Tagged: security

  • Geebo 8:00 am on October 3, 2019
    Tags: formjacking, security

    New online attack is undetectable! 

    With most online threats there is a lot that consumers can do to protect themselves. For example, with phishing attacks, you can go to a website directly rather than using the link provided in an email or text. To avoid malware you can avoid risky websites and install an anti-malware program in case you do get infected. However, security experts are now warning about an online threat that has virtually no protection. It’s called formjacking and there’s no way to detect it until it’s too late.

    Formjacking is when a third party injects code into a secure website that uses forms for anything from a job application to payment methods. If a website has been compromised, the attackers can lift any information submitted through the form. As you can imagine, this can include your home address, your Social Security number, and any credit or debit card numbers. The only defense against formjacking is for the company that owns the website to constantly review the site’s code to make sure there is no malicious code in there.

    [youtube https://www.youtube.com/watch?v=zeRxFynfvLE]

    Not all hope is lost though. There are services that can provide you with temporary charge card numbers that can be assigned to individual services that you may use. Your bank or credit card provider may also offer such a service. Both Google and Apple Pay are reportedly secure as well. But we fill out so many forms online that there isn’t anything that can guarantee 100% protection. Your best defense is to keep a watchful eye on your charge statements and credit history to make sure that no one has lifted your information and used it for their gain.

     
  • Geebo 8:00 am on September 26, 2019
    Tags: security

    When a smart home isn’t so smart 

    Many people think that they are better securing their home by installing smart devices. These devices can range from cameras to door locks and anything in between. This class of smart devices is known as the internet of things, or IoT for short. That means that these devices are connected to the internet so the user can control them from just about anywhere. The major drawback to IoT devices is that they can also be controlled by bad actors if the user isn’t careful.

    A couple in Milwaukee found that out the hard way this week when someone was able to take control of some of their smart devices. The couple had a Nest camera and thermostat installed. When one of them came home, they found that the thermostat was set at 90 degrees. After that, someone started verbally harassing them through the speaker on their security camera. Even after the couple changed all their passwords, the abuse continued until the devices were disconnected. The couple lays the blame on Nest, which is owned by Google, but the fault may lie elsewhere.

    [youtube https://www.youtube.com/watch?v=xbk3OdYBLHA]

    It’s not hard to hack into IoT devices if the users are using the same password or weak passwords to secure their network and devices. Also, as we discussed with the recent YouTube hack, two-factor authentication (2FA) should be enabled on these devices. While 2FA has its own flaws, it’s more secure than using an easily guessed password. These devices are designed to help protect your home, but if you’re not using 2FA it’s like having the most expensive lock and just leaving the key in it.

     
  • Geebo 8:00 am on September 24, 2019
    Tags: security

    What you can learn from the massive YouTube hack 

    Recently, a large number of YouTube channels with substantial subscriber counts were hijacked by hackers. This way the hackers can sell the accounts to bad actors who can then potentially claim a channel with a large built-in subscriber base. It’s not easy to cultivate a successful YouTube channel. Some creators have spent years carefully growing their audience in a highly competitive market. To possibly see it all disappear in an instant could be a devastating blow to any moderately successful channel.

    The plot against some of YouTube’s creators was a coordinated phishing attack. Authentic-looking emails were sent to creators asking them to log into their accounts. As in most phishing attacks, the creators were then directed to phony login pages where the hackers could steal their login credentials. The hackers could then assign the channels to new owners, locking the creators out of their channels. What’s particularly troubling about this attack is that it allegedly bypassed what’s known as two-factor authentication. 2FA, as it’s known, is the process of requiring a user to securely log in to their accounts using a two-step process that usually involves signing in with their login credentials, then verifying their access request by replying to a text message. It’s believed that the hackers were able to intercept the 2FA messages.

    [youtube https://www.youtube.com/watch?v=5Xd4kWSl3Ac]

    If you’re not using 2FA, you should be. While it’s not unhackable, it does go a long way in stopping someone from accessing your sensitive accounts. While SMS text messages are the most common form of 2FA, they’re not the most secure. However, there are alternatives. One way of protecting yourself is by purchasing a hardware key that works on both your computer and phone and that you have to have in your possession to access your accounts. There are also software approaches to 2FA like Google Authenticator or Microsoft Authenticator, both of which are free.

    Some of these YouTube creators may have lost their life’s work. With a more secure 2FA option you may not have to worry about losing anything important that you access online.

     
  • Geebo 8:00 am on June 20, 2019
    Tags: Firefox, Google Calendar, Nest Cameras, security

    Tech Security news to protect your privacy! 

    Today we have a handful of stories that could potentially affect your privacy, and we start off with Google Calendar. You may not realize that you even use Google Calendar, but if you use Gmail to make any kind of appointments, the odds are you’ll receive a reminder from your Google Calendar. Now, reports are circulating that Google Calendars are being used for phishing attacks. Reports say that you’ll receive a Google Calendar notification that says things like you’ve received a cash reward, or that asks you to take a survey. Attached will be a link the phishers want you to click on so they can try to glean your personal or financial information. Mental Floss has some tips on how to block these annoying invitations in Calendar, but as always you should never click on strange links from correspondents that you don’t know.

    [youtube https://www.youtube.com/watch?v=c3rJYhzKXy0&feature=youtu.be&t=350]

    If you’ve recently purchased a used Nest cam for your home, you may want to know that in some instances the previous owners could still access the cameras. While that does sound scary, it does not apply to all previously owned Nest cameras. The cameras must have previously been connected to a Wink-branded home hub; in that case the previous owners could still access the cameras through the Wink app. If you own a Nest camera and you feel it could be potentially compromised, you may want to consider purchasing a new set of cameras, as so far there has yet to be a fix for the issue. According to The Wirecutter, even a factory reset won’t help.

    Lastly, if you use the Firefox web browser you’ll want to perform an update as soon as possible. Mozilla, the company behind Firefox, recently issued a statement asking users to update their browsers after an exploit was found that could compromise user security. Mozilla didn’t go into detail about what the exploit was except to say that there have been documented accounts of attacks using the exploit. It’s relatively easy to perform an update on Firefox. All you need to do is click on the open menu icon on the upper right of the browser. Scroll down the menu to the help option, click on help, then click on About Firefox. Then a prompt should come up asking you to update Firefox. Click on the update button and Firefox will update and your browser will be more secure.

    Hopefully, these tips will keep your privacy and security a little more private and secure.

     
  • Geebo 10:17 am on January 29, 2019
    Tags: security

    Apple bug let you spy on friends 

    If you’re a fan of Apple products and are deeply entrenched within the iOS ecosystem, you’ve probably used the popular app Facetime. For those of you who may not know, Facetime is an app that allows you to make video calls to your friends on many Apple devices. While Apple prides itself on user privacy, the hacking of iCloud accounts notwithstanding, a major bug was recently discovered in Facetime that potentially allowed users to spy on their contacts.

    According to unofficial Apple news site 9 to 5 Mac, a bug in Facetime allows you to connect a Facetime call without the other party having to accept the call. In order to trigger the bug, you would need to add yourself as a contact in a Facetime group call and the call would connect automatically, while it appears to the other contact that they have not accepted the call yet.

    [youtube https://www.youtube.com/watch?v=lI2za9p95r0]

    In order to prevent these types of Facetime calls from happening, it was recommended that you disable Facetime in the settings of your iOS device. However, Apple has since reacted to the news of the bug by disabling group chat on Facetime across most devices. Apple claims that there will be a patch for the bug later this week.

    This privacy gaffe comes in the wake of Apple taking out a massive billboard at this year’s Consumer Electronics Show in Las Vegas that touted the reputation of iOS devices as being more secure than other devices.

     
  • Geebo 10:00 am on January 18, 2019
    Tags: Collection #1, security

    Data breach could potentially expose millions of email accounts 

    If you’re the type that doesn’t change their online passwords frequently, you may want to change your passwords today. It’s been reported that a massive amount of data known as ‘Collection #1’ has been floating around on the internet for a while and contains 773 million email addresses and 21 million passwords. The list itself is a few years old, so if you’ve been using the same password for a while you should probably go ahead and start changing your passwords on your online accounts.

    [youtube https://www.youtube.com/watch?v=5Dy-K3QbtYM]

    Now you may think that you’ve probably changed your passwords since this data was collected. Well, there’s a reason this data dump has been called Collection #1. That’s because there is a Collection #2 on the horizon which contains even more recently exposed data from within the past year. Collection #2 is said to have ten times the data that Collection #1 had. While we’re waiting for Collection #2 to hit the internet like a wrecking ball, you can check to see if your email account was included in Collection #1 by checking your email address at Have I Been Pwned.

    While you’re changing your passwords there are some good practices that everyone should follow. You should never use the same password for all of your online accounts. If you have trouble remembering all your passwords, there are a plethora of secure password managers that will create and remember secure passwords for your accounts. If you are going to manage your own passwords, don’t fall into the trap of using the most common passwords. You may think you’re clever by using ‘password’, ‘qwerty’, and ‘football’ as your passwords, but you’re not fooling anyone. Instead, most security experts agree that passwords should contain no dictionary words and should contain a mix of uppercase and lowercase letters, numbers, and at least one non-alphanumeric symbol.

    If a bad actor were to gain access to your email account they could wreak some fairly damaging havoc to your life since most of your online accounts are probably tied to that email address.

     
  • Geebo 10:19 am on January 11, 2019
    Tags: security

    Ring doorbells caught in potential privacy gaffe 

    If you’re unfamiliar with the Ring brand of video doorbells it’s actually an ingenious device. The doorbell not only has a built-in camera but also has built-in two-way communication. When someone rings your doorbell, not only can you see them through an app on your phone or tablet but you can also talk to them as if you were home. Many homeowners swear by the devices as if it was the answer to solving any potential security concerns. Privacy, on the other hand, may now be a completely different matter.

    It’s being widely reported that Ring gave unfettered access to customer cameras and recorded videos to their researchers in Ukraine. Not only that, but the video recordings sent to Ring through their cloud service were reportedly left unencrypted in an effort to cut costs. While some Ring customers may not care who sees their video feed in Ukraine, it also turns out that some US Ring employees and executives had around-the-clock access to some live feeds from customers, whether their job required them to have the access or not. These allegations become even more disturbing when you realize that Ring also sells security cameras for inside the home.

    [youtube https://www.youtube.com/watch?v=qklIhlyO6ZU&t=44s]

    Ring themselves have claimed that their employees have not taken part in any impropriety. However, the reports state that Ring employees found workarounds to the company blocking their employees from certain access. Not only does this not bode well for Ring but also for its parent company Amazon, which purchased the company in 2018. Amazon itself is no stranger to privacy concerns, with the company trying to sell allegedly invasive facial recognition software to several law enforcement agencies last year. It will be interesting to see if this alleged breach of privacy will catch the eye of legislators or whether the market will control the future of Ring going forward.

     
  • Geebo 10:12 am on December 17, 2018
    Tags: security

    Here we go again: Facebook bug exposes millions of accounts 

    In what is starting to become an almost weekly event, Facebook announced this past Friday that yet another bug exposed close to 7 million accounts to third-party app developers. The bug was first discovered in September and was active for a few weeks before being corrected. The bug is said to have exposed pictures that users had posted to Facebook but had not given permission to be seen by third parties.

    In the grand scheme of things, this bug is not as big a security risk as other Facebook data leaks have been in the past year. The pictures that were exposed were only those that users had started to upload but that, for some reason, were never posted to the user’s timeline, or photos that were posted to Facebook Marketplace. However, it further shows Facebook’s long-standing disregard not just for user privacy but for Facebook’s own security.

    This was a bug that was discovered back in September after being active for weeks. Why did it take Facebook upwards of three months before informing the public? According to the New York Times, Facebook didn’t notify government officials about the bug until November because they needed to “create a notification page” first. Again, this shows that Facebook is really more concerned about covering their own tails from regulators rather than protecting user privacy.

     
  • Geebo 10:00 am on December 11, 2018
    Tags: security

    Google+ shutting even earlier due to more massive breach 

    If you’ll recall, back in October, Google announced that it would be shuttering its underused social network Google+ in August of 2019 due to a security breach that left 500,000 user accounts vulnerable. This was after the Wall Street Journal discovered a flaw in the comically underused platform. In a world where Facebook is continually exposing millions of accounts to third parties on an almost regular basis, 500,000 users seemed like a thimble of water in the ocean in comparison. Now, a new breach has put Google in very similar company with Facebook.

    During internal testing by Google, it was recently discovered that Google+ had another bug in it that left 100 times the number of accounts exposed compared to the last breach. Over 52 million accounts could have been potentially exposed to third-party developers, with such information as a user’s name, email address, occupation, and age. Google has stated that there’s no evidence that any of the exposed information was used by bad actors, but this latest breach has caused Google to move up the timetable for the demise of Google+. Now Google has scheduled the shutdown for April of 2019.

    Besides being in amazement that Google+ actually had that many users at one point, this bug could not have come at a worse time. Maybe Google will be able to weather this storm since Google+ was nowhere near as popular as its competitors but when you add it to the multitudes of other security breaches in similar spaces this could invite even more governmental eyes looking to regulate companies like Google and Facebook. And as we’ve mentioned before, in today’s highly partisan climate it might not be the best time for any kind of sweeping legislative change.

     
  • Geebo 9:22 am on November 2, 2018
    Tags: security

    Your Facebook account and messages could be sold for just ten cents 

    Ever since the major security breaches happened at Facebook, the social media titan has been trying to assure us that no sensitive user information has fallen into the hands of bad actors. However, it may be just now that we’re starting to see the veracity of those claims. When the accounts of hundreds of millions of users have been exposed, you have to expect at least some fallout from the exposure. Let’s revisit Facebook’s most recent hack that exposed somewhere between 30 and 50 million users.

    Now, the BBC is reporting that the private messages from over 80,000 Facebook accounts are being sold on the open market. While the majority of the accounts belong to users in Ukraine and Russia, there are US and UK accounts listed among them. The bad actors in possession of this information were trying to sell each account for ten cents apiece. The BBC claims to have verified with some of the exposed users that the messages are in fact genuine. The hackers also claim that the 81,000 accounts are just a small sample of a larger cache that contains 120 million accounts.

    Not surprisingly, Facebook is trying to deflect blame from themselves, instead blaming the compromised accounts on malicious third-party browser extensions. That may be all well and good, but when you put the words Facebook and hacked together it’s still Facebook who is going to take the lion’s share of the blame no matter how you look at it. Considering they’ve allowed close to 350 million accounts to be exposed in the past year, is laying blame at their feet really that much of a stretch?

     