published several warnings recently, including this statement on April 3rd, that businesses should be ever vigilant against imposters posing as HHS / OCR investigators.

Why Are People Posing As HHS Investigators?

HIPAA Spells Fear

For most people who fall under the auspices of the Health Insurance Portability and Accountability Act, aka HIPAA, the terms instill a dread of burdensome policies and obscure reference documents and of punishment for failure to meet the rules. HIPAA penalties include massive potential monetary fines. In the most extreme cases, there is no legal dollar cap. And perhaps worse for individuals, the potential for jail time for violation.

Scams Operate on Fear

Many scam artists take advantage of fears that people may have. The IRS, FBI, or now, HHS / OCR is calling. When people are stressed or afraid, they often divulge information that they otherwise would keep private. The scammer questions tend to follow the line of creating the panic or stress, then requesting info from people – your name, account numbers, social security numbers, etc. These bits of data are the keys they want. These are the keys to create false identities, credit fraud, or simply to hack into online accounts and ultimately bigger prizes.

Stay Calm, Stay Professional

Investigators from any government agency don’t need to pressure people. They don’t need to and don’t tend to rush. If they are ever investigating a case, they are careful, diligent, and patient because they are after the truth. They know that rushing leads to incomplete data and more often, wrong data.

You can stay calm and professional, and know what if they contacted you, they know who you are. They don’t need you to reveal private data.

If you do receive questionable calls, emails, or personal visitors, check with the agencies. Remember this comment from HHS:

HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.

The post OCR Imposters – Office for Civil Rights Investigators, Are They Real? appeared first on Aditi Group Managed IT & Consulting.

Download and install the Windows updates released on January 14, 2020 immediately!

Not every update from Microsoft is as critical as this one for your security. But this should be processed immediately.

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

https://support.microsoft.com/en-us/help/4534306/windows-10-update-kb4534306

Don’t Keep It A Secret

Microsoft Would Like This Swept Under the Rug

The MSNBC website found ZERO results in a quick search for windows 10 security vulnerability but other search and news sites have an every growing list of news articles and tech articles highlighting the latest Windows weakness and potential for exploit.

The post NSA Finding Leads to Windows Security Update appeared first on Aditi Group Managed IT & Consulting.

https://www.ml.com/articles/digital-defense-keeping-your-family-safe-online.html

The post October is National Cybersecurity Awareness Month appeared first on Aditi Group Managed IT & Consulting.

Something else to fear.  Yes, just when you thought web advertising couldn’t be more annoying with slow page loading, pop-ups in the middle of that interesting article and more Viagra than you ever care the know about…comes Malvertising ransomware.

And it came in a big way as major websites that we trust and visit daily were hit by dangerous software hidden in advertisements.  This software is a form of ransonware which encrypts data and holds it hostage – for a price.

Were you hit already?  If so, the authorities say you’ll just have to pay up if you want your data back.

Read more > http://www.cnet.com/news/new-york-times-bbc-dangerous-ads-ransomware-malvertising

The post Malvertising Ransonware – Don’t Click on That Ad appeared first on Aditi Group Managed IT & Consulting.

Hollywood Presbyterian Medical Center paid hackers about $17,000 worth in Bitcoin. And reporters at Forbes say Locky is infecting up to 90,000 network systems every day.

When Locky encrypts a file it will rename the file to the format [fusion_builder_container hundred_percent=”yes” overflow=”visible”][fusion_builder_row][fusion_builder_column type=”1_1″ background_position=”left top” background_color=”” border_size=”” border_color=”” border_style=”solid” spacing=”yes” background_image=”” background_repeat=”no-repeat” padding=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” animation_type=”” animation_speed=”0.3″ animation_direction=”left” hide_on_mobile=”no” center_content=”no” min_height=”none”][unique_id][identifier].locky and creates ransom notes called _Locky_recover_instructions.txt.

So, please, BACKUP your data!

> Read more[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]

The post Locky Ransomware – Data Lockout appeared first on Aditi Group Managed IT & Consulting.