The Lowdown on Phone Carrier UIDH Injection

Over the past few days, media outlets have been reporting that Verizon has been inserting a string of letters and numbers called a UIDH into outgoing HTTP requests made by its customers. The string uniquely identifies a specific device. The diagram in Jonathan Mayer’s blog post provides a good picture of how the process occurs and how this string can be used. Basically, a website that receives the string can pass it along to an advertising exchange, which in turn pays Verizon for information on the subscriber that allows them to show more relevant ads.

Mayer’s post states that at a minimum, Verizon reveals

Fake Tech Support Scam is Shut Down

In a post on vishing, I warned against calling phone numbers provided by untrusted sources. The particular case I posted about involved a bogus e-mail technical support phone number. Today, a judge shut down an outfit that pretended to provide technical support for Microsoft and Facebook.

In my previous post, I warned about vishing because there was no way to know the intentions of the people behind the number without actually making a call; vishing occurred to me as one possibility. The scheme that was just shut down, however, shows that such numbers can also be used to sell nonexistent services to victims.

Remember to never buy anything from or give any personal information to unsolicited callers. Before calling a number, make sure to check a trusted source to make sure the number is genuine. Even if you receive a call that you believe may be legitimate, it may be safer to tell the caller you will call back later at a number you know to be correct.

Ebola Email Scam is Making The Rounds

Since the spread of Ebola outside of Africa this year, the disease has been dominating the headlines. Unsurprisingly, scammers have tried to capitalize on the topic by sending out phony emails purportedly from the World Health Organization. The article reports that if you open the attachment, it will install a Trojan called DarkComet on your computer. DarkComet contains, among other features, keylogging and webcam hijacking functions.

I am not an expert on the topic of public health, so take the following with a grain of salt, but to me, the text of the e-mail doesn’t look as legitimate as the article says.

Analyzing the Whisper CEO’s Response To The Guardian’s Allegations

From October 16 to October 19, The Guardian posted a series of articles containing a number of allegations about the Whisper app’s practices.

Some of the more serious allegations made by The Guardian are as follows:

1. Whisper tracks the location of users who have expressly opted out of geolocation services.

2. Whisper shares information with the US Department of Defense from smartphones it knows are used from military bases.

3. Four days after learning The Guardian intended to publish their story, Whisper rewrote its terms of service to

Is the Snapchat Model Fundamentally Broken?

The incident dubbed the “Snappening,” in which up to 200,000 Snapchat images were leaked, has been widely reported by the media. The third-party app Snapsaved has taken responsibility for being hacked and has stated that Snapchat itself was not hacked. Snapchat confirmed this in a blog post, stating “We are grateful that the service provider acknowledged that Snapchat was never compromised,” a reference to the statement made by Snapsaved.

Snapchat also made the following statement at the end of their post: “We’ll continue to do our part by improving Snapchat’s security and calling on Apple and Google to take down third-party applications that access our API. You can help us out by avoiding the use of third-party applications.”

The question we should be asking ourselves is

Dropbox “Hack” Due To Credentials Stolen from Other Services

Here’s yet another reminder of why it’s a bad idea to use the same password on more than one site.

According to the Dropbox blog, “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”

If you have trouble remembering a different password for every site, one option is to use a password manager. Password managers are not impervious to all types of attacks, but they can help to ensure that you have different, strong, and unique passwords for every online service.

Personal Information from 76 Million Households Stolen

Due to a cyberattack on JPMorgan Chase, the personal information of 76 million households has been stolen. According to the bank itself, names, addresses, phone numbers, and e-mail addresses were compromised, but there is no evidence that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised.

Even if your password was stolen, the damage done with that password will likely be limited to what anyone with access to only the bank’s services and information can do as long as

Shellshock Is Not One Bug, But A Family of Bugs

Over the past week or so, I’ve seen a lot of articles and blog posts about Shellshock, and many of them refer to Shellshock as a single bug, even though it is really a family of related bugs. Further confusion potentially resulted from reports that patches for the first bug were incomplete.

That the articles talk about Shellshock as if the name refers to only one bug doesn’t mean the articles are wrong.