Brian Krebs has written a new post warning about the dangers of fake order confirmation e-mails. 2 of the screenshots in the post show examples of fake order confirmation e-mails from Home Depot and Walmart, respectively. I don’t know with absolute certainty the dates the e-mails in these screenshots were sent, but because both e-mails mentioned Thanksgiving and have a copyright date of (or ending in) 2014, they are likely to be recent.
Nevertheless, Krebs is correct in referring to this type of e-mail as a “perennial scourge.” A quick Google search reveals similar scams going back as far as 2004, though the DSLReports scam does not seem to explicitly mention the holidays. Here’s another example in 2012 that probably linked to a phishing website. Here’s a third example Continue reading Protecting Yourself Against Fake Order Confirmation E-mails
The EFF, Amnesty International, Digitale Gesellschaft, and Privacy International have teamed up to release an anti-surveillance program called Detekt. Detekt rightly cautions users against being lulled into a false sense of security; the failure by Detekt to find any traces of spyware on your computer does not mean that spyware doesn’t exist. In fact, even if Detekt finds something, that doesn’t mean there is additional spyware that it failed to detect.
The program doesn’t appear or claim to be the definitive solution to the surveillance of journalists by repressive regimes; it only claims to detect FinFisher and Hacking Team RCS. In fact, Continue reading 4 Organizations Release Anti-Surveillance Software
McAfee has released a list of 12 holiday scams. Here are some thoughts I had on the items in the list:
1. Clicking any links in e-mails and using them to give personal information are generally bad ideas, and shipping notification e-mails are no exception. If you placed an order, they already have all the information they need to ship you the item, so why would they need to ask you for it again?
2. This tip isn’t very specific, but it brings to mind shady sites that steal your credit card information instead of actually shipping you items. It may help to look up stores at the BBB. For example, if you type in www.newegg.com into the search box, you will see that the store has an A+ rating, and then you can see why the store received that rating if you’re interested.
3. It’s important to always Continue reading My Thoughts On McAfee’s 12 Scams of The Holidays
Need a reason not to use free hotel wi-fi without a VPN? How about spear-phishing and targeted attacks against you by people who your real name, your room number, and expected arrival and departure times? According to the article, some of the tactics used include Adobe Flash zero-day exploits, fake software updates containing malware, and embedded iFrames redirecting to phony installers.
When you connect to any wi-fi network, you must assume it is hostile and act accordingly. Even if you’re not a senior company executive, here’s an example of the types of attacks that could be used by a rogue Wi-Fi network against various password managers; if you use one, yours could be among them. It’s interesting to note that iFrames are also involved in one of the “sweep attacks” described by the paper.
Want to know if the messaging app or program you’re using is truly secure? The EFF recently rated the security of 39 different apps/services/programs based on these 7 categories:
1. Encrypted in transit?
2. Encrypted so the provider can’t read it?
3. Can you verify contacts’ identities?
4. Are past comms secure if your keys are stolen?
5. Is the code open to independent review?
6. Is security design properly documented?
7. Has the code been audited?
Go here to see the results. The EFF says they plan to do closer examinations in the future.
Here’s an interesting article describing how privacy can suffer due to overreactions to security threats.
Since the spread of Ebola outside of Africa this year, the disease has been dominating the headlines. Unsurprisingly, scammers have tried to capitalize on the topic by sending out phony emails purportedly from the World Health Organization. The article reports that if you open the attachment, it will install a Trojan called DarkComet on your computer. DarkComet contains, among other features, keylogging and webcam hijacking functions.
I am not an expert on the topic of public health, so take the following with a grain of salt, but to me, the text of the e-mail doesn’t look as legitimate as the article says. Continue reading Ebola Email Scam is Making The Rounds
The incident dubbed the “Snappening,” in which up to 200,000 Snapchat images were leaked, has been widely reported by the media. The third-party app Snapsaved has taken responsibility for being hacked and has stated that Snapchat itself was not hacked. Snapchat confirmed this in a blog post, stating “We are grateful that the service provider acknowledged that Snapchat was never compromised,” a reference to the statement made by Snapsaved.
Snapchat also made the following statement at the end of their post: “We’ll continue to do our part by improving Snapchat’s security and calling on Apple and Google to take down third-party applications that access our API. You can help us out by avoiding the use of third-party applications.”
The question we should be asking ourselves is Continue reading Is the Snapchat Model Fundamentally Broken?
Here’s yet another reminder of why it’s a bad idea to use the same password on more than one site.
According to the Dropbox blog, “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”
If you have trouble remembering a different password for every site, one option is to use a password manager. Password managers are not impervious to all types of attacks, but they can help to ensure that you have different, strong, and unique passwords for every online service.
Due to a cyberattack on JPMorgan Chase, the personal information of 76 million households has been stolen. According to the bank itself, names, addresses, phone numbers, and e-mail addresses were compromised, but there is no evidence that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised.
Even if your password was stolen, the damage done with that password will likely be limited to what anyone with access to only the bank’s services and information can do as long as Continue reading Personal Information from 76 Million Households Stolen