Stop annoying Internet videos from autoplaying

Video is fine, but you should decide when and if it plays!

(Mark Huffman @ ConsumerAffairs) The case can be made that the Internet has gotten better in recent years. More resources and faster, more targeted searches.

But there is no doubt that it has also gotten more annoying. Like those creepy ads that follow you from website to website, just because a week ago you happened to look at a product the ad is promoting.

But perhaps the biggest annoyance is videos that automatically play once you open a page. Video content is a great feature and more providers are offering it. But since almost all videos start with a short advertisement, the sites aren't content to just offer the video content, they make their videos begin automatically.

This can be annoying for a couple of reasons. First, it's distracting. Maybe the user just wants to read the article first.

It's hard to concentrate with the audio from the video competing for your attention. In some cases, a page might have more than one video, with all starting at about the same time.

For people on measured bandwidth ISP accounts, autoplaying videos can be a nuisance for another reason. Video can gobble up bandwidth, and over time it can cause these users to exceed their allotment during a billing cycle.

Fortunately, there's something you can do about it. You can turn off the video autoplay in your browser.

Nearly all web videos use Flash, so you just have to prevent Flash from starting when the page opens. It's easily done but the routine is different for each browser.

Internet Explorer

With Internet Explorer you can control autoplay through ActiveX filtering. That makes it fairly easy to turn it off.

According to Microsoft, you only have to go to “tools,” select “safety,” and enable ActiveX Filtering. When you come across a page containing Flash videos, there will be a blue icon in the URL bar, indicating that the autoplay has been blocked.

But if you want to see a video on the page, you have to click on the icon, which allows you to turn off ActiveX Filtering for that site. If you want to turn it back on, it's the same process over again. A bit cumbersome.

Firefox

There are two ways to block autorun videos in Firefox, but the simpler and more reliable method may be to download Flash Block. You can get it from Mozilla here.

Once it's downloaded, install and enable Flash Block. Restart Firefox and from then on, you'll have to click on Flash media to get it to play.

Chrome

To turn off Flash autorun in Chrome, type chrome://chrome/settings/content into the URL bar. Up pops a “content settings” page.

Scroll down to “plug ins” and select “click to play,” and then “done.” It's that simple. After that, every Flash screen will have a gray error message. Just click it to play the content.

Safari

To disable autostart in Safari, you will need to download some extensions. You'll find them here. The extension ClickToPlugin prevents plug-ins, including video, from launching content unless you allow it.

Many Facebook users may want to take the extra step of disabling autoplay in their Newsfeed. When logged into Facebook, click on the arrow in the upper right of your screen and, from the drop down menu, select “settings.”

From the left of the page, scroll through the sections to “videos.” You will find that the default position is to play videos automatically. Click on the button to turn it to the off position.

Spam – “We Are Going To Sue You”

"What do I do if my email account has been spamming to the outside? I just got an email warning me that I will be sued!"

Don't worry just yet. When spam cannot lure you, the spammers will try to scare you! Here is spam social-engineered to trick you into launching malware.

Websense® ThreatSeeker® Network has detected that an email campaign broke out on 19th September, 2011. In this campaign, emails are spoofed to appear as though they are sent from established companies. The emails even formally claim that legal action will be taken because of the spam you have sent. These emails with the fake warning even attach a ZIP file that contains a scanned copy of a document that is supposedly evidence of your spam.

Instagram - Facebook-owned site asserts right to sell users' photos to advertisers

(James Hood @ ConsumerAffairs) Like to post stuff on the Web? Sure you do. It's yours after all, right? Umm, well, actually, it probably isn't once you've posted it.

Read the privacy policies and terms of use of the vast majority of Internet sites and you'll find that material posted there by users becomes the property of the site. This is not a bad thing, as the world would descend the rest of the way into chaos if every tiny bit of every Web site were owned by various individuals.

However, few Web sites have gone as far in asserting ownership of posted content as Facebook's Instagram. The photo-sharing site recently updated its privacy policy to explicitly give it the right to sell user-posted photos to advertisers without any notification or compensation to the user.

The new policy takes effect January 16. If you want to opt out, you'll need to delete your account before then. There is no opt-out provision other than quitting the site entirely.

In other words, post a nice photo of your dog Spot eating Purina kibble and you may soon see Spot on a billboard, but neither you nor Spot will be the richer for it. Spot will still have to buy his own kibble.

Photos of children

More ominously, the new rules would allow the company to use images of children as young as 13 without their parents' permission.

Instagram's reasoning goes like this: You must say you are 13 or older to sign up for the service. The assumption is that when parents allow you to sign up, they are aware that you may become fodder for advertising, or worse.

There's also the little matter of photographing strangers. Amateur photographers -- just about everybody these days -- think nothing of snapping photos of people on the street or in other public or private venues and posting them on the Web, something no commercial photographer would dare do.

Using a photo of someone for commercial purposes without their permission is a serious matter and all photographers worth their camera strap always get a signed release before using such likenesses. (News photos are a slightly different matter).

Cookies & logs too

Here's the notice posted recently by Instagram:

"We may share your information as well as information from tools like cookies, log files, and device identifiers and location data with organizations that help us provide the service to you... (and) third-party advertising partners."

"To help us deliver interesting paid or sponsored content or promotions, you agree that a business may pay us to display your username, likeness, photos, in connection with paid or sponsored content or promotions, without any compensation to you," Instagram added in its terms of use.

The change is not going down well in the social media world, where one poster called it "suicide."

But look at it from Facebook's perspective. Facebook paid $1 billion for Instagram in April, even though the site has nearly no revenue.

This is not unusual in Internetland, where the attitude generally is that if a site gets big enough fast enough it will be too big to fail, even though no one has figured out a business model.

Or as Facebook marketing executive Carolyn Everson put it earlier this month: "Eventually we'll figure out a way to monetize Instagram." Whether anyone who would make such a statement should be called a marketing executive is another story.

None of this is really very surprising, though. Facebook has stumbled into one pitfall after another as it tries to fiddle with privacy issues, attempting to install a rational business model that some would say should have been thought through before the site was ever started.

It's a good thing civil engineers don't work this way. They'd start building bridges and railroads without knowing where they were supposed to end up. As long as they were big enough, maybe it wouldn't matter?

Microsoft Offers $250K Bounty For Conficker Virus Creator's Head

Microsoft and other leading companies in the tech industry said last week that they're offering a quarter million dollar reward for information that leads to the conviction of the authors/distributors of the Conficker virus that has infected 10 million Windows computers. If you could use an extra $250,000 and have a lead, read more about it here:

http://arstechnica.com/microsoft/news/2009/02/microsoft-puts-250k-bounty...

10 Ways to Avoid Cyber Crime

(Juliette Fairley @ MainStreet, NEW YORK) About 21% of companies use cloud providers to store and retrieve data. Of those, only 54% have an incident response plan for cyber breaches, including the theft of confidential customer information, according to Chubb's 2013 Private Company Risk Survey.

"This is surprising in light of the fact that a large number of these firms have been sued in recent years by employees, customers, government agencies and other parties," said Tracey Vispoli, senior vice president and specialty insurance global customer segments leader with Chubb.

While individuals and businesses continue to embrace the convenience of technology, it is also causing people greater concern.

"In general, everyone in the Information Age tends to think data is an asset and that if you can collect it, then you should, because it's cheap to store," said Marilyn Prosch, associate professor at Arizona State University. "If you don't need it, then don't collect it, and only keep what you need for the required amount of time."

According to the Travelers' Consumer Risk Index, 64% of individuals cite personal privacy loss or identity theft as a significant concern.

"Since the release of Zeus malware in 2007, electronic funds fraud has become common," said Dr. Ken Baylor, research vice president with NSS Labs, which tests firewall products and network security devices.

Electronic funds transfer fraud involves fraud crews, often based in ex-Soviet Republics, who scour LinkedIn for finance directors at companies and send them legitimate-looking emails about compliance and fraud. "Once the email is opened, the malware installs and accesses electronic transfer data," Baylor told MainStreet.

For the individual, electronic transfer fraud is less common because consumers can move small amounts of cash but not much more and banks tend to reimburse consumers under Regulation E, which refers to the Electronic Fund Transfer Act that was passed by Congress in 1978 and implemented by the Federal Reserve Board.

"Ideally, companies with which you do business, including financial institutions, use dual authentication and tokens to preserve the security of accounts," said Linda Kornfeld, partner in Kasowitz, Benson, Torres & Friedman in Los Angeles.

Other ways to lessen chances of cyber fraud include:

  1. Think before you share information with any site or person on the Internet.
  2. Be informed by doing your homework and reading privacy policies.
  3. Never log in to online banking sites from public networks at hotels, coffee shops, airports, etc.
  4. Use different passwords for finances than for social networks and games.
  5. Protect home computers by closing home networks. Otherwise, neighbors or their visitors and other strangers can gain access.
  6. Only give out social security numbers on a secured network. Look for https not http.
  7. On social networking sites, such as Facebook, switch all privacy settings to friends only. "Technology has changed so rapidly that it will take a while for controls to catch up but data minimization is the way we are moving," Prosch said.
  8. Do not answer 20-question lists on social networking sites.
  9. Periodically, review credit reports from credit bureaus, such as Experian.
  10. Do not allow children to have the location-based options activated on their mobile devices, including portable game devices.

3 surprising things that spy on you that you can't stop

(Kim Komando) With the hullabaloo about the NSA and its extensive spying programs, it's important to remember that it doesn't have a monopoly on tracking what you do. Other organizations and technology keep tabs on you as well.

I'm not just talking about online advertisers. In fact, you might be surprised at some of the things spying on you.

1. Your car
You may or may not have heard that beginning September 1, 2014, every new car is required to have a black box installed. This will record information about your speed, direction, braking, whether you're wearing a seat belt and everything else going on in the seconds surrounding a crash.

Investigators will know exactly what happened rather than trying to figure it out based on witness testimony. That might not be such a bad thing - if you're in the right.

Of course, the big worry is that the black box might eventually go beyond that. Paired with a GPS, a black box could easily record your entire driving history.

Insurance companies might eventually use the data to set your premiums. Some states, such as California, are already talking about including GPS to tax drivers based on how many miles they drive. What happens if hackers get hold of the data?

"Well," you might say, "I'm not going to buy a car made after 2013." I have some bad news for you. Around 96 percent of new cars already include a black box. In fact, they've been in use by some manufacturers since the early '90s. If your car has one, it will say somewhere in the owner's manual.

It's OK; soon, cars will be driving themselves anyway. Click here to see the future of self-driving cars in action.

2. Your favorite stores
Whenever you swipe a loyalty card, enter your phone number or use the same card at a store, your purchases go into a database profile. Based on what you buy, stores know way more about you than you think.

Back in 2012, the New York Times Magazine reported a shocking story. A father went ballistic in a Target after the store sent his 16-year-old daughter coupons for baby supplies. What was Target doing sending pregnancy promotions to a minor?

Well, it turns out the daughter really was pregnant. Target had a team that, crunching data from millions of consumers, were eerily accurate at such predictions. Target can tell how far along a pregnancy is and estimate a fairly accurate due date based on what a person buys.

Imagine what else they can figure out about your politics, beliefs, health, relationships and more. Scary stuff.

Target isn't the only store doing this, of course. Any business loves to have an inside edge on its customers so it can time promotions for the most impact.

Of course, imagine if the government got hold of that information (assuming it hasn't already) or your health-insurance provider. Even worse, what about identity thieves and scammers? Think what they could do with invaluable information into your habits.

Given the major data breaches happening lately, with Target coincidentally having the worst data breach in retail history, it isn't a stretch to think this information might get out as well.

And, aside from using fake information - which some people do - or shopping at the farmer's market, there isn't anything you can do about it.

Don't wait for stores to send you targeted coupons; download hundreds of money-saving coupons from these great sites.

3. Your Internet service provider
Quick: What's the one organization that knows everywhere you go online? If you read the title of the section, then you know the answer is your Internet service provider.

Not that it's necessarily trying to spy on you, but its business is connecting your computer to websites. And for various business reasons, it saves that information.

Some ISPs keep your traffic information for a few months and others for a year or more. And, of course, any ISP will turn the information over to law enforcement if asked.

Click here for more details about what ISPs keep and who keeps your traffic information the longest.

There is a way around this. You can use a service like Tor or KProxy. These route your traffic through servers around the world. No one can track where you're going.

I should point out that no routing system is foolproof and the government has cracked Tor in the past. So, do me a favor and don't use these proxy services for anything illegal.

- See more at: http://www.komando.com/tips/index.aspx?id=15933&utm_medium=nl&utm_source...

8 of 10 Software Apps Fail Security Assessment

Eight out of 10 software applications fail to meet a security assessment, according to a State of Software Security report by Veracode. That’s based on an automated analysis of 9,910 applications submitted to Veracode’s online security testing platform in the last 18 months. The applications are submitted by both developers — in the government and commercial sectors — as well as companies and government agencies wanting an assessment of software they plan to purchase.

8-character passwords just got a lot easier to crack

(NBC News) A password expert has shown that passwords can be cracked by brute force four times faster than was previously thought possible.

It's no magician's trick. Jeremi Gosney of the Stricture Consulting Group shared the findings at the recent Passwords^12 conference in Norway, where researchers do nothing but focus on passwords and PIN numbers.

What Gosney showed is that a computer cluster using 25 AMD Radeon graphics cards let it make 350 billion (that's right, billion) password attempts per second when trying to crack password hashes made by the algorithm Microsoft uses in Windows.

Ars Technica reported on the finding, estimating that it would take less than six hours for the system to guess every single possible eight-character password. Gosney, in an email to the site, said, "We can attack (password) hashes approximately four times faster than we could previously."

Users should take action, especially those who have been using eight-character passwords and thinking they were safe (or safer than users with fewer characters in passwords), said Infosecurity, an online magazine. It doesn't even matter if you have numbers, upper case letters and symbols — you are not in the clear.

Eight-character passwords "are no longer sufficient," the magazine says, and users should come up with longer passwords to "help defeat brute forcing, and complex passwords to help defeat dictionary attacks." 

Dictionary attacks use pretty common words, names and places that many of us still come up with for passwords, like "LoveNewYork" or even "Jesus" because they're easy to remember. They're also incredibly easy to crack.

Dmitry Bestuzhev, of Kaspersky Lab, offers these suggestions:

1. Use a different password for each different online resource. Never reuse the same password for different services. If you do, all or many of your other online accounts can be compromised.

2. Use complex passwords. This means, in a perfect scenario, a combination of symbols, letters and special characters. The longer the better.

3. Sometimes our online service providers don’t let us create really complex passwords, but try to use long passwords, with at least 23 characters in a combination of uppercase and lowercase letters. A password of 23 characters (131 bits) would be ok.

That may be an ambitious undertaking, especially with the abundance of services out there that all require authentication, but it's worth striving for.

Eight characters "just isn't long enough for a password these days," Sophos Labs' Paul Ducklin told NBC News in an email. "Even before this latest 'improvement' in cracking, standalone GPU (graphics processing unit)-based servers could do the job on eight-character Windows passwords in under 24 hours." And, he added, "cybercrooks with a zombie network, of course, could easily do something similar, even without GPUs."

Ducklin, writing about another password-cracking presentation at the password conference, made it clear that the findings are "yet another reminder that security is an arms race." But to stay ahead all you have to do is lengthen those passwords. At least for now.

9 out of 10 emails now spam

LONDON, England (Reuters) -- Criminal gangs using hijacked computers are behind a surge in unwanted e-mails peddling sex, drugs and stock tips.

The number of "spam" messages has tripled since June and now accounts for as many as nine out of 10 e-mails sent worldwide, according to U.S. email security company Postini.

As Christmas approaches, the daily trawl through in-boxes clogged with offers of fake Viagra, loans and sex aids is tipped to take even longer.

"E-mail systems are overloaded or melting down trying to keep up with all the spam," said Dan Druker, a vice president at Postini.

His company has detected 7 billion spam e-mails worldwide in November compared to 2.5 billion in June. Spam in Britain has risen by 50 percent in the last two months alone, according to Internet security company SurfControl.

The United States, China and Poland are the top sources of spam, data from security firm Marshal suggests.

About 200 illegal gangs are behind 80 percent of unwanted e-mails, according to Spamhaus, a body that tracks the problem.

Experts blame the rise in spam on computer programs that hijack millions of home computers to send e-mails.

These "zombie networks", also called "botnets", can link 100,000 home computers without their owners' knowledge.

They are leased to gangs who use their huge "free" computing power to send millions of e-mails with relative anonymity.

While "Trojan horse" programs that invade computers have been around for years, they are now more sophisticated, written by professionals rather than bored teenagers.

"Before it was about showing off, now it's about ripping people off," said SurfControl's Harnish Patel.

Spam costs firms up to $1,000 a year per employee in lost productivity and higher computing bills, according to research published last year.

Home computer users are at risk from e-mails that ask them to reveal their bank details, a practice known as "phishing".

The latest programs mutate to avoid detection and send fewer e-mails from each machine. Fast broadband Internet connections, which are always connected, help the spammers.

The gangs send millions of e-mails, so they only need a fraction of people to reply to make a profit.

"This is a constant game of cat and mouse," said Mark Sunner, Chief Technology Officer at MessageLabs, an e-mail security company. "The bad guys will not stand still."

They disguise words to try to outfox filters searching for telltale words. So, Viagra would become V1úgra.

When anti-spam experts clamped down on this, the spammers began to send messages embedded in a graphic instead of plain text. It is harder for filters to scan pictures.

Random extracts from classic books are often included to confuse filters looking for keywords.
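The word-disguise trick described above can be seen from the filter's side in the following sketch, an added example that is not part of the original article. The watchlist, the look-alike table and the sample subject lines are assumptions constructed for illustration; the code folds accents and digit swaps, then allows one character of slack so that "V1úgra" still matches.

```python
import re
import unicodedata

# Assumed watchlist for this example: words the article says spam peddles.
WATCHLIST = ("viagra", "pills")

# Assumed look-alike table (constructed): digits and symbols often swapped
# in for letters to slip past keyword filters.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a",
    "5": "s", "7": "t", "@": "a", "$": "s",
})

# Fuzzy matching is limited to longer keywords to keep false positives down.
FUZZY_MIN_LEN = 6


def naive_match(text):
    """The filter the spammers are evading: plain substring search."""
    lowered = text.lower()
    return any(word in lowered for word in WATCHLIST)


def fold(text):
    """Strip accents, lowercase, and map look-alike characters to letters."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base.casefold().translate(LOOKALIKES)


def levenshtein(a, b):
    """Edit distance between two strings (two-row dynamic programming)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # delete from a
                current[j - 1] + 1,            # insert into a
                previous[j - 1] + (ca != cb),  # substitute
            ))
        previous = current
    return previous[-1]


def flagged_terms(text):
    """Return (token, keyword) pairs that match after folding."""
    hits = []
    for token in re.findall(r"[a-z]+", fold(text)):
        for word in WATCHLIST:
            if token == word:
                hits.append((token, word))
            elif (len(word) >= FUZZY_MIN_LEN
                  and abs(len(token) - len(word)) <= 1
                  and levenshtein(token, word) <= 1):
                hits.append((token, word))
    return hits


# Constructed sample subject lines, not taken from real mail.
SAMPLES = [
    "Cheap V1\u00fagra shipped today",
    "Diet p1lls, half price",
    "Buy VIAGRA now",
    "Minutes from Tuesday's meeting attached",
]

if __name__ == "__main__":
    for subject in SAMPLES:
        print(f"{subject!r}: naive={naive_match(subject)} "
              f"folded={flagged_terms(subject)}")
```

Folding alone turns "V1úgra" into "viugra", which is why the one-character edit-distance allowance is needed on top of it.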

Anti-spam laws have had mixed results.

The first U.S. convictions came last year, while Britain has yet to charge anyone under 2003 anti-spam legislation.

It is difficult to fight spam because the problem crosses international borders, said a spokesman for the UK Information Commissioner's Office, the body which enforces the law.

Some believe laws and filters will not defeat spam.

It will only end when people stop buying diet pills, herbal highs and sexual performance enhancers, said Dave Rand, of Internet security firm Trend Micro.

"The products they are selling by spam are exactly the same products that they sold in the Middle Ages," he said. "This really is a human problem, not a computer problem."

A Single Ransomware Gang Made 121 Million In 2016

Intel Security released its McAfee Labs Threats Report: September 2016, which assesses the growing ransomware threat; surveys the “who and how” of data loss; explains the practical application of machine learning in cybersecurity; and details the growth of ransomware, mobile malware, macro malware, and other threats in Q2 2016. 

A single ransomware gang was able to collect 121 million dollars in ransomware payments during the first half of this year, netting 94 million dollars after expenses, according to the report. It is assumed they refer to the Locky strain. 

"Ransomware has grown over the years, and in 2015 and 2016 we really saw a serious spike," said Vincent Weafer, vice president of Intel Security's McAfee Labs. 

Weafer estimated that total ransomware revenues could be in the hundreds of millions. "And that's on the conservative side," he said. Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it. 

Get those users awareness trained! 

Another recently released report, this one from Bromium, confirms the most important key findings of the McAfee report. Surveying the past three years of attacks against businesses, Bromium's report ticks off a depressingly familiar list of dangerous trends in the online threat landscape:

  • High profile data breaches are on the rise, with criminal gangs going the extra mile to penetrate corporate networks and pilfer valuable data.
  • Crypto-ransomware attacks are on a steep rise, with dozens of new ransomware families making their debut in 2016 and Locky taking a market-leading position.
  • Exploits (esp. those targeted at Adobe Flash) remain a problem, despite the limited success that software vendors have enjoyed in reducing the number of exploits in popular consumer applications.
  • Online criminals have proven flexible and resourceful in the face of law enforcement take-downs, quickly migrating their operations to newer exploit kits as older ones disappear.
  • Attacks are becoming increasingly sophisticated and complex, making the job of defenders ever more difficult.

Most importantly, however, Bromium's chief security architect, Rahul Kashyap, warns that although new attack methods are always being developed, malicious actors will continue to rely on proven tactics such as social engineering and watering hole attacks, coupling them with constantly morphing malware to effectively "render AV useless."

A guide if you are a victim of tax refund or tax return fraud.

(Rick) Tax return fraud is becoming a bigger and bigger problem every year. Most people panic when they find out they are a victim, and for a good reason.

Many times people discover they are a victim when they receive a bill from the IRS for a few thousand dollars, or cannot understand what they are being asked to provide during an audit. It is important to keep good records of your taxes and write down all information. Whenever you talk to an IRS agent, it can be very helpful to write down their name, ID, and location. This way you are able to reference that call in the future. Also keep in mind that there are many people who would prefer to blame their taxes on fraud instead of paying what is due. This is unfortunate but is the main reason that the IRS is not going to be welcoming the thought of fraud immediately. You will have to provide proof along the way.

It is critically important to get a transcript, and review all details on your record before agreeing to pay the IRS (if you have reason to believe that they are mistaken, or someone has illegally filed taxes using your personal information). A transcript will show a summary of your tax return along with any actions taken, expenses written, payments, amended returns, and corrections because of math mistakes.

Here are a few examples of what your transcripts will look like:

2009 Tax Year Transcript

2009 Tax Year Transcript

2009 Account Status Transcript

To get your tax transcript, call 1.800.829.0922.

When you are sure your refund was fraudulent do the following:

  1. Contact the IRS exam unit at 1.866.897.0161. Be sure to get a fax number or address in order to submit all of the necessary paperwork. If you have previously spoken with an IRS agent and they have suggested that you are a victim of identity theft, reference the date and time of that original call. If you have a reference number, contact name, and location of where the original call was routed that can also be a help.
  2. Print out a FORM 14039, which is the Identity Theft Affidavit. We have a copy here, or you can go to the IRS website and locate it. This form is very important and will switch your account status from being audited or non paid to an identity theft case. Usually when your account is being audited, there will be specific things you need to make happen in a timely manner. Once you submit the FORM 14039, you're putting everything back into the IRS’ court.
  3. File a police report. You will need the report number from your local police department.
  4. Call the following hotlines and let them know you are a victim of tax fraud.
    • Federal Trade Commission: 1.877.438.4338 or visit FTC.gov
    • Social Security Administration: 1.800.772.1213 or visit SSA.gov
    • Equifax (you need to contact one credit bureau and they will notify the others): 1.800.525.6285 or visit Equifax.com
  5. Get a copy of your W2 from the tax year in question. You can typically get this from the Social Security Administration by visiting a local office. To find an office close to you visit this link on the SSA.gov website. This will give you more evidence when you go to submit all of these forms to the IRS. Remember, you still have to prove that you are a victim of identity theft, and each item you can provide will help build your case. It is equally important to file your taxes for the tax year in question once you have a copy of your W2 from that year. If you are self-employed, you will need to contact an accountant and have them file the correct return as well.
  6. Use the cover letter from your transcript (please see example below) as the cover letter when you fax or mail all of your information to the exam unit at the IRS. This information can be different based on each person's specific case. During step (1) you should have received the fax number and address to send everything to.
IRS Transcript / Cover Letter

The process can be frustrating and identity theft is never going to be an easy process to go through. Check your status regularly by contacting the IRS directly, consulting with your CPA or tax professional, and keeping track of any notices you receive via mail or telephone.

If you follow this guide you will make the process smoother and will avoid any headaches.

Please leave a comment with any experiences that you have had. Let’s work together to prevent fraud from happening!

Note from one of the authors:

First Name: martin

Last Name: vivek

Company Name: xxxxxxx

Email Address: xxx@xxxxx.xxx

Phone Number: 00000000000

Message:

Hello, my name is Martin Vivek. I was on [http://www.active-technologies.com/content/scams-and-how-report-them-tex... and I noticed a ton of great resources that people can visit. I feel as though most fraud does not get the attention it deserves.

I recently had the honor of helping a few others put together a thorough guide about tax fraud. You can see it here:

http://www.taxreturnfraud.com/a-guide-if-you-are-a-victim-of-tax-refund-or-tax-return-fraud/

It has helped numerous people, and even CPA's have used it as a guide.

It is very important that people have this information in the event that they become a victim.

If you could please mention us under the FBI's website that would be greatly appreciated. I believe your readers will be thankful as well.

Let me know if you have any comments, or questions.

ACLU says police use secret cell phone tracking program

No warrants, and no legislative or judicial oversight either

(Jennifer Abel @ ConsumerAffairs) The American Civil Liberties Union has released records it had obtained via Freedom of Information requests from police agencies across the state of Florida, detailing widespread law enforcement use of surveillance technology kept secret not only from ordinary American citizens, but from judges and the court system, too.

This secrecy is allegedly justified in the name of “national security” although, as the ACLU notes in the records it released yesterday, a detailed list of over 250 investigations from just one city's police department showed not a single case related to national security.

And although yesterday's ACLU investigation only looked at Florida, state and local law enforcement agencies in at least 20 states and Washington D.C. use this secret surveillance technology.

It's called Stingray, and it tracks people's whereabouts (more specifically, it tracks the whereabouts of people's phones) through the use of devices called “cell site simulators.” As the label suggests, such devices simulate cell phone towers in a way that forces cell phones in the area to broadcast information which can be used to locate and identify them.

How extensively does law enforcement use this program? The ACLU notes that Florida alone has spent more than $3 million on Stingrays and related equipment since 2008.

“The documents paint a detailed picture of police using an invasive technology — one that can follow you inside your house — in many hundreds of cases and almost entirely in secret.

“The secrecy is not just from the public, but often from judges who are supposed to ensure that police are not abusing their authority. Partly relying on that secrecy, police have been getting authorization to use Stingrays based on the low standard of “relevance,” not a warrant based on probable cause as required by the Fourth Amendment.”

Little oversight

In other words, police keep information about this program secret not only from the public they presumably serve, but from the judges who presumably are supposed to oversee those police to ensure their behavior stays within legal and constitutional guidelines.

Indeed, authorities would sooner let an armed robber avoid jail than reveal any details of how they use Stingray. On the same day the ACLU released its records about Stingray use in Florida, the Washington Post ran a story (based in part on the ACLU's revelations) illustrating that:

[Tadrae McKenzie] and two buddies robbed a small-time pot dealer of $130 worth of weed using BB guns. Under Florida law, that was robbery with a deadly weapon, with a sentence of at least four years in prison. But before trial, his defense team detected investigators’ use of a secret surveillance tool. ... In an unprecedented move, a state judge ordered the police to show the device — a cell-tower simulator sometimes called a StingRay — to the attorneys. Rather than show the equipment, the state offered McKenzie a plea bargain.

McKenzie took the plea: six months' probation, no jail time.

Even elected officials are unable to learn details about the program. Last December, the Star-Tribune in Minneapolis ran an expose about a then-two-year-old agreement between the Minnesota Bureau of Criminal Apprehension (BCA) and the FBI to keep information about the tracking program secret from the public:

“The revelation comes after a lengthy attempt to obtain contracts and nondisclosure agreements for the FBI’s cellphone tracking devices, known as StingRay II and KingFish. The state Bureau of Criminal Apprehension (BCA) has long resisted disclosure requests from the public, news media and even the Minnesota Legislature, saying that doing so would violate trade secrets and expose investigative techniques that could be exploited by criminals.....”

The “trade secrets” mentioned belong to Harris Corp., the Florida-based company that manufactures the StingRay and similar cell phone tracking devices. There's a lot of money at stake; a single StingRay sells for anywhere from $68,000 to $134,000, according to Department of Justice documents quoted by the Washington Post.

The ACLU's records show that one Stingray customer, the city of Tallahassee, went on to use its Stingrays in 250 investigations over the six years spanning mid-2007 to early in 2014. As the Post noted, “That’s 40 or so instances a year in a city of 186,000, a surprisingly high rate given that the StingRay’s manufacturer, Harris Corp., has told the Federal Communications Commission that the device is used only in emergencies.”

The ACLU's records also show that police have not been obtaining warrants before using these cell phone trackers to determine people's locations. The full Florida Stingray records collected by the ACLU are available online here.

AVG Free 2013 Review by Seth Rosenblatt

CNET Review: AVG's updates for 2013 look to the future while struggling to overcome the problems of the past. There's a new interface optimized for Windows 8 that really does make the suite easier to use, and the suite once again tackles its lengthy installation procedure. However, one of the best new features in AVG was actually introduced as a midyear update during 2012.

Installation
We found that the program can go from completed download to ready to use in about 5 minutes.

AVG's touted its five-screen installation for several years now. While it's true that the process continues to be short, it's important to call out a few improvements and one glaring snag.

The installer itself now weighs in at 33MB, down from more than 100MB two years ago. The installer also does not require a reboot. This isn't surprising for Windows 8, but even on computers running Windows 7 and older, installing AVG will be reboot-free. Unfortunately, not only do you still have to opt out of AVG's toolbar and SafeSearch if you don't want them, but even when you choose only the toolbar, it commandeers your default location bar search in Firefox. This is, of course, problematic because the toolbar provides some important security options, such as AVG Do Not Track.

AVG loses points as well for force-shutting your browser without warning during installation, and for not adapting the installation options to Windows 8. AVG has retained the small check boxes from previous years, which are difficult to use by touch.

A more customer-friendly approach would be to go for an opt-in process that doesn't move forward until the user makes a decision. After all, this is what AVG does when asking you to choose between AVG Free or a 30-day trial of AVG Internet Security.

Shouldn't we be done with search engine commandeering by now?

Interface
Windows 8 has forced every Windows software maker around to reconsider how its programs look, and that's a good thing. Whether kicking and screaming, or gleefully leaping, software designers are changing how they make their Windows apps, and AVG is no different.

Although the security suite had been using a variation of the same interface for years, the 2013 suite has been overhauled with a new one that embraces large, boldly colored, tile-like buttons that ought to feel at home in Windows 8.

The new main interface lays out AVG's features in a clean, legible manner. The upper right corner has links to Reports, Support, and Options. At first blush, the Options list is overwhelmingly long, but navigating is impressively accurate on a touch screen. It contains direct links to features that are also available behind the tiles that take up most of the interface.

Next on your way down the main screen is a protection status notification in green for safe or red for unsafe, and then there are three rows of tiles. The first row of bright green tiles are links to core security options: Computer, Web Browsing, Identity, E-mails, and Firewall. The second row are blue, and link to AVG's performance optimizer, parental controls, and the backup service LiveKive. Next to LiveKive there's a button for AVG apps, new services that haven't been revealed at the time of writing.

The third row contains two teal buttons, one to commence a scan and one to update virus definition files. If you're running AVG Free, the bottom quarter of the interface is an ad to upgrade to AVG Internet Security 2013. Behind each of the buttons is a deeper dive into its associated functions. Under Computer, for example, you have access to antivirus and antirootkit scans, statistics, and configurations.

The interface is basically highly navigable, except that people with Windows 8 touch screens could find the third level down tricky without a mouse. If you go into Configurations or another deeper settings level, the advanced settings options could still be too small for some people to easily adjust.

Do note that AVG is essentially running a Windows 7 program with Windows 8 dressing. It opens to Desktop mode, and runs in a single window that doesn't take up the full screen. It's possible that there have been under-the-hood improvements that will allow AVG to adapt to a Metro interface easily, but that's not available yet.

Features and support
While the interface is new, and as you'll see below, the performance improvements are stunning, AVG's focus for 2013 has not been to push aggressive new security tech. That's okay. Instead, the focus this year was to bring some tech that exists at competitors to AVG's enormous, 128-million-strong active user base.

When you start AVG for the first time, a window appears over the main interface that promotes links to its new, free 24-7 telephone support; the AVG Android app; and a tutorial on getting started. As one of the best-known names in Windows security, we like that AVG is making it easy for newcomers to get acclimated.

There's a new file reputation system, which AVG also uses in conjunction with its scans to scan dramatically faster than before. Basically, it looks at a file in the order that its bits were saved to disk, not in order of the directory file tree. It may sound hokey, but as the benchmarks below show, it's an effective technique. By cross-referencing that data with what other AVG users are running, AVG is able to create a more effective net for blocking malicious files.

The file reputation is an extension of AVG's "smart scanning," which takes advantage of AVG's behavioral detection network to scan known safe files once, and rescan them only if it detects changes. As with its competitors, AVG's network is made up of its user base anonymously contributing data up to the cloud. You can choose to opt out of contributing your data when you install, or from the options menu. AVG says opting out won't negatively affect your security.

The smart scanning tech also gives you a built-in system resource manager that prioritizes scans. If a scan is scheduled to begin while the computer is in use, it will automatically restrict the scan so that it runs more slowly but doesn't interfere with the computer's other tasks. When it detects the computer idling, it will then allocate more power to the scan. The feature comes with a slider so you can customize how sensitive it is.

Another major change was introduced earlier in the year. AVG's Do Not Track add-on has been folded into the AVG toolbar. AVG's version lacks the nuance of Abine's Do Not Track Plus, making it more of a logger's chainsaw than a surgeon's scalpel, but it's still good to get privacy-protecting tools out to as many people as possible.

AVG offers a wide range of effective tools for keeping your computer safe. Along with the expected antivirus and anti-malware engines, it has rootkit detection and removal; fake antivirus and ransomware blocking; and basic e-mail and identity protection.

The LinkScanner tool has been improved to watch out for more dynamic code, which is essential in the security game because threats are mutating at such a rapid rate.

The PC Analyzer scans your system for Registry and disk errors. It includes a disk defragmenter and a broken-shortcut cleaner, as well. Although the feature is restricted in full to paid users, if you have the free version, the PC Analyzer comes with a one-time offer to clean all errors it finds. It provides a link to a download of the separate PC Analyzer tool, once the scan is completed. This is an interesting twist on the idea of letting users detect but not repair errors, and it provides more functionality while not affecting the basic security of your computer. However, it's likely that some users will shy away from the extra download.

Other features are restricted to users of AVG's paid upgrades. The paid upgrade version of AVG Anti-Virus 2013 distinguishes itself by offering a chat link shield, a Wi-Fi guard for open Internet connections, and a download scan for files sent via instant message that looks at all ports, not just port 80. The PC Analyzer option mentioned earlier is also included, and comes without restrictions.

AVG Internet Security 2013 includes all that AVG Anti-Virus 2013 offers, and adds in a firewall and antispam protections.

Performance
AVG claims major performance improvements in the 2013 versions, and both CNET's own tests and independent labs appear to bear this out.

CNET Labs' benchmarks found that this year's version leaves a lighter touch on your system than last year's, a big change for the better for AVG.

We can report that AVG's boot time impact was faster than average in general. AVG Anti-Virus 2013 was around 10 seconds faster than the average suite, while AVG Internet Security 2013 was about 5 seconds faster than average and AVG Anti-Virus Free 2013 was about 5 seconds slower. This is better than last year, when AVG was slower than average, and it's better in general, as AVG tends to have a big impact on startup.

Shutdown impact continued to be minimal, around the same as last year -- among the best we've seen at this point so far.

 

| Security program | Boot time | Shutdown time | Scan time | MS Office performance | iTunes decoding | Media multitasking | Cinebench |
|---|---|---|---|---|---|---|---|
| Unprotected system | 40 | 6 | n/a | 395 | 120 | 342 | 17,711 |
| Average of all tested systems (to date) | 72.3 | 16.3 | 1,315 | 410 | 124 | 348 | 17,092 |
| AVG Anti-Virus Free 2013 | 77.8 | 12.9 | 569 | 354 | 125 | 342 | 17,177 |
| AVG Anti-Virus 2013 | 61.8 | 11.9 | 538 | 406 | 124 | 341 | 17,089 |
| AVG Internet Security 2012 | 67.4 | 14.7 | 737 | 408 | 125 | 344 | 17,134 |

*All tests measured in seconds, except for Cinebench. On the Cinebench test, the higher number is better.

In our other tests, AVG was much faster than the median. The scan times on AVG Anti-Virus 2013 and its free sibling were the two fastest so far this year, and AVG Anti-Virus Free 2013 also notched the fastest time during the MS Office performance test. It wasn't just the fastest, either, it was faster than an unprotected computer with the same specs. AVG claims that this is because of how it reads your computer's files. Whatever the cause, it's clear that in some cases, AVG improves in-use system performance.

Third-party efficacy results haven't been published yet for AVG 2013, but the 2012 suite marks are excellent. In the AV-Test test on Windows 7 from the second quarter of 2012, AVG Internet Security 2012 scored 15 out of 18 overall, a lowish high score. The suite had a 5.5 rating out of 6 in Protection, a 5.0 in Repair, and a 4.5 in Usability. On the same test, AVG Anti-Virus Free 2012 scored slightly better with 15.5 out of 18 overall. The suite had a 5.5 rating out of 6 in Protection, a 5.0 in Repair, and a 5.0 in Usability.

The most recent AV-Comparatives.org Whole Product test, which looks at on-demand scanning, retroactive tests, and "real-world" guards including cloud-based protections, puts AVG Internet Security 2012 in the middle of the class, out of 21 suites tested. Looking at Whole Product test results cumulatively from January 2012 to June 2012 shows AVG came in 13th, blocking 97.7 percent of threats.

When it comes to security, AVG isn't hands-down the best out there. But it is more effective than it used to be, and it's clear that it takes a smaller toll on your system than it used to. Those are big gains for the suite.

Conclusion
AVG Anti-Virus Free continues to offer an excellent if not perfect level of security, and deserves a serious shot at being your go-to suite. If you're unhappy with your current suite because of its impact on your system performance, AVG is definitely worth checking out.

You get a fair number of extras when you pay to upgrade, but it's not essential and really only for people who either feel safer when they pay or want the added bonuses. However, if you're on a Windows Vista or XP computer, you definitely ought to have a firewall upgrade. You could get a free one, but if system resources are a concern, it's worth checking out one that's bolted to a security suite as with AVG's paid suites.

 

Publisher's Description

From AVG Technologies USA:

Our most fully featured Free product ever, AVG AntiVirus Free 2013 delivers security features usually only found in paid-for products, and that's not all.

We believe that antivirus software should never get in your way, so we've added smart performance technology that reduces scan times and keeps gaming without annoying lags and freezes caused by scheduled updates and scans.

AVG AntiVirus Free 2013 also goes beyond detecting and removing viruses on your PC. Its 'AVG Do Not Track' feature gives you control over which websites can collect and use your data (available if you take AVG Security Toolbar as part of your installation). This feature joins Anti-Spyware and WiFi hacker-defeating technology to deliver powerful personal protection at home or on the move.

Also new for the 2013 edition is AVG's Easy Interface, which makes managing your protection as simple as possible.

Together these features make AVG AntiVirus Free 2013 an easy, comprehensive free product, but it's not just the software that's free. So too is phone access to our team of support experts 24/7, 365 days a year (USA, UK, Canada).

What's new in this version: A) Even Greater Ease of Use
We've put a big emphasis for this release on making our product easy to use, for both our less-technically savvy customers, as well as those that wish to have greater levels of control with their PC protection. We've completely overhauled our interface, simplified our Firewall and improved our install experience.

  • New User Interface
    Our new User Interface has been developed with extensive involvement from our customers, helping us to build somet...

Read more: AVG AntiVirus Free 2013 - CNET Download.com http://download.cnet.com/AVG-AntiVirus-Free-2013/3000-2239_4-10320142.html#ixzz27lIUXUHZ

Active Technologies AVG Free 2013 Review

AVG has released its new 2013 line of antivirus products, including AVG Free antivirus and Internet Security. AVG has redesigned its interface so that it looks like, and works with, Windows 8, adding bright contrasting colors and large buttons which should benefit touch screens and small display users.

Besides all of the new features, AVG is one of the most highly rated Antivirus programs, Free or Paid!

Free Tech Support: AVG now offers free tech support, which is HUGE if you need it. Past products, however, ran without much difficulty, and we have NEVER had to rely on their tech support to resolve antivirus and program issues. Nice to know it is there if you need it.
 

New user interface: seems much better when compared to older versions. Most of the unnecessary functions have been removed and they have reorganized the interface around four main functions: Computer, Web Browsing, Identity and Emails. Really nice work. However, the “Fix Performance” button points to a “PC Analyzer” available at extra cost. CCleaner does the same thing for free, is widely used and highly recommended in reviews.
 

Reports: AVG has always been known for adequate reporting capability. Reports section is located on top of the screen and features a rotating icon. Reports are in text format and can be easily imported into a spreadsheet or email. What is new in 2013 is an “Archive all” button that makes it easier to save reports to disk.
 

Footprint: AVG claims that it now requires a smaller footprint to run effectively. Our own experience with recent installations shows that the new program requires less disk and memory to operate, leaving more to be used by programs, data, and operating system. Overall, this should result in better performance.
 

Runtime, however, is where the “rubber meets the road”. In the past, when installing AVG 2012 (last year’s product), the system slowdown after installing the software was quite noticeable. Some end-users complained that their computers were as much as 25% slower. After installing AVG Free 2013 on new computers, we noticed very little slowdown, if any. On older systems running AVG 2012, we noticed that the computers ran faster.

Less Nags: Programs like AVG should just sit in the background and do their job in silence. However, to push their “Brand Names”, ALL Antivirus companies started telling users every time they did something, so you wouldn’t forget them. Sometimes you can’t go 5 minutes without a message or NAG about this or that, and some end-users became frightened every time they saw an Antivirus message. AVG was not the worst offender, but now they have far less Nags, and the ones they do have are timely (the way it should be).

Installation: The installation completes quickly when compared to previous versions of AVG. The download file installer, required to install AVG, is only 4 MB in size. The number of screens shown during install has been reduced, the interface asks fewer questions, and a reboot is usually not required.

Complaint 1: Our biggest installation complaint is that one in three upgrades failed to complete. This required a manual uninstall of AVG 2012 and install of AVG 2013. So much time was wasted that we now opt for a manual install. Please keep in mind that upgrade issues appear to be common with most Antivirus software (nature of the beast).

Complaint 2: Our second installation complaint occurs with the AVG Free product. Though the installation download is smaller in size, we suspect that AVG artificially throttles the download over the internet so that it takes longer, sometimes as much as 30 minutes. Their paid product, roughly the same size, downloads in less than 10 minutes. Why???

Complaint 3: The AVG Express Install Option, by default, also installs the AVG Security toolbar and AVG Search, which sets and keeps AVG Secure Search as default provider for IE, Firefox, and Chrome browsers. AVG Search and Toolbar are useless (as far as I’m concerned), and it takes extra time to disable AVG Toolbar and reactivate Google, Yahoo, or Bing. In addition, I don't appreciate it when a program tries to dominate my browser.

Observation: AVG file reputation: When you opt-in to participate in the “AVG Product Improvement Program”, which appears with the "Finish" button, then AVG checks some files on your computer against their cloud service to improve their detection capabilities. That may be nice for them, but I don’t want ANYONE snooping around my computer. I always check NO!

Bottom Line: I suggest upgrading to AVG Free as soon as possible:

Better protection
Faster computer
Less Nags

We began upgrading our maintenance customers last weekend and should have it complete by next Monday.

Adobe Security Bulletin May 13 2014

Adobe customer data breach worse than originally reported

(Jennifer Abel @ ConsumerAffairs) If you have an Adobe account, beware: you should change your password and keep a closer-than-usual eye on your credit report and other financial activities.

Last month Adobe admitted it had suffered a major cyber attack that compromised the data of 2.9 million users; in addition to passwords and email information, that compromised data might also have included customers’ debit or credit card information.

It gets worse. Adobe’s initial report of 2.9 million compromised data accounts was bad enough, but three weeks later, on Oct. 29, Adobe revised the estimate upward to 38 million accounts, over 10 times higher than its original number.

Then, on Nov. 4, Paul Ducklin at Sophos’ Naked Security blog reported that data from over 150 million hacked Adobe accounts had appeared online.

Adobe, however, is sticking to its earlier 38 million figure. But tech and computer security journalists everywhere from GeekWire to the Guardian seem to believe Ducklin over Adobe. This is an important point of contention because Adobe said it has sent warning letters to, and arranged credit alerts for, all customers whose data has been compromised—presumably, to 38 million people. But if Ducklin’s is the correct number, that leaves an additional 112 million Adobe customers at risk and unaware of it.

LastPass has created an online tool Adobe customers can use to see if their emails have been compromised—and it’s worth noting that LastPass thus far says it hasn’t noticed any signs of unauthorized activity in any Adobe user’s emails.

We’re not tech-security experts; if you’re a concerned Adobe user, the tech articles we’ve linked to here offer far more specific advice than we can. However, we do have some generalized online security tips that all people, not just Adobe users, should keep in mind.

If a hacker breaches the database of a company that has your personal information, well, there’s really nothing you can do to prevent that. Even adopting a Luddite lifestyle — “I will never ever buy anything, or undergo any financial transaction, online!”— offers no guarantees. (We personally had to put a credit alert on our accounts a few years ago, after somebody working for our state’s tax-collection bureaucracy lost a laptop computer loaded with the names, Social Security numbers and other information about tens of thousands of state taxpayers, including us.)

But what you can do — what you should do — is conduct your online affairs so that the damage from any one company data breach will be limited to your activities with that company.

For example: never use the same password for more than one account. Some people, for simplicity’s sake, like to use a single password for everything: online email, online banking, online shopping, maybe an online chat forum or two. That definitely makes it easier for you to remember your passwords — and also means a hacker who breaches one of your accounts gets access to all of them.

If you only have a few regular online activities, you might also consider opening a separate web-based email account for each one: use this email address to register for Facebook, use that email for shopping at Amazon. (Confession: we don’t strictly follow that advice ourselves, because we have too many online accounts; however, we do limit ourselves to only two or three accounts per email address.)

And every few days or so, you might try typing terms like “hacker” or “compromised data” into an online news search engine, and see what recent stories pop up; if you read the names of companies with whom you have an account, that’s when you know to be extra-vigilant.

Airplane Systems In-Flight Wi-Fi Is Ripe For Hackers

Cybersecurity researcher Ruben Santamarta says he has figured out how to hack the satellite communications equipment on passenger jets through their Wi-Fi and in-flight entertainment systems.

Andrea Comas/Reuters/Landov

Two years ago a group at Las Vegas’s annual hacker convention announced it could break into air traffic control systems.

At this year’s Black Hat convention, a cybersecurity consultant, Ruben Santamarta, will discuss how he went even further, showing that it’s possible to interfere with an airplane’s navigation and safety systems — while on the plane and in the air — using the plane’s own Wi-Fi and inflight entertainment systems. As Reuters reports:

“Santamarta published a 25-page research report in April that detailed what he said were multiple bugs in firmware used in satellite communications equipment made by Cobham, Harris, Hughes, Iridium and Japan Radio Co for a wide variety of industries, including aerospace, military, maritime transportation, energy and communications.

“The report laid out scenarios by which hackers could launch attacks, though it did not provide the level of technical details that Santamarta said he will disclose at Black Hat.”

The manufacturers say the risk of break-ins is very small, but, according to Reuters, Santamarta says simple steps can be taken to make the systems more secure: “One vulnerability that Santamarta said he found in equipment from all five manufacturers was the use of ‘hardcoded’ log-in credentials, which are designed to let service technicians access any piece of equipment with the same login and password.”

Other topics on tap for the Black Hat convention this week include an ad network data link that can let hackers take over Android phones; how Microsoft administrator tools can be used for nefarious purposes; uncorrected security gaps during desktop computers’ boot-up processes; and the potential threat of hacks in computers’ USB peripherals.

All Three Billion Yahoo Accounts Hacked

Sitting down? An epic and historic data breach at Yahoo in August 2013 affected every single customer account that existed at the time, Yahoo parent company Verizon said on Tuesday.

That's three billion accounts -- including email, Tumblr, Fantasy and Flickr -- or three times as many as the company initially reported in 2016.

Names, email addresses and passwords, but not financial information, were breached, Yahoo said last year.

The new disclosure comes four months after Verizon (VZ) acquired Yahoo's core internet assets for $4.48 billion. Yahoo is part of Verizon's digital media company, which is called Oath.

Verizon revised the number of breached accounts to three billion after receiving new information.

"The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," Verizon said in a statement.

Verizon would not provide any information about who the outside forensics experts are.

Yahoo will send emails to the additional affected accounts. Following the hacking revelations last year, Yahoo required password changes and invalidated unencrypted security questions to protect user information.

According to experts, it's not uncommon for forensic investigations to expose a greater number of victims than initial estimates.

"This often happens with breaches, on a much smaller scale," said Wesley McGrew, a security expert at Horne Cyber. "Initially, the investigation establishes a set of compromised systems and data that encompasses a set of users, then later something is discovered that expands the compromised systems [or] access."

He also said that internal investigations might miss something, and outside experts focused on digital forensics will find more than an internal team.

Ben Johnson, chief technology officer at Obsidian Security, says Yahoo may never know exactly what was accessed. In any breach it's safe to assume the number of affected accounts will be adjusted, he said.

In the case of the massive breach at credit monitoring firm Equifax, for instance, the company initially said the hacking affected 100,000 Canadians, but later revised that number to just 8,000.

Johnson said it's possible that during due diligence of the company's sale, investigators found new information. Another scenario is that accounts thought not to be compromised may have appeared for sale or are being used by criminals.

"The fact is attackers are having field days and the problem is only going to get worse," Johnson said.

Yahoo was also hit by a hack in 2014, which affected around 500 million people and is believed to be separate from the 2013 breach. In March of this year, the Department of Justice indicted four people in connection with the 2014 attack -- two Russian spies and two hackers.

It's unclear who exactly was behind the 2013 break-in, but cybersecurity analysts reported in December that the stolen data was up for sale on the dark web, a murky network only accessible through certain software.

Whether or not people use Yahoo services, they should always practice proper computer hygiene, experts say, such as not reusing passwords and implementing two-factor authentication on all their accounts.

Amazon phishing scams

Joseph Steinberg recently got an email that appeared to be from Amazon, thanking him for making a purchase on Prime Day.

The email promised him a $50 bonus if he would click a link and post a review about the item. Steinberg, who is CEO of SecureMySocial, a firm that watches out for problematic posts, didn't bite. Writing in Inc. Magazine, he said he recognized it as one of the countless phishing schemes using Amazon's name and logo.

But many others might easily fall for it. If you had not made a Prime Day purchase you might be highly suspicious, but if you did make a purchase -- and millions of consumers did -- you might throw caution to the wind and go for the 50 bucks.

How to protect yourself

So if you are an Amazon customer, how do you protect yourself from all the scams that try to take advantage of that relationship? Amazon gets asked that question a lot, and has a page on its website that explains how to protect yourself.

For example, if you get an email about an order you didn't place, it's not from Amazon. The company would like you to send the email as an attachment to stop-spoofing@amazon.com. Make sure you don't open any attachments or click on any links in the email.

Amazon says other scams use a variety of reasons to ask for your user name and password. Should you turn that information over to a scammer, they can buy all kinds of merchandise on your account, charging it to the credit card you have on file.

Other scams will tell you that it's necessary to update your payment information. By directing you to a spoofed site, made to look like it's part of Amazon, the scammer can steal your credit card information.

Black market websites

There are black market sites on the web where scammers can then sell your user name and password, or your credit card info, for a small amount, such as $50 to $100. The purchaser can then use it to make a major purchase -- maybe more than one -- before the fraud is detected.

If you receive a suspicious email that you think could be from Amazon, there is a very simple way to tell if it is. Simply close the email and use your browser to go directly to Amazon.com.

If the email says you need to update your payment information, click on Your Account and then Manage Payment options. If you really do need to update your payment information, the website will have that information.

There are other dead giveaways as well. Phishing emails sometimes are filled with typos and misspellings. In a legitimate link, the URL should start with https://www.amazon.com, followed by the code for the particular page on the Amazon site. If you don't see that in the link, then it's not a real Amazon webpage.
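The link check described above, as an added example (not code from the article or from Amazon): it pulls every link out of an HTML email and compares the real destination host with www.amazon.com, because a plain "starts with" comparison would also accept a lookalike such as `https://www.amazon.com.review-bonus.example`. The sample email, the `.example` host, the 203.0.113.7 address and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host named in the article. Treating only this exact host as genuine is an
# assumption of this example; other Amazon hosts would need to be added here.
ALLOWED_HOSTS = {"www.amazon.com"}


def link_verdict(url):
    """Return 'ok' or a short reason why the link fails the article's rule."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "not https"
    # "https://www.amazon.com@other-host/" puts the trusted name in the
    # userinfo field; the browser actually connects to what follows the "@".
    if has_userinfo:
        return "credentials before host"
    if host is None:
        return "no host"
    if host.rstrip(".") not in ALLOWED_HOSTS:
        return f"host is {host}"
    return "ok"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] of the <a> currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def audit_email(html_body):
    """Return (visible text, real destination, verdict) for each link."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(text, href, link_verdict(href)) for href, text in collector.links]


# Constructed sample email body: the visible text of a link says nothing
# reliable about where the link really goes.
SAMPLE_EMAIL = """
<p>Thank you for your Prime Day purchase! Claim your $50 bonus:</p>
<a href="https://www.amazon.com.review-bonus.example/claim?id=1">https://www.amazon.com/review</a>
<a href="http://www.amazon.com/your-account">Your Account</a>
<a href="https://www.amazon.com@203.0.113.7/signin">Update payment</a>
<a href="https://www.amazon.com/help">Help</a>
"""

if __name__ == "__main__":
    for text, href, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:45} shown as {text!r} -> {href}")
```

Only the last link in the sample passes; the first one shows an Amazon address as its text while pointing somewhere else entirely.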

Android Brightest Flashlight app shared user location without permission

(Jim Hood @ ConsumerAffairs) You wouldn't expect your flashlight to spy on you, but the Federal Trade Commission says that's just what one of the most popular Android apps does.

The "Brightest Flashlight Free" app has been downloaded millions of times by Android users who, presumably, never expected that the app would report their whereabouts to the app developer, Goldenshores Technologies LLC, and its clients.

The FTC filed a complaint against the company and its manager, Erik M. Geidl, charging that the company's privacy policy deceptively fails to disclose that the app will report users' geolocation and unique device identifier to third parties, mostly advertising and marketing networks.

In addition, the complaint alleged that the company deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, rendering the option meaningless.

The company has settled the complaint by agreeing to stop spying on its users and delete any information it still has about them.

“When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “But this flashlight app left them in the dark about how their information was going to be used.”

A few facts omitted

In its complaint, the FTC alleges that Goldenshores’ privacy policy told consumers that any information collected by the Brightest Flashlight app would be used by the company, and listed some categories of information that it might collect. The policy, however, did not mention that the information would also be sent to third parties, such as advertising networks.

Consumers also were presented with a false choice when they downloaded the app, according to the complaint. Upon first opening the app, they were shown the company’s End User License Agreement, which included information on data collection. At the bottom of the license agreement, consumers could click to “Accept” or “Refuse” the terms of the agreement.

Even before a consumer had a chance to accept those terms, though, the application was already collecting and sending information to third parties – including location and the unique device identifier.

The settlement with the FTC prohibits the defendants from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.

The defendants also will be required to delete any personal information collected from consumers through the Brightest Flashlight app.

Anonymous Online Study

(Truman Lewis @ ConsumerAffairs) If anyone still doubts Americans are concerned about their privacy online, a new Pew Research Center study should dispel those doubts. The researchers found that nearly nine in 10 Web users try to remain anonymous online by clearing their cookies and browser histories, encrypting email or using proxy servers.

Pew also found that consumers frequently edit or delete things they've posted in the past, set their browser to disable cookies, avoid websites that asked for their real names and use fictitious names and email addresses.

The report also found that people are more concerned about the amount of data available about them today online than in the past. In July, 50% of Web users said they were concerned about how much information about them was online, up from 33% in September of 2009, Pew found.

Real problems

The researchers said consumers' fears are often based on problems they've experienced because others stole their personal information or took advantage of their visibility online.

It cited these examples:

  • 21% of internet users have had an email or social networking account compromised or taken over by someone else without permission.
  • 13% of internet users have experienced trouble in a relationship between them and a family member or a friend because of something the user posted online.
  • 12% of internet users have been stalked or harassed online.
  • 11% of internet users have had important personal information stolen such as their Social Security Number, credit card, or bank account information.
  • 6% of internet users have been the victim of an online scam and lost money.
  • 6% of internet users have had their reputation damaged because of something that happened online.
  • 4% of internet users have been led into physical danger because of something that happened online.
  • 1% of internet users have lost a job opportunity or educational opportunity because of something they posted online or someone posted about them.

Some 68% of internet users believe current laws are not good enough in protecting people’s privacy online and 24% believe current laws provide reasonable protections.


Concern is growing

Consumers' concerns about their privacy have been growing steadily in recent years. Pew found that 50% of those surveyed say they are worried about the amount of personal information about them that is online — a figure that has jumped from 33% who expressed such worry in 2009.  

Another study, this one conducted by advertising agency Omnicom's Annalect, also found consumers increasingly concerned. The study found 57% of web users in July were "concerned" or "very concerned" about their online privacy, up from 48% in June. The jump was attributed to the news that the NSA has been collecting metadata about U.S. citizens for years.

"People would like control over their information, saying in many cases it is very important to them that only they or the people they authorize should be given access to such things as the content of their emails, the people to whom they are sending emails, the place where they are when they are online, and the content of the files they download," the Pew researchers said.

Companies try to duck

The rising tide of consumer resistance, often bordering on outrage, doesn't seem to be making an impression on companies, which are trying to find ways to hide their surveillance activities rather than cutting back on them.

After conducting its study that found 57% of consumers concerned about their online privacy, Annalect, a market research company, said it would "continue to evolve how we measure and triangulate consumer consumption patterns."

Adam Gitlin, global managing director for digital analytics at Annalect's data group, told Online Media Daily his company was "looking at all possibilities" for tracking people without cookies.

Some industry executives have been talking about "device fingerprinting," a method of tracking people by keeping track of the characteristics associated with their computers. 

Anonymous But Controversial Way to Surf the Internet

(Geoffrey A. Fowler for Wall Street Journal) For more than four years, William Weber has helped run a free service called Tor that makes Web surfing anonymous for anyone.

Then on Nov. 28, the police showed up at the 20-year-old's home in Graz, Austria, and accused him of distributing child pornography. He says the authorities confiscated his computers, and he now awaits formal charges that could lead to jail time.

Mr. Weber says the porn isn't his. But it might have come through his computers as the unavoidable cost of serving as a volunteer for the fast-growing Tor network. "Sure it's bad" that Tor can be used by criminals, he says, but "there is nothing I or the Tor Project can do."

His experience underscores the challenges facing the Tor Project Inc., a 10-year-old Walpole, Mass., nonprofit that is hoping to take anonymous Web surfing mainstream. The network depends on volunteers such as Mr. Weber whose computers help reroute and conceal Internet traffic.

Created in part to hide the online activity of dissidents in countries such as Iran and China that censor the Internet, Tor has seen its popularity grow in the U.S. and Europe amid concerns about online privacy. In the past year, use of the free software nearly doubled to about 600,000 people every day, the group says.

"Ten years ago, no one had this concept of privacy," says Andrew Lewman, Tor's executive director. "But with the [former General David] Petraeus scandal and cellphones recording your location, now this doesn't seem so far-fetched anymore." Today, some 14% of Tor's traffic connects from the U.S.; people living in Internet-censoring countries are now Tor's second-largest user base.

American users include Andrew Whitacre, 32, who works in the comparative media studies department at the Massachusetts Institute of Technology. He set the Tor software to run automatically on his home computer after learning about it from colleagues. "I can't be confident that I know everything out there that might do my computer or contacts harm," he says.

Tor gets about 80% of its $2 million annual budget from branches of the U.S. government that support free speech and scientific research, with the rest coming from the Swedish government and other groups.

To grow further, Tor must convince more volunteers to sign on to extend its network. That is because Tor, which began in 1996 as a project of the U.S. Naval Research Laboratory called Onion Routing, routes a user's Internet data between a series of random volunteer "node" computers.

This process makes it virtually impossible to trace the data request back to the original user. From the outside, it looks like the data request came from the last node on the chain, such as the one Mr. Weber was running.

Today, Tor has enough volunteer nodes—some 3,200—to allow the network to handle two million daily users. But to sustain millions more users and keep traffic from slowing down, Mr. Lewman says it needs 10,000 nodes.

Tor is developing hardware that volunteers could buy and plug into their home Internet connections to automatically become nodes. For people uncomfortable about running their own nodes with illegal activity on the network, Tor offers a program to sponsor a larger one that is operated by someone and serves as the final, and riskiest, node in the chain.

Tor is "a challenge for law enforcement," says John Shehan, executive director of the National Center for Missing & Exploited Children in Alexandria, Va. It is being used regularly to trade sexually exploitative images of children, he says, but there is little Tor's creators can do about it.

A spokeswoman for the Federal Bureau of Investigation, which polices child pornography, declined to comment.

Services such as Tor "provide lifesaving privacy and security for people who otherwise could face extreme reprisal from their governments," says Andre Mendes, director of technology, services and innovation at the U.S. government's International Broadcasting Bureau, which has given $2.5 million to Tor since 2006.

Tor's Mr. Lewman says the organization has received subpoenas, but hasn't ended up in court because it doesn't actually store any data that could be of use. "We spend a lot of time talking to various law enforcement agencies," he says, adding that some police use Tor themselves for undercover work.

Marcia Hofmann, senior staff attorney at digital-liberties group and Tor partner Electronic Frontier Foundation, says Tor volunteers are likely protected by U.S. law, but it hasn't been tested in court. "At the end of the day, Tor is a neutral tool," she says, noting that Internet service and telephone providers aren't held accountable for how criminals use their networks.

Still, she recommends Tor volunteers with the largest exit nodes set up their servers at third-party server facilities rather than their homes or offices, if only to prevent authorities from temporarily seizing computers that they are using for other purposes.

In San Francisco, members of a nonprofit hacker workspace called Noisebridge decided a year ago to spend about $800 per month to run a node of their own. "We really care about freedom of expression," says Andy Isaacson, 35, one of the group's founders.

Initially, some of Noisebridge's members were concerned about potential legal challenges. So the group decided to host its node at a commercial server facility in Los Angeles instead of their San Francisco office. Still, they field queries from law-enforcement officials about three times a month, and twice have had officers show up at their San Francisco office.

To deal with these situations, Mr. Isaacson says Noisebridge keeps handouts about Tor near its front door to hand out to any police who show up. "We haven't had any really bad interactions," he says. "But it is always uncomfortable to have them stop by."

Write to Geoffrey A. Fowler at geoffrey.fowler@wsj.com

AntiVirus Only Stops 45% - Symantec

(Jennifer Abel @ ConsumerAffairs) Computer technology has evolved considerably in the past quarter-century, but hacking-into-computer technology has too.

Symantec Corporation, which introduced the first commercially available anti-virus software 25 years ago, is shifting its focus away from anti-virus programs into other security strategies, the Wall Street Journal reports. Symantec senior VP for information security Brian Dye told the Journal that anti-virus “is dead.”

Here's why: traditional anti-virus software focuses primarily on keeping hackers out of computers, specifically by looking for certain bits of code hackers use to break in where they don't belong. But hackers develop new viruses so quickly, anti-virus writers simply can't stay ahead of them.

Dye estimated that anti-virus software now only succeeds in stopping 45% of cyberattacks. Furthermore, viruses are far from the only method hackers have of gaining entrance to a system, anyway.

When all else fails ...

Since keeping hackers out of a system doesn't always work, computer security now focuses also on how to minimize the damage hackers can do once they're in.

Last March, for example, a U.S. Senate committee released a “kill chain” report about the various ways Target ignored chances to stop the massive security breach which put up to 40 million customers at risk (and cost their banks and credit card companies a lot of money, too).

Among other things, the report said that Target ignored multiple automated warnings from its own security software indicating that hackers were in the system, installing damaging malware and sending secure files out.

The security software Target chose to ignore was created by FireEye Research Labs, the security firm which recently made headlines after discovering the zero-day security flaw which potentially gave hackers access to all versions of Internet Explorer from IE6 on up. Target's first line of defense — keep hackers out of the system altogether — failed after a hacker acquired fake credentials sufficient to enter the system; no anti-virus software could possibly have prevented that, since “a virus” wasn't the problem.

The second line of defense — prevent hackers from causing trouble once they're in the system — might have worked, had Target acted upon its security warnings.

Though Brian Dye said anti-virus is “dead,” that does not mean that you, the everyday computer user, should stop using properly updated anti-virus software on your machine; it means you can't blithely assume “Since I have an updated anti-virus program, I have nothing to worry about.”

You still need to exercise due diligence yourself: for starters, don't click on suspicious-looking links, open spammy-looking emails or download unsolicited files. And if you are Target or any other enormous multinational corporation, don't give third-party air-conditioner repairmen access to the super-sensitive database where you store your customers' confidential financial information, either.

If you can't keep hackers out, you can at least limit what happens once they're in!

Antivirus Makers Struggle to Keep Up

The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses.

Security experts at the Symantec Security Operation Center in Alexandria, Va. The word “antivirus” is less used on its products.

Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. That is prompting start-ups and other companies to get creative about new approaches to computer security.

“The bad guys are always trying to be a step ahead,” said Matthew D. Howard, a venture capitalist at Norwest Venture Partners who previously set up the security strategy at Cisco Systems. “And it doesn’t take a lot to be a step ahead.”

Computer viruses used to be the domain of digital mischief makers. But in the mid-2000s, when criminals discovered that malicious software could be profitable, the number of new viruses began to grow exponentially.

In 2000, there were fewer than a million new strains of malware, most of them the work of amateurs. By 2010, there were 49 million new strains, according to AV-Test, a German research institute that tests antivirus products.

The antivirus industry has grown as well, but experts say it is falling behind. By the time its products are able to block new viruses, it is often too late. The bad guys have already had their fun, siphoning out a company’s trade secrets, erasing data or emptying a consumer’s bank account.

A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.

On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses. And two of the products with the best detection rates — Avast and Emsisoft — are available free; users are encouraged to pay for additional features. This despite the fact that consumers and businesses spent a combined $7.4 billion on antivirus software last year — nearly half of the $17.7 billion spent on security software in 2011, according to Gartner.

“Existing methodologies we’ve been protecting ourselves with have lost their efficacy,” said Ted Schlein, a security-focused investment partner at Kleiner Perkins Caufield & Byers. “This study is just another indicator of that. But the whole concept of detecting what is bad is a broken concept.”

Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its “signature” — unique signs in its code — before they can write a program that removes it.

That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years.

Mikko H. Hypponen, chief researcher at F-Secure, called Flame “a spectacular failure” for the antivirus industry. “We really should have been able to do better,” he wrote in an essay for Wired.com after Flame’s discovery. “But we didn’t. We were out of our league in our own game.”

Symantec and McAfee, which built their businesses on antivirus products, have begun to acknowledge their limitations and to try new approaches. The word “antivirus” does not appear once on their home pages. Symantec rebranded its popular antivirus packages: its consumer product is now called Norton Internet Security, and its corporate offering is now Symantec Endpoint Protection.

Imperva, which sponsored the antivirus study, has a horse in this race. Its Web application and data security software are part of a wave of products that look at security in a new way. Instead of simply blocking what is bad, as antivirus programs and perimeter firewalls are designed to do, Imperva monitors access to servers, databases and files for suspicious activity.

The day companies unplug their antivirus software is still far off, but entrepreneurs and investors are betting that the old tools will become relics.

“The game has changed from the attacker’s standpoint,” said Phil Hochmuth, a Web security analyst at the research firm International Data Corporation. “The traditional signature-based method of detecting malware is not keeping up.”

Investors are backing a new crop of start-ups that turn the whole notion of security on its head. If it is no longer possible to block everything that is bad, the thinking goes, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached.

The hottest security start-ups today are companies like Bit9, Bromium, FireEye and Seculert that monitor Internet traffic, and companies like Mandiant and CrowdStrike that have expertise in cleaning up after an attack.

Bit9, which received more than $70 million in financing from top venture firms like Kleiner Perkins and Sequoia Capital, uses an approach known as whitelisting, allowing only traffic that the system knows is innocuous.

McAfee acquired Solidcore, a whitelisting start-up, in 2009, and Symantec’s products now include its Insight technology, which is similar in that it does not let any unknown files run on a machine.
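
The contrast between signature matching and whitelisting described above can be shown in a few lines. This is an added example, not code from the article or from any vendor named in it: the sample "files" are constructed byte strings, the class and file names are hypothetical, and signatures are simplified to byte patterns.

```python
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 of a file's contents, used as its identity on the allowlist."""
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Default-allow: a file runs unless it contains a known-bad byte pattern."""

    def __init__(self):
        self.signatures = set()

    def learn(self, pattern: bytes) -> None:
        # Only possible after a vendor has captured and analysed a sample.
        self.signatures.add(pattern)

    def allows(self, data: bytes) -> bool:
        return not any(sig in data for sig in self.signatures)


class Allowlist:
    """Default-deny: a file runs only if its hash was approved in advance."""

    def __init__(self, approved_files):
        self.approved = {digest(f) for f in approved_files}

    def allows(self, data: bytes) -> bool:
        return digest(data) in self.approved


# Constructed byte strings standing in for executables (not real binaries).
SAMPLES = {
    "payroll.exe": b"constructed sample: approved payroll application",
    "old_strain.exe": b"constructed sample: OLD-STRAIN-MARKER payload",
    "fresh_strain.exe": b"constructed sample: strain no vendor has analysed yet",
    "new_tool.exe": b"constructed sample: harmless tool IT has not reviewed",
}


def verdicts(policy) -> dict:
    """Map each sample name to True (allowed to run) or False (blocked)."""
    return {name: policy.allows(data) for name, data in SAMPLES.items()}


def run_demo():
    scanner = SignatureScanner()
    scanner.learn(b"OLD-STRAIN-MARKER")            # signature shipped long ago
    allowlist = Allowlist([SAMPLES["payroll.exe"]])

    before = verdicts(scanner)                     # day 0: fresh strain is unknown
    scanner.learn(b"strain no vendor has analysed yet")  # weeks later: update ships
    after = verdicts(scanner)
    return before, after, verdicts(allowlist)


if __name__ == "__main__":
    before, after, allow = run_demo()
    for name in SAMPLES:
        print(f"{name:18} signatures(day 0)={before[name]!s:5} "
              f"signatures(updated)={after[name]!s:5} allowlist={allow[name]}")
```

The allowlist stops the fresh strain on day 0 but also blocks the harmless unreviewed tool, which is the operational cost of default-deny.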

McAfee’s former chief executive, David G. DeWalt, was rumored to be a contender for the top job at Intel, which acquired McAfee in 2010. Instead, he joined FireEye, a start-up with a system that isolates a company’s applications in virtual containers, then looks for suspicious activity in a sort of digital petri dish before deciding whether to let traffic through.

The company has received more than $35 million in financing from Norwest, Sequoia Capital and In-Q-Tel, the venture arm of the Central Intelligence Agency, among others.

Seculert, an Israeli start-up, approaches the problem somewhat differently. It looks at where threats are coming from — the command and control centers used to coordinate attacks — to give governments and businesses an early warning system. As the number of prominent online attacks rises, analysts and venture capitalists are betting that corporate spending patterns will change.

“Technologies that once were only used by very sensitive industries like finance are moving into the mainstream,” Mr. Hochmuth said. “Very soon, if you are not running these technologies and you’re a security professional, your colleagues and counterparts will start to look at you funny.”

Companies have started working from the assumption that they will be hacked, Mr. Hochmuth said, and that when they are, they will need top-notch cleanup crews. Mandiant, which specializes in data forensics and responding to breaches, has received $70 million from Kleiner Perkins and One Equity Partners, JPMorgan Chase’s private investment arm.

Two McAfee executives, George Kurtz and Dmitri Alperovitch, left to start CrowdStrike, a start-up that offers a similar forensics service. Less than a year later, they have already raised $26 million from Warburg Pincus.

If and when antivirus makers are able to fortify desktop computers, chances are the criminals will have already moved on to smartphones.

In October, the F.B.I. warned that a number of malicious apps were compromising Android devices. And in July, Kaspersky Lab discovered the first malicious app in Apple’s app store. The Defense Department has called for companies and universities to find ways to protect mobile devices from malware. McAfee, Symantec and others are working on solutions, and Lookout, a start-up whose products scan apps for malware and viruses, recently raised funding that valued it at $1 billion.

Apple Finally Released Standalone Virus Removal Tool

In its ongoing battle against the widespread Flashback malware attack, Apple has released a standalone removal tool. The utility is available only for users of the most recent version of OS X who have chosen not to install Java.

The downloadable utility is available exclusively for Mac owners running OS X Lion. It will not run on Mac OS X 10.6 (Snow Leopard) or earlier versions.

A description and download link are available here. The accompanying security bulletin says “This update is recommended for all OS X Lion users without Java installed.”

Apple MAC Flashback Virus How To Detect And Fix

With 500,000+ Macs reportedly infected with this trojan virus, Kaspersky Lab, the first company to inform the public about the Flashback threat, has introduced a website called Flashbackcheck. There, you can check to see if your computer is infected, and if it is, download software to delete the rogue virus. Similarly, anti-virus company F-Secure has released its own cure, a tool called Flashback Removal. The download is a relatively small file that scours your computer for the virus and helps isolate and eliminate the threat if your Mac is infected.

Neither of these is an official solution from Apple. Still, with no word on exactly how long Apple's fix will take, they make a really good substitute for anyone who's developed a well-founded case of digital germophobia.

Apple operating systems vulnerable to password theft

Apple released a new macOS operating system Monday, but already security experts are saying it is vulnerable to a zero-day exploit that puts users’ passwords at risk.

Patrick Wardle, a white-hat hacker who formerly worked for the National Security Agency, posted a video of how the exploit can steal plaintext passwords that are stored in Mac keychain – an app that stores passwords on Mac operating systems. In a statement to Ars Technica, he explains that Apple’s security measures have long fallen short of the mark.

“As a passionate Mac user, I’m continually disappointed in the security on macOS,” said Wardle. “I don’t mean that to be taken personally by anybody at Apple – but every time I look at macOS the wrong way, something falls over. I felt that users should be aware of the risks that are out there.”

Hacking users’ passwords

In his demonstration, Wardle shows how using a “keychainStealer” app can expose users’ passwords for several different accounts, including Facebook, Twitter, and even Bank of America.

In a statement, Apple said that macOS is “designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in [Wardle’s video], and prevents them from launching the app without explicit approval [from the user].”

It’s true that Gatekeeper keeps Mac users from installing apps that aren’t digitally signed, such as the one that Wardle used in his video. However, it should be noted that a hacker can easily digitally sign an app by applying for membership in the Apple Developer Program, which costs $99 per year. With those credentials, hackers could then use an app similar to Wardle’s to execute the same actions.

Additionally, Wardle says that he reported the vulnerability to Apple back in August so that the company could fix it before rolling High Sierra out to the public. Unfortunately, it seems that Apple decided to release the new OS without fixing the issue first.

Wardle points out that the vulnerability may not be exclusive to High Sierra, and that earlier versions of macOS could be similarly affected.

Are Apps Uploading Your Address Book to the Internet

(Jim Hood @ ConsumerAffairs) Does the information in your online address book have any value? A group of online developers say it doesn't and that, therefore, you shouldn't complain if they copy it without bothering to ask.

Using that argument, the developers want a federal judge to throw out a lawsuit accusing them of violating consumers' privacy by swiping the names and email addresses stored on their computer or smartphone. 

The developers basically say the consumers have no "standing" -- meaning that they have not been harmed or affected in any way and therefore should, basically, sit down and shut up. 

Besides, the developers note, in most cases they didn't charge the consumers anything for the apps they downloaded so there were no economic damages.

You might ask why somebody would bother to steal something that has no value, but that's another question.

It all started ...

The origin of the case dates back to March 2012, when a Texas resident, Marc Opperman, sued Path and other developers who allegedly uploaded address books from his iPhone. A month earlier, the Federal Trade Commission had sued Path for allegedly violating its users' privacy by swiping their address books.

Path, a somewhat obscure social network, apologized and said it had deleted the information. It also settled the FTC complaint.

Since then, Opperman's original case has expanded to include many more developers, including Instagram, Yelp, Hipster and Twitter.

The developers have asked U.S. District Court Judge Jon Tigar in San Francisco to dismiss the suit with prejudice, meaning that it could not be refiled, saying that consumers have not demonstrated any damage. 

“Plaintiffs have not identified any use of their address books by any defendant or third party that caused plaintiffs any harm or that devalued plaintiffs’ address book information,” they argue.

Are Cloud Services Secure

(Mark Huffman @ ConsumerAffairs) To make it easier to share huge files, as well as ensure the safety of important data, businesses are making increasing use of the cloud – storing their computer files on remote servers.

But two researchers at Johns Hopkins have questioned the security of the growing number of companies now offering cloud storage services.

Lead author Duane Wilson, a doctoral student, and his faculty adviser, Giuseppe Ateniese, an associate professor of engineering, say they have found a flaw that could allow the company storing the supposedly secure data to view it.

Zero-knowledge environment

When a company stores its secure data in the cloud, it is typically promised that the information will remain in a “zero-knowledge environment,” meaning that no one except those who have permission to access the data can see it.

Encryption is supposed to protect the data. The researchers say it doesn't always work that way.

“Our research shows that as long as the data is not shared with others, its confidentiality will be preserved, as the providers claim,” Wilson said. “However, whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers’ files and other data.”

In other words, the company that is holding and protecting the data is also able to view it. This weakness, the researchers say, calls into question the privacy protection these digital warehouses claim to offer.

Trusted middleman

In cloud-based storage, a trusted third party acts as sort of a middleman to verify the identity of the parties accessing the data, making sure they are cleared for access.

After completing an authentication process, the middleman issues “keys” that can unscramble and later recode the data. But Wilson says he found that many cloud storage companies were not turning to an outside third-party, but carrying out the verification function in-house.

That might not be a problem in a perfect world, where all employees are committed to maintaining the clients' confidentiality. Unfortunately, says Wilson, it's not a perfect world.

“The storage businesses could use a phony ‘key’ to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient,” Wilson said.

Reverse engineering

The researchers say they substantiated the security flaw by reverse engineering a typical cloud storage system. They also carried out a network traffic analysis to study the type of communication that occurs between a secure cloud storage provider and its customers.

They stress that they have no evidence that any cloud storage provider is illegally accessing its customers' confidential data, but say it is important that consumers and businesses using these services understand the potential risks.

The study focused on storage providers that promise their clients complete confidentiality. File-sharing services commonly used by consumers, like Dropbox and Google Drive, don't guarantee privacy and consumers shouldn't assume they have it.

The flaw is easily fixable, Wilson says, if storage companies are required to actually use third-party companies to serve as the file-sharing middleman, instead of performing the function in-house.

Still dealing with Heartbleed

The revelations from the Johns Hopkins researchers come at a time when security experts are still scrambling to deal with the fallout from the recently-revealed Heartbleed flaw.

“Everyone should worry about Heartbleed and should change passwords,” said Guy Hembroff, associate professor and chair of the Computer Network and System Administration program at Michigan Technological University. “An average user logging into their Amazon account may be logging into a server that was compromised.”

If that happened to be the case, he says their username, password, and account information – such as address and credit-card information – would be in the memory of the server where the vulnerability is targeted.

“Therefore changing passwords of these accounts is important,” he said.

Are We Sharing Too Much On Facebook?

Facebook is all about sharing, but things may be getting out of hand.

Facebook has developed an Open Graph platform for apps, to facilitate "frictionless sharing." That means we can share whatever has captured our attention on the web with our friends.

Social media apps take the multimedia content we access online and publish the information to our Facebook profiles without the need to click on anything, such as the "Like" button.

But many users aren’t even aware what these new social apps are posting to their profiles. These apps are busy broadcasting your content without your ever being aware of it.

The folks at Facebook claim to think they are doing their members a favor. As they claim to see it, they are making it easier to share information, assuming the things you access online were going to be shared anyway. They've just saved you a step.

Are you giving away too much information

(Mark Huffman @ ConsumerAffairs) Scammers are really good at playing head games with their victims, in hopes they will reveal things they shouldn't. Sensitive information can be used to steal identities, money, or both.

Whatever the scammers are doing, it appears to be working. The 2016 American Mobile Usage Survey found consumers are revealing twice as much sensitive information as they did last year.

First Orion, the company sponsoring the survey, says consumers are bombarded by dubious telemarketers placing over 30 million calls to their mobile phones every day. With those kinds of numbers, it only makes sense that many consumers getting these calls will spill too much information.

In particular, the survey found consumers are a bit too willing to give out their credit card numbers. First Orion estimates about 15 million consumers fell for a caller's pitch and request for a credit card. Worse, an estimated 10 million consumers gave scammers their Social Security numbers in response to a call.

Getting more aggressive

"Scammers are getting more aggressive and becoming more effective at targeting our mobile phones," said Jonathan Sasse, CMO of First Orion. "Nearly three quarters of the people we surveyed received a scam call this year, which is over 60 million more mobile phone owners than in 2015.”

Sasse says scammers have moved to mobile phones in a big way, with 3% of consumers saying they got at least 10 such calls in the last month. Many people said they changed their mobile phone number in an effort to stop the calls.

First Orion, of course, is in the business of blocking unwanted calls. Its PrivacyStar service is marketed to phone companies as well as consumers as a way to identify and block calls from robocallers, who are often scammers.

As we reported last year, the PrivacyStar app also has a feature that could allow consumers to profit from all those unwanted robocalls, if they are from a real company doing business in the U.S. For consumers hounded with hundreds of robocalls from the same company, the app will refer them to consumer lawyers in their area.

PrivacyStar provides the lawyers with the documentary evidence and the lawyers pursue settlements, often in the thousands of dollars.

In the meantime, it goes without saying that anyone calling your cellphone out of the blue and trying to sell something or solicit information is probably up to no good. It's best to hang up, then use the feature on your smartphone to block the number in the future.

As net neutrality vote looms, FCC chair shares article about Sriracha

(Amy Martyn @ ConsumerAffairs) Early this morning, a group of about 100 people were gathered in the freezing weather outside FCC Chair Ajit Pai’s office, doing anything they could to lobby him before Thursday’s planned vote to gut net neutrality.

"I think it’s devastating that we have an FCC chair who is just willfully ignoring the facts, the law, the people, the companies, pretty much everyone except the phone and cable companies,” says Candace Clemente, a campaign director with the pro-net neutrality advocacy group Free Press.

Not taking net neutrality seriously

Clemente spoke to ConsumerAffairs shortly after returning from the protest. She did not see Pai make any attempt to address the crowd, at least while she was there. His social media indicates that he may have other concerns at the moment.

“Restaurant patron arrested after causing ‘disturbance inside when she did not receive what she believed to be an adequate amount of #Sriracha sauce,” Pai wrote on Twitter this morning, sharing an article about a Sriracha-related arrest to his followers.

Clemente -- who points out that Pai most certainly used the open internet to find that story -- sounds unsurprised to learn of the tweet.

A video that leaked last week shows Pai, a former Verizon attorney, making jokes about being a shill for the company, seemingly making light of real concerns consumers and advocacy groups have shared. Advocates say that gutting net neutrality would benefit cable powerhouses at the expense of consumers and companies that do business on the internet.

"I feel like that tweet is really in line with that attitude, of not taking it seriously, treating it like a joke,” Clemente tells ConsumerAffairs.

Consumers urged to make their voices heard

Advocates warn that the issue is not a joke. Everyone from the ACLU to Tim Berners-Lee, the man credited with creating the World Wide Web, describes the FCC’s planned vote to kill the current rules as catastrophic to the state of the internet today.

Clemente says the most effective way for consumers to make their voice heard right now is to contact their representatives, because Congress could potentially overturn the FCC vote under the Congressional Review Act.

As it stands, if the FCC goes ahead with gutting net neutrality Thursday, the immediate aftermath is uncertain. Many pundits predict the FCC will move forward, despite some commissioners who promise to vote against the consensus.

Implementing the new regulations could take anywhere from one day to one year -- it all depends on how long it takes the FCC to update the Federal Register, Clemente says. Advocacy groups also plan on suing the FCC to overturn the ruling should it not go in their favor.

Meanwhile, Jessica Rosenworcel, one of the FCC commissioners who plans to vote against killing net neutrality, tweeted from her office this morning that the internet at the FCC was temporarily down. “I think we can call this some fierce irony,” she wrote.

August 2012 Patch Tuesday

August brings a wild array of Microsoft technologies to update, with both significant client-side and server-side targets in this month's list of vulnerable software. Nine security bulletins (MS12-052 through MS12-060) are being released to update 26 enumerated vulnerabilities (13 from Microsoft, 13 from Oracle), most urgently including the code in Internet Explorer, an ActiveX Control exposed via Microsoft Word and Excel, and multiple network services. The Microsoft community is faced with five bulletins that contain secured code for a slew of critical-rated CVEs.

The MSCOMCTL.ocx ActiveX component exposed by Word, Excel, IE, and Wordpad has been actively and heavily abused in high value targeted attacks around the world over the past handful of months, because of flawed code described by CVE-2012-0158. We described an example of such an APT related exploit in June, and on a global scale, we continue to prevent newly developed exploits abusing CVE-2012-0158, especially with our "automatic exploit prevention". Well, we are going to see the Word and Excel spearphish bait continue to chum the proverbial waters, as Microsoft patches CVE-2012-1856 this month. My guess is that we will see attackers casting their lines with more password protected archives containing these exploits, as network defenders tighten up their networks and network security solution developers improve their product capabilities to make it somewhat more difficult to reach better defended, high-value targets.

MS12-052 patches critical flaws in Internet Explorer code, including another one from the problematic "use-after-free" class of memory corruption errors described by CVE-2012-1526. These bugs are the sort that make their way into the COTS exploit packs like Blackhole and Phoenix, and have been included in mass exploitation schemes when Wordpress and other platform bugs crop up. Multiple other bugs for Internet Explorer 7, 8 and 9 are all being patched, including the missing MSXML5 update for CVE-2012-1889 (only "certain versions" of Office 2003 and 2007 delivered that version of the component).

An odd set of bugs in string parsing network service code provides attackers already inside a network with a way to make their post-intrusion lateral movement within an enterprise. Microsoft predicts that public exploits will be available for these vulnerabilities within 30 days of this patch release. MS12-054 provides this critical but harder to reach path with secured code.

On the server side, Oracle's buggy "Outside In" third party libraries running on Exchange are being patched - public reports and investigations of bugs in the content-indexing code first started surfacing in July. The US-CERT delivered a descriptive note for the problem on Jul 17th for not only Exchange, but Oracle Fusion Middleware, Guidance Encase Forensics, AccessData FTK, and Novell Groupwise. It appears to be the first time Microsoft has ever included a patch for Oracle code in their releases, but unfortunately, it's probably not an indication that Oracle updates will be maintained and pushed with Microsoft Update on Windows anytime soon.

Bottom Line - Restart your computers Wednesday Morning 8/15/2012.

Average Security Incident Costs SMBs $85k

The average cost of a security incident for large businesses is $861,000, and for SMBs is $86,500, according to new research from Kaspersky Lab. The report, Measuring the Financial Impact of IT Security on Businesses, released this week, details the financial impact of security breaches and what companies around the world are doing about it.

The report is based on the 2016 results of the annual Corporate IT Security Risks survey, conducted by Kaspersky and B2B International. The survey included 4000 respondents from different sized organizations in 25 countries.

Roughly half of businesses in the U.S. (49 percent) and globally (52 percent) assume that their IT security will be breached sooner or later. This is a recognition of reality, as 77 percent of U.S. businesses and 82 percent globally have experienced between 1 and 5 separate data security incidents in the last year.

Over one-third of businesses (38 percent) have lost productivity to malware or viruses in the last 12 months, while 36 percent have had IT resources used inappropriately by employees, and 21 percent have experienced data loss or exposure caused by targeted attacks.

Additionally, close to 3 out of 10 companies physically lost a device containing data. Of all security incidents, 43 percent resulted in data loss or exposure of some kind, adding significantly to the high cost of incidents. The largest area of additional cost from security incidents is additional wages for IT staff.

Considering the costs breaches entail, it makes sense that SMBs are particularly concerned with security when selecting cloud hosting providers, as indicated by a recent survey. A survey of SMBs in the U.S., U.K., and Australia released late last year by Webroot suggested their cybersecurity budgets would increase by 22 percent this year.

In part because of the difference in overtime costs, fast recognition of a breach greatly reduces cost, with attacks recognized over a week later costing almost four times as much for SMBs and almost three times as much for enterprises as those recognized nearly instantly by a detection system. Shockingly, 1 in 10 U.S. businesses said it can take up to a year to discover a breach.

“The survey proves that reaction time post-breach has a direct impact on financial losses,” Vladimir Zapolyansky, Head of SMB Marketing, Kaspersky Lab said in a statement. “This is something that cannot be remedied via budget increases. It requires talent, intelligence and an agile attitude towards protecting one’s business. As a security vendor, our goal is to provide tools and intelligence for businesses of all sizes, keeping in mind the difference in ability to allocate security budgets.”

IT security budgets are increasing, however, by an average of 14 percent over the next three years. Similar numbers of enterprises (48 percent) and SMBs (42 percent) see IT infrastructure complexity as a driver of security budgets. Enterprises are more impacted by hacktivism, while SMBs have a higher proportion of exploitation of mobile devices.

Avoid fake emails from Apple and Spotify

If you were one of the 30 million Facebook users whose data was accessed by unauthorized third parties, then Facebook has its own version of encouraging news. The hackers were spammers who wanted your money, not foreign agents trying to influence your vote. Congratulations?

A new report by the Wall Street Journal says that, according to Facebook, the hackers were linked to a digital marketing company that specializes in deceptive advertising. People familiar with Facebook’s internal investigation assured the paper that the hackers didn't have ties to a nation-state.

Apple scam

A Reddit user reportedly caught a new, realistic phishing email scam that could trick iPhone users into handing over the usernames and passwords to their Apple accounts. The email appears to be from Apple and lets a user know that they have completed a purchase through Spotify. Once the confused recipient clicks to review the purchase, they are directed to a site that is a realistic imitation of an Apple login page.

But a look at the web address, according to a screenshot captured, shows that the address does not correspond to Apple. It’s all part of what security expert Tim Sadler says is a classic phishing scam.
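
The address check described above can be automated for links in a message. This is an added example, not part of the original article: the email body and its `.example` hosts are constructed, and the `BRAND_DOMAINS` list and function names are assumptions to be replaced with domains taken from each vendor's own documentation.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: domains each brand really uses for sign-in.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}, "spotify": {"spotify.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in(host, domains):
    """True only if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_link(href, text, brand):
    """Return the reasons a link is suspicious in mail claiming to be from brand."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        reasons.append("not-https")
    if not host_in(host, BRAND_DOMAINS[brand]):
        reasons.append("host-not-brand")
        # The brand name appears somewhere, but not as the real domain.
        if brand in host or brand in parts.path.lower():
            reasons.append("brand-name-as-decoy")
    if parts.username is not None:      # text before '@' is userinfo, not the host
        reasons.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    shown = None
    if "." in text and " " not in text:  # link text that itself looks like an address
        shown = urlsplit(text if "://" in text else "https://" + text).hostname
    if shown and shown.lower() != host:
        reasons.append("text-href-mismatch")
    return reasons


# Constructed email body; every non-Apple host uses the reserved .example TLD.
SAMPLE_EMAIL = """
<p>Your Spotify Premium purchase is complete.</p>
<a href="https://appleid.apple.com.account-review.example/signin">Review your purchase</a>
<a href="https://apple.com@billing.example/apple/login">appleid.apple.com</a>
<a href="https://appleid.apple.com/">Manage your Apple ID</a>
"""


def scan_email(html, brand):
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text, brand)) for href, text in collector.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL, "apple"):
        print(href, "->", reasons or "ok")
```

The suffix match in `host_in` is what catches the first link: the host contains `apple.com` but ends in a different domain.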

"Phishing emails, like spam, are bulk in nature, but are often farming for a user's credentials by mimicking the identity of a trusted website or service – in this case, Apple and Spotify,” he told the Sun.

Minnesota private records

Government employees, it’s time to do a better job of screening suspicious emails. A phishing email scam targeting state email accounts in Minnesota may have revealed the social security numbers, medical records, employment information, and financial records for 21,000 residents.

“Because the Minnesota Department of Human Services respects and values the privacy of your personal information, we want you to know about two recent data security incidents that may have resulted in someone accessing your personal information without permission,” the state wrote in a recent letter to potential victims of the hack.

Victims are urged to keep an eye on their credit card records.

Backdoor found in D-Link home routers

Photo: The backdoor could let attackers spy on net traffic

An easy-to-exploit backdoor has been found in seven different models of domestic routers made by D-Link and Planex.

The backdoor, if used, would let an attacker take complete control of a router or modem and spy on a home's browsing activity.

D-Link has acknowledged the existence of the backdoor and said a fix would be available by the end of October.

So far, the backdoor does not seem to have been exploited "in the wild".

The backdoor was discovered by security researcher Craig Heffner, who reverse-engineered the software used to control a D-Link DIR-100 router. Deep analysis of the code revealed a string of letters that, if used in the right way, unlocked remote access to the gadget.

Writing about his findings on his blog, Mr Heffner speculated that the password string was included to make it easier for D-Link to remotely update some of its products.

The same string has been found to work on seven D-Link routers (DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and the TM-G5240) and two from Planex (BRL-04UR and BRL-04CW).

Many thousands of people are believed to have bought the routers before they were revealed to be vulnerable.

In a statement, D-Link said it was working with Mr Heffner and other security researchers to find out more about the backdoor. And it was also conducting a review of its other products to see if it was present in other models.

It added that it would soon produce an update for the software that keeps the routers running, known as firmware, that would close the backdoor. The company urged users to be vigilant and to disable remote access to their router if it was not needed.

Planex has yet to issue a statement about its products.

Banking ATMs Face Deadline to Upgrade From Windows XP

(@ BusinessWeek) One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a few of the features that Wells Fargo (WFC), Bank of America (BAC), JPMorgan Chase (JPM), and other banks tout as the latest and greatest features of their fleets of ATMs. It’s hardly stuff to set the heart racing.

When ATMs were introduced more than 40 years ago, they were considered advanced technology. Today, not so much. There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft (MSFT) cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards. Most machines that get upgraded will shift to Windows 7, an operating system that became available in October 2009. (Some companies get a bit of a reprieve: For ATMs using a stripped-down version of XP known as Windows XP Embedded, which is less susceptible to viruses, Microsoft support lasts until early 2016.)

Inside every ATM casing is a computer, and like all such devices, each one runs on an OS. Microsoft’s 12-year-old Windows XP dominates the ATM market, powering more than 95 percent of the world’s machines and a similar percentage in the U.S., according to Robert Johnston, a marketing director at NCR (NCR), the largest ATM supplier in the U.S.

The many offshoots of the country’s jumbled ATM network, ranging from convenience stores that operate a single antiquated cash machine to national banks that oversee tens of thousands of terminals, are feeling the deadline in different ways, says Suzanne Cluckey, the editor of ATM Marketplace, a news site that serves the industry. More advanced ATM fleets can do the update over their networks. Older ATMs must be upgraded one by one or even replaced entirely if they don’t have enough computing power to run the newer, more demanding software. “My bank operates an ATM that looks like it must be 20 years old, and there’s no way that it can support Windows 7,” says Cluckey. “A lot of ATMs will have to either have their components upgraded or be discarded altogether and sold into the aftermarket—or just junked.”

Aravinda Korala, chief executive officer of ATM software provider KAL, says he expects only 15 percent of bank ATMs in the U.S. to be on Windows 7 by the April deadline. “The ATM world is not really ready, and that’s not unusual,” he says. “ATMs move more slowly than PCs.” While ATMs seem to be everywhere, their total number—an estimated 3 million worldwide, according to consulting firm Retail Banking Research—isn’t very many compared with the global base of Windows users. As a rule, security patches that directly affect the machines might be issued only once a quarter, Korala says.

Microsoft is selling custom tech support agreements that extend the life of Windows XP, although the cost can soar quickly—multiplying by a factor of five in the second year, says Korala. JPMorgan is buying a one-year extension and will start converting its machines to Windows 7 in July; about 3,000 of its 19,000 ATMs need enhancements before the process can begin, according to spokeswoman Patricia Wexler. A Wells Fargo spokeswoman says that the company is working with Microsoft and ATM manufacturers to upgrade its machines.

The cost to upgrade a single ATM to Windows 7 can range from a few hundred dollars if its hardware is adequate, says Stewart, to thousands of dollars if new components are required.

ATMs whose operators ignore the deadline will continue to function, says Dean Stewart, an executive at Diebold (DBD), which makes ATMs. They’ll just become more vulnerable to malware and other attacks against weaknesses discovered over time in Windows XP. (Customer balances are safe under the standard protections banks offer to ATM users against fraud.) “It’s a very real risk,” Stewart says. “No ATM operator wants to get his name in the paper.”

The ATM industry has faced deadlines of this kind before. “Basically, since the year 2000, they’ve gotten pretty good at these kind of planned crises,” says Rob Evans, the director of marketing at Nautilus Hyosung, another ATM manufacturer. New encryption standards became mandatory in 2002. In 2011 banks had to upgrade ATMs with audio technology to comply with the Americans With Disabilities Act.

with secure microchips. Amid reports of the recent theft of as many as 40 million card records from Target (TGT), some ATM operators are upgrading to the chip-based hardware at the same time they ditch Windows XP. “Banks will also look at this from a business perspective: If I’m tearing apart the machine, what else can we do?” says Evans.

U.S. Bancorp (USB), with the fifth-largest bank ATM network, began planning for the switch in 2010, when its 5,000 machines were an average of 13 years old. That will be cut to five years by the April deadline, says Senior Vice President Patty Henneke. If all goes as planned, customers won’t notice any differences. “We hope it’s invisible,” she says.

Windows 7 brings new features such as support for multitouch interfaces. “Windows 7 allows a true, modern touch ability,” says NCR’s Johnston. “You can swipe, pinch, drag things around. That starts to meet customers’ expectations of what self-service should be as they move into the 21st century.” With iPad-like functionality on the horizon, ATMs would finally enter, if not the future, at least the recent past.

Bash Shellshock security flaw worse than Heartbleed

(My customer systems were fixed over the weekend)

(Jennifer Abel @ ConsumerAffairs) Shellshock, a newly discovered security flaw in a type of software widely used in UNIX, Linux and Mac OS X systems, is considered even worse than last April's “Heartbleed” security flaw, and Heartbleed was bad enough and far-reaching enough to threaten any [supposedly secure] website using OpenSSL encryption.

The list of potentially infected sites from Heartbleed included Yahoo and the FBI, and it's only a slight exaggeration to say, “As a result of Heartbleed, dang-near everybody on the Internet had to change dang-near every password they had.”

Shellshock, also called simply “the BASH bug,” is even worse. After all: “change your passwords” is something you can actually do, an active step you take to protect yourself. So far, though, it appears there's no equivalent step ordinary, everyday Internet users can take to protect themselves from Shellshock; identifying and fixing the problem is in the hands of webmasters and systems administrators.

Even worse: Heartbleed would only allow hackers to see what you were doing on or with your computer; they couldn't actually control it. Hackers exploiting the BASH bug might be able to.

BASH is an acronym for Bourne Again Shell, an open-source software system found in UNIX-type systems. Like all shells, it basically translates commands (from a server or website) into something which your computer or device can read.

The newly discovered security bug basically lets hackers take over the shell and slip in malicious bits of code.

In home-security (rather than computer-security) terms, Heartbleed was like a situation where the front door to everybody's house suddenly unlocked all at once, so everybody had to lock their doors (change their passwords) before any burglars walked in through those unlocked doors to steal things. But the BASH bug is more like a new device a burglar can use to break into a locked door.

The security flaw is bad enough that the U.S. Computer Emergency Response Team issued a security alert to “experienced users and administrators” – another subtle reminder that, while everyday Internet users are at risk from Shellshock, there's little if anything they personally can do about it.

Behavioral Tracking Widespread on Children's Sites Says FTC

The FTC (Federal Trade Commission), CDD (Center for Digital Democracy), along with 16 consumer, health, privacy, and child advocacy groups, endorsed the Commission’s proposals to update the Children’s Online Privacy Protection Act (COPPA) rules. The "Groups" recommend critical changes in its regulations aimed at addressing contemporary data collection and marketing practices.

CDD also released an analysis of tracking and targeting techniques employed by the leading child-targeted websites, which found that the great majority of the sites (81%) engage in some form of tracking through the use of such “persistent identifiers” as flash cookies, web bugs, and other online data collection tools. 

“The online data collection practices we originally identified in the 1990s have been eclipsed by a new generation of tracking and targeting techniques, as online data collection in this era of Big Data,” commented Kathryn Montgomery, Professor of Communication at American University, who, along with CDD Executive Director, Jeff Chester, spearheaded the campaign to pass COPPA in 1998. “It is imperative that the rules be changed if they are going to continue protecting children’s privacy in the growing digital marketplace.” 

Nearly half of the sites (48%) appear to be using behavioral targeting technologies...


Best Free Antivirus Protection of 2016

(Neil J. Rubenking @ PC) Early adopters, daredevils, and purchasers of new computers are all running Windows 10 by now. Those who err on the side of caution, or whose IT department forbids them to, are still running Windows 8. Whether you run Windows 8 or Windows 10, your computer is theoretically under the protection of the built-in Microsoft Windows Defender. However, our hands-on tests and independent lab tests show that you're better off with a third-party solution. Fortunately, you've got plenty of free choices, and the best of them are better than many competing commercial products. Which one is best for you? We've rounded them up to help you choose.

Quite a few of these products are free only for noncommercial use; if you want to protect your business, you have to pony up for the paid edition. At that point, you should probably consider upgrading to a full security suite. After all, it's your business's security on the line. And if you've grown beyond SMB status, investing in a SaaS endpoint protection system will let you monitor and manage security across your entire organization.


Your antivirus should definitely have the ability to root out existing malware, but its ongoing task is to prevent ransomware, botnets, Trojans, and other types of nasty programs from getting a foothold. All of the antivirus programs in this collection offer real-time protection against malware attack. Some take the fight upstream, working hard to ensure you never even browse to a malware-hosting site, or get fooled into turning over your credentials to a phishing site.

Independent Antivirus Lab Test Results

Around the world, researchers at independent antivirus testing labs spend their days putting antivirus tools to the test. Some of these labs regularly release public reports on their findings. I follow five such labs closely: AV-Comparatives, AV-Test Institute, Simon Edwards Labs (the successor to Dennis Technology Labs), Virus Bulletin, and MRG-Effitas. I also take note of whether vendors have contracted for certification by ICSA Labs and West Coast Labs.

Security companies typically pay for the privilege of being included in testing. In return, the labs supply them with detailed reports that can help improve their products. The number of labs that include a particular vendor serves as a measure of significance. In each case, the lab considered the product important enough to test, and the vendor felt the price was worthwhile. The labs don't necessarily test a vendor's free product, but most vendors pack full protection into the free product, enhancing premium versions with additional features.

PCMag Antivirus Test Results

In addition to carefully perusing results from the independent labs, I also run my own hands-on malware blocking test. I expose each antivirus to a collection of malware samples, including a variety of different malware types, and note its reaction. Typically the antivirus will wipe out most of the samples on sight, and detect some of the remaining ones when I try to launch them. I derive a malware blocking score from 0 to 10 points based on how thoroughly the antivirus protects the test system from these samples.

Since I use the same samples month after month, the malware-blocking test definitely doesn't measure a product's ability to detect brand-new threats. In a separate test, I attempt to download malware from 100 very new malicious URLs supplied by MRG-Effitas, typically less than a day old. I note whether the antivirus blocked all access to the URL, wiped out the malicious payload during download, or did nothing. Avira Free Antivirus holds the current top score in this test, followed by McAfee and Symantec, both paid products.

If you're interested in learning more about my testing techniques, you're welcome to read more about how we test security software.

Useful Features

Just about every antivirus product scans files on access to make sure malware can't launch, and also scans the entire system on demand, or on a schedule you set. Once that cleaning and scheduling is done, blocking all access to malware-hosting URLs is another good way to avoid trouble. Many products extend that protection to also steer users away from fraudulent websites, phishing sites that try to steal login credentials for financial sites and other sensitive sites. A few rate links in search results, flagging any dangerous or iffy ones.

Behavior-based detection, a feature of some antivirus products, is a two-edged sword. On the one hand, it can detect malware that's never been seen before. On the other hand, if it's not done right, it can baffle the user with messages about perfectly legitimate programs.

One easy way to keep your PC protected is to install all security updates, both for Windows and for browsers and other popular applications. Windows 10 makes it easier than ever to stay up to date, but there are plenty of security holes in older Windows versions, in popular apps, and in add-ons. Scanning for vulnerabilities in the form of missing updates is a feature most often found in commercial antivirus products, but it does turn up in some free ones. In the chart above you can see which products include these useful features.

What's Not Here

This article reports only on free antivirus products that received at least a good rating in our reviews—three stars or better. Among those that didn't make the cut is Microsoft Windows Defender, with 2.5 stars. All of the independent labs I follow do include Microsoft in testing, but most use it as a baseline. If a product can't do better than the baseline, it's got real problems.

FortiClient fans may notice that this product doesn't appear in the chart. It did get three stars, but it's quite different from the rest. FortiClient is actually designed to work as a client for Fortinet's network security appliance, but is incidentally available as a free standalone.

Furthermore, I'm aware that my review of Bitdefender's Free Antivirus is getting long in the tooth, but the company simply doesn't update its free utilities as often as its premium ones. Rest assured, I'm in close contact with Bitdefender and I'll review its new offering when it becomes available. Now that the commercial Bitdefender 2017 line is out, perhaps the developers will have more time to work on the free edition.

There are also numerous free antivirus utilities that work solely to clean up existing malware infestations. You bring out these cleanup-only tools when you have a nasty malware infestation. When the problem's gone, they have no further use, since they offer no ongoing protection. Our Editors' Choice in this category is Malwarebytes Anti-Malware 2.0, and it's definitely one you should try if you've got a malware problem. But since they're free, you can keep trying others if the first one doesn't do the job. When the scare is over, you'll need a full-blown antivirus for ongoing protection.

What's Best

Our current Editors' Choice products for free antivirus utility are Avast Free Antivirus, AVG AntiVirus Free, and Panda Free Antivirus. All three get very good scores from the independent labs, and in our own tests as well. All three include some useful bonus features. Avast in particular packs a password manager and a network security scanner in its toolkit. If you do have a little cash in your budget for security, the best paid antivirus products do tend to offer more and better protection. If not, try a few of these free tools and see which one you like best.

Best Way to Protect Your Data Online

Nowadays, using social networks and buying merchandise from online retail stores is as common as washing the dishes, and the more it becomes ingrained into our everyday lives, the more we get comfortable and maybe even complacent when it comes to guarding our personal information.

Throughout the years we've all heard millions of tips on how to protect our private data, and with all of those warnings, it's easy to be a little confused about just what's the most important safeguard.

So what's the first thing one should remember while losing themselves inside the vast world of the Internet?

“Don't click on links in email messages or open attachments purporting to come from retail or social networking sites as notifications. When you do, you might be taken to a fake site and prompted to type in personal account information, or infected with malware,” said security researcher Cameron Camp in an interview with ConsumerAffairs.

“If you click on an attachment in a notification email, you may be unwittingly starting the process of infecting your computer. Instead, visit the website directly to make sure you're visiting the legitimate one, then interact with your account directly,” said Camp, a researcher at ESET, a company that deals in IT security.

What can be so tricky in today's digital world is the fact that hackers perpetually develop new ways to steal your information, so just as consumers protect themselves from one hacking scheme, a new and more advanced one follows.

Fake notifications

And just what do some of these new hacker tactics entail?

“Fake notification emails with malicious attachment payloads,” said Camp. “Leaving your mobile device unprotected (no password or other lock), paving the way for scammers to open it up and harvest information in a few easy steps, especially if they steal the device.”

Consumers should also not be “using Java when it really isn't needed, or isn't patched and up to date,” he added. “This can allow tricky malware in the back door, so to speak, and can allow disturbingly powerful tools and techniques to be used against you, regardless of the platform or operating system.”

Camp also says using the same password for all of your accounts is still one of the most common mistakes people make in their daily computer use.

“If one of your accounts becomes compromised by hacking or any other means, your others might soon follow in a cascading fashion, messing up a lot more of your life,” he said.

“Shopping at websites that aren't reputable, or connecting to shopping websites using unencrypted connections,” are also common errors people make, said Camp. “Instead, use https (encrypted), rather than http (unencrypted). Your browser should tell you when you are using an encrypted site by displaying a lock symbol.”

More risks

He also says that although there are more ways to guard your data nowadays, there are also a lot more ways for you to be scammed.

“While there may be some improvement in securing single pieces of your information, the average user interacts with hundreds more services directly, and many more third party services that share that information secondarily,” explained Camp.

“This means there are now exponentially higher numbers of ways to scam you and/or get a very complete digital snapshot of your life, and they would all have to be secure which is unlikely,” he added.

Camp also says using only one method of protection to guard your information isn't good enough, and online users should install backup safety measures just in case the first level of protection is compromised.

“This is the argument that it's better to have one super-secure lock on a box and hope no one breaks it, because if they do then they get everything,” he says. “A better approach is to have a reasonable lock on the box, and also a reasonable lock on the door to the room, the front door to the house, and the gate.”

“Layering defenses in this manner creates a sufficiently high barrier that criminals will go elsewhere to look for easier targets,” said Camp.

Such as ...

And what are some of the software and other safeguards consumers should buy to protect their personal data?

“Find a method (other than post-it notes, don't laugh, that's extremely common) to keep track of your passwords, and make sure it's encrypted in case it falls into the wrong hands,” says Camp. “Sometimes a browser has this feature, but search customer and security reviews before you choose.”

Also “have basic anti-malware software for your computer devices, both traditional PC's and mobile. Remember, users interact with their mobile devices in many of the same ways as they did on their PC and the same protections and scams are also both applicable too, especially in the future,” he said.

“Have a firewall on your primary network you use. This doesn't have to cost many thousands of dollars, just try to enable the defenses on the unit you have. Many modern home routers have surprisingly sophisticated defenses, like intrusion detection/prevention (IDS/IPS) — if you enable them,” Camp said.


Best privacy protection plan is lying

(James Hood @ ConsumerAffairs) Consumers frequently complain that they're always being asked for personal information they'd rather not disclose -- like their phone number, email address or birthdate.

Well, there's a simple way to deal with that. It's called lying and a survey finds it's also a very popular strategy. Researchers said Americans routinely hide their personal details and intentionally falsify information when asked for it by websites, services and mobile app providers.

The findings suggest that many people are skeptical of the need for services to collect personal data, leading people to lie, click away or decline app downloads. According to the survey, people engage in these behaviors to create a sense of privacy and control over their personal information.

Afraid and angry

“Before we did the survey, we’d heard from data aggregators that something like 50% of their data might be incorrect. The survey showed that much higher rates of obscuring data is happening," said study co-author Mary Hodder. "People are afraid and angry, as reflected in their comments to the survey, and they are doing the only thing they can to protect themselves: hiding, lying or withdrawing."

Hodder is on the board of directors of Customer Commons, the California-based non-profit that conducted the study.

The study found that some people will accurately represent themselves only when online services show a clear upside. Otherwise, people don’t want to reveal more than is necessary when all they want to do is download apps, watch videos, shop or engage in social networking.

Key findings in the report include:

  • Only 8.5 percent of respondents always accurately disclose personal information.

  • As many as 70% of respondents regularly withhold at least some personal data.

  • Many respondents lie about various line items as a strategy to protect their privacy. For example, 34.2% intentionally provided an incorrect phone number, and 13.8% provided incorrect employment information.

The concept of trust was raised in 22% of the written responses explaining why people hide their information. Some examples include:

  • “I cannot trust a random website”

  • “I do not want spam and do not want to expose others to spam. I also don't know how that information could be used or if the people running the site are trustworthy.”

  • “If I know why info is needed then I might provide, otherwise no way”   

People are afraid or distrustful of sites, services and phone apps that request their personal data. They withhold or falsify information because they do not believe the sites need their data, and because they do not want to disclose information that might lead to spamming or other intrusions. Moreover, the techniques that people employ to preserve their sense of privacy online are largely improvised, informed by fear, and based on their subjective evaluation of entities that solicit personal information.

Customer Commons describes itself as "a not-for-profit working to restore the balance of power, respect and trust between individuals and the organizations that serve them, especially in the online world." Funding for the study came from CommerceNet, a not-for-profit research institute.

 

Beware of Fake emails from Homeland Security

(Reuters) - The U.S. government on Thursday warned computer users to beware of fake emails they may receive from hackers claiming to be from the Department of Homeland Security and demanding money to reinstate use of their computer.

Homeland Security's U.S. Computer Emergency Readiness Team, or US-CERT, published an alert on its website warning it had received reports of DHS-themed "ransomware."

"Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it," the warning said, adding that the ransomware falsely claims to be from the department and its National Cyber Security Division.

Ransomware is increasingly widespread malicious software that purports to encrypt a user's files and then demands payment to unlock them.

US-CERT urged users and systems administrators to use caution if they find a questionable email message that could contain the ransomware. It said to urge users not to click on the messages or submit any information to Web pages.

(Reporting by Deborah Charles; Editing by Doina Chiacu)

Blacklisted Again?

So your email is being blocked by their spam filters. You didn't use any questionable words or send pictures or HTML mail or do anything else that would make your message look like spam, but it's still being blocked. Why is this happening?

It might be because your address is on one of the many "known spammer lists" (also called blacklists or black hole lists) that are compiled and used by some spam filtering software. But you aren't a known spammer - you've never sent a spam message in your life! So how did you end up on a blacklist?

Here's the problem: some of the black list organizations will put an ISP's entire domain name on the list because some of that ISP's customers are spammers. When the entire domain is blacklisted, that includes the mail of innocent customers who send mail from that ISP's mail servers, too. What can you do about it if you find yourself in that situation?

You could change ISPs, of course - but that can be a big inconvenience if you've had your address for a long time and it's widely known. You can ask people with whom you want to correspond to configure their "white lists" or "safe senders" lists to allow your mail through; most anti-spam software gives precedence to the white list and allows mail from addresses on it even if those addresses/domains are also on a black list. But if you can't send them mail in the first place, this means you'll have to call each correspondent or send snail mail or contact them in some other way to let them know to do this. Some ISPs use blacklists themselves to protect their users from incoming spam, but this means if you get on the list, you won't be able to send mail to customers of that ISP and the customers themselves may have no control and no way to "whitelist" you so your mail can get through. You're just considered "collateral damage" in the war against spam.

"Being on this black list is bad for our reputation ... if it were any other media, you could probably sue the blacklist company for slander. In this case they don't even respond to messages ... There should be a way to be protected from the behaviour of blacklist companies if you don't produce spam. A simple way would be to forbid them to blacklist ranges of IP addresses, only those addresses that have been proven to be used for spam."

For a company, being blacklisted is more than just frustrating - it can result in real monetary losses if you're unable to correspond with customers, partners, vendors and others critical to your day-to-day business. For an individual, being blacklisted can interfere with your personal relationships, keep you from getting a job or prevent you from communicating with organizations with which you do business.

One of the first and most popular blacklists was the Mail Abuse Prevention System Real-time Blackhole List (MAPS RBL). It compiled thousands of entries and is used by hundreds of servers all over the world. It was acquired by Trend Micro in 2005. Spamcop.net is another service that takes spam reports and provides a free DNS-based blocking list.

Unfortunately, when it comes to getting blacklisted, you're guilty until proven innocent, and guilt by association (merely having the same ISP as a spammer) is the order of the day for some lists. Black list compilers (also known as DNSBL operators) publish their lists of individual addresses, domain names, or IP addresses without any sort of warranty that those on the list really are spammers. Spamcop, for example, explicitly states on its web site that their list is provided "as is" and they do not in any way guarantee it or take any responsibility for the results of using it.

There's nothing regulating the operation of a blacklisting service; all you need is a domain, a DNS server and a list of addresses to publish. Different blacklist operators have different policies regarding how they verify their information, how long an address stays on the list, procedures for challenging the listing and having it removed, etc. Some lists add addresses submitted by users, and it's possible to get on a blacklist just because you made the wrong person mad at you.
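The white-list precedence and whole-range listing described in this article can be modelled in a short script. This is an added example, not code from the article or from any blocklist operator: the zone name `dnsbl.example`, the addresses (documentation ranges) and the sample messages are constructed, and a dictionary stands in for the operator's DNS server.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical blocklist zone, not a real service

# Constructed sample traffic: (sender, connecting IP, is it really spam?)
MESSAGES = [
    ("bulk@isp.example", "203.0.113.7", True),     # the actual spam source
    ("bob@isp.example", "203.0.113.50", False),    # innocent, same ISP
    ("alice@isp.example", "203.0.113.51", False),  # innocent, on recipient's white list
    ("carol@other.example", "198.51.100.9", False),  # unrelated ISP
]
SAFE_SENDERS = {"alice@isp.example"}  # recipient's "safe senders" list


def dnsbl_query_name(ip, zone=ZONE):
    """Name a mail server looks up: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(str(ip))).split(".")
    return ".".join(reversed(octets)) + "." + zone


def publish_zone(listed_networks, zone=ZONE):
    """Simulate the operator's DNS zone: one A record per listed address.

    A real DNSBL answers with an address in 127.0.0.0/8 for listed hosts
    and NXDOMAIN otherwise; here a missing dict key plays the NXDOMAIN role.
    """
    records = {}
    for net in listed_networks:
        for addr in ipaddress.ip_network(net):
            records[dnsbl_query_name(addr, zone)] = "127.0.0.2"
    return records


def filter_decision(sender, client_ip, safe_senders, zone_records, zone=ZONE):
    """Return (verdict, reason) for one message.

    The safe-senders list is consulted first, so it overrides a blocklist
    hit. The sender address is whatever the message claims; this model does
    not authenticate it.
    """
    if sender.lower() in safe_senders:
        return ("accept", "safe sender")
    answer = zone_records.get(dnsbl_query_name(client_ip, zone))
    if answer is not None and answer.startswith("127."):
        return ("reject", "listed in " + zone)
    return ("accept", "not listed")


def evaluate(listed_networks):
    """Run the sample messages through the filter under one listing policy.

    Returns the spam senders that were blocked and the innocent senders
    that were rejected along with them (the collateral damage).
    """
    zone_records = publish_zone(listed_networks)
    blocked_spam, collateral = [], []
    for sender, ip, is_spam in MESSAGES:
        verdict, _reason = filter_decision(sender, ip, SAFE_SENDERS, zone_records)
        if verdict == "reject":
            (blocked_spam if is_spam else collateral).append(sender)
    return {"blocked_spam": blocked_spam, "collateral": collateral}


if __name__ == "__main__":
    # Policy 1: the operator lists the ISP's whole address range.
    print("whole range listed:   ", evaluate(["203.0.113.0/24"]))
    # Policy 2: only the address proven to send spam is listed.
    print("single address listed:", evaluate(["203.0.113.7/32"]))
```

Both policies stop the spam source; only the range listing also rejects the innocent customer who is not on the recipient's safe-senders list.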

Nobody wants to get spam, and the intent of the lists is good, but as with any technology, good intentions aren't always enough to prevent bad results. Intelligent spam filtering requires more than just consulting a list; modern filtering programs such as IHateSpam use sophisticated metrics to examine the content of messages themselves and determine whether they're likely to be spam. This results in far fewer false positives.

Block Unwanted Facebook Posts

(Kim Komando @ USA TODAY) ...It's easy to block updates from Facebook friends who are temporarily getting under your skin. Hover over your friend's name, then hover over the Friends menu and deselect Show in News Feed.

Selecting Settings under the Friends menu allows you to control the amounts and types of updates you receive from a friend. You can screen a friend's status updates, life events and photos, for example, but continue to receive her music and video posts.

Not in the mood for a Facebook quiz this week? You can hide stories and unsubscribe from any person, Page, group or app.

If you encounter a political post or other story that is particularly annoying, report it as spam. That will remove it from your news feed, and Facebook's filters will try to block similar content in the future.

For more industrial-strength filtering, install a browser extension such as Social Fixer.

Social Fixer lets you define rules - similar to email - to control what stories you want to see and hide. You can quickly choose one or all of your friends, then choose to hide status updates, photos and other types of posts. The ability to add key words makes this free tool even more powerful.

Keep in mind that Social Fixer is a browser plug-in; it has no effect on your Facebook account or what you'll see on a different computer or gadget.

On Twitter, there isn't much you can do to filter content short of blocking or unfollowing users. But Twitter's own TweetDeck app for mobile and desktop contains a global filter in Settings to block people, words, and hashtags.

You might also want to visit the extension galleries of Firefox, Chrome and Safari to find other plug-ins that promise to clean up your Twitter news feeds.

If you like to watch movie or video game trailers on YouTube, but avoid the site because of all the nasty comments and spoilers, there's help.

Clea.nr Videos for YouTube not only blocks comments, it also removes the clutter of ads and promoted videos. The free extension works with Safari, Chrome and Firefox; there's also an Apple iOS app ($1).

More generalized browser plug-ins can help you hide the comments sections across blogs and other websites you visit.

These controls and tweaks aren't perfect -- an irritating post will get through somehow -- but they should help you regain some of your sanity.

Bots roam the internet, threatening businesses and consumers

(Mark Huffman @ ConsumerAffairs) You're expecting a package from Amazon, or from one of the package delivery services. An email pops into your inbox about a problem, and there's a link where you can get more information.

Only the email is not from any legitimate company. It's a scammer posing as the legitimate company.

While it's a big problem for consumers, it's a huge problem for the companies that are being impersonated. Their brand can suffer as a result.

MarkMonitor is in the brand protection business, on the lookout for cases where a client's brand has been misappropriated, for any reason.

“We are basically monitoring across multiple digital channels – websites, marketplaces, social media, mobile apps and emails,” Akino Chikada, MarkMonitor's Senior Brand Protection Manager, told ConsumerAffairs. “We're scanning through the entire internet looking for any potential online abuse of that brand.”

It's a never-ending job because scammers keep getting more technologically powerful. The latest wrinkle is the deployment of bots – web robots – to seek out and engage victims, meaning one scammer can become a million times more effective.

“As we know there is a significant number of bots driving internet traffic,” Chikada said. “A recent report found humans account for about 51% of traffic. The rest is driven by bots.”

Whole new dating game

And these bots have added a whole new dimension to the online dating scam. A decade ago, this scam consisted of an individual scammer seeking out and engaging a potential victim, building trust, then swindling him or her out of thousands of dollars. It was a labor-intensive and time-consuming enterprise.

Today, bots do the work, engaging males on Tinder, pretending to be females. Chikada says it's easy to program these bots to engage in dialog.

“They can remember user details like names, age, location, so it's easy to start engaging a victim,” she said. “They're definitely a lot smarter and more sophisticated.”

Tinder's popularity makes it a target-rich environment. Scammers are using bots to persuade victims to send them money, and also download malware.

How to spot a bot

How can you tell if the “person” you are engaging with on Tinder is actually a machine? If you pay close attention, you can do it.

Bots tend to type faster than the average human and yet they don't make as many typos. Also, responses can be generic and not always specific to what you have said.

The big tip off? Chikada says they will eventually ask you to do something for them, and it either requires clicking on a link or giving them your credit card information.

And finally, if the “person” is really attractive, you just might be conversing with a machine.

Business Gone In 60 Seconds vis a vis Poor Email Policy

Just this week, an area manager for a local company decided to go into business for himself. 

The company policy allowed each employee to use their own personal email accounts to conduct company business. As a result of that policy, ALL sales leads in that area now go to “HIS” iCloud email account, and there is nothing the company can do about it. 

Essentially, their business in that geographical area is GONE. Their current customer base in that area only communicates with the company through “HIS” email address. They can forget about repeat business. And their long list of current prospects use “HIS” email to request new service, AND, the new prospect contact list is only in “HIS” contact list. The company does not even know who their prospects are. OUCH!!!

Lesson learned: Never Never Never allow an employee to use their own email account to conduct company business, and Never Never Never use a free email service (Gmail, Yahoo, iCloud, Knology...) as a business email address.

Why? According to Dr. W. Edwards Deming, “he who owns the data owns the business”. In this case, the former employee owns their business.

How can a business email account make a difference?

  1. Email and Contact information could be archived so that the company could have full use of the data for sales, marketing, and customer service.

  2. Products like Thunderbird provide the ability to monitor company email in real-time. An employee defection may have been detected much earlier.

  3. With a click of a mouse or password change, emails and contacts can be securely blocked from one employee and made available to another employee (“HIS” replacement), thus denying future access to company data.

There are hundreds of reasons why a business should control their company email, such as Control, Security, Brand Recognition, Credibility, and the memorable impression that it makes. But this one incident really makes the case.

If you need assistance setting up a company email account or policy, please let us know.

CBS - Cicada 3301: Code-breaking scavenger hunt has the Internet mystified

A screenshot of a Cicada 3301 clue from a website. net-netz-blog.de

Is there a secret society attempting to recruit the best code breakers in the world, using clues that span the globe and the Internet? That’s what some people believe the case is with the elusive Cicada 3301 online puzzle, which, if history repeats itself, will make a return within days.

Tekk Nolagi, a teenager from the San Francisco Bay Area who asked not to be identified by his real name, says he was sitting in a high school robotics lab in 2012 with his friends when the photo first appeared on the image message board 4chan.org.

“It was posted on the paranormal activity thread or something like that,” Tekk told CBS News over the phone. “A bunch of people said, ‘wow, that’s creepy’ and didn’t say anything else.”

It was an image of white text against a black background that said:

“Hello. We are looking for highly intelligent individuals. To find them, we have devised a test. There is a message hidden in this image. Find it, and it will lead you on the road to finding us. We look forward to meeting the few that will make it all the way through. Good luck. 3301.”

And with that image, a scavenger hunt began that involved online images, cryptography, number theory, physical clues, phone calls, QR codes and websites on the “darknet.”

Some of the theories about who is behind the puzzle include the National Security Agency, Central Intelligence Agency or a secret society. Some have speculated that the puzzle is a recruitment program or an alternate reality game, where players collect clues, interact with other players and solve puzzles in real life.

According to the participants online, when the image was opened in a text editing program, a cryptic message appeared that was interpreted as a Web address. Those who were trying to solve the mystery were led to a website, which in turn led to a Reddit.com forum called "a2e7j6ic78h0j" that revealed a series of symbols and coded messages.

Several more clues were uncovered -- including hidden messages that suggested the key to breaking the code was already posted on the a2e7j6ic78h0j forum. Once decoded, a U.S. phone number was revealed. 

The number, which has since been disconnected, had a message for callers that was yet another clue. This time, a riddle led to a website that had a picture of a cicada and what appeared to be geographic coordinates.

According to online reports, posters were found at some of the locations around the world, including Paris, Warsaw, Seoul and Miami. Each poster had an image of a cicada and a QR code that, when scanned, revealed a message.

Tekk says he worked with a group of nine active participants and several additional helpers to solve the breadcrumb trail of clues left by the game’s creators. One of the people working with him sent his brother out to see one of the posters, which was located in Australia, in real life. It was a physical piece of the worldwide puzzle that they could confirm existed.

“I was in awe and frightened because I didn’t know exactly what the reach of these people were. Imagining they have access to all these different places around the world at the same time kind of blew all our minds. We started getting a little bit nervous in the chat room,” he said.

After a series of increasingly intricate clues, a final message was discovered on the Reddit forum with the symbols and coded text that read:

“We have now found the individuals we sought. Thus our month-long journey ends. For now. Thank you for your dedication and effort. If you were unable to complete the test, or did not receive an email, do not despair. There will be more opportunities like this one.”

Soon after, the trail went cold and no new clues were released until a year later on Jan. 4, 2013, when a new image appeared on 4chan.

Tekk chose not to continue chasing the clues the following year, saying, “I stopped after my first year because it was too time consuming.”

Just like the previous year, a similar trail of clues was revealed after the initial image appeared on 4chan, including a sequence of prime numbers, an audio file and a mysterious Twitter account tweeting coded messages.  

One of the clues posted on Wikia led to a bizarre test, reportedly emailed to participants, that asked multiple-choice questions like: “I am the voice* inside my head” and “Observation changes the thing being observed.” The choices in answers included: true, false, indeterminate, meaningless, self-referential, game rule, strange loop and none of the above.

One of the final pieces of the 2013 puzzle is an email that was reportedly sent to those who passed the test. There hasn’t been much activity since that time, and much of the community following Cicada 3301 anxiously waits for Jan. 4, 2014 to arrive, when a new clue might be posted online.

What little information is known about Cicada 3301 has been posted on websites like Wikia and Github, but no one seems to know who is behind the puzzle and what their motives may be for creating such an elaborate trail of clues.

Tekk has some theories of what the group’s end game may be, which he says was revealed to him when he found himself in a chat room, of sorts, with people claiming to be the organizers of the Cicada 3301 puzzle.

“It seems like their end goal would be to have some kind of free and open cryptography and anonymity software released to the public, but that’s just a small facet of what they’re trying to do. I don’t think anybody actually knows what they’re going to do from there,” he said. 

CCLEANER Hacked

Consumers who downloaded the CCleaner security program thought that they were protecting their devices from malware, but security researchers at Cisco Talos say the app directly delivered malware to millions of users.

The discovery made earlier this month involves what the researchers call a “supply chain attack.” Supply chain attacks happen when hackers target a company or manufacturer that delivers a product to consumers.

In this case, the download servers used by Avast (CCleaner’s parent company) were breached. Hackers used their access to the servers to modify CCleaner’s download package to include malware that was delivered to users.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” explained the researchers.

Millions of users affected

CCleaner is an extremely popular tool amongst consumers for ridding computers of malware and improving speed and performance. In November, Avast boasted that the program had been downloaded over 2 billion times, with 5 million users downloading the app per week. Unfortunately, the researchers say that these high growth numbers can be disastrous from a security standpoint.

“If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes,” said Cisco Talos researcher Edmund Brumaghin in a blog post.

Piriform, the company that operates the affected download servers, has confirmed that versions 5.33.6162 and 1.07.3191 of CCleaner for 32-bit systems were compromised by hackers. The company estimates that as many as 2.27 million people are using the affected software or have downloaded a compromised version of CCleaner Cloud.

“The compromise could cause the transmission of non-sensitive data…to a 3rd party computer server in the USA,” the company said. “We sincerely apologize for this and are committed to making sure nothing similar happens again.”

What to do

Brumaghin says that users who have downloaded a malicious version of the CCleaner program need to restore their devices to a state before August 15, 2017 and update to the latest available version of the program to avoid infection.

Piriform encourages users to download the latest version of the software here. (Note that visiting this link will initiate a download for the latest version of CCleaner.)

CNN Says Online privacy is dead

(Jose Pagliery @ Jose_Pagliery) It's getting harder to remain faceless online. Even far-out measures of data encryption are under attack. These are dark times for online privacy. The U.S. government is spying on its own citizens' online activities. The FBI was able to suss out and shut down the anonymous black market Silk Road. Even the Internet-within-the-Internet called the Tor network -- the most secretive way to browse the Web -- is being monitored by the National Security Agency.

Strong passwords and encrypted email services were never truly enough to protect users' online privacy. But recent revelations about government surveillance even throw into doubt the effectiveness of far-out measures of data encryption used by the most careful people surfing the Web.

Silk Road serves as a prime example. It operated as a hidden service on Tor, an anonymizing tool that helps users and sites keep their identities secret. Everyone buying and selling drugs, weapons and other illicit items on the site thought they couldn't be tracked.

But federal agents managed to track down a computer server Silk Road used, and the FBI monitored more than 1.2 million private communications on the site.

If online privacy can't stand up to good, old-fashioned police work, it doesn't stand a chance against some of the more potent tools the government uses:

 

  • The NSA figured out how to track down who's who on Tor by exploiting weaknesses in Web browsers, according to documents former NSA contractor Edward Snowden leaked to The Guardian -- a bug that was only recently fixed.
  • PRISM, the government's hush-hush mass data collection program, lets even low-level NSA analysts access email, chats and Internet phone calls.
  • The U.S. government issues frequent, secret demands for customer data from telecommunications companies.

 

It's no wonder, then, that many have declared the death of online privacy.

"Unfortunately, online anonymity is already dead," said Ladar Levison, founder of e-mail service LavaBit that closed its doors in the wake of the NSA's PRISM controversy. "It takes a lot more effort and skill than most have in order to keep your anonymity today."

Remaining unrecognizable and keeping conversations private online is immensely important. It's not just an issue for civil libertarians -- online privacy is crucial for crime victims, whistleblowers, dissidents and corporations trying to keep secret the latest high-tech research.

The result has been tantamount to a cryptographic arms race. On one side are independent programmers usually writing free software. On the other are a dozen U.S. intelligence agencies supported by a $52.6 billion black budget.

And while some claim unbreakable encryption is coming, large-scale availability is still years away.

"It's an open question how much protection Tor or any other existing anonymous communications tool provides against the NSA's large-scale Internet surveillance," said Roger Dingledine, Tor's lead developer.

Still, Aleecia McDonald, a privacy expert at Stanford University's Center for Internet & Society, said there's still a benefit to guarding yourself with a network like Tor. At least you make it harder to get spied on.

"The NSA has to attack Tor users one by one, not en masse as they do with non-Tor users," she said.

Can Facebook and Twitter Affect Your Credit Score and Insurance?

Facebook and Google are big names in the online privacy debate, but maybe the real threat is from unseen data brokers behind the scenes. In observance of Data Privacy Day, here are some things to know and consider in conducting your online life.

Did you know January 28 is Data Privacy Day in the United States, Canada, and the European Union? The intention behind Data Privacy Day is to raise awareness of the importance of protecting the privacy of personal information—not just amongst individual users of things like social networking, but also amongst businesses, organizations, and corporations that collect, retain, and access information about their clients, customers, and users. Companies like Facebook, Google, Microsoft, and Yahoo have been drawing the attention of privacy advocates and regulators in recent years, but the reality is that there are tens of thousands of companies out there collecting, processing, and distributing personal information about individuals all the time. Increasingly, those companies are looking to things like social networking for cues about individuals’ behaviors, lifestyle, interests, and activities.

Facebook CEO Mark Zuckerberg — Time’s 2010 Man of the Year — once famously declared privacy is not a “social norm,” and Facebook and other companies have consistently borne out that idea in the online world, collecting an increasing amount of information about individuals and hiding behind privacy policies longer than the U.S. Constitution. Clauses of implied consent decree that users legally agree to having their information gathered and tracked, so long as they continue using accounts or services. In other words: Users can either agree to be tracked, or they can agree not to use a service. However, this cavalier approach to data collection and user profiling is drawing increased scrutiny not just from consumer and privacy advocates, but from governments and everyday people. The European Commission has just proposed new data protection laws that would enshrine a “right to be forgotten” for individuals, and the U.S. Federal Trade Commission has forced Facebook to toe the line on sharing user information with third parties. Google’s recent ground-up revamp of its privacy policies and user tracking is almost certain to draw FTC scrutiny as well.

Can Facebook videos be a scam?

Q. I tried to watch a video on Facebook, but it didn't work. It made me install a new driver and then still didn't play the video. What gives?

A. I doubt that was a real video at all. This is a scam that is common on Facebook. The post looks like a really interesting or scandalous video. When you click it, it asks you to install a driver to watch it. What you actually download is usually a junk file or a virus. When you try to install the "driver," you share the scam video with all your friends so they'll be tricked. When you see a video on Facebook, do a search for the video on YouTube or Google. If you can't find the video, it's probably a scam. You can also see if the scam has been reported on sites like Facecrooks and Snopes.

Can GPS Spy On You

The Supreme Court issued a landmark decision 1/16/2012 regarding warrantless surveillance that could have vast implications for privacy and technology in the years to come. In a unanimous ruling, the justices said the police violated the Constitution when they placed a GPS device on the underside of a suspect’s car and used the device to track and record his movements for a month. The court, however, was closely divided on its reasoning for the decision, and the split could leave several important privacy-related questions unresolved.

The question in the case was whether Washington, D.C. police violated the Fourth Amendment rights of the defendant, Antoine Jones, when they placed a GPS tracking device on his car to gather evidence for a potential drug trafficking case. The government argued that Jones had no “reasonable expectation of privacy” in either the location of the device — the underside of his car — or in the places where he drove the car, such as public roads. The police failed to obtain a warrant before attaching the device to Jones’s car.

All nine of the justices agreed that the action was unconstitutional, but split 5-4 on why. Writing for the majority, Justice Antonin Scalia offered a narrow justification for the ruling, citing the Fourth Amendment’s guarantee that the “right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated.” A vehicle, Scalia wrote, counts as an “effect,” and physically placing a GPS device on a person’s car counts as an “unreasonable search.” Once the court determined that a physical trespass had occurred, Scalia wrote, there was no need to go any further:

It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information. We have no doubt that such a physical intrusion would have been considered a “search” within the meaning of the Fourth Amendment when it was adopted.

This reasoning, however, leaves unanswered the broader and arguably more important question of whether the government’s use of technologies that don’t involve physical trespassing — cell phone location tracking, for example — violates the Constitution. What if, instead of attaching a GPS device to your car, the police decide to intercept the digital information that streams from your iPhone to cell towers every time you use Yelp to find nearby restaurants or search for directions on Google Maps?

This ruling, according to the majority, leaves that question unresolved. In concurring opinions, the four remaining justices argued that the court should have used this case as an opportunity to answer the bigger, privacy-related questions now. Those justices said they would have used a different and more far-reaching standard than the physical trespass analysis used by Scalia.

That standard, Justice Sonia Sotomayor wrote in a concurring opinion, is irrelevant to many modern forms of surveillance which don’t involve physical intrusion. Auto manufacturers can install tracking devices in cars right there in the factory. Smartphones come equipped with location-tracking GPS technology. These devices can reveal a wealth of data about a person’s relationships, political and religious affiliations and so forth, without requiring any physical intrusion on a person’s private property. But they may still violate a person’s reasonable expectation of privacy, Sotomayor wrote:

Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse. The net result is that GPS monitoring — by making available at a relatively low cost such a substantial quantum of intimate information about any person whom the Government, in its unfettered discretion, chooses to track — may “alter the relationship between citizen and government in a way that is inimical to democratic society.”

Can Hackers Attack My Laser Printer?

Computerworld reports that millions of Web-enabled printers contain a security weakness that could allow attackers to take control of their systems, steal data, and issue commands that could cause the devices to overheat and catch fire. This finding is corroborated by researchers from Columbia University. Whilst HP was named specifically, it is likely that printers manufactured by other vendors may have the same issue, leaving users of those devices exposed to similar threats, the researchers said.

Can They Hack Your Voicemail

First, I hacked my own voice mail. Then, when colleagues came around to see, several volunteered their phones, too.

With a few clicks of a mouse, we accessed our mobile phone voice mails from a desktop computer. No password needed. No cellphone needed.

It was surprisingly easy.

The alleged phone hacking at the heart of the scandal at the now-defunct News of the World tabloid can be performed here in the U.S. — and easily. 

It works because some voice mail systems allow you to hear your messages without a password when you're calling from your own phone. The system knows you're calling from your own phone based on your caller ID number.

But there are several online services which, for a small fee, allow you to "spoof" — or fake — a caller ID number. Just $10 gets you access to this trickery, and to clear access to voice mail messages.

I first heard about the technique this morning, in a tweet by Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. Within an hour, I'd hacked my own phone.

Our WNYC experiment was not a scientific study — and, again, we accessed only our own cell phone accounts — but we tried two AT&T accounts, two Sprint accounts, two T-Mobile accounts and two Verizon accounts. Once we figured out the technique, we had easy access to voice mail messages in both AT&T accounts and one of the Sprint ones. We couldn't get into those of the T-Mobile and Verizon phones.

The Password Issue

You probably have a password for your voice mail account, which you use to access your messages remotely.

But AT&T spokesman Mark Siegel said that for convenience, AT&T customers "also have the option of not entering your password when accessing your voice mail from your mobile phone."

That's certainly true for my AT&T iPhone. Siegel said for the best security, AT&T recommends customers change their settings to require a password even when checking voicemail from their own phone, which people can do by logging into their account on the AT&T website.

Having that functionality definitely blocked our "spoofing" access to several accounts — though together, one of our newsroom staffers and I were able to access her AT&T account even though her phone requires a password every time she checks her voice mail.

A spokeswoman for Verizon Wireless said the company's customers must enter a password every time they check voice mail, from any phone. That seemed to be why we couldn't access those phones. A spokesman for Sprint said it offers customers the option of disabling their access password, and warns them that doing so can make their account vulnerable.

Is This Legal?

Spoofing caller IDs does not, in itself, appear to be illegal. There are actually several services that use this technique to legitimately offer people an alternative telephone number.

But, under the Truth in Caller ID Act of 2009 it's clearly not legal if you're faking a caller ID "with the intent to defraud, cause harm, or wrongfully obtain anything of value."

Steps You Can Take

First, you can set up your phone to require a password every time, even when checking from your own phone.

But quick access to your messages is pretty convenient. Our in-office experiments suggest another way to help protect yourself is to delete (not just skip) messages you've already heard. That way there's nothing to listen to.

And here's a big red flag: A missed call that looks like it's from your own phone number. That was a byproduct of the trick we used — and a clear sign of our "hacking."

Can They Really Hack Your Car

High-tech car thieves are using electronic devices to easily unlock vehicles.

( @ Credit.com) With AAA predicting the biggest Labor Day travel weekend since the recession hit, many Americans will be stealing away for that final summer trip. Unfortunately, they won't be the only ones stealing.

There's a new type of crime happening on America's highways and byways. A nationwide crime spree in the making, if you will, whereby high-tech thieves can unlock vehicles easier than you'd like to think possible.

We're way beyond rocks, cobblestones, baseball bats, shims and crowbars now. Using improvised electronic devices that recreate the same signals as the key fobs many of us carry, thieves can pop the lock on your car from afar, then rifle through your belongings and steal whatever they like, all without the noise and trouble of breaking a window or jimmying a lock.

Once the stuff of urban legend, this kind of crime is now on the rise, according to police. "We believe that this code-grabbing technology was utilized and we are looking into it," Sgt. Andrew Schoeff of the Chicago Police Department told ABC News after thieves there broke into multiple cars in one neighborhood.

Technology experts have warned for years that key fob crimes were possible. In 2011 Swiss researchers announced they had cracked the encrypted remote entry systems of ten car models by eight different manufacturers, using equipment that cost as little as $100. That research has now become reality, as crime rings from Chicago to Long Beach have figured it out.

The way this crime works is still somewhat of a mystery in crime-fighting circles. And while there are doubtless ways to avoid becoming a victim, I'm not sure what they might be beyond owning a car that doesn't use the fob system.

A Terrifying Turn

While it's unsettling to have your car invaded or stolen while you're on a Labor Day trip with your family, it's not life threatening. What scares me is when a car hacker evolves from messing with your doors to invading your car's computer system.

The possibility of this even stranger and more dangerous crime is lurking on the horizon. Most modern cars use computers to control everything from engine compression to cruise control, airbags and brakes. Those computers communicate with each other on open networks. Using an $80,000 grant from the Defense Advanced Research Projects Agency (DARPA), two researchers recently hacked the onboard computers of a Toyota Prius and a Ford Escape SUV.

They made the Prius accelerate and brake, as well as jerk the wheel while traveling at high speeds. They managed to turn the Ford's steering wheel at low speeds and disable the brakes, which caused researcher Charlie Miller to drive the SUV into his garage and totally destroy his own lawnmower. This is the stuff of nightmares.

"Once you are through that initial barrier, you can and will be able to do almost anything you want to," security researcher Don Bailey recently told NPR.

Beyond Account Takeovers

It gets worse. At last month's Def Con, an annual convention for hackers, Miller and his co-researcher Chris Valasek showed a packed audience how they could drive a brand-new Prius using a Nintendo video game controller from the 1980s. They did it by plugging a laptop into the car's On-board Diagnostics (OBD) jack, which mechanics use to diagnose mechanical problems. Experts believe that soon it will be possible to accomplish this by way of a wireless hack.

Can You Avoid Identity Theft

(Daryl Nelson @ ConsumerAffairs) “Identity theft cannot be prevented. It can’t.” Those were the words uttered by identity theft expert Adam Levin, who’s the chairman and co-founder of Identity Theft 911, a company that provides data protection services for businesses.

This could make a consumer feel pretty helpless. After all, there are things you can do to prevent home burglaries and auto theft, but identity theft? That's another matter.

By now, you’ve probably heard that the Social Security numbers and credit reports of some famous individuals were posted by a covert group of folks who have, so far, done a pretty decent job of staying anonymous and remaining behind digital walls.

So far, the data bandits posted the Social Security numbers of former Vice President Al Gore, presidential candidate Mitt Romney, Michelle Obama and a bunch of entertainment and sports figures like Tiger Woods, Britney Spears, Jay-Z, Kim Kardashian and Mel Gibson.

Additionally, the hackers released bank account and credit card balances of the celebrities since this information was on most of the credit reports.

Now let’s face it, some of you will probably roll your eyes at the fact that some of the rich and famous were hacked into, since it’s logical to think their level of wealth and celebrity makes them bigger targets and more likely to be stolen from.

Too much information

But Levin says everyday consumers should be just as worried, because identity theft isn’t something that can be completely halted, for the mere reason that there’s an unprecedented amount of information being exchanged today.

“There’s way too much information out there about people," said Levin in an interview with ConsumerAffairs.

“People have a tendency to overshare information and there have been so many breaches at so many levels of government and business. And oftentimes businesses put in fairly well-thought-out security systems, but the problem is a security system is only as good as its weakest link and historically people are the weakest link.”

“So you see a company like RSA, which is arguably the most secure company in the world getting breached, because a low-level employee clicked on a "spear-phishing" email that allowed [others] to crawl into the bowels of the company by collecting his email and following the trail to where it led them and basically compromising the security codes of the company and forcing the company to replace 40 million fobs.”

Levin says that between people’s newly developed need to share, state-sponsored hackers and independent hacktivists, the world presents a new kind of danger that hasn’t been fully grasped by the everyday consumer, and because identity theft is still relatively new, at least in digital realms, a lot of people haven’t realized that they need to do more than change their password every now and then.

New mindset

What needs to happen, says Levin, is that people need to develop a completely new mindset when it comes to dealing with data thieves.

“You’ve got to have a paradigm shift in the way you think, stop thinking you can prevent it,” he says. “It doesn’t mean you shouldn’t do everything you possibly can to minimize your risk of exposure.

“That means you do everything that everybody from the beginning of time when the subject of identity theft comes up has told you: Don’t carry your Social Security number, don’t give information to people you don’t know, don’t click on things ever if you can avoid it, certainly not things that don’t look right."

"Have the best security systems on your computer and your smartphone. People think smartphones are communication devices; they’re really mini storage devices. Shred everything in sight," said Levin.

One of the most effective ways to learn if your identity or financial information has been tampered with is to request a free credit report, which helps people understand and manage their credit better.

If possible, people should look at their credit information on a daily basis to determine if anything looks off, even slightly, and if it does you should immediately jump into action, instead of assuming something was your fault and that maybe you forgot to pay something off on time.

Joining a transactional monitoring program through your bank and credit card company will help you stay on top of each daily transaction, which may sound a bit drastic to some, but Levin says these are the measures that consumers need to take these days.

In short, the level of consumer vigilance needs to be stepped up tenfold if people expect to keep their information secure, Levin says.

Once you sign up with the transactional monitoring program you can either ask to be notified after every transaction or only on those transactions that reach a certain limit.

In addition, Levin says that thieves are stealing information in much more advanced ways today and often it’s not by hacking or by breaking your password.

He says scammers are moving a lot more slowly and more methodically these days and they'll take long amounts of time to gather the information they need to begin their scam.

Not a hack

In the case of the celebrities, Levin says their information wasn’t actually hacked, it was gradually collected.

“It wasn’t a hack,” he said. “What they did was they assembled all of this information, because that’s what these guys do. They [gather] together information slowly, sometimes from social networking sites, sometimes from businesses of social networking sites and their goal is how much information can they get together to answer the authentication questions.”

Another piece of advice Levin has for consumers is to make up answers for those authentication or security questions that ask you for your mother’s maiden name, for example. Although you may have to write your answer down to remember it, it’ll be hard for someone to use that piece of information in their intended scam.

People most often slip up and release personal information when they choose convenience over slow and careful safety measures, Levin says.

But even with all of the statistics on identity theft and even after the numerous stories of people having their identities used in a number of different frauds, a lot of people still consider all of the identity theft talk just another scare tactic and just like other dangers in the world, many people don’t believe those dangers will happen to them, at least not on a large scale.

In a poll conducted by research company GFK and released by telecommunications company Omnitel, researchers interviewed 1,000 people, consisting of 500 adult males and 500 adult females.

When the participants were asked if they believed the issue of identity theft was just a scare tactic and not a serious problem, 390 people (39%) said they strongly agreed with that statement. That's a substantial amount and indicative of just how many opportunities there are for people that want to steal your data.

And they’re not just stealing money. Scammers are into all kinds of nasty little deeds, from child identity theft to medical theft, where a person can steal your information, get medical care under your name and create all types of confusion and harm, says Levin.

What to do

Besides doing all of the traditional things if you learn your information has been stolen or compromised, like changing your passwords and contacting your banks and credit reporting agencies, it’s important to communicate with your insurance company to see what type of identity theft protection you have. In some cases the protection may be free, Levin says.

In addition, filing a police report is imperative.

“You’ve got to file a police report,” Levin says. “If you don’t file a police report it is a nonstarter, because the sense is, if you don’t file a police report that means maybe you’re the identity thief.”

And if your information isn’t just compromised but outright stolen, you’ll have to do a little more legwork, which can be labor-intensive, but extremely necessary to start fixing some of the wrongs that were committed against you.

“You’ve got to communicate with those government agencies that are appropriate,” says Levin.

“There are some states that have an identity password and that’s something where a card is issued in most cases by the Attorney General confirming that you’re a victim, so if you encountered any issues you have the card.”

Can You Hear Me Scam

(Mark Huffman @ ConsumerAffairs) If you answer the phone and hear that question, just hang up!!!

Scammers will often try to bring back old scams that have fallen out of style and make them work. Now, one of the oldest ones, with a new wrinkle, is making a comeback. It's called the "can you hear me" scam.

Not to be confused with Verizon Wireless's old marketing slogan, the "can you hear me" scam is used by outlaws who have established valueless telecommunication services that they trick telephone customers into purchasing.

It works like this: a robocaller dials your number and if you answer, a human being comes on the line. The first thing he or she says is "can you hear me?"

It seems like a perfectly reasonable question. After all, maybe he's having trouble hearing you and thinks there is a bad connection. So you instinctively answer "yes."

The caller hangs up because he's got you. The next thing you know, a charge for some weird service shows up on your phone bill.

So, how did that happen?

Your answer is recorded

When the scammer asked "can you hear me," he or she was recording your answer. The scammer now has your voice saying "yes." The question might have been "can you hear me," but your answer will be spliced to another question, something like "do we have your permission to add the Acme call forwarding service to your telephone account?"

If you'll recall, anytime you change your telephone account, the customer service rep transfers you to a third party who verifies that you are making the change to your account. You give your consent by saying "yes."

But how can the scammer begin to charge your account? You can thank Congress.

Telecommunications Act of 1996

In 1996, Congress updated the Telecommunications Act, adding a provision allowing small, third party companies to market and sell their services to consumers. If a consumer wanted the service, he or she would be billed for it through their local telephone provider.

It was supposed to increase competition, allowing little companies to go head to head with the big boys. But the unintended consequence was the proliferation of something called "cramming" -- whereby unscrupulous companies and outright scammers added these services to customers' phone bills without their permission.

The current scam takes it to another level. It's been reported so far in Virginia, Florida, and Pennsylvania, but there's no reason to think it won't go nationwide soon, if it hasn't already.

So if you answer the phone and the first thing you hear is "can you hear me," fight the urge to respond. Just hang up. You've got a scammer on the other end of the line and engaging him in any kind of conversation could be dangerous.

Can Your Computer Make You An Easy Target For Criminals?

I know many other people, in many different occupations, whose work has been made easier by the Internet. I know many others whose jobs wouldn't even exist if not for the 'net. But it's not just those of us with legitimate jobs who are aided by today's technology. Unfortunately, in our increasingly connected society, it's also easier for criminals to do their dirty work. And I'm not just talking about phishers and hackers and others who operate solely at a distance. Believe it or not, local thieves and con artists benefit from the Internet as well...

Take burglars, for instance. Once upon a time, it took some time and effort to be a successful "break and enter" guy. Since most burglars don't want a confrontation - they just want to get in and get the loot and get out as quickly as possible without getting caught - they would spend some time conducting surveillance ("casing the joint") to learn the habits of occupants, to be able to predict when they would be away. They would knock on doors, pretending to be door-to-door salespeople or survey takers, to get a look inside the house so they could determine if there was anything worth stealing. They used clues such as newspapers piling up in the driveway to signal them that homeowners were away on vacation.

Today fewer people subscribe to newspapers - many of us get all our news online or via TV - but that's okay, because burglars have much better sources for finding out that your house is empty. They can just follow you on Twitter or become your Facebook friend, and you'll let them know not just that you're leaving town, but where you're going and how long you're going to be away. If they're really lucky, you might even post other useful info, such as the fact that your dog died last week, or that your alarm system has been on the blink.

And it's even better (for the burglar) if you also recently bragged about the expensive painting that you just added to your collection or the high-dollar TV that you bought last week. Now there's no need to try to guess, based on the outside of the home, what goodies might be inside. Our bad guy can "shop online" for exactly the merchandise he's interested in stealing. Last year, an Arizona man tweeted that he was going out of town and his home was promptly burglarized. Computer equipment worth thousands of dollars was stolen:

http://www.abc15.com/content/news/southeastvalley/mesa/story/Home-burglarized-after-owner-twittered-he-was/Jq5LLx3ra0exDfw_pwFwOg.cspx

Of course, it could take a lot of time to try to follow the comings and goings of everyone in the neighborhood that you're targeting. Surely, with today's technology, there's a way to expedite the process. Indeed there is; our would-be crook can just go to a helpful web site and find "new opportunities" - posts gathered from social networking sites indicating that people are not at home:

http://pleaserobme.com/

The site ostensibly exists not to help burglars, but to raise people's awareness about posting their location data in public venues. There's nothing illegal about it; they're just aggregating posts that are available to anyone from social networking pages that are open to the public. And according to a survey done by a British insurance and investment management company, 40% of social networking users share their holiday plans on sites like Facebook and Twitter. If you absolutely must post that you and your whole family are five hundred miles away from home, it might be a good idea to mention in that post how much you're missing your three pit bulls, who had to stay home, or how thankful you are that your cousin, the Marine sharpshooter, volunteered to house-sit while you're gone.

Even if you're diligent about not revealing your location in your posts, that doesn't mean you're safe. Location-aware applications are becoming more and more popular, especially for smart phones, which have built-in GPS chips. Now some laptop computers also include GPS. This means software programs can access the information from the GPS hardware and know where you're located (or more precisely, where your cell phone or laptop is located). Some apps use this information to provide you with location-specific information; for example, if I look up a restaurant with Bing on my Omnia II phone, it displays ads for restaurants that are here close to my house.

Location-awareness can be used by program developers for all sorts of purposes. Some apps (such as Twittelator for the iPhone) let you automatically send your location to your followers. The intent is to be able to keep up with where your friends are so you can get together when you're in the same vicinity. But if you aren't careful, these applications can also expose your location to burglars, stalkers, or other people who will use the information for nefarious purposes.

Google Buzz is a new service that integrates with your Gmail account, and there is a mobile version of it for iPhone, Windows Mobile, Android and Symbian phones. According to the Google folks, "Rather than simply creating a mobile version of Buzz, we decided to take advantage of the unique features of a mobile device - in particular, location." The app can attach location tags to your posts and although this can be turned off, it is one of the key features of the program so many people will be using it without thinking about the ramifications.

https://sites.google.com/a/pressatgoogle.com/googlebuzz/mobile-blog

Another location-centric phone application is Foursquare, which comes in versions for iPhone, Android, Blackberry and Palm. I guess the Foursquare folks are anti-Microsoft, so we WinMo users aren't at risk from this one. The purpose of Foursquare is to "check in" - which means divulging your location so the app can then tell your friends where you are.

http://foursquare.com/learn_more

Yet another similar application is Loopt, which "shows users where friends are located and what they are doing via detailed, interactive maps on their mobile phones. Loopt helps friends connect on the fly and navigate their social lives by orienting them to people, places and events."

http://www.loopt.com/

All of these apps can be fun to use and useful, but it's important to think about the downside of constantly having your whereabouts known. And it's not just your own posts and apps that you have to worry about. If your friend comes over to your house and he tweets that he's visiting his friend, (insert your name here), and his location-aware app sends a map out to all his followers, those people now have your address.

For kids, the dangers are even greater - and they are often too naïve to understand that giving out information about where they are can put them at risk. With so many teenagers and pre-teens carrying cell phones these days, it's something parents need to keep in mind. Of course, location-awareness can also be used by parents to keep tabs on those kids. AccuTracking is just one company that offers real-time cell phone tracking services:

http://www.accutracking.com/

Google Latitude can be used to do basically the same thing, and it's free:

http://forums.wxpnews.com/messageview.aspx?catid=36&threadid=3345&enterthread=y

As for me and my household, we will keep our privacy!

Captcha Battles SpamBots on Web Forms

Once upon a time, you could put a form on the Internet, capture good information about your visitor, and use it to service their needs. Today, SpamBots peruse websites and fill unprotected online forms with profanity, vulgarity, or at the very least, a bunch of nonsense. Then, to add insult to injury, the SpamBots capture the email address that the form is directed to, and fill that mailbox with email spam. What to do?

CAPTCHA is an answer.

CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human or a SpamBot. The purpose of CAPTCHA is to block form submissions by SpamBots, which are automated scripts that post spam content everywhere they can.

The idea is to place on the form a security code that humans can read and that computer programs and SpamBots can’t. Computers can read letters and numbers, both as text and in images. But if you add a background and a strikethrough, vary the spacing and pitch, and distort the image, it stops them dead in their tracks. The trick is to find that balance where humans can read the code but computers can’t.

The CAPTCHA we use presents 5 characters randomly picked from 0-9, a-z, plus @#$=?. This character set alone offers 69,090,840 permutations. However, the SpamBot has no idea what character set we used, so it must assume that we used the entire keyboard. That means that it must go through 137^32 or 137 followed by 32 zeros.

To further confuse SpamBots, we add either a grid or a salt ‘n’ pepper pattern in the background and present the characters at different angles, spacings, and sizes. Then we add a little character distortion. Of course the characters change: a new random pick is made with each screen refresh. This has been enough to eliminate virtually all automated form spam.
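One way to handle the server side of the 5-character random pick described above, as an added example that is not the site's own code: every page load issues a fresh code from the stated character set, and a code is thrown away after one answer or after a timeout, so a bot cannot keep guessing against the same image. The class name, the 120-second lifetime and the lowercase normalization of the answer are assumptions.

```python
import hmac
import secrets
import time

# Character set as the page states it: 0-9, a-z, plus @#$=?
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz@#$=?"
CODE_LENGTH = 5
TTL_SECONDS = 120  # assumed lifetime of one challenge


class CaptchaStore:
    """Server-side record of issued CAPTCHA codes (hypothetical helper).

    The code itself never goes to the browser as text; only the opaque
    challenge id does, alongside the distorted image rendered from the code.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge_id -> (code, expires_at)

    def issue(self):
        """Create a new challenge; call this on every form render/refresh."""
        # secrets uses the OS CSPRNG, so the next code cannot be predicted
        # from earlier ones the way random.choice() output could be.
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (code, self._clock() + TTL_SECONDS)
        return challenge_id, code

    def verify(self, challenge_id, answer):
        """Check an answer. The challenge is consumed whether right or wrong."""
        # pop() makes each challenge single-use: a wrong guess burns it, and
        # a solved challenge cannot be replayed for further submissions.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        supplied = answer.strip().lower().encode("utf-8")
        # Constant-time comparison avoids leaking how many leading
        # characters of a guess were correct.
        return hmac.compare_digest(supplied, code.encode("utf-8"))

    def purge_expired(self):
        """Drop challenges that were issued but never answered."""
        now = self._clock()
        stale = [cid for cid, (_, exp) in self._pending.items() if now > exp]
        for cid in stale:
            del self._pending[cid]
        return len(stale)


if __name__ == "__main__":
    store = CaptchaStore()
    cid, code = store.issue()
    print("render this code into the distorted image:", code)
    print("correct answer accepted:", store.verify(cid, code))
    print("same challenge replayed:", store.verify(cid, code))
```
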

We tried other methods. For instance, CAPTCHA can present a simple math problem where the human has to supply the answer, like 1+2-2=. But we found that many of the humans could not add and subtract. Another popular method is to present a riddle. But what if the human can’t figure it out? Since we do have a successful track record with 5 character random pick CAPTCHA, we’ll stick with it until something better comes along.

Careful What You “Like” & “Share” on Facebook

You might inadvertently be showing support for terrorists, organized crime, a religious organization that you do not agree with, or for material that is vulgar, violent, racist, and sexist.

I know, the picture looks funny, cute, or tugs at your heartstrings. But the link behind the picture can lead to a place on the Internet you don't want your friends and family to go, and, more importantly, may imply that you support risqué or illicit activity.

Examples:

  • “I Can't Believe I Work This Hard To Be So Poor”… points to a website with adult humor that is vulgar, racist, and sexist.
  • “When they keep talking to the cashier after they already paid for the stuff...” Profanity!
  • “There are only three things that tell the truth...” Leads to profanity, risqué talk, and “a curse”.
  • “Simple way of explaining our God Exists” Leads to an evangelical group in the Philippines. They use social media to promote their website and their religion.

Protect your reputation! Careful What You “Like” & “Share” on Facebook

Carnegie Mellon study says cell phone apps are tracking you more than you know

(Jennifer Abel @ ConsumerAffairs) Smartphone users take note: you know that your apps sometimes share information with “third parties” – it's one of those fine-print phrases you see everywhere nowadays – but there's a high chance you'd be horrified if you knew just how much information those apps share: enough to make tracking your movements and whereabouts ridiculously easy.

That's the conclusion computer scientists from Carnegie Mellon reached in a peer-reviewed study they released this week. As Carnegie Mellon News announced: “An experiment at Carnegie Mellon University shows that when people learn exactly how many times these apps share that information they rapidly act to limit further sharing.”

That experiment was simplicity itself: 23 smartphone users in the study signed up to receive a daily message called a “privacy nudge” telling them how many times their apps shared their location, phone call logs, contact lists or other information.

Those numbers were considerably higher than any of the study participants expected. One smartphone user received this notable privacy nudge: “Did you know? Your location has been shared 5398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days.”

Study participants were not happy with the results. “4,182 [times] — are you kidding me?” one of them asked. “It felt like I’m being followed by my own phone. It was scary. That number is too high.”

Sometimes it's necessary

Of course, a certain amount of location-tracking is necessary for various location-specific apps: you can't get discount offers from your local neighborhood businesses unless the app can determine exactly where “your local neighborhood” actually is.

Problem is, many apps seem to check locations far more frequently than necessary to provide their services. For example, the Weather Channel's app doesn't merely request device locations when necessary to provide location-specific weather forecasts; the Wall Street Journal noted that the app requested locations an average of once every ten minutes during the study period.

Groupon's app, which offers discount deals to local businesses, requested one smartphone user's coordinates 1,062 times in two weeks. Tracking a device's location every 10 minutes, or even every 20, is enough to provide a pretty comprehensive overview of that device-holder's regular movements and whereabouts.

Norman Sadeh, one of the Carnegie Mellon professors who co-wrote the study, said: “Does Groupon really need to know where you are every 20 minutes? The person would have to be accessing Groupon in their sleep.” (Neither Groupon nor the Weather Channel have offered comment about the study.)

Further complicating the problem is the fact that, as Sadeh noted, “The vast majority of people have no clue about what’s going on.” Indeed, most smartphone users have no way of accessing the relevant data about their apps' behavior anyway — but the study shows that when smartphone users do manage to get this information, they quickly change their privacy settings.

Change default password on home router before hackers do it for you

 

(Jennifer Abel @ ConsumerAffairs) This rule applies to any password-protected device you buy

Here's a piece of home-computer-security advice which sounds too insultingly obvious to mention: when you buy a password-protected wireless-controlled anything, you need to assign it a new custom password right away. Otherwise, your new device can easily be hacked by anybody who knows its factory-set default password.

As obvious as this recommendation sounds, astonishing numbers of people continue to ignore it. There are even voyeurism websites devoted to streaming camera footage from unprotected personal IP (Internet protocol) cameras, of the sort found in wireless home baby monitors, or even laptop or computer webcams.

It's especially important to set a strong password on your home wireless Internet router, or else hackers will find it ridiculously easy to steal your online banking information and any other sensitive data you send over your home connection.

This week, security blogger Brian Krebs reported a new scam which so far seems limited to home Internet users in Brazil but could come to the United States with ridiculous ease, because the scammers operate by taking control of home wireless routers whose owners never changed their factory-set default passwords:

Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

What makes such security threats especially dangerous is that they can completely bypass ordinary computer-security tools, such as antivirus protection.

Did you change the default password on your router when you first installed it? As Krebs said, “If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t.”

If you visit RouterPasswords.com and type in the make and model of your router, you will learn its default password. If you do need to change yours, remember as always to give it its own unique password, rather than use the same one across multiple accounts.

Chase slapped for illegally robo-signing court documents

(Truman Lewis @ ConsumerAffairs) The bogus debt sales led to collection efforts against consumers

JPMorgan Chase faces more than $200 million in penalties and refund payments for selling "zombie debts" and illegally robo-signing court documents as a result of enforcement actions by the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and 47 states.

Chase allegedly sold bogus debts to third-party debt buyers -- accounts that were inaccurate, settled, discharged in bankruptcy, not owed, or otherwise not collectible. Many of the debt buyers then began hounding consumers in an attempt to collect the non-existent debts.

“Chase sold bad credit card debt and robo-signed documents in violation of law,” said CFPB Director Richard Cordray. “Today we are ordering Chase to permanently halt collections on more than 528,000 accounts and overhaul its debt-sales practices. We will continue to be vigilant in taking action against deceptive debt sales and collections practices that exploit consumers.”

The order requires Chase to document and confirm debts before selling them to debt buyers or filing collections lawsuits. Chase must also prohibit debt buyers from reselling debt and is barred from selling certain debts. Chase is ordered to permanently stop all attempts to collect, enforce in court, or sell more than 528,000 consumers’ accounts.

Chase will pay at least $50 million in consumer refunds, $136 million in penalties and payments to the CFPB and states, and a $30 million penalty to the Office of the Comptroller of the Currency (OCC) in a related action.

The CFPB found that Chase violated the Dodd-Frank Wall Street Reform and Consumer Protection Act’s prohibitions against unfair, deceptive, or abusive acts and practices. Chase sold faulty and false debts to third-party collectors, including accounts with unlawfully obtained judgments, inaccurate balances, and paid-off balances.

Chase also sold debts that were owed by deceased borrowers. Chase also filed misleading debt-collections lawsuits against consumers using robo-signed and illegally sworn statements to obtain false or inaccurate judgments for unverified debts.

Chinese hackers seen as increasingly professional

Beijing hotly denies accusations of official involvement in massive cyberattacks against foreign targets, insinuating such activity is the work of rogues. But at least one element cited by Internet experts points to professional cyberspies: China's hackers take the weekend off.

Accusations of state-sanctioned hacking took center stage this past week following a detailed report by the U.S.-based Internet security firm Mandiant. It added to growing suspicions that the Chinese military is not only stealing national defense secrets and harassing dissidents but also pilfering information from foreign companies that could be worth millions or even billions of dollars.

Experts say Chinese hacking attacks are characterized not only by their brazenness, but by their persistence.

"China conducts at least an order of magnitude more than the next country," said Martin Libicki, a specialist on cyber warfare at the Rand Corporation, based in Santa Monica, California. The fact that hackers take weekends off suggests they are paid, and that would belie "the notion that the hackers are private," he said.

Libicki and other cyber warfare experts have long noted a Monday-through-Friday pattern in the intensity of attacks believed to come from Chinese sources, though there has been little evidence released publicly directly linking the Chinese military to the attacks.

Mandiant went a step further in its report Tuesday, saying that it had traced hacking activities against 141 foreign entities in the U.S., Canada, Britain and elsewhere to a group of operators known as the "Comment Crew" or "APT1," for "Advanced Persistent Threat 1," which it traced back to the People's Liberation Army Unit 61398. The unit is headquartered in a nondescript 12-story building inside a military compound in a crowded suburb of China's financial hub of Shanghai.

Attackers stole information about pricing, contract negotiations, manufacturing, product testing and corporate acquisitions, the company said.

Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.

China denies any official involvement, calling such accusations "groundless" and insisting that Beijing is itself a major victim of hacking attacks, the largest number of which originate in the U.S. While not denying hacking attacks originated in China, Foreign Ministry spokesman Hong Lei said Thursday that it was flat out wrong to accuse the Chinese government or military of being behind them.

Mandiant and other experts believe Unit 61398 to be a branch of the PLA General Staff's Third Department responsible for collection and analysis of electronic signals such as e-mails and phone calls. It and the Fourth Department, responsible for electronic warfare, are believed to be the PLA units mainly responsible for infiltrating and manipulating computer networks.

China acknowledges pursuing these strategies as a key to delivering an initial blow to an opponent's communications and other infrastructure during wartime -- but the techniques are often the same as those used to steal information for commercial use.

China has consistently denied state-sponsored hacking, but experts say the office hours that the cyberspies keep point to a professional army rather than mere hobbyists or so-called "hacktivists" inspired by patriotic passions.

Mandiant noticed that pattern while monitoring attacks on the New York Times last year blamed on another Chinese hacking group it labeled APT12. Hacker activity began at around 8:00 a.m. Beijing time and usually lasted through a standard workday.

The Rand Corporation's Libicki said he wasn't aware of any comprehensive studies, but that in such cases, most activity between malware embedded in a compromised system and the malware's controllers takes place during business hours in Beijing's time zone.

Richard Forno, director of the University of Maryland Baltimore County's graduate cybersecurity program, and David Clemente, a cybersecurity expert with independent analysis center Chatham House in London, said that observation has been widely noted among cybersecurity specialists.

"It would reflect the idea that this is becoming a more routine activity and that they are quite methodical," Clemente said.
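The office-hours observation above can be checked against any set of malware check-in timestamps. The following is an added example, not code from Mandiant or the article; the log lines are constructed, and the 8:00 to 18:00 window and the candidate offsets are assumptions.

```python
from datetime import datetime, timedelta, timezone

# China keeps UTC+8 all year (no daylight saving), so a fixed offset is enough.
BEIJING = timezone(timedelta(hours=8))

def constructed_log():
    """Constructed sample: two weeks of beacon check-ins, logged in UTC."""
    lines = []
    monday = datetime(2013, 1, 7, tzinfo=BEIJING)  # a Monday, local midnight
    for day in range(14):
        date = monday + timedelta(days=day)
        if date.weekday() < 5:
            times = [(8, 10), (9, 40), (11, 15), (14, 5), (16, 30), (17, 45)]
            if day in (2, 9):          # two late sessions running toward midnight
                times.append((23, 20))
        elif day == 5:                 # a single Saturday event
            times = [(10, 0)]
        else:
            times = []
        for hour, minute in times:
            ts = (date + timedelta(hours=hour, minutes=minute)).astimezone(timezone.utc)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} beacon src=ws-114 dst=203.0.113.7")
    return lines

def parse_utc(line):
    """Take the leading ISO-8601 UTC stamp from a log line."""
    stamp = line.split()[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def workweek_profile(events, offset_hours, start=8, end=18):
    """Share of events on weekdays, and inside office hours, at a UTC offset."""
    if not events:
        raise ValueError("no events to profile")
    tz = timezone(timedelta(hours=offset_hours))
    local = [e.astimezone(tz) for e in events]
    weekday = sum(1 for t in local if t.weekday() < 5)
    office = sum(1 for t in local if t.weekday() < 5 and start <= t.hour < end)
    return {
        "events": len(local),
        "weekday_share": weekday / len(local),
        "office_share": office / len(local),
        # What evenly spread, round-the-clock activity would give instead.
        "uniform_office_share": (end - start) * 5 / 168,
    }

def best_fit_offset(events, candidates=range(-12, 15)):
    """UTC offset whose local Mon-Fri office hours cover the most events."""
    scores = {off: workweek_profile(events, off)["office_share"] for off in candidates}
    best = max(scores, key=scores.get)
    return best, scores[best]

if __name__ == "__main__":
    events = [parse_utc(line) for line in constructed_log()]
    print(workweek_profile(events, 8))
    print(best_fit_offset(events))
```

A strong fit only shows that the operators keep a working schedule in that time zone; timestamps can be shifted deliberately, so it supports other evidence rather than replacing it.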

The PLA's Third Department is brimming with resources, according to studies commissioned by the U.S. government, with 12 operation bureaus, three research institutes, and an estimated 13,000 linguists, technicians and researchers on staff. It's further reinforced by technical teams from China's seven military regions spread across the country, and by the military's vast academic resources, especially the PLA University of Information Engineering and the Academy of Military Sciences.

The PLA is believed to have made cyber warfare a key priority in its war-fighting capabilities more than a decade ago. One of the few public announcements of its development came in a May 25, 2011 news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China's "online" army.

"Currently, China's network protection is comparatively weak," Geng told reporters, adding that enhancing information technology and "strengthening network security protection are important components of military training for an army."

Unit 61398 is considered just one of many such units under the Third Department responsible for hacking, according to experts.

Greg Walton, a cyber-security researcher who has tracked Chinese hacking campaigns, said he's observed the "Comment Crew" at work, but cites as equally active another Third Department unit operating out of the southwestern city of Chengdu. It is tasked with stealing secrets from Indian government security agencies and think tanks, together with the India-based Tibetan Government in Exile, Walton said.

Another hacking outfit believed by some to have PLA links, the "Elderwood Group," has targeted defense contractors, human rights groups, non-governmental organizations, and service providers, according to computer security company Symantec.

It's believed to have compromised Amnesty International's Hong Kong website in May 2012, although other attacks have gone after targets as diverse as the Council on Foreign Relations and Capstone Turbine Corporation, which makes gas microturbines for power plants.

Civilian departments believed to be involved in hacking include those under the Ministry of Public Security, which commands the police, and the Ministry of State Security, one of the leading clandestine intelligence agencies. The MSS is especially suspected in attacks on foreign academics studying Chinese social issues and unrest in the western regions of Tibet and Xinjiang.

Below them on the hacking hierarchy are private actors, including civilian universities and research institutes, state industries in key sectors such as information technology and resources, and college students and other individuals acting alone or in groups, according to analysts, University of Maryland's Forno said.

China's government isn't alone in being accused of cyber espionage, but observers say it has outpaced its rivals in using military assets to steal commercial secrets.

"Stealing secrets is stealing secrets regardless of the medium," Forno said. "The key difference is that you can't easily arrest such electronic thieves since they're most likely not even in the country, which differs from how the game was played during the Cold War."


Cisco VoIP Security Fears

(Mark Huffman Consumer Affairs) Voice over Internet Protocol (VoIP) telephones are much more common now, providing an alternative to traditional phone service. But because the system uses the Internet for its voice communications, the technology may have more security vulnerabilities than a traditional telephone system.

Columbia University computer science professor Salvatore Stolfo and PhD candidate Ang Cui say they have found serious vulnerabilities in VoIP telephones made by Cisco. They note these devices are used around the world by a broad range of networked organizations from governments to banks to major corporations.

At a recent conference on the security of connected devices, Cui demonstrated how easy it is to insert malicious code into any of the 14 models of Cisco VoIP phones. Not only can the hacker start eavesdropping on private telephone conversations, the telephone mouthpiece also acts as a microphone when the phone is not in use, allowing the hacker to listen in on what's going on in the room.

Software flaw

According to Cui and Stolfo, the problem stems from the software running on the small computer inside the phone. The software, they say, has many security flaws.

They say they are particularly concerned with embedded systems that are widely used and networked on the Internet, including VoIP phones, routers and printers. And they say the problem is not limited to just one company.

“It’s not just Cisco phones that are at risk,” Stolfo said. “All VoIP phones are particularly problematic since they are everywhere and reveal our private communications. It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones -- they are not secure.”

The professor and his student have proposed a fix, developing a new defensive software called Symbiotes. It's designed to safeguard embedded systems from malicious code injection attacks into these systems, including routers and printers. It can be installed on new systems as well as old systems that are already in place.

Patch called 'ineffective'

Since Stolfo and Cui first made their findings public, Cisco has issued a patch for its VoIP systems, but Cui said it's ineffective.

“It doesn’t solve the fundamental problems we’ve pointed out to Cisco,” Cui said. “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”

Consumer use of VoIP services has taken off since 2004. Consumers utilize existing broadband Internet access and can place and receive telephone calls just like they would on a traditional telephone system. Since that time, Vonage has become a major provider of consumer VoIP services.

In recent years corporations have also made the move to VoIP systems because they tend to be much cheaper to operate.


Cloud Security IT Managers Speak Their Mind

Imagine being able to tap into the knowledge of 200 IT managers all in some stage of cloud development. Imagine being able to get a better understanding of how they are handling the biggest questions of cloud deployment, security. Imagine if their experiences could be boiled down to 5 common feedback points. Well, imagine no longer.

Watch this video, IT Managers Speak Out about Cloud Security, for the comprehensive results of a survey of 200 IT managers and what they are saying and, more importantly, doing about the cloud in their organizations.


Comcast using YOUR Wi-Fi as a hotspot – how to disable it

( @ BGR) Comcast has a brand new feature for its Internet subscribers called Xfinity Wi-Fi, but it’s going about it the wrong way, likely making even more enemies in the process. SeattlePi reports that Comcast is turning some of the Wi-Fi routers placed in the homes of subscribers into a “massive public Wi-Fi hotspot network,” but it’s doing so without giving customers the opportunity to opt out before the service is rolled out.

In theory, Xfinity Wi-Fi sounds like a neat idea, as it can provide free Internet access to other Xfinity subscribers as long as they’re within reach of such an Xfinity Wi-Fi hotspot. Moreover, the extra load on the router does not affect the bandwidth of the customer who houses it, as the device creates two independent networks, one private, and one public, using additional bandwidth for the public one.

As such, any users on the public Xfinity Wi-Fi network will not slow down customers’ connections, according to the company.

Comcast apparently informed its subscribers about the move in the mail a few weeks ago, and then email notifications go out after the service is turned on for each user. The company on Tuesday turned 50,000 Comcast Internet customers into public Wi-Fi providers in Houston, with 100,000 more hotspots to be activated by the end of June.

Users only have the opportunity to disable the service after it’s activated. A Comcast FAQ section further details Xfinity Wi-Fi, while the following guide, as listed by SeattlePi, should help Comcast customers disable the new Xfinity Wi-Fi hotspot feature:

1. Log into your Comcast account page at customer.comcast.com.
2. Click on Users & Preferences.
3. Look for a heading on the page for “Service Address.” Below your address, click the link that reads “Manage Xfinity WiFi.”
4. Click the button for “Disable Xfinity Wifi Home Hotspot.”
5. Click Save.

Companies Salt Servers With Fake Data To Thwart Hackers

And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception.

The Waseca, Minn., company began planting fake data in Web servers to lure hackers into “rabbit holes” in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.

“We’re taking the hackers’ strengths and we’re making it their weaknesses,” said Nathan Hosper, a senior information technology officer at Brown. “They get caught up in this cycle of fake information.”

Brown is only one of a number of companies that are adopting tactics long used by law enforcement and intelligence agencies to turn the tables on hackers.

The emerging trend reflects a growing sense in industry that companies need to be more aggressive in fighting off intruders as the costs of digital espionage soar. The theft of intellectual property and other sensitive documents — from military weapon designs to files on contract negotiations — is so rampant that senior U.S. officials say it may be the most significant cyberthreat the nation faces over the long term.

“Companies are tired of playing defense,” said Michael DuBose, a former chief of the Justice Department’s Computer Crime and Intellectual Property Section who now handles cyber-investigations for Kroll Advisory Solutions. “They want to feel like they actually can fight back. Most of us in the industry agree that we ought to push the envelope to protect the rights and properties of U.S. businesses.”

In the parlance of network security, digital deception is known as a type of “active defense,” a controversial and sometimes ill-defined approach that could include techniques as aggressive as knocking a server offline. U.S. officials and many security experts caution companies against taking certain steps, such as reaching into a person’s computer to delete stolen data or shutting down third-party servers.

Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire — hackers who identify data as bogus may be all the more determined to target the company trying to con them.

Just how far companies should be allowed to go to defend themselves is the subject of intense debate in the industry and on Capitol Hill.

Rep. Mike Rogers (R-Mich.), the chairman of the House Intelligence Committee, said at a recent conference that disrupting another party’s server is an offensive act that could trigger retaliation that a company might not be prepared for. “It’s best not to go punch your neighbor in the face before you hit the weight room,” he said.

Nonetheless, most experts say deceptive tactics fall within legal boundaries, as long as fake data are planted only inside a company’s network and do not damage a third party’s computer system. Such tactics, they argue, can also be highly effective.

Digital deception tools date back at least 20 years in the academic research community. They are sometimes called “honey pots,” reflecting the notion that they not only attract hackers but keep them inside a network long enough so that they can be watched.

“The use of deception is a very powerful tool going back to Adam and Eve,” said Salvatore Stolfo, a Columbia University computer science professor who has created a technique that uses decoy data to trick intruders. “If the hackers have to expend a lot of energy and effort figuring out what’s real and what’s not, they’ll go elsewhere.”

Anecdotal evidence suggests the techniques can work in the private sector.

Stolfo, whose research is funded by the Pentagon and the Department of Homeland Security, tested his technology with a major U.S. bank two years ago. The bank put $1,000 in an online decoy account registered to a fictitious user, then Stolfo exposed the account to malware from Web sites controlled by hackers. Within three days, the bank began seeing attempts to shift money from the dummy account into a real account, whose owner the bank knew, Stolfo said.

The bank shut the fake account. Had it been a real theft, the bank would have turned the culprit in to the FBI, said Stolfo, who has created the firm Allure Security to bring the technology to market.

In another case, a Northern Virginia cybersecurity firm that works closely with U.S. intelligence agencies and has been targeted by hackers in China has used honey pots to collect data on intruders. The firm, whose director requested anonymity to avoid drawing attention to the company, has created encrypted data files labeled with the names of Chinese military systems and put them in folders ostensibly marked for sharing with the National Security Agency and the CIA.

With such bait, the firm has been able to document how individual hackers work and has linked their pseudonyms, which are sometimes embedded in source code, to real people. The honey pot “has given us a lot of information about these guys,” the director said. “It confounds them.”

Some experts point out that deceptive tactics can inadvertently ensnare ordinary customers and possibly pose liability risks. But software companies say they are mindful of that danger.

Mykonos Software, a San Francisco company that created the tools used by Brown Printing, began using fake data commercially about three years ago, said David Koretz, the firm’s founder and general manager. Mykonos places the false data on clients’ Web sites in places no ordinary customer would look, such as in source code and in configuration files that only a real system administrator or a hacker would find useful.

“When the good guy uses the site, they’re never going to touch the fake things,” Koretz said. When a hacker hits a piece of false code, Mykonos, which is owned by Juniper Networks, tags him with a “super cookie,” a digital file that tracks his device. “We’re now tracking every bad thing he does,” he said.

Sometimes, he said, a hacker trying to trick a client’s server into giving him access might be met with a surprise. He might see a Google Map pop up on his screen identifying his location, next to a list of nearby lawyers and a note reading, “It looks like you’re going to need a criminal attorney.”

Within the first week that Brown Printing installed the deception tools in 2010, it detected 375 suspicious probes against its Web sites. “That was the first time that we could say, ‘Wow, we’re seeing those events and we know what’s occurring,’ ” said Hosper, the senior information technology officer.

The bottom line, he said, is the feeling that “you’re no longer just having to sit passively by and take it. You have the ability to take control of the situation.”
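The decoy approach described above, fake files and log-ins planted where no ordinary customer looks, with anyone who touches them tagged and watched, can be sketched over a web access log. This is an added example, not Mykonos or Brown Printing code; the decoy names and log lines are constructed, and a client is identified by IP address plus user agent as a simplified stand-in for the device tracking the article mentions.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical decoys: nothing on the real site links to or uses them.
DECOY_PATHS = {"/old-admin/config.bak", "/backup/users.sql"}
DECOY_LOGINS = {"svc_backup"}   # fake account listed only inside config.bak

# Combined log format: ip, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
198.51.100.23 - - [12/Mar/2024:10:01:02 +0000] "GET /catalog/paper-stock HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (customer)"
203.0.113.50 - - [12/Mar/2024:10:02:10 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "scanner/1.0"
203.0.113.50 - - [12/Mar/2024:10:02:15 +0000] "GET /old-admin/./config.bak HTTP/1.1" 200 412 "-" "scanner/1.0"
203.0.113.50 - - [12/Mar/2024:10:02:40 +0000] "POST /login?user=svc_backup HTTP/1.1" 401 0 "-" "scanner/1.0"
198.51.100.23 - - [12/Mar/2024:10:03:00 +0000] "POST /login?user=alice HTTP/1.1" 302 0 "-" "Mozilla/5.0 (customer)"
truncated line with no request
203.0.113.50 - - [12/Mar/2024:10:03:30 +0000] "GET /catalog/paper-stock HTTP/1.1" 200 5123 "-" "scanner/1.0"
""".splitlines()

def decoy_hits(target):
    """Return the decoys a request target touches (planted path or fake login)."""
    parts = urlsplit(target)
    # Normalise so /old-admin/./config.bak or %-encoded forms still match.
    path = posixpath.normpath(unquote(parts.path))
    hits = [path] if path in DECOY_PATHS else []
    # Assumption for this example: the login name travels in a "user" parameter.
    for user in parse_qs(parts.query).get("user", []):
        if user in DECOY_LOGINS:
            hits.append(f"login:{user}")
    return hits

def analyze(lines):
    """Tag every client that touches a decoy and collect its full history."""
    history = defaultdict(list)   # client -> all requests, in log order
    tripped = defaultdict(list)   # client -> decoys touched, in order
    first_trip = {}               # client -> index of first decoy request
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1          # malformed line: count it, never guess
            continue
        client = (m["ip"], m["ua"])
        history[client].append((m["ts"], m["method"], m["target"], int(m["status"])))
        hits = decoy_hits(m["target"])
        if hits:
            first_trip.setdefault(client, len(history[client]) - 1)
            tripped[client].extend(hits)
    report = {}
    for client, hits in tripped.items():
        i = first_trip[client]
        report[client] = {
            "decoys": hits,
            "before": history[client][:i],      # reconnaissance leading up to it
            "after": history[client][i + 1:],   # everything done once tagged
        }
    return report, skipped

if __name__ == "__main__":
    flagged, bad_lines = analyze(SAMPLE_LOG)
    for client, entry in flagged.items():
        print(client, entry["decoys"], len(entry["after"]), "later requests")
    print("unparsed lines:", bad_lines)
```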


Computer Crime When and How To Report It

You hear a lot about computer crime, and you know that good citizens report criminal activities to the proper authorities. But you also know that, in practice, the police often don’t have the time and manpower to deal with every minor offense.

As good citizens, we should report computer crimes to the proper authorities. However, many of us are not sure exactly which observed activities are illegal and should be reported, or to whom we should report them.

This article is designed to assist in making that decision with confidence. We will cover ten potentially-reportable activities and group them into three categories: activities you should not report, activities you may report, and activities you should always report. We’ll also provide contact information for the law enforcement agencies that investigate computer crime.

In general, computer crime laws in the U.S. can be divided into two categories: federal offenses and state offenses. If a state statute applies, you can call your local police department or state police agency – but they may or may not have the technical expertise and resources to conduct a proper investigation. The FBI and other federal agencies, on the other hand, may be able to get more done – if the case is important enough for them to get involved.

Before reporting any incident to law enforcement, follow your chain of command within the company and ensure that upper management approves. Involving law enforcement can result in significant costs. For example, personnel may be required to take time off to prepare for and appear at trial, equipment may be confiscated as evidence and not returned for long periods, and the company's "inside" information may be subpoenaed by the defense attorneys and exposed to the public through the media before and during the trial. It's not a decision that you would want to make alone.

Don’t report port scanning and similar “non-intrusive” activities.

Although port scanning is often a precursor to intrusion or attack, in most jurisdictions it’s not, in itself, a crime. It’s more like someone walking down a hallway in an apartment building and trying each door to see if it’s locked. If they find an unlocked door and go inside, that’s criminal trespass – but as long as they don’t go inside, they haven’t committed a crime.

Don’t report viruses, Trojans, worms, and Spyware to law enforcement agencies.

Although malicious software is a huge problem that does a great deal of damage and costs companies millions of dollars, law enforcement agencies generally don’t (can’t) respond to individual malware reports. While those who release viruses and other malware can be prosecuted under Title 18 of the U.S. Code, prosecutors generally go after those whose malware is widely distributed and causes a large amount of harm. If you encounter a new variety of malware, check the pages of popular antivirus vendors and report to them if it isn’t listed. Remember that the sender of a virus often doesn’t even know he/she is sending it. However, if you have evidence that a particular person actually wrote and originally released a piece of malware, you should contact local law enforcement or the FBI computer crime squad.

You may report intrusions and attacks that bring down the network.

Unauthorized access to a computer network is a crime under the laws of many states. If there is little or no documentable injury or monetary loss, however, you may find that law enforcement agencies simply file a report and don’t do much more. Jurisdictional issues and caseload often prevent in-depth investigation of computer crimes that are considered “minor.”

Report intrusions/attacks on large corporate dealing with sensitive data.

If sensitive data such as client financial information, medical records, customer credit card information, social security numbers, and the like has been compromised, you should report it to the authorities. This is also true if the company has government / defense contracts or deals with other types of regulated information. The FBI’s computer crime squad investigates major network intrusions and network integrity violations. You can report these types of attacks to both federal and local/state authorities and let them sort out the jurisdictional issues.

Report intrusions or attacks that result in large monetary losses.

The amount of monetary loss often determines whether a theft type offense is considered a misdemeanor or felony. Felony offenses will get more attention from law enforcement agencies.

Report cases of suspected industrial espionage.

If an intruder goes after your company’s trade secrets, this is a serious federal offense that will be investigated by the FBI.

Report cases involving child pornography.

This is an offense that is taken very seriously by law enforcement, and if child pornography is discovered on any company computer and is not promptly reported, the company and management may be implicated or held liable in a civil lawsuit.

Report e-mailed or other digitally transmitted threats.

All states have laws against threatening and harassing communications. Physical threats against individuals, terroristic threats, bomb threats, blackmail, and similar electronic communications should be reported to local police.

Report Internet fraud to the IFCC.

If one of your users is a victim of “phishing” scams or other fraudulent activities perpetrated by e-mail or the Web, report it to the Internet Fraud Complaint Center (IFCC), which is operated by the FBI in conjunction with the National White Collar Crime Center.

Report suspected terrorist activities.

If you suspect that your network is being used for communications between terrorists, report it to your local police agency, the U.S. Department of Homeland Security, or via the FBI’s “tips” Web site.

Local/State Law Enforcement: Call your local police department, county sheriff’s office or state police agency. Do not call 9-1-1. Ask for the agency’s high tech crimes unit or, in smaller agencies, the criminal investigation division.

FBI Computer Crimes Squad: nccs@fbi.gov or 202-324-9164

FBI Tips site: https://tips.fbi.gov/

US Secret Service Form 4017 - Cyber Threat/Network Incident Report: http://www.secretservice.gov/net_intrusion_forms.shtml

Internet Fraud Complaint Center: http://www.ifccfbi.gov/index.asp

National White Collar Crime Center (NW3C): http://www.nw3c.org/

FTC Identity Theft Web site: http://www.consumer.gov/idtheft/index.html

Computer Virus Got You Down - What To Do

“Boy, is my computer S L O WWW.” “Some of my programs don’t run at all.” “The internet just crawls.” Have you experienced these problems?  One person purchased a new computer because the old one was so slow. In a couple of weeks the new computer was slow too. It wasn’t the computer, it was computer viruses.

Where do they come from? Most folks today still think that viruses come from teenagers sowing some wild oats, kind of like kids spray-painting graffiti on a bridge, toilet papering a house, or putting dish soap in a public fountain. But not so. According to TechNewsDaily, much of the virus threat comes from organized crime in the U.S., Russia, China, and North Korea, and it is a billion dollar industry.

How do they make their money? Viruses or BotNets can bombard unprotected computers with pop-up ads. It just amazes me that people buy stuff that they see on a virus generated pop-up ad, but they do – bunches of it!

Other BotNets are designed to watch what you do with your computer. They look at where you go on the internet, how long you stay on an internet site, and where you go next…, without your knowledge or permission. This data is sent to and collected on websites. Companies buy this data and use it to optimize their websites in order to make their products and services more attractive and accessible. Over time, your computer may attract hundreds of BotNet viruses that can tie up computer resources and monopolize your internet bandwidth, making your speedy computer run like a sloth.

Still other BotNets scour computers for personal information that can be used to empty bank accounts and max out your credit cards.

How do they get on my computer? On Windows computers, the number one method for computer infection is a computer that does not have the latest Microsoft updates and patches. WebBots crawl the internet looking for such computers. Once found, they exploit the unpatched vulnerability, install themselves, and go to work infecting your computer. 

The number two way to infect a computer is to convince the computer owner to infect himself. Deceptive emails are sent promising jobs, love, or a little internet humor. These emails usually carry an attachment that packs a lethal virus payload OR a link to a website that installs the virus. Once installed, the virus will disable your antivirus, then it will open a “back door” on your computer and download other viruses. Next it will propagate itself by using your email software to send the virus to your friends and family, while it collects sellable data. What Rotten Scoundrels!

How can we protect ourselves from Viruses?

1. Use a good antivirus software and keep it up-to-date. All of the expensive brands work, and there are some free antivirus packages, like AVG Free and Avast, that will do a good job too. The key is, keep the antivirus software up-to-date by using the automatic function within the software!

2. Install the Microsoft patches and updates. Windows has an Auto Update function that can be turned on so that updates occur without you doing anything. Turn it on and use it!

3. Handle your email with care. If you receive something from somebody you don’t know, why look at it? If the email is a “get rich quick” scheme, or looks like it is too good to be true, it probably is, and may be a virus, too. And most importantly, do not click the attachment or link.

4. Also, look closely at email you receive from friends and family. If the email is out of character for what that person usually sends to you, it may be infected with a virus.

Even folks that do all the right things get viruses occasionally. If you get a virus, simply turn your computer off and call an expert. Acting quickly will help minimize the damage caused by viruses. There is no reason to live in fear of viruses. Simply follow these suggestions, use a little common sense, and your computer experience will be enjoyable, productive, and virtually virus free.

Consumers Are Lax On Protecting Their Data

It’s important for consumers to take more responsibility for their personal information

If someone asked you how often you reuse passwords and PINs (personal identification numbers), odds are you might confess to using the same ones whether it’s as a passcode on your computer, phone, or bank account.

International Fraud Awareness Week begins November 11, and according to results from Shred-it’s just-released Consumer Fraud Awareness Survey, consumers are putting themselves squarely behind the data security 8-ball.

The survey results show that more than 50 percent of U.S. consumers admit to using the same security credentials across several platforms, and almost all of those guilty parties admit their security habits make them vulnerable to identity theft, exposure, or worse yet, scams that could sap their bank accounts.

How secure are you?

The Shred-It survey ferrets out the fact that consumers lack the confidence necessary to determine if they were a fraud victim and, if they were duped, don’t understand how to report and remediate fraud/identity theft.

Do your personal security habits put you in the same basket as these findings?

  • More than one-third of consumers have been a victim of fraud or identity theft.

  • Almost three in 10 consumers concede that they don’t know how to find out if they've become a victim of fraud or identity theft.

  • While the majority of consumers think they could determine if an email or phone call they receive is part of a scam, 16 percent say they wouldn’t have a clue.

  • Baby boomers are the least likely to believe they could determine if an email or phone call they receive is part of a fraudulent scam or not, compared to Gen Z’s (72 percent) and Millennials (74 percent).

  • Women are less likely than men to know how to report and remediate fraud or identity theft.

  • When it comes to physical information security, nearly 3 in 10 consumers do not shred paper or physical documents containing sensitive information before throwing them in the trash.

How well do you know how to protect your identity?

The Association of Certified Fraud Examiners is asking consumers to test how well they know the fraudster’s game. If you don’t know the difference between phishing, shoulder surfing, social engineering, or lapping, it might be a good idea to take the quiz.

Consumers aren’t in this alone. Credit card companies and financial institutions continue to step up efforts to beef up fraud protection. However, some consumers say their bank doesn't side with them when they're the victims of fraud. Others say their banks go so far to protect against fraud that it becomes an inconvenience.

"Bank of America's Fraud Department has locked my card maybe 6 times in my few years of using BofA," wrote one ConsumerAffairs reviewer.

"They have inconvenienced me with this largely, as I have to sit on hold for up to an hour just to ask them to unlock the card. They lock it for buying things I commonly buy. However they didn't catch the time that someone bought Tacos at a place over 100 miles away from me, in a city I've never visited. The fraud department is useless at best, and an inconvenience at worst."

Shred-It’s survey was conducted in October 2018 among 1,200 U.S. respondents age 18+, who were qualified with the following screener question: "Do you understand what information fraud and identity theft is?"

What can you do to bolster your protection?

Monu Kalsi, VP of Marketing at Shred-It, says that there are plenty of things that consumers can do to better protect their information. He points out that consumers’ lax security habits can often increase their risk of becoming a victim of fraud or identity theft.

Kalsi says the top two things you can do today to take control of your information security are:

  1. Be smart with your digital information. “Simply put, don’t reuse passwords across your accounts. Whether it’s social media, email, bank accounts, health apps and more, varying your passwords across all accounts ensures that in the event one account IS breached, the likelihood of bad actors being able to seize more of your information from other accounts will be limited,” Kalsi said.

  2. Secure your physical information. “Whether at home or at work, physical paper documents containing sensitive information should be stored in a locked console or cabinet. From medical records, tax documents, bank/credit card statements, mortgage and insurance information and more, all of these documents contain a trove of information and would be considered a gold mine if they got into the hands of a fraudster.”

Consumers Give Little Thought to Online Privacy

President Obama last week unveiled a proposed Consumer Privacy Bill of Rights that, in essence, gives consumers the right to control what information companies can collect from their web browsing and how they use it.

For such a system to be effective, however, one privacy expert says consumers are going to have to become more serious about privacy issues. Fred Cate, who directs the Center for Applied Cybersecurity Research at Indiana University, says Obama's proposal is noble, but will probably fail because "it puts the power of consent into the hands of a public that, for the most part, doesn't know what to do with it and cannot use it effectively to protect privacy."

At the core of the legislative proposal is what the Obama administration calls the "Consumer Control Principle," which would give consumers the right to exercise control over what personal data is collected and how it is used. That is typically achieved through voluntary consent.


Corporate Networks Infected by Porn Viewing Managers


(Jose Pagliery @ CNNMoney) Want to stop nasty worms from spreading on corporate networks? It would help if bosses stopped going to porn sites. A surprising number of IT professionals say they have to clean up corporate devices infected by executives who went to porn sites.

According to a recent survey by software firm ThreatTrack Security, 40% of tech support employees admit they've had to clean an executive's corporate device after the boss visited an infected porn website.

The survey, conducted in October, shows that while it's generally gotten easier for companies to defend themselves from outside attacks, bosses' bad habits make it difficult to keep up. Here are some other mistakes executives make:

  • 56% got malware from clicking on a bad link or getting duped by a fake "phishing" email.
  • 47% attached an infected device, like a thumb drive or smartphone, to their PC.
  • 45% got a virus when they let a family member use a company computer.
  • 33% installed a malicious app on their company device.


Part of the problem is that employees are less cautious with their iPhones and Android smartphones than they are with their office computers, said Dipto Chakravarty, an engineering and products executive at ThreatTrack. But the risk is the same, because the devices are connected to a company's network.

The problem seems to be getting worse now that many companies have adopted the "bring your own device" approach, allowing workers to connect to company networks with their personal devices.

Currently, 36% of companies have a BYOD policy, according to networking giant Cisco (CSCO, Fortune 500) and the British telecom BT (BT).

Companies quiet about hacks: The study also found that 57% of IT analysts say they've confronted a data breach that the company decided to keep secret from customers, partners or shareholders.

Smaller corporations are the least likely to hide that they've been hacked. Those spending less than $500,000 a year on IT security kept quiet less than 30% of the time. Mid-sized companies were most likely to keep things under wraps. Companies with budgets between $500,000 and $10 million remained mute about 76% of breaches.

But the largest companies -- those spending more than $10 million annually on tech security -- stayed silent on just 37.5% of cases.

Chakravarty said it's understandable why some companies try to avoid the scrutiny that would come from admitting they've been hacked.

"It's not in the company's interest to admit there's a data breach," Chakravarty said, adding that the time and money spent to combat the problem will be "astronomically high."

Companies are worried about losing their customers' trust as well. If a business admits it has been hacked, consumers might worry about the firm's ability to keep their credit cards or passwords protected -- and take their business elsewhere.

But it looks like many of these data breaches could be avoided if executives just didn't do stupid things like viewing porn on their phone.

Could Your Business Be Hacked

The latest massive data breach of Visa and MasterCard customers that occurred at Global Payments is just another reminder of how sensitive information can be. While up to three million accounts may be affected, small business owners should take note—experts say no matter what size your company is or how much data you have in your possession, you are just as susceptible to hackers as your larger counterparts.

Alan Wlasuk, managing partner at 403 Web Security, said small businesses almost never give data protection the attention necessary to properly safeguard their information.

“Most believe they are too small, or their data or business is not large enough for hackers to care about them,” Wlasuk said. “They’re not aware of the security problems they might have in their environment.”

Even what may seem like insignificant data, such as user logins and passwords, should always be encrypted, he said. Most consumers reuse their logins and passwords on websites across the board, so hackers will have access to more sensitive information than just what your business has on file.

Ondrej Krehel, CISO at Identity Theft 911, said small businesses often overlook the regulations they must be in compliance with when securing consumer information.

“They need to get more familiar with the standard industry requirements—that should be their number one priority,” Krehel said.

So while you may think your small business is off the radar for hackers, Krehel and Wlasuk said that’s not so.  Here are their tips for getting your business in check with data protection, and keeping your information, and your customers’ data, safe.

 

Could hackers seize control of your car?

A student at the Freie Universitaet Berlin steers a converted Dodge minivan remotely with an iPhone in November 2009.

(CNN) -- When car companies begin exhibiting at mobile phone shows, it's a sign that the "connected" vehicle has truly arrived -- allowing us to take our digital lives with us as we hit the highway.

But while Ford's unveiling of its latest car at Mobile World Congress -- a major cell phone industry event -- this week may have heralded a new automotive age, it also heightens fears that our technology-crammed cars could be hijacked by hackers.

Just like our PCs and smartphones, the computerized components that have infiltrated almost every aspect of modern vehicles could potentially be broken into, experts say. Only, with a car, this could have far more dangerous consequences.

"We typically don't drive our smartphones at 80 miles an hour," said Brian Contos, security strategist at technology protection firm McAfee. "But safety concerns and privacy concerns all culminate when you talk about automobiles."

Ford isn't alone in integrating mobile phone technology into its cars.

While its networked B-Max compact and its prototype Evos were big hits at the Mobile World Congress in Barcelona, also on display was a BlackBerry-embedded Porsche 911 and a Toyota with an integrated Samsung phone application.


Could this be the answer to the ransomware threat

 


Photo (c) santiago silver - Fotolia

(Mark Huffman @ Consumer Affairs) For hackers and cybercriminals, ransomware is literally money in the bank.

If a target clicks on a link in an email, designed to appear as though it is from a familiar source, the malware is unleashed on the victim's computer, encrypting every file.

The only way for the victim to regain access to these files – photos, documents, or multimedia files – is to pay the hacker a ransom in Bitcoin. The threat has grown exponentially, ensnaring individual consumers as well as businesses and organizations.

Researchers at the University of Florida (UF) now say they have developed a solution, a software tool that will stop ransomware in its tracks. They call it CryptoDrop. The researchers say it works in a very different way than antivirus software.

Limiting the damage

 Instead of identifying the ransomware before it can download to a target computer, CryptoDrop springs into action a nanosecond after the process begins. As a result, only a tiny fraction of files get encrypted.

“Our system is more of an early-warning system,” said Nolen Scaife, a UF doctoral student and founding member of UF’s Florida Institute for Cybersecurity Research.

Scaife says CryptoDrop steps in to prevent the ransomware from completing its task. A victim might lose a few photographs, but that is the limit of the damage. There is no reason to pay a ransom.

The UF researchers say antivirus software has a hard time stopping ransomware because it needs to have seen the malware before in order to be effective. But hackers are constantly tweaking their ransomware bugs, making them unrecognizable.

CryptoDrop is like a security guard, always looking for signs of a ransomware attack. When it sees the malware encrypt a file, it springs into action to stop the process from going further.

Instead of looking for a particular software profile, it is instead looking at what the software does. If hackers come up with a new malware every week, it won't matter.

Growing threat

In the last few years ransomware attacks have targeted hospitals and even police departments. In 2015 police in Tewksbury, Massachusetts, admitted that they'd had to pay an untraceable $500 Bitcoin ransom to the hackers who'd encrypted the department's computer files.

Also last year, a new form of ransomware emerged, in which hackers planted child pornography images on victims' phones until a ransom was paid.

It's gotten so bad that some companies now build ransoms into their operating budgets, expecting that sooner or later they'll have to pay up. The UF researchers, however, say that might not be necessary.

“We ran our detector against several hundred ransomware samples that were live and in those cases it detected 100% of those malware samples and it did so after only a median of 10 files were encrypted,” Scaife said.

The research team says its prototype works with Windows-based systems and the researchers are now seeking a partner to put it on the market.
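The approach described above, judging a program by what it does to files rather than by what it looks like, can be sketched in a short simulation. This is an added illustration, not CryptoDrop's code or algorithm: the indicators (byte entropy and lost file signatures), the thresholds and the sample events are all assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# All thresholds below are assumptions chosen for this illustration.
ENTROPY_HIGH = 7.5   # bits per byte; ciphertext sits close to 8.0
ENTROPY_JUMP = 1.0   # minimum rise that counts as a transformation
ALERT_AFTER = 3      # suspicious files per process before it is blocked

# A few well-known file signatures ("magic bytes").
MAGIC = {b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes):
    """Name of the recognised signature at the start of data, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_encrypted(before: bytes, after: bytes) -> bool:
    """Judge one rewrite by its effect on the file, not by who did it."""
    e_after = shannon_entropy(after)
    # Output that still carries a known signature (e.g. a new zip) or is
    # not near-random is treated as normal activity.
    if file_type(after) is not None or e_after < ENTROPY_HIGH:
        return False
    # Compressed formats such as JPEG are already high-entropy, so for them
    # the signal is the lost signature rather than an entropy rise.
    lost_signature = file_type(before) is not None
    return lost_signature or e_after - shannon_entropy(before) >= ENTROPY_JUMP


class WriteMonitor:
    """Counts suspicious rewrites per process and blocks repeat offenders."""

    def __init__(self, alert_after: int = ALERT_AFTER):
        self.alert_after = alert_after
        self.suspicious = defaultdict(set)   # pid -> paths that looked encrypted
        self.blocked = set()                 # pids no longer allowed to write

    def on_write(self, pid: int, path: str, before: bytes, after: bytes) -> bool:
        """Return True if the write is allowed, False if the pid is blocked."""
        if pid in self.blocked:
            return False
        if looks_encrypted(before, after):
            self.suspicious[pid].add(path)
            if len(self.suspicious[pid]) >= self.alert_after:
                self.blocked.add(pid)        # later writes are refused
        return True


def fake_ciphertext(seed: bytes, size: int) -> bytes:
    """Constructed stand-in for encrypted data: a deterministic SHA-256 stream."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def build_constructed_events():
    """Constructed (pid, path, before, after) write events for the demo."""
    text = b"Quarterly report: revenue up, costs flat.\n" * 100
    jpeg = b"\xff\xd8\xff\xe0" + fake_ciphertext(b"jpeg-body", 4092)
    events = [
        (200, "notes.txt", text, text + b"One more line.\n"),             # editor
        (300, "backup.zip", b"", b"PK\x03\x04" + fake_ciphertext(b"zip", 4092)),
    ]
    for i in range(6):                       # pid 100 rewrites six user files
        before = jpeg if i % 2 else text
        events.append((100, f"file{i}", before, fake_ciphertext(b"enc%d" % i, 4096)))
    return events


def replay(events):
    """Feed events to a fresh monitor; return it and the refused paths."""
    monitor = WriteMonitor()
    denied = [p for pid, p, b, a in events if not monitor.on_write(pid, p, b, a)]
    return monitor, denied


if __name__ == "__main__":
    mon, refused = replay(build_constructed_events())
    print("blocked pids:", mon.blocked, "refused writes:", refused)
```

In this run the editor and the archiver are left alone, while the process rewriting files into near-random data loses three files before its remaining writes are refused.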

Court challenges the Constitution and your privacy rights


(Kim Komando @ Foxnews) It's pretty obvious that we as a society are now made up of two groups. There are those who, for better or worse, have moved their lives into the digital realm, and those who haven't.

I would like to introduce you to someone in the latter category. His name is Edward Korman and he is a federal judge in New York state. He had a case before him involving a U.S. citizen – a Ph.D. student at McGill University in Montreal – who had his computer confiscated while returning to the States. The judge ruled, sweepingly, that, yes, the federal government had a right to confiscate laptops at the border without probable cause.

In other words: You are traveling overseas, with your laptop, tablet or smartphone. As you re-enter the United States, a federal official, for any reason or none, can take it away from you and look through it, and there's nothing you can do about it.

Here's what I have on my laptop. Years of email. Private conversations from close friends about personal matters, some of them tragic, heart-wrenching, and life-changing, and similar messages from my husband. There are thousands of family photos, 99.9 percent of which I would prefer to be private. There is medical information about me and my family. I have business plans that are the culmination of years of work and affect my family's current and future livelihood.

Something else is there as well – something more intimate. What's on my laptop is a reflection of my mind – the unadorned evidence, good and bad, flattering and embarrassing, of my victories and pratfalls, my joys and losses, my most elated moments and deepest thoughts. It's me.

Either you live in a world in which this extension of your very consciousness – and your constant access to it – is an inextricable part of your life, or you don't. You either appreciate that a laptop is a costly and delicate instrument you'd just as soon not be cavalierly tossed around by a TSA employee, or you do not. And you recoil at the thought of strangers pawing through that information on a whim, with trivial legal oversight, or you do not.

The taking of a laptop today is a striking act of confiscation almost without an equivalent 25 years ago. Back then, it would have taken a team of FBI agents days if not weeks to so comprehensively vacuum up a single American's health, business, financial and personal information, not to mention that of so many of his or her friends, family members, and business associates.

Today, Nosy McPatterson, your local TSA staffer, or Roscoe the border agent who got up on the wrong side of the bed that morning, can accomplish the same feat, and in an instant. They can paw through your photos and email during their lunch hour. And anyone present with a 13-year-old's understanding of computing can easily and unnoticeably make a quick copy of it onto a device that slips easily into a pants pocket.

Judge Korman says it doesn't happen very often, though there's evidence he's wrong. I don't think it should happen at all.

It was odd – there's surprisingly little talk about the ruling online. (It came down on New Year's Eve afternoon.) The more you read, the weirder the rules are. The so-called "border exemption" extends 100 miles inland from the border. That includes the population of the Eastern Seaboard, Miami, Houston, the west coast, and Chicago.

I wanted to find a smart legal mind who'd considered the issue. I finally found someone who had. He came up with a simple encapsulation to prevent this sort of intrusion into our private lives for no reason. It went like this:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized

That's the Fourth Amendment, of course. The writer was a guy named James Madison, with help from a few friends. Judge Korman, I am quite sure, isn't the sort to carry his life around in his laptop. It's OK that he doesn't. The ironic thing about his ruling is that while initially I thought it encapsulated a division between people who live in the past (the judge) and the future (me and I assume you), it's obvious this issue was well-debated – and from our point of view, resolved – by some smart people a very long time ago.

In the end, Judge Korman is the one with a different vision for the future. As a professional, mother, friend and citizen, I really don't like the looks of it. 

Copyright 2014, WestStar Multimedia Entertainment. All rights reserved.

Craigslist - How to Avoid Scams


(Alexandra Panzer @ yahoo.com) You really can find everything on Craigslist.org, like amazing deals — and also scams, crooks, and dangerous situations. 

Last month, one Michigan woman went to buy a car she discovered on Craigslist and found herself being robbed at gunpoint, for example, and a Connecticut man was arrested for allegedly selling phony Justin Bieber concert tickets to unsuspecting Craigslist users. 

Craigslist crime isn’t going anywhere, unfortunately, but there are some basic steps you can take to ensure both your safety and privacy.

Craigslist is a fantastic place to find everything from old furniture to exercise equipment to home appliances, so shop smart and don’t be scared off!

1. When browsing for products, avoid these red flags

  • sellers who post product photos pulled from the Internet instead of shots they have taken themselves
  • egregious errors in spelling and grammar that could have been generated by a bot
  • outrageous deals that are simply too good to be true
  • messages from auto-generated email accounts (i.e., addresses that look like this: “kydixororaqep”)

2. Do the research

Ask detailed questions about the product you want to buy over multiple emails or calls. This gives you information about the product and helps you gauge whether the product is real and the seller has firsthand knowledge of it.

Find out what your product is worth. Search similar listings on Craigslist, or search “completed listings” on eBay to see how much similar products have sold for.

Research the seller. Type the seller’s name, email address, address, or phone number into White Pages, Google, Facebook, or even Craigslist to verify that he or she is a real seller and that there aren’t any existing complaints lodged against her or him.

3. Simple steps for a safe exchange of goods

Local police stations across the country have started offering their lobbies and parking lots as Craigslist “safe zones” for wary users looking to secure the in-person aspect of their online purchase. If there’s one in your area, take advantage.

Meet in person and try to meet in public.

Exchange only cash.

Test the product. If you are buying electronics, make sure you meet somewhere with electrical outlets.

Bring a friend.

Do not allow a buyer or seller to change the location of your exchange at the last minute.

4. Payment “don’ts” to avoid having your money or identity stolen

  • Do not wire funds.
  • Do not accept cashier checks, certified checks, or money orders.
  • Do not give out your bank info.
  • Refuse background or credit checks.

CryptoLocker Ransom Ware Virus

Virus:   CryptoLocker

REAL VIRUS

Example:   [Collected via e-mail, October 2013]

there's a rumor going around that there's a virus called CryptoLocker. It apparently takes all of your files and you have a specific amount of time to pay the person the money they want for you to give it back. You cannot get rid of the virus without wiping your entire computer of all files and nobody's cracked it down yet... The big name virus companies don't even know about the virus quite yet.

Origins:   The so-called "CryptoLocker virus" is an example of ransomware, a class of malware that, once it has infected a particular computer system, restricts access to that system until the user pays a ransom. CryptoLocker is a particular form of ransomware known as cryptoviral extortion, a scheme in which key files on the system's hard drive are encrypted and thus rendered inaccessible to the user unless and until that user pays a ransom to obtain a key for decrypting the files.

The CryptoLocker worm is generally spread via drive-by downloads or as an attachment to phony e-mails disguised as legitimate messages from various businesses, such as fake FedEx and UPS tracking notifications. When a user opens such a message, CryptoLocker installs itself on the user's system, scans the hard drive, and encrypts certain file types, such as images, documents and spreadsheets. CryptoLocker then launches a window displaying a demand for ransom (to be paid in less-traceable forms such as Bitcoins and Green Dot Moneypaks) and a countdown timer showing the date and time before which the user must submit payment in order to obtain the decryption key before it is destroyed.

According to various accounts, users whose computers have been infected by CryptoLocker have been able to restore their files by paying the demanded ransom (usually $300 to be paid within 72 hours), and computer security companies haven't yet come up with a solid defense against the CryptoLocker malware:

If the ransom is paid before the deadline, a key is given to decrypt the files. If not, the key is destroyed and the files are effectively lost forever. Even advanced software security companies don't really have ways to restore the locked hard drive. Catching the hackers behind CryptoLocker may be the only way to retrieve the files.

The good news is that paying the ransom does actually decrypt the files, and the hackers behind CryptoLocker so far have been honest and not reinfected computers after the ransom is paid.

Security companies are working on a protection, but there isn’t one yet. Users should remain vigilant about their security online, double-checking the legitimacy of links received in emails and social media messages.

As the Guardian noted of CryptoLocker and its victims:

"If you haven't got a backup and you get hit by CryptoLocker, you may as well have dropped your PC over the side of a bridge," says Paul Ducklin, security adviser for anti-virus software company Sophos. Even if you had backed up your files, he says, if your back-up device was connected to your computer when CryptoLocker struck, you may not be able to recover them. Similarly, all the files in shared network drives that were connected at the time of the attack could also become encrypted and inaccessible.

CryptoLocker currently only affects PCs and can easily be removed with anti-virus software, but its effects cannot. "I don't think anyone in the world could break the encryption," says Gavin O'Gorman, spokesman for internet security firm Symantec. "It has held up for more than 30 years."

Ryan Rubin, MD of global risk consultancy Protiviti, agrees: "CryptoLocker has been designed to make money using well-known, publicly available cryptography algorithms that were developed by governments and other [legitimate] bodies. Unless you have the key, you simply cannot unlock the data that is encrypted."

So should anyone hit by CryptoLocker pay up? "You'd be in the same situation if your laptop got stolen — it just feels worse because you know that there is someone out there who has got this key. If your data is worth $300 to you, it must be very tempting to pay up, just in case it works," Ducklin says.

According to Symantec, around 3% of people hand over money in the hope of getting their data back. "But remember, you're dealing with criminals," Rubin says. "There is no guarantee they'll send you the key, and if they know you're susceptible to blackmail what is to stop them from doing it again?"

Bear in mind that every penny you pay them will fund their endeavors to target other victims. "If even a few victims pay then the cybercriminals will think they have got a viable business model and keep infecting people and asking for ransoms. If nobody pays, they will stop these campaigns," says Dmitri Bestuzhev, spokesperson for Kaspersky anti-virus software.

 

CryptoWall Ransomware FBI Warning

 


Photo © santiago silver - Fotolia

(Jennifer Abel @ ConsumerAffairs) The FBI's Internet Crime Complaint Center (IC3) issued an alert yesterday identifying a virulent form of ransomware known as CryptoWall as “the most current and significant ransomware threat targeting U.S. individuals and businesses.” Since April 2014, IC3 said it received 992 CryptoWall-related complaints, with victims' collective losses totaling over $18 million.

CryptoWall and its variants have been attacking targets in the U.S. since at least April 2014. The IC3 said that:

The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.

Demanding a ransom payout

As with most ransomware infections, CryptoWall is usually spread after the victim clicks on an infected link, opens an infected email, downloads an infected file or visits an infected website. Once it gets on your device, it encrypts your files so that you can't read them, and demands a ransom payout (usually via Bitcoin, because it's untraceable) to decrypt your data again.

In April, Karen from Raleigh, North Carolina fell victim to CryptoWall, which she suspects came from a Trojan virus infection on the TaxACT website. She wrote ConsumerAffairs in April to report:

When I downloaded the tax program, a notice popped up along with it that said all of our files were now encrypted and will not open. I closed the message and ran my virus scan. … This virus gets around your virus scan. I had to run the scan in Safe Mode in order to find it and delete it. But all our files, photos, etc. are corrupted and will not open. This type of virus demands you pay a "ransom" to get encryption code. We will have to bring our computer to someone to take it back to factory settings, but we lost all documents and photos.

Bad as Karen's experience was, Christine from Washington State, who wrote us in February, suffered even worse losses. Like Karen, she learned that virus scans won't necessarily detect CryptoWall; she didn't mention (or doesn't know) where she caught the virus, but:

[The virus scan] failed to stop the Cryptowall virus from infecting our computers. This resulted in over 20+ years of client data to be destroyed, a significant loss of income, additional financial expense in having to replace the computers, and on-going problems in attempting to rebuild lost data. Our e-mail program was destroyed as well.

Protecting yourself from malware

How can you protect yourself from CryptoWall and other forms of ransomware? By following the same protection rules for all malware, including:

  • Make sure your operating system, anti-virus, firewall, and other security software are all up-to-date.

  • Install and enable pop-up blockers. Criminals often use pop-up ads to spread malware, and the easiest way to avoid accidentally clicking a malicious pop-up is if it never pops up in the first place.

  • Never click on a link in an unsolicited email, text, or other messages.

  • Never download a zip file or any other attachments in emails from senders you don't know and trust.

  • Make sure the settings on your phone, tablet, computer or any other Internet-connected device are set so that nothing can be downloaded without your permission.

  • When getting messages allegedly from some company or service provider, remember the anti-scam rule “Don't call me; I'll call you” – and don't interact with anyone who breaks it.

In addition to these anti-malware rules, you should also remember to always make regular backup copies of your data and files, just in case some nasty malware (or an ordinary bad-luck hard-drive crash) damages or destroys your files.

The FBI's Internet Crime Complaint Center also recommends:

If you receive a ransomware popup or message on your device alerting you to an infection, immediately disconnect from the Internet to avoid any additional infections or data losses. Alert your local law enforcement personnel and file a complaint at www.IC3.gov.

Cryptolocker Ransomware hits systems and pocketbooks hard

Cryptolocker, a ransomware Trojan virus, encrypts a victim's files and then demands payment for the key, and is indicative of the lengths nefarious types will go to for a few dollars of ill-gotten gains.

Ransomware is on the rise and thanks to more than a few nefarious types and their victims, is proving to be an all too common way for electronic extortion to move into an enterprise. In many cases, it proves to be cheaper to pay for the privilege to unlock your data than it would be to remediate the impacted system, which only makes matters worse.

(TechRepublic) Take for example Cryptolocker, a ransomware Trojan that encrypts files and can spread in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe and can be hard to recognize, simply because Windows hides file extensions by default - that file may look like a PDF file rather than an executable.

Double clicking on the Cryptolocker infected file launches an executable, which infects computers just like any other malware by placing its files in Windows directories and creating registry entries that allow it to restart after a reboot. Cryptolocker also attempts to contact its command and control (C&C) server using a random domain name generation algorithm to try and find a current C&C server. Some sample Cryptolocker domains might look like this:

jkamevbxhupg.co.uk

uvpevldfpfhoipn.info

Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key for the specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is only stored on the attacker's C&C servers, but the public key is saved in a registry entry on the computer. Cryptolocker then uses that key pair to encrypt many different types of files on the computer, including:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

After the encryption process completes, Cryptolocker displays a screen with a warning that requires a payment of either $300 or £200 within 72 hours to regain access to the files.

What should I do if I get infected?

If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can't access its C&C, it can't encrypt files. Disconnecting the machine may prevent further files from being encrypted.

There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker's encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today.

If Cryptolocker encrypts some of your files, you should check if you have a backup, which would be the best chance for recovering the lost data. Adding insult to injury is that there are reports claiming Cryptolocker's decryption does work, and paying the ransom may only result in the loss of your money.

How can I avoid Cryptolocker?

Most commercial antivirus (AV) products can detect many variants of Cryptolocker, which means protection starts with using both host-based and network-based AV products that are kept up to date. However, Cryptolocker's authors are very aggressive at re-packing their malware to make the same executable file look different on a binary level, which helps it evade some AV solutions. In short, though AV helps, some variants may get past some AV solutions. Other defenses are becoming a must as well, such as reputation-based defense systems that keep track of millions of malicious URLs and websites. That means access to sites that distribute or support malware can be blocked, effectively preventing infected hosts from reaching C&C servers.

Awareness proves to be one of the best defenses, because Cryptolocker typically spreads via some obvious phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. Training users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on, should prove to be an effective first line of defense.
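User training can be backed by an automated check at the mail gateway or on the desktop. The following added example (not from the original article) lists the entries of a zip attachment and reports any file whose real, final extension is executable while the extension before it imitates a document. It goes slightly beyond the plain double-extension case by also catching names padded with spaces to push the real extension out of view. The extension lists and sample file names are assumptions constructed for the illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for illustration; extend them to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}

# Constructed name: spaces push ".exe" out of a narrow file-name column.
PADDED_NAME = "UPS_Invoice.pdf" + " " * 10 + ".exe"


def is_double_extension_executable(name):
    """True if the final extension is executable and the one before it is a decoy."""
    # Use only the file name, whichever path separator the archive used.
    base = PurePosixPath(name.replace("\\", "/")).name.lower()
    base = base.rstrip(" .")  # Windows ignores trailing dots and spaces
    stem, dot, ext = base.rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXTS:
        return False
    stem = stem.rstrip(" _")  # drop padding placed before the real extension
    _, inner_dot, inner_ext = stem.rpartition(".")
    return bool(inner_dot) and "." + inner_ext in DECOY_EXTS


def scan_zip(data):
    """Return the names of double-extension executables inside zip bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [
            info.filename
            for info in archive.infolist()
            if not info.is_dir() and is_double_extension_executable(info.filename)
        ]


def build_sample_zip():
    """Build a constructed test archive in memory; contents are placeholder bytes."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in (
            "FedEx_Tracking_Label.pdf.exe",  # classic double extension
            PADDED_NAME,                     # double extension with padding
            "docs/invoice.pdf",              # ordinary document
            "tools/setup.exe",               # executable, but not disguised
            "report.v2.exe",                 # dotted name, inner part is not a decoy
        ):
            archive.writestr(name, b"constructed placeholder content")
    return buffer.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print("double-extension executable:", repr(hit))
```

An undisguised executable such as tools/setup.exe is deliberately not reported here; many mail policies block every executable attachment, which is a separate and stricter rule.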

Cyber Mercenaries

(Stu Sjouwerman @ CyberheistNews) There is an interesting development I thought you should be aware of, and perhaps communicate to the powers that be in your organization.

By now it is well known that organizations get attacked all the time, and 91 percent of the organizations that were recently polled by Kaspersky suffered a successful cyber-attack at least once in the preceding 12-month period, while 9 percent were the victims of Advanced Persistent Threats.

What's new is the increasing rate of businesses turning to cyber mercenaries to penetrate their competitors’ networks. Outsourced cybercriminal gangs penetrated networks and exfiltrated terabytes of sensitive information. Other attacks were outright sabotage using malware to wipe data, block infrastructure operations, or DDoS attacks that shut down a competitor's public-facing websites. A data-wipe example was Saudi Aramco where 30,000 workstations were completely wiped out by malware this year.

Unfortunately, cybercriminals are incredibly innovative; they are constantly improving their malware using unconventional approaches. The most recent wave is a so-called encryptor, which spreads both in corporate environments and at home. Once the Crypto-locker malware takes over the workstation, it asks for a $300 ransom to release the files. If this "ransomware" has been able to encrypt the files on a workstation and/or network shares, you had better hope you have a working backup, then wipe and rebuild that machine.

In 2013 we saw the first instance of targeting full supply chains. An example is discussed in a new research paper (link below) on the discovery of "Icefog"; a small but energetic APT group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. It's obviously some Chinese operation, it started in 2011 and has increased in size and scope over the last few years.

That’s a good example of what are now called cyber mercenaries: small hit-and-run gangs that attack with surgical precision. They appear to know exactly what they need from the victims.

"They come, steal what they want and leave, they are for hire, provide cyber-espionage/cyber-sabotage activities on demand, following the orders of anyone who pays them,” said the report. The Icefog targeted attacks rely on spear-phishing e-mails that attempt to trick the victim into opening a malicious attachment or a website. Security Awareness Training is not a nice-to-have these days, it is a must... Link:
http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf

http://active-technologies.com/content/cyber-mercenaries

 

 

Cyber Threat 2013 Live On Your Devices

(Mark Huffman @ ConsumerAffairs) The Internet has become more sophisticated over the years and so have the threats to users. Today, hackers are doing more than sending out infected spam emails -- they're exploiting the system's vulnerabilities to threaten consumers.

Experts at Georgia Tech -- the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI) -- constantly work to stay one step ahead of the hackers. They say the coming year will pose some steep challenges.

Here are some threats they say consumers should be aware of:

Cloud-based botnets

The ability to create vast, virtual computing resources will further persuade cyber criminals to look for ways to co-opt cloud-based infrastructure for their own ends. For example, attackers can use stolen credit card information to purchase cloud computing resources and create dangerous clusters of temporary virtual attack systems.

Search history poisoning

Cyber criminals will continue to manipulate search engine algorithms and other automated mechanisms that control what information you see when you do a search. Moving beyond typical search-engine poisoning, researchers believe that manipulating users’ search histories may be a next step in ways that attackers use legitimate resources for illegitimate gains.

Mobile browser and mobile wallet vulnerabilities

This, unfortunately, may be a fertile growth area for scammers. While only a very small number of U.S. mobile devices show signs of infection, the explosive proliferation of smartphones will continue to tempt attackers in exploiting user and technology-based vulnerabilities, particularly with the browser function and digital wallet apps.

Malware counteroffensive

Unfortunately, your anti-virus software may prove less effective against emerging threats. The developers of malicious software will employ various methods to hinder malware detection, such as hardening their software with techniques similar to those employed in Digital Rights Management (DRM), and exploiting the wealth of new interfaces and novel features on mobile devices.

"Our adversaries, whether motivated by monetary gain, political/social ideology or otherwise, know no boundaries, making cyber security a global issue,” said Bo Rotoloni, director of GTRI’s Cyber Technology and Information Security Laboratory. “Our best defense on the growing cyber warfront is found in cooperative education and awareness, best-of-breed tools and robust policy developed collaboratively by industry, academia and government.”

The bottom line, say the Georgia Tech experts, is users must keep their guard up in the coming year.


Cylab Researchers Expose How Our Ability To Spot Phishing Is Spotty

Interesting news item from Carnegie Mellon's CyLab. Each year, tens of millions of phishing emails make it to employees' inboxes, not caught by spam filters. Of the ones that make it through, millions slide past your users' judgment and are clicked and opened. A recent study revealed just how likely users are to take the bait.

“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” says Casey Canfield, a CyLab researcher from Carnegie Mellon’s Department of Engineering and Public Policy.

In the study, on average participants were only able to correctly identify just over half of the phishing emails presented to them. Fortunately, participants displayed a little more caution when it came to their behavior: roughly three-quarters of the phishing links were left un-clicked.

Based on the results, the authors of the study suggest interventions such as providing users with feedback on their abilities and emphasizing the consequences of phishing attacks. One effective training method that companies commonly use, Canfield explains, is sending out fake phishing emails and teaching a user about phishing emails if they open the email. 

“It seems like those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” Canfield says. “Helping people tell the difference may not be as useful as just encouraging them to be more cautious.”

 

D-Link inadequate security on internet cameras and routers

(Truman Lewis @ ConsumerAffairs) The Federal Trade Commission has been warning electronics manufacturers that they must do more to protect consumer privacy. Its latest action is a complaint against D-Link, the Taiwan-based company that manufactures network routers, internet cameras and other devices.

The complaint alleges that inadequate security measures taken left the devices vulnerable to hackers and put U.S. consumers’ privacy at risk.

“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”         

The D-Link complaint is part of the FTC’s efforts to protect consumers’ privacy and security in the Internet of Things (IoT), which includes cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

 "Easy to secure"

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite those claims, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:

  • “hard-coded” login credentials integrated into D-Link camera software -- such as the username “guest” and the password “guest” -- that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

The complaint was filed in the U.S. District Court for the Northern District of California.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by a federal district court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Why people still fall for phishing emails

(Mark Huffman @ ConsumerAffairs) Emails that pop into your inbox, appearing to be from a bank, utility, or shipping company, are favorite vehicles for scammers.

These phishing emails are intended to hook you, persuading you to click on a link or provide logins, passwords, and other sensitive data. Many of these scams are seemingly easy to spot, but millions of people still fall for them.

H.R. Rao, a security expert at the University of Texas at San Antonio (UTSA), did a study to find out why. He concludes that too many consumers are overconfident in their ability to determine which email is for real and which one is a scam.

Rao thinks most people believe they're smarter than the criminals behind these schemes, and that is one reason so many fall easily into the trap. Other recent research on the subject has reached similar conclusions.

"A big advantage for phishers is self efficacy," Rao, a UTSA College of Business faculty member, said. "Many times, people think they know more than they actually do, and are smarter than someone trying to pull off a scam via an e-mail."

Remember the Nigerian prince?

Long-time internet users have seen all sorts of phishing emails. A decade or so ago, it was very common to hear from a deposed Nigerian prince who was desperate to get his fortune out of the country and just needed access to your bank account to accomplish that.

But if that is still your view of what a phishing email is, Rao says you could be vulnerable to today's updated, refreshed phishing schemes. Today, he says phishing emails come disguised as messages from companies, and even people, that the recipient knows and trusts.

"They're getting very good at mimicking the logos of popular companies," Rao said.

Speaks from experience

Rao speaks from experience. Last year he says he got an email that appeared to come from UPS, informing him there was a problem with a package he had sent. Since he had just sent out a package via UPS, Rao said his initial reaction was that the message was legitimate.

Remember that the scammer is playing a numbers game. If he sends out 20 million messages that there is a problem with a UPS shipment, the majority of recipients would disregard the message because they had not sent anything recently using UPS.

But suppose 40,000 of the recipients had just sent a package with the carrier. If half fell for the scheme, the scammer would have ensnared 20,000 victims.

Overconfidence is a killer

"In any of these situations, overconfidence is always a killer," Rao said.

In a recent study, participants were asked to judge a large number of emails, identifying the ones that were real and the ones that were fakes. Participants also gave the reasons for their conclusions.

Rao and his colleagues found overconfidence played a major role when participants misidentified a scam email as real.

The defense against these schemes, says Rao, is a healthy dose of skepticism about any email that lands in your inbox.

In the event of a message from UPS that there is a problem with your shipment, don't click on a link. Instead, contact UPS customer service directly.

DNS Changer Fix

If you think you have been affected by this malware, you do need to fix your computer. The malware tool kits used to change your computer’s DNS settings are very pervasive. Initially, the only way researchers could ensure that a machine was fixed was to reformat the hard drive and reinstall the operating system from scratch. The malware affected the boot blocks on the hard disk of the computer, so even if people just reverted their operating system to a prior backup, the malware could reclaim the PC. Later on, several anti-malware software companies came up with fixes that removed the software correctly. Some of them are listed below.

In addition to modifying your computer’s DNS settings, the malware also looked for home routers to which the computer was attached and modified their DNS settings as well.  Not only were the infected computers using rogue DNS services, but other devices in the household or office as well, including wifi-enabled mobile phones, tablets, smart HDTVs, digital video recorders, and game consoles.  The criminals would change the web content that users downloaded to suit their needs and make money.

Below are some steps to follow:

  1. The first thing you want to do is make a backup of all of your important files.  You might go to a computer store or shop online for a portable hard drive and copy all of your files onto that drive.
  2. Either you or a computer professional that you rely upon and trust should follow the “self help” malware clean up guides listed below.  The goal is to remove the malware and recover your PC from the control of the criminals that distributed it.  If you were already thinking of upgrading to a new computer, now may be a good time to make the switch.
  3. Once you have a clean PC, follow instructions for ensuring that your DNS settings are correct.  If you’re not using a new PC, you’ll want to check that your computer’s DNS settings are not still using the DNS Changer DNS servers.  We hope to have some of our own instructions soon.  Until then, the instructions and screen shots found in step 2 at http://opendns.com/dns-changer are quite good if you want to manually set your DNS settings.  You also have the option to return to using your ISP-provided automatic settings by choosing the “automatically” option (Windows) or deleting any DNS servers listed (MacOS).
  4. After you have fixed your computer, you will want to look at any home router you’re using and make sure they automatically use DNS settings provided by the ISP.  We’ll have a document for this soon.
  5. Changing DNS is only one of the functions of the malware kits.  The malware could have been used for capturing keystrokes or acting as a proxy for traffic to sensitive sites like bank accounts or social media.  It would be a good idea to check your bank statements and credit reports as well as change passwords on any online accounts especially saved passwords from your applications or web browsers.

How can you fix, remove, and recover from a DNS Changer Violation?

Please take immediate steps to safeguard your computer and data if any of the tests indicate that you might be affected by DNS Changer. If the Check-Up Site indicates that you are affected, then either follow the instructions on that site or run one of the free tools listed below to remove DNSChanger and related threats:

Name of the Tool | URL
Hitman Pro (32bit and 64bit versions) | http://www.surfright.nl/en/products/
Kaspersky Labs TDSSKiller | http://support.kaspersky.com/faq/?qid=208283363
McAfee Stinger | http://www.mcafee.com/us/downloads/free-tools/stinger.aspx
Microsoft Windows Defender Offline | http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
Microsoft Safety Scanner | http://www.microsoft.com/security/scanner/en-us/default.aspx
Norton Power Eraser | http://security.symantec.com/nbrt/npe.aspx
Trend Micro Housecall | http://housecall.trendmicro.com
MacScan | http://macscan.securemac.com/
Avira | http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199 (Avira’s DNS Repair-Tool)

 

How can I use these tools to clean my computer?

Each of these tools has instructions for its use. But the best recommendation is to use one of the proven “self help” malware clean up guides, using several tools to ensure you clean all the infections from your computer. Most malware will disable your software and anti-virus updates. The procedures below address that problem, using several tools to remove the blocks, remove the malware, and then update your computer.

Guide | How to Use | Language
Microsoft's Safety and Security Center | Microsoft's authoritative portal for all their security guidance, tools, and capabilities. | English
Apple's Security Page with pointers to keep your Mac safe | Scroll down to the section on "Checking Security in your System." This has the pointers to ensure your Mac is as secure as possible. | English
DSL Report’s Security Cleanup FAQ | A community driven self help guide to fix malware problems on your systems. | English
Andrew K’s Malware Removal Guide | Andrew K is an individual who shares his experience on-line. This guide is an often referenced guide to remediate malware problems on a computer. | English
Public Safety Canada’s Malware Infection Recovery Guide | The Canadian Public Safety office (publicsafety.gc.ca) has a malware removal guide updated and focused to help the general population. | English
Australia’s Stay Smart Online Factsheet to help Remove Malware | Stay Smart Online Factsheet 11, Part 1 - You suspect your computer is infected with malicious software - what should I do? | English

 

 

DVR Malware Hackers Paradise

When looking for the source of a malicious infection on a computer network, a digital video recorder (DVR) might not make it on the radar of a malware fighter. That could be a mistake, according to one security expert.

“I can show you today 10,000 hacked DVRs in the United States alone,” NorseCorp CTO Tommy Stiansen said in an interview.

NorseCorp bills itself as a gatherer of intelligence from the dark side of the Internet. It has more than 1000 computers acting as honeypots around the globe raking in 19TB of data a day on malicious activity and providing real-time threat information to organizations that plug into its API.

Norse recently discovered that one of its clients, a credit union, was spewing malicious traffic to the intelligence firm’s honeypots. “The bank was completely infiltrated with malware,” Stiansen said.



The scary part about the situation was that traffic wasn’t being generated by the bank’s infrastructure. “The traffic was coming from a DVR from a cable provider connected to the bank's network,” Stiansen added. “The DVR had been compromised and had compromised the whole network of the bank.”

The credit union posted a warning on its website to its customers alerting them that they may be the target of scams, not realizing that the financial institution itself was infecting its customers with the malware that was making them the targets, Stiansen said.

No firewall for the DVR was provided by the cable company, so it was up to the network administrator to segment the DVR from the network. That’s the kind of security precaution most administrators would overlook, Stiansen said. After all, what network administrator would think that their DVR had been compromised?

“It’s scary, but that’s the state of technology today,” he said.

Cybercriminals have long been using malware that allows them to infect banking websites and steal customers' credentials with bogus forms and such, but recently they’ve adopted automation techniques that allow them to eavesdrop on live banking sessions and perform transactions under a customer’s nose.

However, one of the most popular ways to compromise banking credentials remains the use of banking Trojans like Zeus, whose writers have expanded its targets in recent times to include Facebook members, and payroll services.

Zeus can be a particularly difficult, pernicious infection to counter because there are so many variants of it. “There is one new variant of Zeus created every day,” Stiansen said.


Dangerous Rise in RansomWare

(Mark Huffman @ ConsumerAffairs) Ransomware, malware that takes over your computer and holds your files hostage, is nothing new. But its latest incarnation is something that has the FBI and other law enforcement officials worried.

What has galvanized official attention and terrorized some computer users is Cryptolocker, a Trojan that encodes all the files on your computer so that you cannot access them without the key. And the key will cost you. A spokesman for the FBI in Boston says having Cryptolocker on your computer is about the same as having your computer “destroyed.”

Launched with email

It all starts when you receive an email purporting to contain tracking information about a package that is in transit. This time of year millions of consumers are expecting packages.

The email contains a link with instructions to click on it to find out where your package is. However, if you click on the link you launch Cryptolocker and your computer locks up. A screen pops up with instructions to follow, along with a countdown clock. When the clock reaches zero and you have not submitted payment the program destroys all the files on your computer. Yeah, these guys don't mess around.

According to a report by WBZ-TV, even the Swansea, Mass., Police Department fell victim. The entire department's computer system fell under control of Cryptolocker and it cost the police $750 to get it unlocked.

The security software firm Sophos says Cryptolocker is a worldwide problem and could get much worse in the year ahead. Once a computer is infected, Sophos experts say the Cryptolocker gang demands a payment of about $300 in untraceable bitcoins in exchange for the encryption key to unlock the files. But as in any extortion scheme, there is no guarantee that they will unlock your computer after they have received the ransom.

Dangerously simple

The danger, says James Lyne, Global Head of Security Research at Sophos, is Cryptolocker's simplicity. It requires no special set of skills and your average non-hacker scammer can easily figure out how to use it. Not only will it become widespread but we could see even more variations of it in the years ahead.

“Cryptolocker is very much a deviation from the norm, and I actually think it is a sign of things to come,” James said in an interview with the BBC.

Security experts at McAfee say Cryptolocker is a significant jump in the threat level from so-called “scareware.” This type of malware flashes a warning that your computer has been infected with a virus and offers to remove it for the small cost of a download.

McAfee says most scareware programs are easily removed and consumers soon learned they didn't have to pay. Cryptolocker, however, significantly raises the bar.

“The encryption method may be known but if the key used is unknown then decryption is, if not actually impossible (the NSA could probably do it), then not feasible for almost everyone who is affected,” McAfee warns on its website. “Cryptolocker is the most recent and most widespread of this class of ransomware, and someone somewhere is raking in the cash as a result. Note that payment for decryption cannot be done using credit cards: you have to make payments using MoneyPak vouchers or BitCoins.”

In the video below, a British security expert purposely infected a computer and walks you through the steps of paying off the extortionists and getting your files back. As you will see, it is not a simple process.

To avoid falling prey to this scam, never click on a link in an email.  Easier said than done, perhaps, but that's the unfortunate truth.

 

Data Recovery Experience: Lightning Struck Twice

Unbelievable! Two catastrophic failures with total potential data loss within the same company, three years apart. Each time, it was a miracle that the data was recovered. But man was it close.

The first time it happened was on a Friday in March 2008. The company was running a ten-year-old NT 4.0 server. One of the old 16 bit SCSI hard drives failed and I was called in to install a new server and transfer data. I thought it was simple because it was the boot drive that failed, and rarely do you find important data on a boot drive. However, in this case, the software vendor insisted on placing their program and data on the boot drive and wouldn't you know it, the drive would not spin (work). The boot drive and data were lost.

The administrative assistant was responsible for backups. She used flash drives and carried them home with her each evening. However, this evening, she was on a cruise in the Caribbean and could not be contacted. So here we are, data drive won’t spin and the backups are in the middle of the ocean. What to do:

I contacted every vendor I know to see if I could find a SCSI drive like the one that failed. Could not find one. So I broke the news to my customer (they were devastated) and I began setting up the new server, minus critical data. The next day, Saturday, my wife and I went to a local flea market. Wouldn’t you know it, one of the flea market vendors that sold old computer parts had the right SCSI card and cables with three drives attached to it that matched my customer’s broken SCSI drive. I bought them all for ten dollars. Next I plugged them into a workbench computer, and they all worked! (In fact, they still had company data on them from a local accounting firm, but that’s another story).

What I did was take one of the flea market drives apart, remove the platters, and replace them with my customer’s drive platters. Drive platters degrade quickly when exposed to air, so if this was to work, I would have a limited time to read and back up the data. Talk about good fortune, the drive spun, and I was able to get all the data off of the drive and onto the new server. Can you imagine the odds against that happening, being successful? I’m not that good, but sometimes it’s better to be lucky than good. There was jubilation and celebration in the office Monday morning when I installed the server with data intact!

We implemented a three-tier backup system. Data on the server's mirrored data drives was backed up to the boot drive. Data was backed up from the server to the Admin Workstation. Data was also placed on removable media that went home with the Admin each night. Sounds like an “air tight” system, aah.

Fast forward to November 2011. My customer dropped maintenance a year ago due to the economy. They also lost half of their employees, including the one that was responsible for the backup system on the new server. Since her computer was turned off, there were no internal backups, and, of course, no external backups to removable media. In my absence, their critical data was moved from the mirrored data drives to the “boot drive” by the software vendor, thus negating the backup that occurred within the server. So here we are, three years later, a blown hard drive and no backup! Lightning struck twice!

So here I am, again, reporting to the customer the possibility of catastrophic failure. This isn't good for me, but I feel the pain and anxiety as much or perhaps more than the customer. Each time this happened, I swear it took ten years off my life from worry and stress. Fortunately, this was a SATA drive, and fairly new. I was able to find an exact match that day. But would swapping the platters work again? This is very risky. Well, it worked again, and the next day, their system was up and running with data intact. We reinstated the old backup system with new people, moved the critical data to the mirrored drives and made certain the software vendor had it in their record NOT TO MOVE IT AGAIN. Hopefully, we won’t be doing this again in three years.

Bottom line: make sure you have good backups every day. Make sure you are backing up the right data, and make sure you know how to restore your data if needed. Many companies that lose their critical data go out of business. Don’t let this happen to you!

Disable McAfee Auto Renewal

(Mark Huffman @ ConsumerAffairs) Here's a simple fact that too often gets overlooked: Once you sign up for subscription services, chances are you will find your subscription renewed automatically unless you take steps to prevent it.

Some consumers have trouble with that, particularly with McAfee anti-virus software, which is supposed to protect your computer from viruses and malware.

"I am disappointed in McAfee for auto-renewing my anti-virus subscription,” Steven, of Richardson, Texas, wrote in a ConsumerAffairs post. “I did not authorize McAfee to charge me nor did I authorize McAfee to retain my billing information. I will not be doing business with McAfee again and I will instruct my staff to no longer do business with McAfee.”

By now Steven and other consumers should realize that anti-virus software vendors – and not just McAfee – default to auto renewal when you set up an account. The companies realize that when the contract expires, there's a very good chance you will decide not to renew.

Beat the system?

Anne, of Gilbert, Ariz., thought she didn't have to worry about an auto-renewal since she got a new debit card from her bank and didn't update her McAfee account to show the new card number. She figured when McAfee tried to charge her for another year, they would hit a brick wall. She was wrong.

“I received an email stating that my debit card had been charged $103 for auto renewal,” Anne wrote. “I called and had the charges reversed and cancelled McAfee online. When I asked how they had my new debit card number the customer service rep told me that they had a deal with the bank to send updated card info. Is this sharing of credit card info actually legal and if so then it is definitely not an ethical business practice.”

It's legal, though some consumers might debate whether it is ethical. It's called Visa Account Updater, an automated system that Visa says "enables the electronic exchange of updated account information among participating merchants, their Visa Merchant Bank, and Visa card Issuers.” So without your being aware of it, your bank will provide your updated account information to a company you have been doing business with so they can continue to charge you. 

How to disable

If you want to end your subscription service to McAfee, or any other service for that matter, you are going to have to go onto the company's website and disable the auto-renew. Here's how to do it for McAfee:

  • Open a web browser and go to http://home.mcafee.com.
  • Click My Account at the top right of the McAfee Downloads website.
  • Log in using your email address and password, and click Log In. If you do not have a McAfee account, select New User? Register Now, follow the prompts to create your McAfee account, then click Log In.
  • Click Auto-Renewal Settings.
  • Select Turn Off. If your Auto-Renewal is set to Off, you don't need to do anything.

If you require additional assistance, contact Customer Service by chat or phone. Other services likely have similar disabling procedures. To find instructions for the company you're dealing with, Google “how to disable auto renewal for (name of company).”

One last thing: You need to disable auto-renew before the subscription renews. The day after is one day too late.

Discard Old Computer Hardware Without The Corporate Secrets

For many companies, the best solution for getting rid of old personal computers is to donate them to schools, churches, or other organizations. But while donating old desktops to tax-exempt organizations is a great idea, donating your corporate data isn't.

When it comes time to purchase new computers, how do you decide what to do with the old hardware? This is a growing concern for organizations, particularly when you consider the rate at which new technology makes its way to the market. The problem has even spawned its own buzzword, e-waste.

For many companies, the best solution is to recycle old personal computers, donating them to schools, churches, or other organizations. While this approach is good for the environment, your corporate image, and a worthy cause, that doesn't necessarily mean your corporate security will fare as well.

Donating old desktops to tax-exempt organizations is a great idea, but donating your corporate data isn't. Before donating or trashing your old computers, you need to take several steps to make sure that is all you are discarding.

Unless you have been using your computers to store nuclear secrets, trademark secrets, or some other top-secret data, the following steps should be sufficient to ensure your own corporate secrets stay safe. First, let's look at what you don't need to worry about.

Memory
You don't need to crush or destroy the computer's memory. Turning off the computer automatically clears the random access memory (RAM).

Monitor
At one time, people used to degauss (i.e., neutralize the magnetic field) the computer's monitor to ensure the removal of any remnant images. With today's monitors, however, this is no longer necessary.

Printers
If your printer uses a ribbon, you can throw it away or burn it if you're really paranoid. Otherwise, there's no need to disassemble the printer and throw away good ink cartridges.

Hard drives
This is the only area that requires special attention. Hard drives should receive a low-level format. And if the data is particularly sensitive, take the drive apart and grind the platters.
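
The gap between a quick format and a wipe that actually clears the platters can be checked rather than assumed. The sketch below is an added example, not part of the original article: it uses a zero-overwrite pass as a stand-in for the low-level format mentioned above, and the 32 KiB image file, its contents and all function names are constructed for illustration.

```python
import os
import tempfile

SECTOR = 512  # bytes per sector in the constructed image


def build_sample_image(path, sectors=64):
    """Create a constructed 32 KiB 'drive': an index in sector 0, data in 10 and 40."""
    with open(path, "wb") as img:
        img.write(b"\x00" * SECTOR * sectors)
        for number, text in ((0, b"INDEX payroll@10 customers@40"),
                             (10, b"PAYROLL (constructed sample record)"),
                             (40, b"CUSTOMER LIST (constructed sample record)")):
            img.seek(number * SECTOR)
            img.write(text)


def quick_format(path):
    """Model a quick format or file deletion: only the index sector is cleared."""
    with open(path, "r+b") as img:
        img.write(b"\x00" * SECTOR)


def overwrite_all(path, chunk=16 * SECTOR):
    """Overwrite every byte with zeros and force the result out to the device."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as img:
        while remaining > 0:
            step = min(chunk, remaining)
            img.write(b"\x00" * step)
            remaining -= step
        img.flush()
        os.fsync(img.fileno())


def residual_sectors(path):
    """Return the numbers of all sectors that still hold any non-zero byte."""
    dirty = []
    with open(path, "rb") as img:
        number = 0
        while True:
            block = img.read(SECTOR)
            if not block:
                break
            if any(block):
                dirty.append(number)
            number += 1
    return dirty


def demo():
    """Run the three stages on a temporary image; return the scan after each."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_sample_image(path)
        as_used = residual_sectors(path)
        quick_format(path)
        after_quick = residual_sectors(path)
        overwrite_all(path)
        after_overwrite = residual_sectors(path)
        return as_used, after_quick, after_overwrite
    finally:
        os.remove(path)


if __name__ == "__main__":
    labels = ("in use", "after quick format", "after full overwrite")
    for label, result in zip(labels, demo()):
        print(f"{label}: sectors with data = {result}")
```

The quick format clears only the index, so the payroll and customer sectors are still readable; only the full overwrite leaves the scan empty, and that empty scan is the evidence to record before a machine is donated.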

Disk Encryption Why You Should Always Use It

Disk encryption is one of those physical security features that determine whether I install a Linux distribution on any computer I use for serious computing. Whether it’s a server, notebook, ultrabook or any other type of *book, if it’s not a crash-and-burn unit, the hard disk drive (HDD) has to be encrypted.

And no, it’s not because I have anything to hide, it’s just that personal data should be just that – personal, and private. If you are not authorized (by the owner) to see it, you don’t.

This becomes especially important in this age of warrantless orders, national security letters, and judicial overreach, where a bunch of trigger-happy guys from any government agency can show up at your place and cart off everything and anything they can get their paws on.

Take the case of Kim Dotcom, who lives in New Zealand. Back in January 2012, based on charges of copyright infringement related to the Megaupload file-sharing website, the New Zealand police raided his residence and bagged everything they could find. Cloned copies of his HDDs were sent to the FBI in the US of A.

Now, Kim Dotcom is not without blemishes in his character; the guy has a criminal history that dates back to his teenage years. But that’s not the point of discussion here. The gist of this article is what we can learn from the legal aspect of the case against him.

Since the raid of his residence and seizure of his assets, the raid has been deemed, by the courts, to be illegal and the warrant detailing what could be seized too broad. Virtually every single court case has come out in his favor.

In the latest decision, the judge overseeing the case ruled that all digital material taken from his residence that is not relevant to the case should be returned (to Kim). And that any copies of HDDs sent to the FBI be returned.

Too late!

Do you think the US government is going to comply with the decision of a New Zealand judge? Fat chance. Even if they did, don’t you think they’ve already made copies of the copies, and copies of the copies of the copies? And if those HDDs were not encrypted, what good will returning them at this point do?

Again, it’s too late. Lesson? Always encrypt your HDDs. It’s not about who is a good or bad guy, or who has something or nothing to hide. It’s about having the final say on who can have access to your personal data. In cases of this sort, it’s better to be in a position where the authorities are going to court to get you to give up your encryption passphrase(s).

Regarding full disk encryption in the graphical installation programs of Linux and BSD distributions, Anaconda, the Fedora systems installer, the Debian Installer, and PC-BSD’s installer are the best. Note that the graphical installer of Sabayon is a fork of an older version of Anaconda, but it, too, has support for full disk encryption.

Do Not Keep Important Information On Flash Drives

(Mark Huffman ConsumerAffairs) 

A reporter faces the loss of important data and sees the error of his ways. It's a modern nightmare. I had stopped at a 7-11 in Fredericksburg, Va., Wednesday on my way to meet a colleague for lunch. As I was getting back in my car my cellphone rang.

As I retrieved it from my pocket I thought I heard something hit the asphalt parking lot. I looked, saw nothing, continued my conversation and then resumed my journey. Hours later I realized my 64 GB flash drive was not in my pocket where it was supposed to be.

A 64 GB flash drive holds a lot of data and I had put a lot on it, transferring things from one computer to the next. Then I got lazy and started using the drive for storage, meaning I didn't always back up files to other computers, a huge no-no. Worse still, some of the files on the drive were financially sensitive, another taboo.

Violating my own rules

I've written a number of articles about data breaches and have urged consumers to be careful with their data and I had violated nearly all the rules. Not willingly, of course. I had meant to clean up the drive but somehow just never got around to it. Then suddenly, I lost my opportunity.

Returning to the 7-11 hours after my first visit I held out little hope the flash drive would still be where it fell. There was even a young employee sweeping the driveway and he said he was sure he hadn't swept up a flash drive.

That evening I changed passwords and accepted the fact that many original files were lost. But the next morning there was an email from Chris, a computer science student at Germanna Community College, who had found the drive, taken it home and repaired it after a car had run over it. By the end of the day, it was back in my possession.

Better lucky than good

Mine was an extremely humbling experience but in the end, I got very lucky. However, you can't count on luck.

Besides the mistake of storing original and sensitive files on the drive the other mistake I made was carrying it in a pocket. These things are small and it's a sure way to lose them.

Instead, if I continue to use a flash drive I will use some type of accessory to secure it. One of the most common accessories is a key chain attachment. The drive stays on your key ring, and as long as you don't lose your keys you probably won't lose the flash drive.

If a drive contains sensitive data, it should also be password protected. You can use encryption software or you can buy an encrypted flash drive.

But finding ways not to use a flash drive may be the most prudent course of action. A service called Dropbox, for example, allows you to store files in the cloud and sync up all your devices, so files are available on your desktop, laptop, tablet or smartphone. There are other similar services.

Carrying a flash drive in a secure way, password protecting it and not keeping original or sensitive data on it is the way to sleep at night. Lesson learned.

Do You Own Your Digital Music Video And Books

As Bruce Willis considers a legal bid to bequeath his iTunes library, we look at who actually owns your digital content – from music and books to film – and what your rights are

It used to be so easy: your photographs filled up boxes and albums; your CDs, books and films filled up shelves; your thoughts and ideas filled up notebooks and diaries, and when you died there were physical things to be distributed among your family and friends.

Technology has changed the way we keep and share our memories, and also the way many of us own our books and music. News that Bruce Willis is reportedly considering legal action against Apple to make sure he can leave his virtual record collection to his daughters will have surprised anyone who thought their online possessions were theirs to dispose of as they choose. So what rights do you have over the accounts and goods that exist only virtually?

"Across the world the law is in a state of flux – it hasn't evolved to keep up with innovation in digital content," says Jas Purewal, interactive entertainment and digital media lawyer at Osborne Clarke. "It is set up to deal with physical goods, and it is not clear therefore what the position is with social network accounts, iTunes accounts, your subscription to Netflix, and so on."

There are not yet statutory laws around ownership of virtual goods, nor is there case law. The EU is looking at consumer protection in this area, but nothing has yet been passed, so Purewal says it is being left to the providers of content to decide what they will allow consumers to do with items they buy and share online. He says there are promising signs judges recognise that virtual content can be owned like physical content, citing the 2011 case of a man jailed for stealing online poker chips.

Music and films

You might be surprised to find that in most cases you are effectively leasing the content, not buying it. This is because you are generally being sold a licence to use the song or film, not the item itself. Where the music is downloaded on to a device you can leave that to someone, but you cannot leave instructions to share out the holdings in your iTunes account after you are gone.

When it comes to the account's contents, "from a legal perspective there is nothing to leave," Purewal says. He works with online entertainment companies and says: "I can't think of any digital content providers who freely and openly allow the passage of ownership from one person to another." Either the terms and conditions will explicitly rule out sharing downloads, or will use language which implicitly rules against it.

Workarounds are possible: you could share your password and other account details with your family or even the person who will execute your estate, but you will be taking a risk as the content provider could suspend the account. But if US courts do decide iTunes has to allow users to pass on licences, this whole area may be opened up.

Books

As with music and films, when you die your virtual library will die with you. Amazon tells Kindle users: "The purchase and download of digital content from Amazon.co.uk, including content from the Kindle Store, is associated with the Amazon.co.uk account used to make the original purchase. As a result, Kindle content cannot be shared like a physical book."

So you can't move a book from one device to another, and you won't be able to split up a collection of books between family and friends. You could leave the device holding your collection to someone else, but if they needed to access the account for any reason they could run in to difficulties. Again, you cannot leave it to someone else with complete certainty.

Social media

"Most social media account holders are bound by their terms of business, and it is common for executors to be unable to access a deceased customer's account," says Nick Rhodes, associate solicitor at Blacks Solicitors. "The service providers seem reluctant to allow access as the accounts contain personal data about the deceased and fear breaching privacy rights. There is no established legislation or cases dealing with the release of personal data to executors."

Facebook's terms and conditions include the line: "You will not transfer your account (including any Page or application you administer) to anyone without first getting our written permission", which effectively rules out handing over your account when you die. However, it will let your family turn your page into a memorial page, provided they provide proof of your death.

Twitter says that when you sign up it "gives you a personal, worldwide, royalty-free, non-assignable and non-exclusive license to use the software", which implies an account cannot be transferred. It seems unlikely it would pursue an individual for logging into a relative's account after their death, but there are inactivity rules. Your account will not stay around forever if nothing is happening with it.

Yahoo!, which owns the photo-sharing site Flickr as well as running a webmail service, also states that users are granted "personal, non-transferable and non-exclusive right and licence" to use its software. It also makes it clear in its terms and conditions that it reserves the right to shut down inactive accounts. This is worth bearing in mind if you want to pass on photos which you are storing online – the account holding them could be deleted one day.

Despite these rules some companies are trying to trade on the idea that people may want to leave their accounts to their families when they die. Loccit, for example, offers to pull together your Facebook, Twitter, Instagram and Foursquare accounts to create an online version of "the secret shoebox of photos and memories we used to keep as children".

iCloud

Apple is very clear about ownership of iCloud accounts. It states in its terms and conditions: "You agree that your Account is non-transferable and that any rights to your Apple ID or Content within your Account terminate upon your death. Upon receipt of a copy of a death certificate your Account may be terminated and all Content within your Account deleted."

Emails

English law states that the copyright of emails and other material stored online forms part of people's estates, and should therefore pass to executors. However, lawyers say internet service providers do not always allow access. There can also be jurisdictional issues where ISPs may be based in a different country to where the user lived.

Rhodes says anyone worried about their digital legacy should "have a will stating that chosen executors have the right to access social accounts and digital assets, and to direct the executors on how the accounts and assets shall be dealt with.

"If the executors still meet resistance from the online providers then they could apply to court for an order allowing them to deal with everything in accordance with the will."

However, he says it remains to be seen how a court would react.

Document Retention Policy - Why and How

If you have grown your business to a profitable and viable enterprise, then chances are you need to have a procedure for the organization, retention (and periodic destruction) of your important documents and other business information. This is often handled through a Record Retention and Destruction Policy.

Policies of this nature can offer many tangible and intangible benefits to your business:

First and foremost, a policy will assist in the organization and management of your day-to-day business operations, by allowing you to easily locate and access key documents. You will also be able to preserve and enhance your business’ institutional knowledge by archiving key documents and information in a manner so that they can be easily located and accessed.

In today’s environment, businesses are subject to a number of legal, accounting, contractual, and other ongoing requirements and restrictions concerning record retention and destruction. A Record Retention and Destruction Policy will allow you to keep track of (and remain in compliance with) these various requirements.

Policies of this nature typically include procedures for the periodic purging and destruction of documents that are no longer required to be retained. Thus you are able to reduce costs and expenses associated with the retention and storage of obsolete and unnecessary records.

Today’s record retention software will often allow you to control the internal and external dissemination of sensitive or confidential information—allowing you to safeguard and protect your most critical business secrets.

If your business ever gets involved in litigation, a Record Retention and Destruction Policy will help you manage costs, as well as remain in compliance with the various court rules concerning electronic records and discovery.

Finally, a policy will allow you to respond in the event of a potential sale or other strategic opportunity, by allowing you to quickly locate and assemble your corporate documents to facilitate due diligence and other deal-related activities.

Although each policy is different, and depends upon the specific nature and requirements of the business, there are a couple of general considerations to keep in mind:

Assemble your team.  Implementing a Document Retention and Destruction Policy is a multi-disciplinary exercise, and will require coordination among various employees and advisors, including legal, financial, accounting, human resources, information technology, and other professionals. Most companies are now able to use computer software to automate and manage a large portion of the process. Accordingly, a key partner in this project will be your software provider and implementation consultant.

Understand the legal and regulatory requirements.  Odds are that there are a number of statutes and administrative regulations that are applicable to your business—including those that require you to retain certain records for some designated period of time. These requirements increase exponentially if your business operates in a regulated industry, has an international component, or is involved in government contracting. You may also have certain contracts or certification requirements in place that include a document retention component.

Draft a written policy. Your business’ specific document retention and destruction requirements should be memorialized through the preparation of a written Document Retention and Destruction Policy, which will typically designate specific “retention periods” based on document type and content. Your legal and human resources advisors can assist in this process.

Include procedures for implementing a litigation “hold.” In the event of actual or threatened litigation, you will be required to place a “hold” on the destruction of potentially relevant information, even though it might otherwise be destroyed in the ordinary course under the terms of your policy. Your written Document Retention and Destruction Policy should include procedures for implementation of any litigation hold, including: (a) specifying the facts and circumstances triggering a hold; (b) assigning responsibility for initiating the hold; and (c) setting procedures on how the hold is communicated to employees and implemented.

Account for “off site” information.  Managing, storing, and disposing of e-mails and other information stored on employee desktop computers is often a fairly straightforward process. However, it may be more difficult to account for documents or information that is stored “off site”—e.g., on an employee's personal computer, laptop, or PDA. Any policy that you implement should include a mechanism for capturing and managing such information.

Ensure that your policy is properly implemented and enforced. Once you have developed a policy, the real work often begins in the form of implementation and enforcement (including employee training). In some cases, it may be more harmful to have a policy that is not enforced, than if you simply had no policy at all. You should also conduct periodic audits of your retention and destruction program, in order to see if any updates or changes are necessary.

Compiling, organizing, and managing your company’s records can often be a daunting task. However, it is critical that you stay on top of your business’ records and other key information. In today’s information age, there is almost no other way to do business.

Document Retention and Destruction Policy

Sample policy language can streamline the policy adoption process and is a good starting point. But it is never a good idea to simply insert your organization’s name and present the document to the board for approval. The policy MUST be discussed and tailored to reflect your organization’s culture and to conform to your other policies.

 

This sample policy is distributed with the understanding that Active Technologies, LLC is not engaged in rendering legal or accounting counsel. We urge you to seek professional services to address your specific concerns.

I. Purpose

In accordance with the Sarbanes-Oxley Act, which makes it a crime to alter, cover up, falsify, or destroy any document with the intent of impeding or obstructing any official proceeding, this policy provides for the systematic review, retention and destruction of documents received or created by Arts Organization in connection with the transaction of organization business. This policy covers all records and documents, regardless of physical form, and contains guidelines for how long certain documents should be kept and how records should be destroyed. The policy is designed to ensure compliance with federal and state laws and regulations, to eliminate accidental or innocent destruction of records and to facilitate Arts Organization’s operations by promoting efficiency and freeing up valuable storage space.

II. Document Retention

Arts Organization follows the document retention procedures outlined below. Documents that are not listed, but are substantially similar to those listed in the schedule will be retained for the appropriate length of time.

III. Corporate Records

  • Annual Reports to Secretary of State/Attorney General: Permanent
  • Articles of Incorporation: Permanent
  • Board Meeting and Board Committee Minutes: Permanent
  • Board Policies/Resolutions: Permanent
  • By-laws: Permanent
  • Construction Documents: Permanent
  • Fixed Asset Records: Permanent
  • IRS Application for Tax-Exempt Status (Form 1023): Permanent
  • IRS Determination Letter: Permanent
  • State Sales Tax Exemption Letter: Permanent
  • Contracts (after expiration): 7 years
  • Correspondence (general): 3 years

Accounting and Corporate Tax Records

  • Annual Audits and Financial Statements: Permanent
  • Depreciation Schedules: Permanent
  • General Ledgers: Permanent
  • IRS 990 Tax Returns: Permanent
  • Business Expense Records: 7 years
  • IRS 1099s: 7 years
  • Journal Entries: 7 years
  • Invoices: 7 years
  • Sales Records (box office, concessions, gift shop): 5 years
  • Petty Cash Vouchers: 3 years
  • Cash Receipts: 3 years
  • Credit Card Receipts: 3 years

Bank Records

  • Check Registers: Permanent
  • Bank Deposit Slips: 7 years
  • Bank Statements and Reconciliation: 7 years
  • Electronic Fund Transfer Documents: 7 years

Payroll and Employment Tax Records

  • Payroll Registers: Permanent
  • State Unemployment Tax Records: Permanent
  • Earnings Records: 7 years
  • Garnishment Records: 7 years
  • Payroll Tax returns: 7 years
  • W-2 Statements: 7 years

Employee Records

  • Employment and Termination Agreements: Permanent
  • Retirement and Pension Plan Documents: Permanent
  • Records Relating to Promotion, Demotion or Discharge: 7 years after termination
  • Accident Reports and Worker’s Compensation Records: 5 years
  • Salary Schedules: 5 years
  • Employment Applications: 3 years
  • I-9 Forms: 3 years after termination
  • Time Cards

  • Donor Records and Acknowledgement Letters: 7 years
  • Grant Applications and Contracts: 5 years after completion

Legal, Insurance and Safety Records

  • Appraisals: Permanent
  • Copyright Registrations: Permanent
  • Environmental Studies: Permanent
  • Insurance Policies: Permanent
  • Real Estate Documents: Permanent
  • Stock and Bond Records: Permanent
  • Trademark Registrations: Permanent
  • Leases: 6 years after expiration
  • OSHA Documents: 5 years
  • General Contracts: 3 years

IV. Electronic Documents and Records

Electronic documents will be retained as if they were paper documents. Therefore, any electronic files, including records of donations made online, that fall into one of the document types on the above schedule will be maintained for the appropriate amount of time. If a user has sufficient reason to keep an email message, the message should be printed in hard copy and kept in the appropriate file or moved to an “archive” computer file folder. Backup and recovery methods will be tested on a regular basis.

V. Emergency Planning

Arts Organization’s records will be stored in a safe, secure and accessible manner. Documents and financial files that are essential to keeping Arts Organization operating in an emergency will be duplicated or backed up at least every week and maintained off site.

VI. Document Destruction

Arts Organization’s chief financial officer is responsible for the ongoing process of identifying its records that have met the required retention period and overseeing their destruction. Destruction of financial and personnel-related documents will be accomplished by shredding.

Document destruction will be suspended immediately, upon any indication of an official investigation or when a lawsuit is filed or appears imminent. Destruction will be reinstated upon conclusion of the investigation.

VII. Compliance

Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against Arts Organization and its employees and possible disciplinary action against responsible individuals. The chief financial officer and finance committee chair will periodically review these procedures with legal counsel or the organization’s certified public accountant to ensure that they are in compliance with new or revised regulations.

Does July Mean The End Of The Internet For Some Computers

Google plans to warn more than half a million users of a computer infection that may knock their computers off the Internet this summer.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system will be shut down July 9 -- killing connections for those people.

The FBI has run an impressive campaign for months, encouraging people to visit a website that will inform them whether they're infected and explain how to fix the problem. After July 9, infected users won't be able to connect to the Internet.

An online ad scam is having some unintended ramifications: The fix may prevent as many as 360,000 from getting online. Several sites will show if you're infected:

DNS Changer Working Group: can discern whether you’re infected and explain how to fix the problem.

DNSChanger Eye Chart: if the site goes red, you’re in harm’s way. Green means clean.

The FBI website: type in the IP address of your DNS server to find out if it is infected.

On Tuesday, May 22, Google announced it would throw its weight into the awareness campaign, rolling out alerts to users via a special message that will appear at the top of the Google search results page for users with affected computers, CNET reported.

“We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results,” wrote Google security engineer Damian Menscher in a post on the company’s security blog.

“If more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it,” he wrote.

The challenge, and the reason for the awareness campaigns: Most victims don't even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

Last November, when the FBI and other authorities were preparing to take down a hacker ring that had been running an Internet ad scam on a massive network of infected computers, the agency realized this may become an issue.

"We started to realize that we might have a little bit of a problem on our hands because ... if we just pulled the plug on their criminal infrastructure and threw everybody in jail, the victims of this were going to be without Internet service," said Tom Grasso, an FBI supervisory special agent. "The average user would open up Internet Explorer and get `page not found' and think the Internet is broken."

On the night of the arrests, the agency brought in Paul Vixie, chairman and founder of Internet Systems Consortium, to install two Internet servers to take the place of the truckload of impounded rogue servers that infected computers were using. Federal officials planned to keep their servers online until March, giving everyone an opportunity to clean their computers.

But it wasn't enough time.

Does Safely Ejecting From a USB Port Actually Do Anything?

Is there any harm to be incurred by just pulling a flash drive out? Why do we need safe removal at all?

Historically, Operating Systems treat disks as objects that can be trusted not to change state suddenly. When reading or writing files, the OS expects the files to remain accessible and not suddenly disappear in mid-read or mid-write.

If a file is open, a program reading the file expects to be able to return to it and continue reading. Similarly, write commands may be dispatched to a writing subroutine and forgotten by the main program. If a drive disappears between the time the subroutine is called and the data is written to disk, that data is lost forever.

In ye olde days, there were formal processes to physically “mount” and “unmount” storage media, and the physical act of mounting a tape or a disk pack triggered some mechanical switch to detect the presence or absence of media. Once the mechanism was engaged, the software could start to use the media (a “soft mount”). Some media even had a mechanical interlock to prevent media from being ejected or removed until the software processes using the media released the lock.

The Macintosh floppy and optical disk provide more modern examples of an interlocked physical and soft mount. One could only eject media through a software command, but that command might fail if some program was holding a file open on the medium. Enter USB connected storage. There is no mechanical interlock in a USB connection to coordinate the hard and soft mount. The user can decide to rip the disk out from under the operating system at any time, and endure all manner of programs freaking out about the sudden loss of media. “Hey! I was using that!”

Symptoms could include: Lost data, corrupted filesystems, crashing programs, or hanging computers requiring a reboot. A safe removal executes the “soft unmount” needed to prevent any unexpected Bad Things that may happen if a program loses its access to media.

A safe removal does a few things:

  • It flushes all active writes to disk.
  • It alerts all programs (that know how to be alerted) that the disk is going away, and to take appropriate action.
  • It alerts the user when programs have failed to take action, and still are holding files open.

You can remove a disk at any time, but you are at the mercy of how well programs using the disk cope with the sudden disappearance of that disk.

In the modern computer, many steps have been taken to defend against the capricious and careless removal of media. For example, Windows even introduced a feature called “Optimize for Quick Removal” that makes sure data is written quickly instead of batched up and written efficiently. It is very hard to get people to change habits. If you are doing exclusively reads on a medium, safe removal is probably not needed. If you are doing writes, you are probably OK to skip safe removal if you haven’t written recently and you aren’t doing something silly like indexing that disk.

As a good friend of mine once said: Life is too short to safely eject the disk.

However, Safe Removal does a number of important things and is, in fact, the only assuredly safe way to remove a disk. You probably don’t need it most of the time, but it is a good habit to have since data loss sucks.

Don't Use PcAnywhere Symantec Warns Customers

Symantec (NSDQ:SYMC) told customers Thursday not to use pcAnywhere until the company can secure the PC remote control software following the theft of its underlying code by hacker collective Anonymous. Symantec issued the warning after completing an analysis of the source code taken by an Indian chapter of Anonymous from an unidentified third party. Samples of the code were given to Infosec Island, an online community of security professionals that handed the code to Symantec, the vendor reported about two weeks ago.

Don't let identity thieves steal your tax refund

(Mark Huffman @ ConsumerAffairs) Identity theft is already a growing consumer problem. When a hacker assumes your identity they can open up lines of credit in your name and even clean out your bank account.

To add insult to injury, they can even steal your federal income tax refund. In fact, the Internal Revenue Service (IRS) reports this is happening with alarming frequency.

All a hacker needs is your Social Security number. With it, they can file a phony tax return with a made-up W-2 form that shows you are getting a big refund. When the IRS gets the return it processes it, sending out the refund check to the bad guy. The theft isn't discovered until you get around to filing your real return.

Easy money

To the hacker it's easy money. If he has somehow gotten his hands on your actual W-2, you may have a very difficult time getting your money back. In any case, the U.S. taxpayers end up getting victimized as well.

The IRS has stepped up efforts in recent years on finding and prosecuting these specialized identity thieves. In Fiscal Year 2013 the agency began nearly 1,500 criminal investigations related to tax return identity theft, a 66% increase over the previous year. It's better, of course, to stop identity theft before it happens.

“The IRS has taken numerous steps to combat identity theft and protect taxpayers,” the agency said in a statement. “We are continually looking at ways to increase data security and protect taxpayers' identities with assistance from our Identity Protection Specialized Unit. Identity theft cases are among the most complex ones we handle.”

Take action

If you have reason to believe that someone has stolen your personal information, you need to take action. For example, you may receive a letter from the IRS stating, or learn from a tax professional, that you filed more than one tax return, or that someone has already filed a return using your information. You may also learn that you have a balance due, a refund offset, or collection actions taken against you for a year you did not file.

Your identity may also have been stolen if you receive a notification of wages from an employer you have not worked for. If you receive such a letter from the IRS and you suspect your identity has been stolen, respond immediately to the name, address, phone number or fax listed on the IRS letter. Better yet, contact the IRS to determine if the letter is a legitimate IRS letter.

Another tip-off is when you learn that someone is using your Social Security number to seek employment, or for some other purpose not connected to your activities.

People to call

When you find out you have been a victim of identity theft, or suspect that you have been, there is a long list of people to call. First, contact the three credit reporting agencies to place a fraud alert on your credit files. Next, cancel all your credit cards. If someone is using your Social Security number, contact the Social Security Administration.

The IRS asks that you also place it on the list of people to call. Once you do, it will place a hold on your account so that the thief will be unable to file a bogus return.

Don’t Google anything that enables Google to define your identity

Source: Thinkstock

If you’re really serious about finding a way around Google’s propensity for constructing a profile to define who you are and how much you’re worth to specific advertisers, then there’s not much recourse but to avoid searching anything that could give Google or advertisers a clue about your identity. As Jeffrey Rosen reported for The New York Times a few years ago, the privacy threats go beyond creepy ads. “Computers can link our digital profiles with our real identities so precisely that it will soon be hard to claim that the profiles are anonymous in any meaningful sense,” Rosen writes.

Paul Ohm, a law professor at the University of Colorado at Boulder, told the Times that companies can combine hundreds or thousands of facts about you into what he terms “a database of ruin.” With discrete and unconnected facts about you, an algorithm could sort through profiles of hundreds of thousands of users like you and accurately predict something unrelated about you or your activity. Ohm argues that there’s at least one closely guarded secret that could lead to harm if revealed, like “a medical condition, family history or personal preference,” and the database of ruin makes that secret hard to conceal.

Even if many classifications are inaccurate, they can still harm you with effects like price discrimination, in which companies profile you and determine how much to charge you for goods or services. Rosen reports, “the new world of price discrimination is one where it’s hard to escape your consumer profile, and you won’t even know if companies are offering discounts to higher-status customers in the first place.” He imagines that “As personalization becomes ubiquitous, the segmented profiles that advertisers, publishers and even presidential candidates use to define us may become more pervasive and significant than the identities we use to define ourselves.”

If you’re looking to minimize the amount of information that search engines and advertisers collect on you, there are a few steps you should take. Choose an alternative search engine, like DuckDuckGo, to keep your search history from being recorded and analyzed. Install an extension like AdBlock Plus, Ghostery, or Disconnect to protect yourself against companies who want to track your activity online. Check your privacy settings on popular sites, and always log out of social networks when you’re browsing the web.

Don’t give your search engine hints about your insecurities

Source: Thinkstock

Advertising is notoriously formulated to create and capitalize upon viewers’ insecurities. Giving your search engine — and all of the advertisers that leverage the information it collects on you — easy access to the insecurities you already have just does the dirty work for them. Making things easier for advertisers who want to capitalize on your insecurities to sell you products and services doesn’t sound like a huge deal compared to what happens when you search for medical information. But it still has some unsettling effects that you should avoid, if you can.

Amanda Hess recently reported for Slate that a category of searches she’s dubbed “Google, am I normal?” is a “scintillating resource for advertisers.” Hess explains, “I’ve been tipping Google off to all the real ailments and imagined insecurities that I already have, at a pace of about once an hour, every hour of the day: celebrity diet, pants are uncomfortable, migraine difficulty speaking, before and after plastic surgery, and worst cramps ever why.” Each of those gives an easy in to advertisers, who don’t even have to show you an ad first to get you to think about your insecurities, and how their products might help.

It may not seem like a big deal compared to having ads about treatments for an illness you may or may not have following you around the Internet. But if you don’t want to see ads that are specifically tailored to things that you already don’t like about your body, even if, objectively, they aren’t a huge deal, you should avoid sharing those insecurities with your search engine in the first place.

Don’t search for anything suspicious (especially at work)

Source: iStock

A couple of years ago, a story on how a series of Google searches led to a visit by local authorities made the rounds. As Jared Newman reported for Time, searches by different members of a New York family for terms including “backpack” and “pressure cooker bomb” triggered a visit by local authorities when the suspicious Google searches were reported by an employer. Michele Catalano, the matriarch of the family in question, later wrote, “I had researched pressure cookers. My husband was looking for a backpack. And maybe in another time those two things together would have seemed innocuous, but we are in ‘these times’ now.” She continued, “And in these times, when things like the Boston bombing happen, you spend a lot of time on the Internet reading about it and, if you are my exceedingly curious, news junkie 20-year-old son, you click a lot of links when you read the myriad of stories. You might just read a CNN piece about how bomb making instructions are readily available on the Internet and you will in all probability, if you are that kid, click the link provided.”

The lesson learned? Don’t search for suspicious terms, or anything that could be construed as crime-related, when someone is watching your browsing history. (The safest course of action is to assume that someone always is.) On a similar note, it’s a bad idea to search anything crime-related if you have something to hide. Obviously we don’t condone committing a crime. But it’s worth noting that people’s Google searches have been used to convict them of crimes, especially when they just so happen to Google the crime right before or after they’ve committed it. See this Palo Alto case as an example, or read Lee Rowland’s report on how a New York case highlights the problem with finding someone guilty of a conspiracy or an attempt to commit a crime when the only evidence is words shared online. “It’s one thing to use a Google search as evidence of intent or knowledge, when an actual crime has resulted and there’s a real victim.”

Don’t search for information on medical issues or drugs

Source: Thinkstock

While Google says that it prohibits advertisers “from remarketing based on sensitive information, such as health information or religious beliefs,” the company’s privacy policy reserves the right to record your search results, associate them with your IP address or Google account, and then use that information to target ads on Google properties and across the web. Neal Ungerleider recently reported that researchers have found looking up medical and drug information online is a major privacy risk.

Tim Libert, a doctoral student at the University of Pennsylvania’s Annenberg School for Communication, found that more than 90% of the 80,000 health-related pages he looked at exposed user information to third parties. The pages he researched included commercial, nonprofit, educational, and government websites, and the finding is particularly unsettling given a Pew Research Center finding that 72% of Internet users in the United States look up health-related information online. Even worse? Google collects information from 78% of the pages that Libert looked at, which gives advertisers an easy way to figure out that a user has specific health issues, and find out what issues those are. Visits to pages on HIV/AIDS, for instance, can be combined with a user’s browsing history and lead to ads for HIV and AIDS treatments, which Ungerleider notes effectively outs their HIV status.

A bigger privacy issue, Libert worries, is leaks that could expose people’s intimate health information to anyone willing to buy a hacked database. Stolen medical information is routinely trafficked on criminal websites, and is often used for Medicaid fraud and other scams. Third parties could match you with your medical search results, and advertisers could even discriminate against you based on your medical searches, even if they’re never connected to you definitively.

Don’t search for things that clue Google in to your location

Source: Thinkstock

As Jay Stanley reported last year for the ACLU, one of the earliest instances in which the powerful privacy implications of having your search history recorded became clear occurred in 2006, when AOL released a large set of searches that had been conducted on its sites. While the identity of the searcher was replaced with an arbitrary number — so that all of the searches by an individual were still gathered around the same identifier — members of the media found that it wasn’t difficult to identify searchers’ hometowns, neighborhoods, age, sex, and other identifying details through their searches. The result was “an electrifying sense of just how intimate and revealing the information one ‘shares’ with a search engine can be.”

About a year ago, New York Times columnist David Leonhardt told NPR about how search terms differ geographically, with major differences between counties where life is easiest and counties where life is hardest. A high prevalence of searches on health problems like blood sugar and diabetes, searches on “what might be called the dark side of religion,” searches about selling Avon or getting Social Security checks, and searches about “specific kinds of guns” occurs in areas where people are more likely to struggle with money or suffer health problems. Your searches give your search engine a view of how economic trends manifest themselves in your everyday life — something you may not want advertisers capitalizing upon.

 

Doxing What Is It

(Ryan Goodrich @ TechNewsDaily) Doxing, a derivation of the phrase "document tracing," is the act of scouring the Internet for an individual's personal data, usually for a malicious purpose.

While many people may use the Internet to learn more about someone they met at a party, for example, doxing has become more akin to social protest, using publicly available information to identify individuals with the goal of publicly sharing or exposing their personal details.

Example of doxing

Doxing is a common strategy used by hacking groups such as Anonymous and its spinoffs LulzSec and AntiSec.

One such example of Anonymous' work dates back to December 2011, when the group targeted several law-enforcement agencies that had been scrutinizing hacking activities.

This doxing attack resulted in hackers infiltrating secured databases and exposing the information of 7,000 law-enforcement personnel, which included names, addresses, Social Security numbers, email addresses and passwords.

While Anonymous did not specifically do anything else with the information beyond sharing it with the public, this act potentially opened the floodgates for Internet cutthroats to commit fraud, email theft and more against each of the names exposed.

Combating doxing

The more personally identifiable information you share on the Internet, the more at risk you are of doxing. All it takes to begin doxing is a person's email address, which can then be used to find other information throughout the Internet, such as your name, phone number or even your Social Security number.

Considering how long many individuals have used the Internet and the number of websites visited and registered for in the past, it's quite impossible to remove or hide one's digital footprint entirely.

Moving forward, immediately making changes to the sources you have access to can help prevent many instances of doxing.

Several pieces of information commonly targeted include:

  • First and last name
  • Gender
  • Birth date
  • Email address
  • Social networking profile
  • Website

While your employer's IT department is ultimately responsible for the security and safety of your personal information internally, external websites are purely under your control.

When information is optional, such as a birthday on Facebook, don’t share it. You may like getting birthday well-wishes, but such information can put hackers one step closer to exposing your personal life or committing identity theft.

 

Doxxing is Like Hacking only Legal

(Christine Pelisek @ thedailybeast) Hillary, Beyoncé, Ashton: they all got ‘doxxed.’ Christine Pelisek on the cyber pranksters who post stars’ private info for all to see—and why that’s often perfectly legal.

Michelle Obama’s supposed social security number was posted. So was Beyoncé’s purported address. And Ashton Kutcher’s phone number, too. The list goes on: Joe Biden, Donald Trump, Hillary Rodham, Britney Spears, Mel Gibson, and Attorney General Eric Holder were all targeted in the information dump.

In what must have been a particularly galling note for law-enforcement officials, the cyberattack also sussed out the alleged credit report of LAPD chief Charlie Beck. All of these details and more were posted to the mysterious website The Secret Files, which as of Wednesday afternoon was back online after going dark the day before. 

But this wasn’t a hack attack, police and cybersecurity experts say. It was a classic case of “doxxing,” the act of obtaining and posting private information about a person by scouring the Internet. And it’s surprisingly easy to do. In many cases, it’s not even illegal.

“You can post it as long as there is nothing nefarious about it,” says LAPD cyber crimes detective Andrew Kleinick. “They are public figures and that kind of thing happens. It’s not right, [but] I know of no crime.”

The exception, says Kleinick, occurs when information obtained through doxxing is used to threaten someone, steal someone’s identity, or infiltrate private emails. That was the case with 36-year-old Christopher Chaney, who three months ago was sentenced to 10 years in prison after hacking into the email accounts of actresses Scarlett Johansson and Mila Kunis.

It’s still unclear who’s accountable for The Secret Files stunt. LAPD officer Bruce Borihanh says the department is partnering with the FBI to find out more information and determine whether criminal charges apply. “They are looking at the sourcing of it,” Borihanh says, “and if it was obtained through illegal means. Otherwise, it is information that was put out there before.”

This isn’t the first time the LAPD has been doxxed. In 2011, a group affiliated with the online hackers Anonymous claimed responsibility for posting personal information of more than 40 officers, including their home addresses, campaign contributions, property records, and names of family members after they claimed the LAPD oppressed them by shutting down the Occupy L.A. Movement.

But it doesn’t take a master hacker to pull off such a feat. Experts say that doxxing has become almost commonplace when it comes to major celebrities. After all, finding a person’s address or phone number is easy to do by searching the web or paying small fees to online search providers. For an extra fee, plenty of search engines will also hand out phone numbers and addresses of next-door neighbors as well as some criminal background information.

Credit reports and social security numbers are also obtainable on the Web, though they are harder to track down—and this is where the case of The Secret Files may have veered into criminal hacking territory. On Tuesday, the nation’s three biggest credit-report agencies said that the perpetrator had input “considerable amounts” of information, including social security numbers, to impersonate the famous victims and come away with their credit reports, which would be illegal. Due to the connection to Obama and Clinton, the Secret Service is reportedly looking into the mess.

Chaney impersonated his victims, too, scouring celebrity magazines and websites for clues to stars’ email passwords. After clearing common security hurdles—mother’s maiden name, favorite pet’s name—he was able to infiltrate the Google, Apple, and Yahoo email accounts of Johansson and Kunis, leaking several nude photos. In fact, during a four-month period, he cracked the passwords of close to 50 celebrities’ accounts.

He pled guilty to nine felony counts including identity theft, wiretapping, and unauthorized access and damage to a protected computer.

"There is no such thing as complete cybersecurity," says John Villasenor, a UCLA professor and nonresident senior fellow at the Brookings Institution. "As the number of devices and services continues to increase, personal information is stored on more and more systems. Not all of those systems are sufficiently secure, which means that we're likely to see more of these sorts of data compromises in the coming years."

The Secret Files bore the Internet suffix .su, originally assigned to the Soviet Union. The front page of the site featured a creepy picture of a zombie-like girl who looks like she is asking viewers to be quiet. Music from the Showtime series Dexter plays in the background; near the girl’s picture is written: “If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve.”

Before it went offline, the website had more than 147,000 visitors.

Kleinick, the cyber crimes expert, says the line between legal doxxing and criminal activity is fairly clear. “You cannot use it to make financial gains,” he said. “You can’t say, ‘I am Tom Cruise send me money for this or that.’ You can’t impersonate someone. I can post Tom Cruise’s birth date because it is public information. If the information was taken illegally or if it was stolen, then it would be something we would handle.”

Kleinick himself says he became a victim of cyber intrusion after a person he was investigating posted some of his private information on the Web. Still, he says that while plenty of people have incurred the wrath of these pesky cyber seekers, it is “technically not a reportable crime.”

“If it is just posting personal information we don’t take a report, because it is not illegal.”

Electronic Monitoring by Justice Department Up 60 Percent

Instances of the Justice Department monitoring electronic communications such as phone calls, emails and even social network updates without a warrant have increased by as much as 60 percent in recent years, according to the American Civil Liberties Union.

The surveillance tools – known as either a “pen register” or a “trap and trace” – record such information as phone numbers and the time and length of calls, but not the content.

Orders to track phone calls increased 60 percent -- from 23,535 in 2009 to 37,616 in 2011 -- according to Justice Department documents, including ones recently acquired by the ACLU.

Orders to track emails and computer network data increased by 361 percent over the same period, though the number of such orders was smaller than the number for phone calls.

The ACLU argues the legal standard to use the devices is lower because they don’t capture content -- unlike wiretaps, which require a judge’s permission. And the government need only submit to a court a certification stating that it seeks information relevant to an ongoing criminal investigation.

However, the Justice Department said that in “every instance cited” in the documents a federal judge authorized the law enforcement activity.

“As criminals increasingly use new and more sophisticated technologies, the use of orders issued by a judge and explicitly authorized by Congress to obtain non-content information is essential for federal law enforcement officials to carry out their duty to protect the public and investigate violations of federal laws," the agency said in a statement.

Still, Naomi Gilens, writing in a blog for the ACLU, says the information in the documents “underscore the importance of regulating and overseeing the government’s surveillance power.”

She also calls both devices “powerfully invasive surveillance tools” and points out that nowadays no special equipment is needed to record such information because it is part of phone companies’ call-routing hardware, unlike 20 years ago.

Fox News' Steve Centanni contributed to this report.

Email Account Hacked–What To Do???

In the past week we have witnessed a huge increase in spam email, particularly from AT&T/BellSouth, Gmail, and sc.rr.com email accounts. What is really surprising is that some of these emails came from “top-notch computer geeks” and corporate executives. But why?

First of all, more folks have email accounts with those 4 vendors than with all of the other vendors put together. But the real root cause is that these folks are not using strong passwords on their email accounts, and these are the people who should know better!

What’s happening? These email accounts have been hacked by organized crime to disseminate spam advertising, for anything from legitimate products, to porn sites, to sites that can seize control of your computer and use it as a zombie for more spam. Once your email account has been hacked, the hacker has access to your email address AND your address book, and, you guessed it, they send this filth FROM: You TO: your friends and family. How nice!

But how do they hack email accounts? Not by sitting at a keyboard and trying various passwords. They write a script that does it for them. The script goes from email address to email address, and tries the obvious stuff. And when it gains access, it starts another script that sends out spam email.

What makes this possible is the fact that folks STILL don’t use STRONG PASSWORDS! Instead, they use stuff like 123456, or abc123, or their name, or birth date. You see, simple alphanumeric passwords can be hacked by these scripts in 5 seconds or less. Simply using a combination of UPPER and lower case letters with numbers moves the time from 5 seconds to 5 minutes. To make it a strong password, though, it needs to be 10 or 12 characters long, and must have a mixture of UPPER CASE, lower case letters, numbers, and special characters like !@#$?*. Put that stuff in your password and you increase hack time from minutes to hours, and the hacker script gives up and moves on to the next.

Problem:

Bottom line is: The password must be impossible to remember and you should never write it down. How’s that for security – even the computer user can’t get into their own computer. OR they write it on a sticky note and stick it on the monitor for all to see. How secure is that!

Solution:

However, there is a system for creating and remembering strong passwords. Start off with your favorite saying, such as:

Gladly Pay You Tuesday For A Hamburger Today. To create a strong password from your favorite saying, take the first letter of each word and alternate between upper and lower case, i.e., GpYtFaHt. Now you have something you can remember. To really spice it up, change the first t to a 2 and the a to an @, and put ! at the end, i.e., GpY2F@H!. Now add the year of your Grandfather’s birth, and you have GpY2F@H!1883. And that’s the easy way to create and remember a strong password with 12 characters, upper and lower case with numbers and symbols. Hack that one, spammer!

1. Peter Piper Picked a Peck of Pickled Peppers just won’t get it!

2. Don’t use GpY2F@H!1883 – That’s my password! ☺
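As an added illustration (not part of the original article), the Python example below checks passwords against the rules described above: at least 10 characters, with upper case, lower case, digits and special characters. It also reproduces the acronym step of the mnemonic and reports an upper bound on the brute-force search space; the function names and the use of all ASCII punctuation as the "special" class are assumptions.

```python
import math
import string

COMMON_WEAK = {"123456", "abc123"}   # weak choices named in the article
MIN_LENGTH = 10                      # article: "10 or 12 characters long"

# The four character classes the article asks for.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,   # assumption: superset of the article's !@#$?*
}


def classes_present(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def audit(password):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_WEAK:
        problems.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name in sorted(set(CLASSES) - classes_present(password)):
        problems.append(f"no {name} character")
    return problems


def search_space_bits(password):
    """Upper bound on brute-force work: log2(alphabet_size ** length).

    The bound only holds for characters chosen at random. A password built
    from a well-known saying plus a birth year is weaker than this number.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_present(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def acronym(saying):
    """First letter of each word, alternating upper and lower case."""
    letters = [word[0] for word in saying.split()]
    return "".join(ch.upper() if i % 2 == 0 else ch.lower()
                   for i, ch in enumerate(letters))


def report(passwords):
    """(password, search-space bits, violations) for each candidate."""
    return [(pw, round(search_space_bits(pw), 1), audit(pw))
            for pw in passwords]


if __name__ == "__main__":
    saying = "Gladly Pay You Tuesday For A Hamburger Today"
    # Candidates taken from the article's own text.
    samples = ["123456", "abc123", acronym(saying), "GpY2F@H!1883"]
    for pw, bits, problems in report(samples):
        verdict = "passes" if not problems else "; ".join(problems)
        print(f"{pw:<14} {bits:>5} bits  {verdict}")
```

The bit count grows with length faster than with added character classes, which is why the article's length requirement matters as much as the symbol mix.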

As for securing your existing email account, contact your email vendor, tell them that your email account has been hacked and ask them if simply changing the email address will be sufficient to secure the account. If not, you may need to get a new email account. However, if they will allow you to continue using your existing account, have them change the password. Then immediately change it again to your new strong password to secure your account.

Email Policy Template

Procedure ID:
Department:
Operation:
Controlled By:
Effectively: 12/1/2011

Description:

The purpose of this policy is to ensure the proper use of the {Company} email system and to make certain that users are aware of what {COMPANY} deems acceptable and unacceptable use of its email system. {COMPANY} reserves the right to amend this policy at its discretion. In case of amendments, users will be informed appropriately.

Legal risks

Email is a business communication tool and users are obliged to use this tool in a responsible, effective and lawful manner. Although by its nature email seems to be less formal than other written communication, the same laws apply. Therefore, it is important that users are aware of the legal risks of email:

1. If you send emails with any libelous, defamatory, offensive, racist or obscene remarks, you and {COMPANY} can be held liable.

2. If you forward emails with any libelous, defamatory, offensive, racist or obscene remarks, you and {COMPANY} can be held liable.

3. If you unlawfully forward confidential information, you and {COMPANY} can be held liable.

4. If you unlawfully forward or copy messages without permission, you and {COMPANY} can be held liable for copyright infringement.

5. If you send an attachment that contains a virus, you and {COMPANY} can be held liable.

By following the guidelines in this policy, the email user can minimize the legal risks involved in the use of email. If any user disregards the rules set out in this Email Policy, the user shall be fully liable and {COMPANY} will disassociate itself from the user as far as legally possible.

Legal requirements

The following rules are required by law and are to be strictly adhered to:

1. It is strictly prohibited to send or forward emails containing libelous, defamatory, offensive, racist or obscene remarks. If you receive an email of this nature, you must promptly notify your supervisor.

2. Do not forward a message without acquiring permission from the sender first.

3. Do not send unsolicited email messages.

4. Do not forge or attempt to forge email messages.

5. Do not send email messages using another person’s email account.

6. Do not copy a message or attachment belonging to another user without permission of the originator.

7. Do not disguise or attempt to disguise your identity when sending mail.

Best practices

{COMPANY} considers email as an important means of communication and recognizes the importance of proper email content and speedy replies in conveying a professional image and delivering superior customer service. Therefore {COMPANY} wishes users to adhere to the following guidelines:

Writing emails:

1. Write well-structured emails and use short, descriptive subjects for retrieval, sorting, and archive purposes.

2. {Company} email style is informal. This means that sentences can be short and to the point. Use of “bullets” and “Outlines” to quickly convey main points is recommended. You may start your email with ‘Hi’, or ‘Dear’, and/or the name of the person. Messages can be ended with ‘Best Regards’. The use of Internet abbreviations and characters such as “smileys” however, is not encouraged and deemed unprofessional.

3. Emails must include a signature containing your name, job title, and company name, followed by the {COMPANY} standard disclaimer (see Disclaimer).

4. Use the spell checker before sending out an email.

5. Do not send unnecessary attachments. Compress attachments larger than 200K before sending them.

6. Don't forward top-10 lists, chain letters, or jokes.

7. Do not write emails in capitals. Write emails as you would a letter.

8. Do not use cc: or bcc: fields unless the cc: or bcc: recipient is aware that you will be copying a mail to them and understands what action, if any, to take.

9. If you forward mails, state clearly what action you expect the recipient to take.

10. Only send emails of which the content could be displayed on a public notice board. If they cannot be displayed publicly in their current state, consider rephrasing the email, using other means of communication, or protecting information by using a password (see {COMPANY} Confidential Policy).

11. Only mark emails as “important” and/or “confidential” if they truly are such.

12. Never turn off your antivirus and anti-Adware software.

Receiving emails:

1. Email is the preferred method used by hackers to deliver Viruses, Zombies, Adware and Malware.

2. If you do not know the person sending the email, don’t open it.

3. If you know the person but the email appears out of character for that person, call the sender before opening the email.

4. If the attachment is not expected, call the sender before opening it.

5. Never open emails or attachments with the following file extensions: exe, com, bat, html, htm, srn, pid, jas, jav, or active X.

6. We discourage the use of “Preview Panes” and “Auto Preview” as these may automatically start an email virus or Malware.

Replying to emails:

1. General emails should be answered the same day they are received, or within 8 working hours.

2. Priority emails should be acknowledged immediately and, if necessary, the acknowledgment should include a commitment time for a detailed response.

3. Priority emails are emails from existing customers, prospective customers, and business partners.

4. If you don't have anything to say, don't reply. For example, if someone sends a note asking if anyone in the company has “the installation disk” and you don’t have it, don’t reply. To reply would be a waste of your time, of the time of the person to whom you are replying, and of network/computer resources.

5. Don't automatically click Reply All. If someone sends a note addressed to a large group, stop and think before you click Reply All. Maybe you need to take your discussion with the original sender offline. If the whole group doesn't need your input, don't waste their time and inbox space.

6. Time used in checking and replying to emails should be managed and scheduled like any other activity. Don’t become a slave to your email system.

Newsgroups:

Users need to request permission from their supervisor before subscribing to a newsletter, news group, or Usenet.

Maintenance:

1. Delete any email messages that you do not need to have a copy of, and set your email client to automatically empty your ‘deleted items’ on closing.

2. Retained emails are subject to {COMPANY} document retention policy.

Personal Use

Although the {Company} email system is meant for business use, {COMPANY} allows “occasional” use of email for personal use if certain guidelines are adhered to:

1. Personal use of email must not interfere with work.

2. Personal emails must also adhere to the guidelines in this policy.

3. Personal emails are kept in a separate folder, named ‘Private’. The emails in this folder must be deleted weekly so as not to clog up the system.

4. The forwarding of chain letters, junk mail, jokes and executables is strictly forbidden.

5. On average, users are not allowed to send more than 2 personal emails a day.

6. Do not send mass mailings.

7. All messages distributed via the company’s email system, even personal emails, are {Company} property, meaning that you must have no expectation of privacy.

Confidential information

Avoid sending confidential information by email. If you do, you must secure the information by including it in a Microsoft Word or Excel file and protecting it with a password. Then provide the recipient with the password by means of other communication, for instance by telephone.

Disclaimer

The following disclaimer must be added to each outgoing email:

‘This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the Email administrator. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. Whilst taking reasonable precautions against such, company accepts no liability for any damage caused by any virus transmitted by this email.’

System Monitoring

You must have no expectation of privacy in anything you create, store, send or receive on the company’s computer system. Your emails can be monitored without prior notification if {COMPANY} deems this necessary. If there is evidence that you are not adhering to the guidelines set out in this policy, the {COMPANY} reserves the right to take disciplinary action, including termination and/or legal action.

Email accounts

All email accounts maintained on our email systems are property of {COMPANY}. Passwords must not be given to other people and must be changed according to {COMPANY} security policy. Email accounts not used for 60 days will be deactivated and possibly deleted.

End to computer viruses

An end to computer viruses? Start-up claims it can stop malware

That’s because viruses are copycats, said Liran Tancman, CEO and co-founder of the 10-person software firm Cyactive. Creating new code for each new piece of malware is expensive and impractical – and nearly impossible, he said.

"There has never been a documented attack that has not used at least one recycled component," Tancman, who headed cybersecurity at an elite military intelligence unit in Israel, told FoxNews.com in a phone call. "Hackers modify the original code and then, voilà! A new threat is born."

But not everyone is ready to jump on the bandwagon. Claims of a cure for all computer viruses are made all the time, PC Magazine editor Neil Rubenking, a leading cybersecurity expert, told FoxNews.com.

"This claim gets made year after year, again and again," he wrote in an email. He said a similar product called Prevx “created a very nice behavior-analysis tool some years ago.” And Cyactive might even be simpler than that product, he said.

"[Cyactive is] just looking for re-used code from known malware. I'll be interested to see if it holds up in testing by the independent labs. But just looking at the claims, I see nothing new."

But Tancman insists his software is innovative and will hold up to industry standards.

Consider the recent hack of millions of Target customers' credit card numbers, where hackers used a remodeled version of an existing piece of malware called BlackPOS. Tancman claims the attack would have been thwarted before it caused serious damage if Target had been protected by Cyactive.

"When a threat is exposed, we predict that malware's evolution to protect an organization before the black-hat hackers even write it," said Danny Lev, Cyactive’s chief marketing officer. "We have the ability to see the future and prepare for it."

Added Tancman: "You have today a lot of security companies that are trying to build smarter detection systems. We also give you smart rules, but those rules are not learned on the past but they are learned on the future."

Another way that Cyactive is different from other virus-protection companies is that it also protects the "Internet of things,” a term coined by British technologist Kevin Ashton in the ’90s that refers to the growing trend of connecting all of our devices to the Internet. From lightbulbs to refrigerators and toothbrushes, everything is web-connected today -- and therefore at risk of being hacked.

"The detectors that we use are very lightweight," Tancman said, "meaning we are not restricted to one kind of device. Our security can be deployed on normal PCs as well as ... things like refrigerators to turbines and critical devices."

But even Cyactive is not completely safe from hackers, he admitted.

"It will be more difficult for hackers to overcome, but they will," Tancman said. "We continue to ask our smart algorithms to tell us ways in which hackers might fool our own detectors. This is how we maintain an advantage."

"We hope that with our solution crime doesn't pay anymore," Lev said.

Even if you power off your cell phone the U.S. government can turn it back on

The government can't really turn your phone back on. But it can keep the phone from actually turning off.

Even if you power off your cell phone, the U.S. government can turn it back on.

(Jose Pagliery @ CNN) That's what ex-spy Edward Snowden revealed in last week's interview with NBC's Brian Williams. It sounds like sorcery. Can someone truly bring your phone back to life without touching it?

No. But government spies can get your phone to play dead.

It's a crafty hack. You press the button. The device buzzes. You see the usual power-off animation. The screen goes black. But it'll secretly stay on -- microphone listening and camera recording.

How did they get into your phone in the first place? Here's an explanation by former members of the CIA, Navy SEALs and consultants to the U.S. military's cyber warfare team. They've seen it firsthand.

Government spies can set up their own miniature cell network tower. Your phone automatically connects to it. Now, that tower's radio waves send a command to your phone's antennae: the baseband chip. That tells your phone to fake any shutdown and stay on.

A smart hack won't keep your phone running at 100%, though. Spies could keep your phone on standby and just use the microphone -- or send pings announcing your location.

John Pirc, who did cybersecurity research at the CIA, said these methods -- and others, like physically bugging devices -- let the U.S. hijack and reawaken terrorists' phones.

"The only way you can tell is if your phone feels warm when it's turned off. That means the baseband processor is still running," said Pirc, now chief technology officer of the NSS Labs security research firm.

Recovery mode. Put your phone on what's known as Device Firmware Upgrade (DFU) mode. This bypasses the phone's operating system. Every phone has a different approach for this.

It's fairly easy (albeit cumbersome) for iPhone users. Plug it into a computer with iTunes open. Hold down the Power and Home buttons for 10 seconds (no less) then let go of the Power button. Wait for an iTunes pop-up. That's it.

For Android users, recovery mode varies by model. Android Magazine has a great tutorial here.

Create a barrier. Use a signal-blocking phone case. You can buy them (Off Pocket, HideCell) or even make your own -- assuming you have the patience to do so.

Pull out the battery. Without a power source, the phone can't come back on. This is the best, most surefire option. It's also, annoyingly, no longer a choice on most top-of-the-line smartphones. The iPhone, HTC One and Nokia Lumia don't have removable batteries. Luckily, the Samsung Galaxy and LG G3 still do.

Silent Circle, a company that enables top-end private communication, kept these issues in mind when it co-created the Blackphone. It has a removable battery. It uses PrivatOS, a stripped-down version of Android that reduces tracking.

And because spoofed cell towers can target its antennae too, Blackphone's makers are working with chipmaker Nvidia to develop their own custom, more secure baseband chip.

Silent Circle CEO Mike Janke, a former Navy SEAL, said they designed the phone based on revelations that the NSA can find powered off phones and the FBI can tap their microphones.

You probably don't need to fear that the National Security Agency is using this strategy on your phone, Janke said. Those spies are focused on hunting down a specified list of terrorists and foreign fighters. But he noted that the FBI is using these kinds of surveillance tactics in the U.S. for all sorts of crimes. 

Expiring Windows XP support may mean many more Target-sized data breaches

(Jim Hood @ ConsumerAffairs) There's a lot of sound and fury being generated over the Target data breach that may have exposed the credit and debit card data of more than 100 million Americans. But the list of potential villains includes not just the hackers who broke into Target's system but also the millions of consumers, businesses and institutions that are still running Windows XP.

Microsoft is officially ending support for the legendary operating system soon, meaning that it will no longer issue updates to fix security problems.

This is bad news for everyone. Even if you are running the very latest version of Windows, OS X or Linux, it's a near certainty that some of your most personal and valuable data is stored on or passes through systems still running XP.

That's because the relatively light, simple and reliable OS has for years been the first choice for point-of-sale terminals, medical devices and back-office systems of every size and description. These tend to be install-and-forget applications that are easily overlooked as IT people come and go.

Zombie recruits

Photo: Google Chromebook -- simple, inexpensive, secure

When Microsoft support ends, all these devices and systems will be even more vulnerable than they are now -- vulnerable not only to data theft but also to being taken over and used as zombie computers that send out malware, infecting other computers and smartphones, possibly including yours.

Don't believe it? Read any story about Windows 8 and scroll down to the comments. You'll find hordes of consumers proudly reporting that they would never think of upgrading their system because they continue to use XP with no problems.

It's sort of like Typhoid Mary. She lived a long and healthy life. Too bad about all those others.

Making matters worse is that the criminal underworld knows this is happening and has already written code to take advantage of it. After all, crime is big business and these days, the Internet is the path of least resistance for criminal enterprises, thanks in no small part to the individuals and businesses that don't take computer security seriously.

What to do

Photo: Macbook Pro -- svelte, secure, expensive

What can you do to make sure your computer is not part of the problem? The most obvious answer is, if you're still running Windows XP, it's time to bid it farewell. It is long past its prime and simply is not equipped to handle the security risks that today's Internet presents.

A perfectly acceptable replacement is Windows 7 -- a stable OS that is easy to set up and easy to manage. You can buy Windows 7 for as little as $65 and find instructions for upgrading on Microsoft.com.

Don't want a new version of Windows? Well, if your needs center mostly around email, web surfing and so forth, you can pick up a Google Chromebook for around $200. It's very secure and very easy to use but you can't install programs; you can only run apps through the Chrome browser.

Obviously you could buy a Mac but chances are anyone still running XP is not likely to shell out the bucks required for an Apple product. They are high-end, top-quality and quite secure but a bit on the pricey side.

You could also download a free copy of Linux Mint, an excellent lightweight OS that is secure and easy to use. It's very similar to Windows 7 in appearance and includes a complete package of office software, including word processing and spreadsheet programs.

We have all of these systems running in our office and try to use each of them daily, just to keep up with what's what. (Unfortunately, we also have Windows 8.1, a powerful OS with a horrible interface that is a source of endless frustration.) Any of them will be a perfectly adequate replacement for Windows XP and will upgrade your security to 21st Century levels.

It's not something to put off. Yes, Target and other retailers will be pilloried, sued, boycotted and generally reviled. But anyone using XP or any system that is not kept up to date is a big part of the problem as well.

EyePrints Provides Biometric Smartphone Security

(Mark Huffman @ ConsumerAffairs) It sounds like something out of a James Bond movie but it could be available on your smartphone next year. It's a biometrics application that uses your "eye print" to access sensitive information with your mobile device.

EyeVerify has produced what it calls "the first eyeprint solution" for mobile users to verify their digital identity. It allows them to securely access highly personal information on the Web in the blink of an eye -- literally. The system uses the hardware that is already part of your smartphone, namely the built-in camera.

The camera images the user's eye and pattern-matches the unique veins in the whites of the eye. If it's a match, the user gains access to the information. If it's not a match, he doesn't.

Just like fingerprints

"Similar to how fingerprints historically were the standard in identifying individuals, EyeVerify is the first and only mobile authentication solution leveraging the uniqueness of eye vein patterns to obtain a person's 'eyeprint,'" said Toby Rush, CEO of EyeVerify. "This new method is redefining standards for simple, yet secure authentication for personal or business use leveraging existing mobile devices without requiring additional hardware."

Currently most mobile devices are protected by passwords but Rush says that's no longer effective. He maintains they're not secure, there are too many, and these types of passwords are no longer a viable method for digitally proving we are who we say we are.

Other authentication technologies, such as fingerprint, iris and keyfob tokens, may offer comparable accuracy, but they require additional hardware and expense.

Everything's going mobile

Rush says something else was needed. Mobile devices are increasingly becoming the standard for how we manage our work and personal lives, potentially exposing ourselves to identity theft and fraud.

According to Aberdeen Group, there were $221 billion in identity-related crimes reported in 2011. The average user today manages over 25 online accounts, plaguing consumers with the battle of "password sprawl."

Dr. Arun Ross, Associate Professor at West Virginia University and a leader in biometric research, says that the applications for eyeprint technology are limitless. Eye vein biometrics can potentially be used for applications such as mobile banking, enterprise security and healthcare. And almost everyone has a smartphone with a camera.

EyeVerify's eyeprint technology isn't available just yet. The company says it is currently in beta test on the Apple iOS and Android mobile platforms. It should be available for general release in early 2013.

FBI Drive-By Ransomware Virus Locks Computers Demands Payment Now

New Internet Scam
‘Ransomware’ Locks Computers, Demands Payment

There is a new “drive-by” virus on the Internet, and it often carries a fake message—and fine—purportedly from the FBI.

“We’re getting inundated with complaints,” said Donna Gregory of the Internet Crime Complaint Center (IC3), referring to the virus known as Reveton ransomware, which is designed to extort money from its victims.

Reveton is described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.

The bogus message goes on to say that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service.

“Some people have actually paid the so-called fine,” said the IC3’s Gregory, who oversees a team of cyber crime subject matter experts. (The IC3 was established in 2000 as a partnership between the FBI and the National White Collar Crime Center. It gives victims an easy way to report cyber crimes and provides law enforcement and regulatory agencies with a central referral system for complaints.)

“While browsing the Internet a window popped up with no way to close it,” one Reveton victim recently wrote to the IC3. “The window was labeled FBI and said I was in violation of one of the following: illegal use of downloaded media, under-age porn viewing, or computer-use negligence. It listed fines and penalties for each and directed me to pay $200 via a MoneyPak order. Instructions were given on how to load the card and make the payment. The page said if the demands were not met, criminal charges would be filed and my computer would remain locked on that screen.”

The Reveton virus, used by hackers in conjunction with Citadel malware—a software delivery platform that can disseminate various kinds of computer viruses—first came to the attention of the FBI in 2011. The IC3 issued a warning on its website in May 2012. Since that time, the virus has become more widespread in the United States and internationally. Some variants of Reveton can even turn on computer webcams and display the victim’s picture on the frozen screen.

“We are getting dozens of complaints every day,” Gregory said, noting that there is no easy fix if your computer becomes infected. “Unlike other viruses,” she explained, “Reveton freezes your computer and stops it in its tracks. And the average user will not be able to easily remove the malware.”

The IC3 suggests the following if you become a victim of the Reveton virus:

  • Do not pay any money or provide any personal information.
  • Contact a computer professional to remove Reveton and Citadel from your computer.
  • Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.
  • File a complaint and look for updates about the Reveton virus on the IC3 website.

Resources

- New e-scams and warnings
- Computer scams and safety webpage

- The IC3 website
- FBI Cyber Division


FBI Warns That Ransomware Attacks Are Getting More Dangerous And Expensive

In an alert published this week, the U.S. Federal Bureau of Investigation warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users), multiplying the number of infected servers and devices on a network.

Powerful Ammo For Budget 

This FBI alert is powerful ammo for budget. It explains one more time what ransomware is, how fast it mutates, and that infections are skyrocketing. They explain what the potential losses are -- service disruptions, financial loss, and in some cases, permanent loss of valuable data -- and that it is challenging for the FBI to keep pace. I strongly suggest you send this link to the decision-making team that holds the infosec purse strings:
https://www.ic3.gov/media/2016/160915.aspx 

Because the FBI has only about 800 cyber agents, including just 600 agents who conduct investigations, the agency doesn’t have the ability to address every attack and must triage the most significant ones. You are on your own if the damage is less than a few hundred thousand dollars.

FBI: "Tell Us How Much Ransom You Have Paid" 

The FBI is requesting victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center, at www.IC3.gov, with the following ransomware infection details (as applicable):

  • Date of Infection
  • Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  • Victim Company Information (industry type, business size, etc.)
  • How the Infection Occurred (e-mail, browsing websites, etc.)
  • Requested Ransom Amount
  • Bad Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  • Ransom Amount Paid (if any)
  • Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  • Victim Impact Statement

The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers. 

What To Do About It 

"The FBI recommends users consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack:

  • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
  • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
  • Only download software – especially no charge software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
  • Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
  • Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

The FBI suggests additional considerations for businesses. Note their first bullet, which is where we can help you:

  • Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
  • Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
  • Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
  • Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
  • Use virtualized environments to execute operating system environments or specific programs.
  • Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization’s e-mail environment.
  • Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
  • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy."
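
The recommendation above to block execution from temporary and AppData folders can be paired with a detection check over process-creation logs. The following Python is an added example, not taken from the FBI alert or this article; the event fields, host names, hashes and folder patterns are constructed assumptions.

```python
"""Flag process launches tied to user-writable folders (constructed data only)."""
import ntpath
import re

# Per-user profile prefix; paths are lower-cased before matching.
PROFILE = r"[a-z]:\\users\\[^\\]+\\appdata\\"

# Most specific location first; the first matching label wins.
# The folder names are common Windows conventions, listed here as assumptions.
RISKY_LOCATIONS = [
    ("browser-cache", re.compile(
        PROFILE + r"local\\microsoft\\windows\\(inetcache|temporary internet files)\\")),
    ("archive-temp", re.compile(
        PROFILE + r"local\\temp\\(7zo[^\\]*|rar\$[^\\]*|temp\d+_[^\\]*)\\")),
    ("temp", re.compile(PROFILE + r"local\\temp\\")),
    ("appdata", re.compile(PROFILE)),
]

# Script paths passed to an interpreter. ':' is excluded from the body so a
# match cannot run from the interpreter's own path into the argument's path.
SCRIPT_ARG = re.compile(
    r'[a-z]:[\\/][^"<>|*?:]*?\.(?:js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b', re.I)


def classify(path):
    """Return the risky-location label for a Windows path, or None."""
    # normpath converts '/' to '\\' and collapses '..' so traversal tricks
    # such as Documents\..\AppData do not hide the real folder.
    norm = ntpath.normpath(path.strip('"')).lower()
    for label, pattern in RISKY_LOCATIONS:
        if pattern.match(norm):
            return label
    return None


def review(events, allowed_hashes):
    """Return (host, kind, location, path) findings for a list of events."""
    findings = []
    for ev in events:
        # An executable in a risky folder is reported unless its hash is on
        # the allowlist (the "known and permitted" programs).
        location = classify(ev["image"])
        if location and ev["sha256"] not in allowed_hashes:
            findings.append((ev["host"], "image", location, ev["image"]))
        # A trusted interpreter can still run an untrusted script, so script
        # arguments are checked regardless of the interpreter's hash.
        for script in SCRIPT_ARG.findall(ev["command_line"]):
            location = classify(script)
            if location:
                findings.append((ev["host"], "script", location, script))
    return findings


# Constructed placeholder hashes and events; none of this is real telemetry.
ALLOWED_HASHES = {"1" * 64, "2" * 64, "3" * 64}
EVENTS = [
    {"host": "wks-01", "sha256": "1" * 64,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"host": "wks-02", "sha256": "a" * 64,
     "image": r"C:\Users\alice\AppData\Local\Temp\7zO4F2A11C\invoice.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\7zO4F2A11C\invoice.exe"'},
    {"host": "wks-03", "sha256": "2" * 64,  # per-user install, allowlisted
     "image": r"C:\Users\bob\AppData\Local\ExampleVendor\updater.exe",
     "command_line": r'"C:\Users\bob\AppData\Local\ExampleVendor\updater.exe" --check'},
    {"host": "wks-04", "sha256": "3" * 64,  # interpreter itself is allowlisted
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" '
                     r'"C:\Users\carol\AppData\Local\Microsoft\Windows\INetCache\IE\AB12CD34\scan.js"'},
    {"host": "wks-05", "sha256": "b" * 64,
     "image": "C:/Users/dave/Documents/../AppData/Roaming/svc.exe",
     "command_line": "C:/Users/dave/Documents/../AppData/Roaming/svc.exe"},
]

if __name__ == "__main__":
    for host, kind, location, path in review(EVENTS, ALLOWED_HASHES):
        print(f"{host}: {kind} in {location}: {path}")
```

The hash allowlist suppresses only the image-location finding: an allowlisted interpreter such as wscript.exe is still reported when its script argument sits in one of these folders.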

One thing missing from the FBI list is email server configuration. We all know that your users are the weak link in your IT security, and one of the very successful tactics the bad guys use is spoofed email addresses. When an email seems to come from a person they know, or from someone with authority, the chance they fall for an attack increases dramatically.

FCC orders Internet providers to protect consumer privacy

 

Photo © hultimus

(Jennifer Abel @ ConsumerAffairs) Here's possible good news for Internet users: yesterday the Federal Communications Commission issued an Enforcement Advisory (available in .pdf form here) warning Internet service providers (ISPs) that “broadband providers should take reasonable, good faith steps to protect consumer privacy.”

 

Of course, the terms “reasonable” and “good-faith” are wide open to interpretation. What does the FCC mean? Basically, since ISPs are being reclassified as “common carriers” next month, similar to telephones in the pre-Internet era, they must respect similar types of privacy protections.

“The Commission has found that absent privacy protections, a broadband provider’s use of personal and proprietary information could be at odds with its customers’ interests,” as the FCC noted in an admirable example of understatement.

Not hypothetical

It's not just a hypothetical problem. In February, for example, AT&T introduced its high-speed GigaPower home Internet service to Kansas City residents (who already had the option of buying high-speed Internet through Google Fiber for $70 per month).

AT&T, by contrast, offered a two-tiered GigaPower price plan: $70 monthly for a standard GigaPower connection, or $99 per month to “opt out” of what AT&T called its “Internet Preferences” program — “Internet Preferences” basically being a euphemism for “tracking and monitoring your online activities”:

When you select AT&T Internet Preferences, we can offer you our best pricing on GigaPower because you let us use your individual Web browsing information, like the search terms you enter and the web pages you visit, to tailor ads and offers to your interests.

How thoughtful of them.

Not that AT&T deserves to be singled out; as early as 2013, Verizon was (among other things) offering select advertisers a then-new service called Precision Marketing that allowed sports clubs and athletic venues to track their smartphone-owning fans' activities before and after a game. When Pizza King, for example, buys ads on the in-game scoreboards, are sports fans more likely to actually visit a Pizza King afterwards? Precision Marketing could let you know!

Vast potential

For modern Americans, the Internet (and any devices connected to it) arguably plays a much bigger role in everyday life than old-fashioned landline telephones ever did — and as a result, the potential privacy violations that arise from monitoring people's online activities are correspondingly greater than what applied to telephones.

For now, as the FCC explains in its Enforcement Advisory, the Commission has not gone so far as to take the specific telephone-based privacy regulations currently in existence and explicitly apply them to ISPs. The FCC does have the option of setting broadband-specific standards later, if necessary — but first, it's giving ISPs the benefit of the doubt and giving them the chance to take “reasonable, good faith steps” toward doing so on their own.

FTC End History Sniffing

(James Limbach ConsumerAffairs) An online advertising company has agreed to settle Federal Trade Commission (FTC) charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues.

Areas of interest ranged from fertility and incontinence to debt relief and personal bankruptcy.

The settlement order bars Epic Marketplace Inc., from continuing to use history sniffing technology, which allows online operators to “sniff” a browser to see what sites consumers have visited in the past. It also bars future misrepresentations by Epic and requires the company to destroy information that it gathered unlawfully.

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” said FTC Chairman Jon Leibowitz. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

Huge online presence

Epic Marketplace is a large advertising network that has a presence on 45,000 Websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.

In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network. However, the FTC accuses Epic of employing history-sniffing technology that allowed it to collect data about sites outside its network that consumers had visited, including sites relating to personal health conditions and finances.

According to the FTC complaint, the history sniffing was deceptive and allowed Epic to determine whether a consumer had visited any of more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief and personal bankruptcy.

The FTC complaint alleges that depending on which domains a consumer had visited, Epic assigned the consumer an interest segment, including categories such as “Incontinence,” “Arthritis,” “Memory Improvement,” and “Pregnancy-Fertility Getting Pregnant.” Epic used these categories to send consumers targeted ads.

Destruction of data ordered

The consent order bars Epic Marketplace, Inc., and Epic Media Group, LLC from using history sniffing, and requires that they delete and destroy all data collected using it. It also bars misrepresentations about the extent to which they maintain the privacy or confidentiality of data from or about a particular consumer, computer or device, including misrepresenting how that data is collected, used, disclosed or shared.

It further prohibits misrepresentations about the extent to which software code on a Webpage determines whether a user has previously visited a Website.


FTC Says Aaron's stores spied on customers through webcams on rented computers

(Truman Lewis @ ConsumerAffairs) The Aaron’s furniture rental chain has settled a federal complaint that it played a "direct and vital role" in its franchisees’ use of software on rental computers that secretly monitored consumers, taking webcam pictures of them in their homes.

 

The disclosures came in the settlement of a Federal Trade Commission (FTC) complaint that said Aaron's franchisees surreptitiously tracked consumers’ locations and captured images through the computers’ webcams – including those of adults engaged in intimate activities.

The software also functioned as a keylogger that captured users’ login credentials for email accounts and financial and social media sites, the FTC said.

The FTC charges echo those leveled in a 2011 class-action lawsuit. A similar suit was filed against Rent-A-Center in September 2013.   

“Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “By enabling their franchisees to use this invasive software, Aaron’s facilitated a violation of many consumers’ privacy.”

Who knew what


The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent.

In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. Aaron’s also provided franchisees with instructions on how to install and use the software.

The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.

Under the terms of the proposed consent agreement with the FTC, Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

Must give notice

In addition, Aaron’s will be required to give clear notice and obtain express consent from consumers at the time of rental in order to install technology that allows location tracking of a rented product. For computer rentals, the company will have to give notice to consumers not only when it initially rents the product, but also at the time the tracking technology is activated, unless the product has been reported by the consumer as lost or stolen. The settlement also prohibits Aaron’s from deceptively gathering consumer information.

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Facebook 5 Essential Security Settings

(Kim Komando USA Today) Facebook is a fabulous way to connect with friends and family. Of course, Facebook is also a spectacular way to embarrass yourself. And it happens almost every day.

Users post personal photos and intimate status updates that they think only a few friends will see. Then the posts get broadcast to friends of friends or — worse — everyone.

Anyone can be surprised by an episode of oversharing if they're not paying attention — even Randi Zuckerberg, a former Facebook executive and sister of CEO Mark Zuckerberg. Last month, she posted a family photo intended for friends, but didn't choose the right privacy setting. A friend of another Zuckerberg sister grabbed it and posted it on Twitter.

And Facebook's announcement this week of a new tool called Graph Search – which will let you sift through photos, places and more that have been shared on Facebook – also makes this a really good time to check some of your privacy settings. For now, it's in a very limited beta trial as Facebook develops the product.

Fortunately, Facebook has a new tool to help simplify your privacy settings. In the hustle and bustle of the holidays, you probably also missed it. That's OK; it's easy to find.

When you're logged into Facebook, you'll notice a new lock icon in the top tool bar. Clicking on that brings up the new Privacy Shortcuts menu, where you can manage the Big Three privacy concerns: Who can see my stuff? Who can contact me? How do I stop someone from bothering me?

Without dropping what you're doing and navigating somewhere else, you can quickly block (unfriend) someone, verify that only friends are seeing your posts, filter how you receive messages and control who can send you friend requests.

This dropdown menu also provides a shortcut to your Activity Log, where you can review your past activity. And you can use the new Request and Removal tool to ask friends to take down pictures of you.

The Privacy Shortcuts area is an improvement, but there are other important settings buried away that still need attention. To access these, click on See More Settings in the Privacy Shortcuts menu. (This is the same as clicking on the gear icon next to it and choosing Privacy Settings.)

Under Privacy, check the answer to the all-important "Who can look me up?" You probably don't want that set to Everyone! I recommend Friends at least.

You probably don't want search engines finding your Facebook profile, either. I'd make sure that option is turned off.

If you regularly log in to websites with your Facebook account, you might be surprised by how many apps have access to your profile. Some apps may also have permission to make posts on your behalf. Modify these settings or remove apps you no longer use by going to Apps>>Apps You Use.

The "Apps others use" and "Instant personalization" subheadings also need attention.

You likely allow most of your friends to see your birthday, hometown and other personal data. "Apps others use" controls whether apps that your friends use can also grab that information. I recommend that you uncheck all the boxes.

"Instant personalization" allows information you've made public on Facebook to be used by partner sites, such as TripAdvisor and Yelp, to customize your experience. If your goal is to share less, disable it.

Finally, make a pit stop under the Ads setting. Change "Third Party Sites" and "Ads & Friends" to No One from the two dropdown menus.

If these options are set to "Only my friends," Facebook can pair your name and profile picture with a paid ad and show it to your friends. You don't want that.

Spend a few minutes covering these bases, and you should have a safe and secure 2013 on the No. 1 social network.


Facebook Briefly Killed the Internet

For a few minutes this evening, Facebook was redirecting users visiting dozens of websites — including Mashable — to cryptic error pages.

The reaction online was pretty much what you'd expect, with — as The Next Web noted — hashtags like "Facebookmageddon" and "Facebocalypse" common amongst Twitter users.

So what happened, exactly? There was an issue with the Facebook Connect API that caused sites using that API to redirect users to a Facebook error page.

For example, if you were visiting Mashable and logged into our site using your Facebook account (and you were also signed into Facebook), you were automatically redirected to a page that looked like this:

Exiting the page or attempting to re-access the original site would lead to another redirect. Back to this:

 

Sites such as The Huffington Post, Kayak, Hulu, The Daily Dot, Pinterest and hundreds of others were all impacted. The bug lasted less than 10 minutes.

In a statement, Facebook told Mashable: "For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites. The issue was quickly resolved and Login with Facebook is now working as usual."

The bug may have been brief, but it has highlighted just how many important websites use Facebook Connect for user authentication. Over the span of just a few years, Facebook logins have become so pervasive that they are nearly second nature. It also shows that if Facebook has an issue, it can affect more than just its site — it can also impact the hundreds of thousands (millions?) of sites that integrate with Facebook's APIs.

What's interesting is that a user didn't even need to be performing the action for the error — and hijacking — to occur. Instead, simply being logged into both places (and having the accounts linked) was enough to force users off of a third-party website and onto Facebook's error page.


Facebook Improves User Privacy Controls

Backing away from Zuckerberg's dream of a world without privacy—at least for now.

(Jennifer Abel @ ConsumerAffairs) A common complaint which Facebook users have had almost as long as there's been a Facebook is this: its confusing and oft-changing privacy policies make it extremely easy to overshare without realizing it — in other words, you post something you think will be visible only to a small select group of people, only to learn it's visible to anybody with an Internet connection.

That's because Facebook accounts used to default to a public setting — in other words, any post you made was visible to everybody unless you specifically changed your settings to make them private. And for years, Facebook mostly hand-waved away any complaints about its confusing privacy policies.

Indeed, a few years ago Mark Zuckerberg went so far as to call privacy an obsolete value. “When I got started in my dorm room at Harvard, the question a lot of people asked was 'Why would I want to put any information on the Internet at all? Why would I want to have a website?'”

Sharing is noble?

Of course, that idea didn't need long to change, and Zuckerberg seemed to feel that ending privacy altogether was a cause worth working toward:

“People have gotten really comfortable not only sharing more information and different kinds, but more openly and with more people …. That social norm is just something that evolved over time. We view it as our role in the system to constantly be innovating and updating what our system is to reflect what the current social norms are.”

If Facebook's privacy settings were any indication, Zuckerberg seemed to think those “current social norms” included “Sharing more and different information is synonymous with sharing all information” or “Sharing information with more people should entail sharing information with all people” or “When I tell my friends about my wild-n-crazy weekend, I always hope my boss and my super-strict grandmother hear about it, too” and other things which nobody actually believes, which is why pretty much everybody who's not Mark Zuckerberg always hated Facebook's public-default system.

But Facebook is finally paying attention to those complaints. On May 22, Facebook announced that it was changing its default settings, in part because of user complaints: “We've … received the feedback that [Facebook users] are sometimes worried about sharing something by accident, or sharing with the wrong audience.”

Set to "private"

As a result of these changes, new Facebook accounts will automatically be set to “private,” and you'll have to deliberately change the settings to make your posts public. For people already on Facebook, the company will start giving what it calls “privacy checkups” over the next few weeks, especially for people with “public” settings: try making a post and first, a pop-up window will remind you that this post will be publicly visible, and ask if you want to change that.

Regular Facebook users should also expect to see occasional pop-ups offering tutorials about other aspects of Facebook settings.

Facebook users risk identity theft, says famous ex-conman

(Mark Sweney @ guardian)

Frank Abagnale, the man dubbed the world's greatest conman, has issued a stark warning about the dangers of identity theft and children using Facebook.

Abagnale, portrayed by Leonardo DiCaprio in Steven Spielberg's film Catch Me If You Can, said that children in particular need to be made aware of the serious risks of unwittingly revealing information on social networking sites.

He has nearly 40 years' experience as a security expert for US law enforcement agencies, having switched sides when he was eventually caught by the FBI after spending half his teenage years on the run as a confidence trickster, imposter, cheque forger and escape artist in the 1960s.

"I'm not on it [Facebook, but] I have no problem with it," he said, addressing the Advertising Week Europe conference in London on Wednesday. "I have three sons on it. I totally understand why people like it. But like every technology you have to teach children, it is an obligation of society to teach them how to use it carefully."

He said having accrued 37 years' work with the FBI he has also become aware of many widely available techniques to gather dangerous amounts of personal data from Facebook.

He gave the example of a creeper virus that allows the tracking of a Facebook user even if their phone is not transmitting.

Another readily available programme, which Abagnale said is owned by Google, uses facial recognition that can match an individual with their personal information on the social networking website "in just seven seconds".

"If you tell me your date of birth and where you're born [on Facebook] I'm 98% [of the way] to stealing your identity," he said. "Never state your date of birth and where you were born [on personal profiles], otherwise you are saying 'come and steal my identity'."

He also advised Facebook users to never choose a passport-style photograph as a profile picture, and instead use group photographs.

Abagnale, who uses a document shredder so he knows that even the FBI cannot reassemble the paper, also warned about the dangers of the seemingly innocuous details given away by users who "like" Facebook postings.

Leonardo DiCaprio as Frank Abagnale Jr in Steven Spielberg's Catch Me If You Can. Photograph: Moviestore Collection/Rex Features

"What [people] say on a Facebook page stays with them," he said. "Every time you say you 'like' or 'don't like' you are telling someone [things like] your sexual orientation, ethnic background, voting record."

He said he has a "tremendous amount of respect" for the UK's privacy laws, which are "way ahead" of the US.

Abagnale said that while it was common to see companies such as Facebook being criticised for privacy issues in the media, it is up to people to take action to keep their data private.

"Your privacy is the only thing you have left," he said. "Don't blame all the other companies – Google, Facebook – you control it. You have to keep control of your own information."

Between the ages of 16 and 21 Abagnale claims to have impersonated airline pilots, a doctor and a lawyer while forging and cashing $2.5m in cheques and employing other confidence scams. However, he has admitted in the past that his co-writer on the book Catch Me If You Can, on which the DiCaprio film was based, "over dramatised and exaggerated" some of his exploits.

The 64-year-old, who said he has voluntarily paid back every penny he gained illegally, added that airline Pan Am estimates he flew more than a million miles for free on 250 aircraft to 26 countries during his teenage crime spree.

He said that counter-intuitively the rise of technology has made it harder, not easier, for law enforcement. "What I did 40 years ago as a teenage boy is 4,000 times easier now," he said. "Technology breeds crime."

He gave the example of creating a fake British Airways cheque which in his time required finding a $1m printing press the size of an auditorium and three operators. He managed this himself with scaffolding.

"Today one simply opens a laptop," he said. "Each time we add technology it makes it a little easier for criminals. I would have thought technology would have made it harder to do what I did."

He also lamented the rise of an iPhone generation of children who have come to rely on technology and have lost the ability to be resourceful in a more traditional way.

"It is unfortunate today that many young children are not resourceful," he said. "If you took a child in London and took their iPhone and took them somewhere else in the country they'd probably not be able to find their way back. That's a shame."

He added that he avoids the trappings of fame – books, a current TV series, a broadway musical and dozens of offers to front shows and make guest appearances – and has perhaps surprisingly not benefited from royalties or fees due to restrictions of his FBI contract.

Abagnale said he had nothing to do with the film Catch Me If You Can but was happy Steven Spielberg recreated a relatively realistic version of his life, despite some factual errors. His father, portrayed in the film by Christopher Walken, in fact died while Abagnale was in jail in France aged 21. He did not see him again after he ran away from home after his parents divorced when he was 16.

Despite the glamorous image built up around his past, the 64-year-old admitted remorse for his actions.

"I always knew I would get caught. Only a fool would think otherwise. The law sometimes sleeps, it never dies. Some say you were brilliant, a genius, I was neither, I was a child. If I had been brilliant or a genius I wouldn't have needed to break the law just to survive. I've had to live with it the rest of my life".

Abagnale said he has turned down three pardons from three different US presidents.

"I do not believe, nor will ever believe a piece of paper will excuse my actions. Only my actions will."

Facial Recognition Allows Merchants To Watch You While You Shop


NEC has unveiled facial recognition technology for merchants to help them analyze who visits their stores and how often.

When you next shop for that perfect pair of jeans, know that retailers may be harnessing facial recognition technology to determine your age, gender and how regularly you shop at their stores. The data collected will help retailers fine tune their marketing pitches and in-store displays.

Such a service is already being rolled out in Japan via NEC. It runs via the company’s cloud computing technology, which means all a retailer needs is a web-connected computer, a video camera and about $880 a month to pay for it, according to video news website Diginfo TV.

While facial recognition technology is hardly new, the service highlights the transition of the technology from the land of high security and casinos to the shopping mall – and is one more data point showing that all anyone needs is your picture to know everything about you.

 – via Diginfo TV

John Roach is a contributing writer for NBC News Digital.

 


Fake Virus - Alert Let Us Fix Your Computer - Scam

(Mark Huffman @ ConsumerAffairs) You could be completing a purchase, browsing the latest news or checking out your Facebook page when suddenly a message pops up on your computer, warning you've just been infected with a virus.

Yikes! But never fear, the helpful pop-up offers a “c.

Great! But wait a minute, how did they know you've downloaded something nasty?

They don't know, because you haven't. At least, not yet. You might if you fall for their gambit, which is to get you to either buy something you don't need or download a file that will really mess you up for real.

Scareware

It's called “scareware,” for the obvious reason that the people behind the pop-ups are trying to scare you into taking action without thinking it through. According to the Federal Trade Commission (FTC), which has devoted more time to wrestling with this issue in recent months, the “free scan” will invariably find all sorts of problems on your computer that it says can be fixed by paying $40 for special software.

Once you run the software you are told that all your problems have been fixed. Of course, there weren't any to begin with. But in some cases, that software you paid for could be loading all sorts of unwanted files on your computer.

According to Symantec, maker of Norton anti-virus products, the typical scareware pitch will always try to produce panic as a first response. The scammers will take great pains to produce very legitimate looking pop-up “alert” or “update” windows, the kind you might see from a legitimate anti-virus provider. But the tone will be a lot more alarming.

It can go from bad to worse

Besides spending $40 needlessly, you've just handed over your credit or debit card information to a criminal enterprise. If the scammers choose to, they can hit your card for bogus charges or clean out your bank account.

In an emerging threat, they may even resort to extortion. The software you download might take over your PC and hold all your files hostage until you make a ransom payment to get control of your computer again.

Microsoft warns that it has seen cases where scareware, once downloaded to a victim's PC, has disabled Windows security updates and even disabled legitimate antivirus software. The company says the rogue software might also attempt to spoof the Microsoft security update process.

Be careful when searching for antivirus software

Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to be selective about what software you choose. It should be a brand you are familiar with. If you haven't heard of it, look for online reviews from several different sources.

Who are the scammers behind scareware? Many are offshore, operating in Russia, China or other countries safely outside the jurisdiction of U.S. law enforcement. But every once in a while consumer authorities find domestic scareware operations.

Late last month a federal appeals court handed the FTC a victory when it upheld the $163 million judgment a lower court imposed against Kristy Ross for her role in a scareware operation. In 2008 the FTC charged Ross and six other defendants with running a scareware scheme that defrauded consumers. The other defendants either settled the charges or had default judgments entered against them.

If you have fallen victim to this scam, you may be able to undo the damage to your computer without professional help. Computer experts at Indiana University (IU) say scareware files can piggy-back with browser add-ons, custom social networking media or chat platforms, games, or online advertisements. Fortunately, they tend to be few in number, install themselves in one of a few possible hidden locations, and can be deleted easily once you're able to access and modify the file system.

Favorite Hacked Passwords 123456 AND Your Birthday

Recently a niche programming-oriented website called phpbb.com had its user database hacked into and the passwords for 20,000 members stolen. The hacker who broke in then posted the account info and passwords online for the world to see. And while this is really bad news for those 20,000 unlucky souls, it offers an instructive lesson on password security for the rest of us.

InformationWeek analyzed the hacked password list and found a number of interesting trends in the data, primarily revolving around the fact that most people do exactly what they've been told not to do since passwords were first invented.

Author/analyst Robert Graham has tons of analysis on offer. I'm ordering my favorite/most enlightening data points from the piece here, starting with the most interesting. One thing to remember: These passwords are from a group of people interested in computer programming, so if anyone should know better, it's these guys.

> The most popular password (3.03% of the 20,000) was "123456." It's also generally considered the most common password used today.

> 4 percent used some variant of the word "password." Seriously, people, there's no excuse for this one. "password" was the 2nd most popular password used, also in keeping with historical trends.

> 16 percent of passwords were a person's first name. No word on if it was their first name, but someone's. Joshua is the most commonly used first-name password, a likely reference to the movie WarGames.

> Patterns abound. In addition to "123456," other patterns like "12345," "qwerty," and "abc123" were common, comprising 14 percent of the passwords used.

> 35 percent of passwords were six characters long. 0.34 percent were only one character long.

> For reasons no one can explain, "dragon," "master," and "killer" all crack the top 20 passwords. (On the top 500 password list linked above, "dragon" is #7.)

> One thing Graham doesn't discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account). In other words, they may very well have intentionally chosen something simplistic here to avoid re-using a password they save for an important login, just in case this site got hacked. Which, it turns out, it did.

I could go on, but Graham's post has way more detail than I can digest here and it's easy-reading too. Worth a close look for any citizen of the web.
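The categories in the list above (short passwords, keyboard and digit patterns, variants of "password", first names, popular words) can be checked mechanically when a password is chosen. The following is an added example, not code from Graham's analysis or from phpbb.com; the 8-character minimum, the substitution table, the first-name list beyond "joshua" and the sample passwords are assumptions made for the illustration.

```python
import re
from collections import Counter

MIN_LEN = 8  # assumption: policy minimum (the article reports 35% at six characters)

# Sequences a "pattern" password walks along: digits, alphabet, keyboard rows.
WALKS = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
         "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common character substitutions, undone before looking for the word "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s",
                      "5": "s", "1": "l", "3": "e"})

TOP_WORDS = {"dragon", "master", "killer"}      # named in the article
FIRST_NAMES = {"joshua", "michael", "jessica",  # illustrative list (assumption);
               "thomas", "daniel"}              # only "joshua" is from the article


def is_walk(chunk):
    """True for a run of 3+ characters that repeats one character or moves
    forwards or backwards along one of the WALKS sequences."""
    if len(chunk) < 3:
        return False
    if len(set(chunk)) == 1:
        return True
    return any(chunk in w or chunk[::-1] in w for w in WALKS)


def is_pattern(pw):
    """True if the whole password is made of letter and digit runs that are
    all walks, e.g. 123456, qwerty, abc123."""
    low = pw.lower()
    chunks = re.findall(r"[a-z]+|[0-9]+", low)
    return bool(chunks) and "".join(chunks) == low and all(map(is_walk, chunks))


def classify(pw):
    """Return the list of weakness labels that apply to one password."""
    low = pw.lower()
    labels = []
    if len(pw) < MIN_LEN:
        labels.append("too_short")
    if is_pattern(pw):
        labels.append("pattern")
    if "password" in low.translate(LEET):
        labels.append("password_variant")
    stem = re.sub(r"[0-9]+$", "", low)  # joshua99 -> joshua
    if stem in FIRST_NAMES:
        labels.append("first_name")
    if stem in TOP_WORDS:
        labels.append("top_word")
    return labels


def audit(passwords):
    """Percentage of passwords carrying each label; a password can carry several."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw) or ["no_finding"])
    total = len(passwords)
    return {label: round(100 * n / total, 1) for label, n in counts.items()}


# Constructed sample, not taken from any real password list.
SAMPLE = ["123456", "password", "Joshua", "qwerty", "abc123", "dragon",
          "P@ssw0rd1", "x", "correct horse battery", "joshua99"]

if __name__ == "__main__":
    for label, pct in sorted(audit(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{label:17} {pct:5.1f}%")
```

A signup form can call classify() and refuse any password that returns a label, while audit() gives the kind of percentage breakdown quoted above.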

Federal Law To Protect Children Unwittingly Exposes Them On Facebook

(SOMINI SENGUPTA NY Times) A federal law intended to protect children’s privacy may unwittingly lead them to reveal too much on Facebook, a provocative new academic study shows, in the latest example of how difficult it is to regulate the digital lives of minors.

Facebook prohibits children under 13 from signing up for an account, because of the Children’s Online Privacy Protection Act, or Coppa, which requires Web companies to obtain parental consent before collecting personal data on children under 13. To get around the ban, children often lie about their ages. Parents sometimes help them lie, and to keep an eye on what they post, they become their Facebook friends. This year, Consumer Reports estimated that Facebook had more than five million children under age 13.

That relatively innocuous family secret that allows a preteen to get on Facebook can have potentially serious consequences, including some for the child’s peers who do not lie. The study, conducted by computer scientists at the Polytechnic Institute of New York University, finds that in a given high school, a small portion of students who lie about their age to get a Facebook account can help a complete stranger collect sensitive information about a majority of their fellow students.

In other words, children who deceive can endanger the privacy of those who don’t.

The latest research is part of a growing body of work that highlights the paradox of enforcing children’s privacy by law. For instance, a study jointly written this year by academics at three universities and Microsoft Research found that even though parents were concerned about their children’s digital footprints, they had helped them circumvent Facebook’s terms of service by entering a false date of birth. Many parents seemed to be unaware of Facebook’s minimum age requirement; they thought it was a recommendation, akin to a PG-13 movie rating.

“Our findings show that parents are indeed concerned about privacy and online safety issues, but they also show that they may not understand the risks that children face or how their data are used,” that paper concluded.

Facebook has long said that it is difficult to ferret out every deceptive teenager and points to its extra precautions for minors. For children ages 13 to 18, only their Facebook friends can see their posts, including photos.

That system, though, is compromised if a child lies about her age when she signs up for Facebook – and thus becomes an adult much sooner on the social network than in real life, according to the experiment by N.Y.U. researchers.

The key to the experiment, explained Keith W. Ross, a computer science professor at N.Y.U. and one of the authors of the study, was to first find known current students at a particular high school. A child could be found, for instance, if she was 10 years old and said she was 13 to sign up for Facebook. Five years later, that same child would show up as 18 years old – an adult, in the eyes of Facebook — when in fact she was only 15. At that point, a stranger could also see a list of her friends.

The researchers conducted their experiment at three high schools. They were able to construct the Facebook identities of most of the schools’ current students, including their names, genders and profile pictures.

The researchers identified neither the schools nor any of the students. Their paper is awaiting publication.

Using a publicly available database of registered voters, someone could also match the children’s last names with their parents’ — and potentially, their home addresses, Professor Ross pointed out.

The Coppa law, he argued, seemed to serve as an incentive for children to lie, but made it no less difficult to verify their real age.

“In a Coppa-less world, most kids would be honest about their age when creating accounts. They would then be treated as minors until they’re actually 18,” he said. “We show that in a Coppa-less world, the attacker finds far fewer students, and for the students he finds, the profiles have very little information.”

How children behave online is one of the most vexing issues for parents, to say nothing of regulators and lawmakers who say they wish to protect children from the data they scatter online.

Independent surveys suggest that parents are worried about how their children’s social network posts can harm them in the future. A Pew Internet Center study released this month showed that most parents were not just concerned, but many were actively trying to help their children manage the privacy of their digital data. Over half of all parents said they had talked to their children about something they posted.

Teenagers seem to be vigilant, in their own way, about controlling who sees what on the pages of Facebook.

A separate study by the Family Online Safety Institute that was released in November found that four out of five teenagers had adjusted privacy settings on their social networking accounts, including Facebook, while two-thirds had placed restrictions on who could see which of their posts.


Federal Trade Commission Asked To Shut Down $70 Million Cramming Operation

The Federal Trade Commission (FTC) wants to shut down an operation that allegedly placed more than $70 million in bogus charges on consumers’ phone bills -- charges for services the consumers never ordered, did not authorize and often did not know they had.

In addition, the agency has asked a U.S. district court to freeze the operation's assets while the case moves forward.

Cramming crackdown

As part of a continuing crackdown on fraud and deception, the FTC filed a complaint against American eVoice, Ltd., eight other companies, Steven Sann, and three other people for "cramming" unauthorized charges onto consumers’ phone bills.

The complaint also alleges that the Missoula, Montana-area defendants transferred the proceeds from their illegal cramming operation to a purported non-profit, Bibliologic, Ltd., controlled by Steven Sann.

Hundreds of consumers complained that charges from $9.95 to $24.95 per month suddenly appeared on their phone bills without their authorization. The FTC claims defendants told phone companies and third party “billing aggregators” that the consumers had authorized the charges by filling out forms on the internet. Since January 2008, according to the complaint, the defendants have billed consumers for more than $70 million.

Additional charges

The FTC alleged that the defendants violated the Federal Trade Commission Act by:

  • unfairly billing consumers for services they did not authorize; and
  • deceptively representing that consumers were obligated to pay for the services.

The FTC also alleged that defendants channeled their illegal proceeds to Bibliologic, and that the purported non-profit organization has no right to the funds and must disgorge them to the FTC.

The complaint names as defendants Steven Sann; Terry Lane (aka Terry Sann); Nathan Sann; Robert Braach; American eVoice, Ltd.; Emerica Media Corp.; FoneRight, Inc.; Global Voice Mail, Ltd.; HearYou2, Inc.; Network Assurance, Inc.; SecuratDat, Inc.; Techmax Solutions, Inc.; and Voice Mail Professionals, Inc. The complaint also names Bibliologic, Ltd. as a relief defendant.


Feds mobilize industry for war on robocalls

(Mark Huffman @ ConsumerAffairs) The Federal Communications Commission (FCC) is preparing to wage war on robocalls and is trying to mobilize the technology industry to join the cause.

The FCC held a meeting with 30 of the industry's major players to talk about ways to hang up on these machine-generated calls, which are closely associated with scams, or products and services of dubious value.

You may be familiar with these calls. A recorded voice might congratulate you on winning a free cruise or tell you your business qualifies for a $250,000 loan. Or, the voice may claim to be calling from the IRS, warning you of impending jail time if you don't pay back taxes immediately – as in right now, over the phone, with a prepaid money card.

Biggest source of consumer complaints

The meeting was intended as a brainstorming session in hopes that Google, Apple, AT&T, and Verizon could find ways to limit or prevent these calls, which FCC Chairman Tom Wheeler calls “a scourge” and the biggest source of consumer complaints.

“They are an invasion of privacy, and this scourge is rife with fraud and identity theft,” Wheeler told the group. “The problem is that the bad guys are beating the good guys with technology right now.”

Wheeler says scammers outside the U.S. can use Voice over Internet Protocol (VoIP) to mislead voice networks. The bad guys have the ability to spoof a legitimate phone number that easily fools most caller ID programs.

FCC Commissioner Ajit Pai pointed out that there have already been some productive accomplishments in this area. He points to a 2013 competition among developers that resulted in Nomorobo, an app that he says has already stopped more than 126 million robocalls.

“We know there is a problem,” said FCC Commissioner Mignon Clyburn. “We know how much consumers dislike these calls. We know the public is frustrated, because they assumed that after they registered for the Do Not Call list, this would stop. It did not, so now it is time to take some real action.”

Previous action

The FCC has already taken some action. A year ago it adopted a proposal making clear that consumers have the right to control the calls they receive on both landline and wireless phones. That move also gave providers permission to implement robocall-blocking technologies.

Wheeler says the government needs tech firms to take it from here, noting that scammers are using technology to stay well ahead of regulators.

“It’s not as if good guys [are] standing idly by,” Wheeler said. “But we need more urgency.”

The tech firms attending the meeting apparently got the message. Reuters reports most have signed on to become part of a robocall strike force that will report back to the FCC in October on what it has come up with.

Feds outline new privacy rules for internet providers

(Mark Huffman @ ConsumerAffairs) Federal Communications Commission (FCC) Chairman Tom Wheeler has issued a proposal for new privacy rules governing broadband internet service providers (ISP), the companies that connect you to the internet.

Wheeler says the rules give consumers the tools they need to control how ISPs use their data, such as what sites they visit online.

Under the proposal, for example, ISPs would have to notify customers about what types of information they collect about them. They would have to specify how and for what purposes they use and share the data, including identifying the types of entities with which they share the information.

Positive reaction

Consumer Watchdog welcomed the proposal, saying it would give consumers much-needed control over how their personal information is used.

"Internet Service Providers like Comcast, Time Warner Cable, Verizon and Frontier Communications have a unique window into our online lives because they connect us to the Internet,” said John Simpson, Consumer Watchdog's Privacy Project Director. “ISPs must not be able to use the vast amount of information that they can get about our online lives simply because they provide the connection for any other purpose without our explicit permission."

Free Press Policy Counsel Gaurav Laroia also praised Wheeler's proposal, calling it a signal that the FCC is on track towards restoring consumers' privacy rights.

“The FCC’s proposal follows the law, and stems from the agency’s rightful decision to treat broadband as a common-carrier service,” she said. “The companies that carry all of our speech online and bring us to every destination on the internet have no business profiting from all the information they gather without our consent.”

But there are limitations

But Laroia said it is important to remember that the proposed rule would not ban marketing, it just gives internet users the ability to control how their information is used.

The Electronic Privacy Information Center (EPIC) says the rule should have gone farther. In a statement, the group said an earlier proposal would have provided more safeguards.

“The original proposal offered privacy protections for all consumer data,” the group said. “ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review.”

The full Commission will take up the proposal at its meeting later this month.

Find Out Who is Tracking You On The Web

Ghostery is a browser add-on available for Chrome, Firefox, IE, Opera, and Safari. With it, you can detect when your browsing is being tracked. It will then show you who's tracking you, along with information about the company. You can then choose to block the service or choose other options moving forward.

Detect: Ghostery™ sees the invisible web - tags, web bugs, pixels and beacons. Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.

Learn: After showing you who's tracking you, Ghostery™ also gives you a chance to learn more about each company it identifies. How they describe themselves, a link to their privacy policies, and a sampling of pages where we've found them are just a click away.

Control: Ghostery™ allows you to block scripts from companies that you don't trust, delete local shared objects, and even block images and iframes. Ghostery puts your web privacy back in your hands.

Find out who's searching for you On The Internet?

If you've spent more than five minutes online, you've probably seen an ad that promises "find out who's searching for you." It sounds like a scam, but is it possible? Can someone find out if you've been looking at their Facebook or LinkedIn profile? Can you tell if someone's unfriended you? And can you see what searches have been performed with your name?

First the warning: there are scams aplenty promising to show you who is "stalking" your Facebook page. I put in a call to Facebook and spoke with their technical folks. The truth is, NO ONE can see who's been on your Facebook page. There are no features buried in the Facebook settings with that data. There are no apps that can unearth that info. Facebook says it is one of the most common scam come-ons on the site. Don't fall for it; you cannot see who's looking at your profile (and no one can see if you've been looking at theirs).

BUT there are apps and tools to see who's unfriended you. Facebook tries to squelch these apps, but I found a couple — one that you download to your computer called UnFriend Finder and one for Android called Friends Checker. Sign in, and they store a list of your friends. Then every time you check back, it tells you who's no longer on the list. UnFriend Finder also reminds you of friend requests you've made that haven't been answered. For Twitter, Qwitter does the same thing, telling you who's unfollowed you each week.


Five Disturbing Lessons Learned From Social Media

(Kim Komando) From Facebook's never-ending privacy changes to a whole new crop of troubling social media sites and apps, there was no shortage of controversy in 2013.

Here are some hard lessons social media taught us this year - and what you can do to protect yourself in 2014 and beyond.

1. Don't count on Facebook for privacy
Social media is great when it helps keep you connected to friends and family. But it's not so great when it invades your privacy or makes you the target of advertisers.

This year, Facebook made it clear that when you post something on the site, you are giving Facebook permission to use your name and image in ads. There's no opt-out option, either. Click here to stop Facebook from using you in ads anyway.

Facebook also changed its privacy settings for teens. It now allows minors to post public status updates, pictures and videos. Previously, only friends and friends-of-friends could see content posted by minors.

And let's not forget about Facebook's powerful new Graph Search feature. It lets friends pull up old posts you might wish you hadn't shared. I show you how to use this feature and still protect your privacy in this tip.

2. Google can use your face and name in ads
Facebook wasn't the only one making money with your information this year. Earlier this year, Google announced it would be including users' faces, names and comments in ads.

So, if you've ever left a comment or review on Google+, or other Google services like YouTube or Google Play, your face and name could end up in an ad. Click here to stop Google from using you in ads.

3. Twitter is tracking you
Twitter jumped on the ad-tracking bandwagon this year, too. It can follow users from site to site in order to sell their information to advertisers.

The worst part is that the service can track you even when you're not using Twitter. Find out how to stop Twitter from tracking your surfing in this tip.

4. Teens are using troubling new social media
Kids are always looking for the next big thing in social media. But with new social networks cropping up all the time, it can be hard for adults to keep up with what's popular. Even worse, these new social sites aren't always safe.

Messaging apps like Snapchat and Kik, for example, became wildly popular with teens this year. Unfortunately for parents, these apps have been associated with sexting and cyberbullying. Click here for 10 social networks you didn't know kids are using - and how to keep them safe.

5. What you post matters
A Florida high school teacher lost her job earlier this year after racy photos of her were discovered online. It's just one example of how social media can make or break your reputation - and even cost you your job.

A new Jobvite survey found that recruiters are placing increasing emphasis on candidates' social media profiles. A whopping 93 percent of recruiters acknowledged reviewing social profiles as part of the screening process!

And a Kaplan Test Prep survey found that colleges are increasingly using Facebook and Twitter to recruit - and sometimes screen out - new students.

It only takes one careless post to do serious damage to your reputation. Locking down your Facebook profile and learning how to manage your online reputation can help. Even better, don't post anything that can come back to haunt you!

Five Phishing Attacks Targeting Executives

Twice a year, KnowBe4 publishes the Top 5 spear-phishing attacks that are used to lure executives into clicking on links or opening infected attachments. We recommend sending this list to your executives and giving them a heads-up.

The bad guys do not discriminate: they attack businesses but also non-profits like governments and even churches. They are using increasingly sophisticated spear-phishing scams on executives with access to corporate financial accounts and other high-level proprietary information. Some organizations are under constant, 24-hour attack by foreign hackers who are after their intellectual property; this is known as an Advanced Persistent Threat (APT).

These hackers do their research and spend time customizing their spear-phishing emails; as a result, many recipients are fooled by the level of detail and authentic-looking messages and websites.

Here are the most recent spear-phishing attacks that are currently making the rounds nationwide, and which pose a significant threat to your data and financial security. Note that some of these attacks are used for years, because they continue to work on uninformed people.

Number 5
The Better Business Bureau Complaint – In this scam, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.

Number 4
The Smartphone 'Security App' – This is a 2-step attack. With minimal research cybercriminals can find the name and email addresses of a company’s CFO and social engineer them to click a link. That link infects the PC of the CFO with a keylogger. This way the hacker obtains bank account data and passwords. In case the bank uses two-factor authentication, the attacker spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually malware giving them access to the phone. And with that, the cybercriminals have full access to the CFO’s bank account login credentials and at the same time control any two-factor text messages sent to or from the CFO authorizing money transfers.

Number 3
The Watering Hole Attack – Hackers do their research on a targeted executive, and find out which websites the executive frequents, sometimes to discuss industry related topics with their peers, or perhaps a hobby site the hackers learned about through the exec's social media postings. Next, the bad guys compromise that website, and inject a zero-day exploit onto public pages of the website that they hope will be visited by their targeted executive. Once the exec does, their PC is infected with a keylogger and the network penetrated.

Number 2
Free Dinner in Return for Feedback – By reviewing an executive’s social media profiles, cybercriminals are able to determine what charities that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of that charity, asking the exec to download a Word doc that supposedly contains details on an upcoming campaign or event, and promises free dinner at their favorite restaurant as an incentive for providing feedback. When the Word doc is downloaded, the user's password is stolen, which gives hackers direct access to the network. Here is a short video of Kevin Mitnick showing how this type of exploit works. Take these two minutes, it's worth seeing: http://www.knowbe4.com/video-mitnick/

Number 1
'We're Being Sued' – In this scenario, attackers dig up the email addresses of a company’s executives and also their legal counsel (in-house or external). They will then spoof an email from the legal counsel to the executive team, and attach a PDF that claims to contain information about new or pending litigation. When the recipients download and open the attachment, their system becomes infected and the entire network is compromised.

While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down. When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.

Stepping execs through high-quality security awareness training is a must these days:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

Five signs your identity may have been stolen

(Mark Huffman @ ConsumerAffairs) Reacting quickly may lessen the damage! In a recent report the U.S. Federal Trade Commission (FTC) noted that identity theft continues to be the top generator of consumer complaints. In 2012, the agency received more than 369,000 reports of stolen identity.

Of those, more than 43 percent were related to tax or wage fraud. Unlike in a burglary or armed robbery, the victim isn't usually aware of the crime right away. The longer it goes undetected, the harder it is to recover.

Here are the top five signs that your identity has been hijacked:

Unexplained bank withdrawals

Sometimes identity theft takes the form of someone stealing your bank account information. If you fall for an Internet scam and provide your bank account information to what you believe to be a legitimate business, the person with that information can gain access to your bank account and take all the money in it.

Sometimes they make a very small withdrawal at first, just to make sure the account is still active. That's why it's important to look at monthly statements. Even better, if you have online account access, look at your account every day or two.

Missing tax refund

The Internal Revenue Service (IRS) in recent years has wrestled with the growing problem of identity theft. In these cases, a scammer gets access to someone's Social Security number.

They create a phony W-2 form and then file a federal income tax return showing a large tax refund. They use your name but a different address, so that the refund check comes to them.

When you get around to filing your real income tax return, the IRS kicks it back since it has already processed a return linked to your Social Security number. That's why you should file your return as quickly as possible, before a scammer has a chance to use your identity for a phony return.

Your phone starts ringing

In the most dangerous form of identity theft, the scammer uses your name and Social Security number to open charge accounts, get credit cards, even buy cars or take out mortgages. They naturally have no intention of paying.

Once the accounts go into default, debt collectors will finally track you down and start calling. You, of course, won't know what they're talking about. It can take years to straighten out. That's why it is very important to safeguard your personal information.

Mysterious health conditions

You might be the picture of good health but suddenly you find medical providers are billing you for a variety of services you've never used. Your health plan might reject your legitimate claim because their records show you've reached your benefits limit.

You might even find that a new health plan you're applying for won't accept you because they show you with a condition you don't have. All of this could mean that someone has assumed your identity, using your Social Security number, to receive health benefits.

Strange chapters in your credit history

You may be in the process of buying a car or applying for a mortgage and are surprised to learn that your credit history contains a number of accounts, with large balances, that you've never heard of. That can only mean that someone has hacked your identity and has been merrily spending borrowed money in your name.

That's why you should carefully read your credit reports from the three credit reporting agencies every year. Thanks to federal law, you are entitled to a free report from each of the firms by going to www.annualcreditreport.com.

Florida leads

In a state by state comparison, Florida still ranks first in government benefit and tax-related identity theft, with 72% of the reported complaints involving tax or benefits fraud. In terms of overall identity theft, Alaska saw the largest year-over-year increase, with the crime up 30 percent.

“These types of cases very often involve the use of Social Security numbers making them more complex than other types of identity theft,” said Eva Casey Velasquez, CEO of the Identity Theft Resource Center (ITRC). “As we are fully into tax season, we anticipate that there will continue to be increases in the reporting of this crime. Government related identity theft has averaged approximately 25% of total cases handled by the ITRC for the last two years and was 25% of our total cases in January 2013 as well.”

As with any type of identity theft, consumers need to have a better understanding of what has occurred, in order to further understand how they should react. At a minimum, if you think you have been victimized you should report the incident to police and the appropriate financial institution, such as your bank or credit card company.

Free Identity Protection

Free credit reports

Keeping an eye on your credit report is your first step to protecting yourself.

Federal law grants you a free credit report each year, and each of the three major credit reporting agencies must provide one.

I recommend staggering your credit report requests. For example, request a report from Experian. Four months later, request one from Equifax. After four more months, request it from TransUnion.

Credit activity should appear on all reports. However, there may be discrepancies among reports from the three bureaus. Also, be aware that a credit report doesn't include your credit score.

You can request your free reports at AnnualCreditReport. Be sure you go to the correct site! Many sites use the word Free in their names, but for free reports mandated by Congress, you want AnnualCreditReport, period.

Freezing your credit

If you want another level of security, you can freeze your credit report. This prevents new creditors from accessing your credit report.

That means they're less likely to issue credit to an identity thief. Of course, that assumes that the creditor consults a reporting agency.

Companies that already have your business can still access your report for fraud investigation, collection, account review and the like.

Plan carefully if you freeze your credit because you can’t apply for new credit with a freeze in place, and credit limits cannot be increased on existing accounts.

You can lift a credit freeze; however, it may take three days or longer to take effect.

A freeze can be lifted temporarily for a particular creditor. You just need to call the credit agencies, verify your identification, provide a special PIN and then you name the creditor. You may need to provide a second PIN to the creditor as well.

If you plan in advance, you can lift a freeze for a set amount of time ranging from 1 to 30 days. This is helpful if you are comparing credit card or mortgage rates.

You must freeze your credit with each of the three major agencies. In most cases, you will pay $10 to freeze your credit. The amount depends upon your state of residence, and some states limit freezes to seven years.

There is also a charge for lifting a freeze permanently. Again, this is usually $10.

Things are different if you can prove that your identity was stolen. Fees for credit freezes and removals are generally waived.

Credit reporting agencies do not always make freeze information easy to find. I have direct links to the required steps at Equifax, Experian and TransUnion.

Monitoring your credit

For more security, you can sign up for credit monitoring. You’ll be able to spot the first signs of identity theft. You’re alerted to any changes in your credit reports.

All three reporting agencies offer monitoring services for $15 monthly. And the benefits outshine those offered by third-party services.

Unlike credit freezes, you only need to sign up with one agency.

You’ll also receive insurance against identity theft (the insurance is not applicable to New York residents). Start at the home pages of Equifax, Experian and TransUnion and search for credit monitoring.

Copyright 2012, WestStar Multimedia Entertainment. All rights reserved.

Free Tool Guards Against Identity Theft

(Mark Huffman @ ConsumerAffairs) Placing a fraud alert on your credit file makes it harder for a thief to access it

With data breaches occurring with more frequency and hackers devising more clever ways to access your personal information, identity theft now affects more people.

The results are devastating. Armed with your Social Security number and other bits of information about you, an identity thief can open credit card accounts and take out loans in your name.

Your credit will be ruined and you will spend months – maybe years – untangling the mess. Fortunately there is a simple and free way to reduce your chances of becoming a victim.

Work with credit agencies

Contact each of the three credit reporting agencies (Experian, Equifax and TransUnion) and request a fraud alert, or even an extended fraud alert, on your credit file. This simply means that no one can access your credit file without verifying your identity first.

For example, if someone steals your Social Security number and tries to get a bank loan, the bank would first have to take steps to make sure the person sitting in front of them is who they say they are. That might mean placing a call to you to ask if you are, indeed, trying to take out a loan.

According to the Federal Trade Commission (FTC), an extended fraud alert is free but primarily intended for victims of identity theft and those who believe they are at risk. Today, however, that covers just about everyone.

If you have reason to believe that any of your personal data has been compromised – if your credit card was one of the 40 million exposed in the Target breach, for example – you may be justified in asking for an extended fraud alert on your account. Anyone is eligible for a 90-day fraud alert, which can be renewed.

Where to start

Request fraud alerts here:

The FTC advises that you contact each of the credit reporting agencies to place an extended fraud alert, which lasts 7 years instead of 90 days, on your credit file. The company may have you fill out a request form and provide other documentation.

Equifax cautions that a fraud alert, while a powerful tool, will not guarantee a cunning identity thief can't open an account in your name. In particular for an initial fraud alert, a creditor is not required by law to contact you.

“You should also pay close attention to your credit file to make sure that the only credit inquiries or new credit accounts in your file are yours,” the company says on its website. “Other measures may also be warranted depending on your particular situation.”

Credit freeze

A fraud alert is different from a “credit freeze” in one important respect. With a credit freeze, your existing creditors can still get access to your file without your knowledge. It will also not stop misuse of your existing accounts or some other types of identity theft.

To place either a fraud alert or a credit freeze, you will need to provide appropriate proof of your identity, which may include your Social Security Number. If you ask for an extended alert, you may have to provide an identity theft report.

An identity theft report includes a copy of a report you have filed with a federal, state or local law enforcement agency, plus any additional information requested. For more detailed information about the identity theft report.  

Free online background check

(Kim Komando) Have you done an online background check of yourself lately? There are several reasons you should.

There might be erroneous information about you floating around the Internet or in your credit report. Maybe you'll find a picture of yourself or a comment you made years ago somewhere that's a little embarrassing.

These things will pop up and hurt your chances the next time you apply for a loan or a job. Fortunately, you can take steps to correct or remove this damaging information.

It's also a very good idea to do a background check before taking on a roommate or going out on a date with that new crush you met online. You never know what sort of worrying or dangerous details could be lurking in someone's past.

Because checking people's background is such a pressing need, there are dozens of ways to go about this. Fortunately, several ways won't cost you a thing.

Before I continue, I should point out a tricky fact about background checks. If you are performing a background check as a landlord or employer, or for credit, medical or insurance reasons, you can't use just any service.

Under the Fair Credit Reporting Act, you have to use a Consumer Reporting Agency. A CRA has to maintain certain standards for data protection and offer dispute resolution.

If you do reject a potential tenant or employee (even semi-informal employees like domestic workers) based on a background check from a company that isn't a CRA, you could wind up in trouble.

You can find a fairly complete list of CRAs here on my website. The list is helpfully divided into categories such as credit reporting, employment history, insurance, renting and so on. Note that you can request and dispute the information that these CRAs have on file for you.

For checking on potential roommates or romantic partners, you can use just about any service or (legal) method.

The simplest option for a background check is to hire a professional service. You can find dozens of background check agencies online.

You will need to watch out for scam companies. Look around at several companies to find the average price for a background check and avoid any companies that are too low or too high.

If you want to save some money and you have some time, you can do many of the same checks yourself. You might also dig up information on a person's habits or character that a professional might not consider.  Click here for four sites that can really help you learn about someone. They comb Google, Facebook and other information websites to find out details that the person has willingly shared.

A Google search could turn up other things about the person that might make you think twice, too. However, you probably won't see important details about whether they've been arrested or evicted in the past.

Luckily, most court information is public record. To find it, go to your state's official government website or find the information you need at the National Center for State Courts. Make sure you search every state that the person you're checking has lived in.

After that, you might want to drill down to discover any felony and misdemeanor convictions on the county and city level. Keep an eye out for civil judgments, too, such as bankruptcies and court orders to pay debts.

In most cases, a credit report can't be pulled without a legitimate business purpose and written permission. A good strategy for screening a roommate would be to ask him or her to volunteer a report.

All consumers are entitled to get a free copy of their credit report once a year from the three reporting agencies: Equifax, Experian and TransUnion.

The more information you have about a person, the better your searches will be. Knowing a middle name and date of birth will help you weed out people with similar names.

If you aren't completely sure you've found the right person, don't act on the information until you've verified it is actually them. Being penalized for something that isn't your fault isn't fun.

Copyright 2013, WestStar Multimedia Entertainment. All rights reserved.

Google Change Brings Major Privacy Concerns

Google used to say its mission was to organize all the world's information. Now its mission, judging from its new privacy policy, is to organize all the information it has about you. The new policy means that anything you do on almost any of Google's 60 or so services will affect what you see on other Google services. This raises any number of questions, including:

  • How does it do that? By following you and keeping track of what you do.
  • How do you opt out? You don't.
  • Is it anonymous? Not exactly. 

Basically, Google will now be combining all the personal data you share with any of its products or sites, except for Google Chrome, Google Books and Google Wallet, hoping to create a more comprehensive picture of you. This means that anytime you’re signed into your Google account, whether on a computer, tablet, or Android phone, Google collects information about your activities and adds it to its growing profile of who you are, what you do and so forth...

Google Cleared in Justice Department Wi-Fi Sniffing Scandal

The Justice Department has cleared Google of wiretapping violations in connection to the company secretly intercepting Americans’ data on unencrypted Wi-Fi routers for two years ending in 2010, Google said.

“The DOJ had access to Google employees, reviewed the key documents, and concluded that it would not pursue a case for violation of the Wiretap Act,” Google wrote in a Thursday filing (.pdf) with the Federal Communications Commission.

The Justice Department declined comment.

If true, the development means that at least three government agencies — the FCC, Federal Trade Commission and the Justice Department — found Google committed no wrongdoing in the so-called Street View debacle.

Those outcomes, however, contradict a federal judge who last year ruled the search-and-advertising giant could be held liable for violating federal wiretapping law. The decision by U.S. District Judge James Ware of California green-lighted about a dozen lawsuits seeking damages — a decision that has been stayed pending Google’s appeal.

Google has said it didn’t realize it was sniffing packets of data on unsecured Wi-Fi networks in about a dozen countries between 2008 and 2010 until German privacy authorities began questioning what data Google’s Street View mapping cars were collecting. Google, along with other companies, uses databases of Wi-Fi networks and their locations to augment or replace GPS when attempting to figure out the location of a computer or mobile device.

In Google’s letter to the FCC, it said it would pay a $25,000 FCC fine, levied two weeks ago, to settle the agency’s claims that Google stonewalled the commission’s Streetview investigation. Google denied wrongdoing, but agreed to pay “in order to put this investigation behind it.”

Google Docs phishing scam

(Jennifer Abel @ ConsumerAffairs) There's a dangerous new phishing scam, first discovered by security experts at Symantec, that seeks to steal the passwords and other confidential information of any Google account holder.

It's quite sophisticated compared to most phishing attempts, but even so: you should be able to protect yourself provided you pay extra-close attention to details, and also remember the phishing-protection rule “Don't call us; we'll call you.”

Here's how the newest scam works: you, the would-be victim, get an email with the subject heading “Documents”; the body of the email includes a link to an “important” Google Docs document.

Hopefully, if you'd received such an email you'd already know to ignore it, since it's neither personally addressed to you nor from any sender you actually know and recognize. But suppose you decided to click on this unknown link from an unknown sender anyway — what would you have found?

Looks convincing

Here's where the sophistication of this new scam comes in. In most phishing attempts, if you clicked on such a link (and did not immediately infect your computer with all sorts of malware as a result), you'd usually be taken to a page whose address, visible in your browser bar, is obviously not that of the company the scamsters are pretending to be – as in, you get a fake email allegedly from Google, but the link leads to a page with an unfamiliar (and distinctly not Google) web address.

However, as the official Symantec security blogger warned on March 13, if you click on this new Google-based phishing link:

“[T]he link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown. The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages.”

In other words, you think you're logging in to your actual Google account, so you type your email address and password as usual, not realizing that your password is not being read by the real Google to verify your identity, but by phishing scammers to steal your identity.

Still not too late

However, even if you were caught off-guard enough to click on the unsolicited Google Docs link that some unknown sender e-mailed you, it's still not too late to detect certain details indicating a scam. Remember two sentences ago, when we said “you type your email address and password as usual”? That's the detail which sharp-eyed Google account holders should recognize as scammy: usually, when logging into legitimate Google accounts from your own computer, you don't have to type your email address at all, only your password.

As Gizmodo writer Adam Clark Estes pointed out: “if you show up at the log-in screen, you should notice that it doesn't recognize you as a Google user (if you are a Google user).”

Note to non-Google users who don't understand what Estes is talking about here: if you have a Google account, or more than one, anytime you visit a genuine Google page it will recognize you, and you'll see your name, avatar and other personal features as applicable — although you still won't be allowed access to your Gmail or any other personalized, password-protected Google things until you actually type in your password and only your password — your actual you@gmail.com email address is already there.

But with this fake Google phishing scam, you only get a generic login page requiring you to type not just your password, but your email address itself; the genuine Google login pages only require this if you're accessing your account from a public computer, or a brand-new one you've never used to sign in to Google before.

 

Google Street View Continues to Raise Privacy Concerns By Brian Cooper

Google Street View, a Google Maps feature that lets users see images of streets and the surrounding areas, continues to generate controversy. Since its launch in May 2007, the feature has prompted questions about whether it constitutes an invasion of privacy, complaints about inappropriate images, and even a lawsuit.

Aaron and Christine Boring vs. Google

The lawsuit came from a Pittsburgh couple in April 2008. The couple lives on a private road. However, Google's Street View team travelled down the road and continued taking images all the way up to the couple's home. The images were then posted to Google Maps and included close-ups of the couple's home, swimming pool, and outbuildings.

Google's response? "Complete privacy does not exist in this world except in a desert, and anyone who is not a hermit must expect and endure the ordinary incidents of the community life of which he (or she) is a part."(1)

While Google's assertion that its Street View imaging team is an "ordinary incident of community life" is far-fetched, Google does make some good points in its response. Namely, that the plaintiffs could have simply requested that Google delete the offending images from Street View via a form available on Google Maps. Instead, the couple filed suit and in doing so have made the matter public record and ensured that the images will be viewed by even more people.

Since the lawsuit, Google has removed the images in question, but the suit remains open.

The Borings' Neighbors

On Goldenbrook Lane, a nearby street, some of the Borings' neighbors also had an incident with the Street View team. In this incident, the Street View team drove up Goldenbrook Lane and into the driveway of the McKee residence. They continued to drive, snapping Street View images the whole way, up to the garages of the McKees.(2) While it appears that the McKees didn't resort to a lawsuit, Google has removed the images of the home that were taken from private property from Street View.

Street View in California

In California, the antics of the Street View drivers continued. Drivers reportedly went on over 100 private roads in Sonoma County according to an analysis done by PressDemocrat.com. In another instance, Street View drivers went past two no trespassing signs as they photographed the 1,200 foot private road leading up to Betty Webb's house in Humboldt County. In another incident reported by PressDemocrat.com, Street View drivers ignored a no trespassing sign, passed through a gate, and drove through someone's yard on a dirt road near Freestone.

Street View and U.S. Military Bases

In March 2008, the Pentagon requested that Google erase some images of military bases taken from public streets due to the potential threat those images posed to national security. "It actually shows where all the guards are. It shows how the barriers go up and down. It shows how to get in and out of buildings," said General Gene Renuart, commander of U.S. Northern Command.(3) According to Google spokesman Larry Yu, Google has honored the Pentagon's requests.(4) However, the Pentagon was still reviewing the many images of military facilities that were included in Street View.(5)

Street View Goes Global

After the complaints in the U.S., other countries warned Google that Street View would have to be modified to comply with their stricter privacy laws. To this end, Google has improved facial recognition technology so that it can find faces in images and blur them so that they are unrecognizable. This technology has also been applied to license plates. The blurring feature has since been applied to U.S. Street View imagery in addition to images in other countries where Street View is now available.

Accountability

While Google has removed some of the aforementioned locations from Street View, the burden to monitor Google's actions, be it Street View or other Google services, continues to fall on people like you and me. With regard to Street View, Google argues that "many people — visitors pulling in the driveway, neighbors turning around at the end of the road, deliverymen delivering packages — can all plainly see the exterior of the (Borings) home."(6) While these examples are likely accurate for the Borings and the population in general, they involve people that we know or strangers that we requested to come to our homes. Private residents didn't request that Google visit these neighborhoods nor would residents reasonably expect that someone would be driving down their streets taking photographs of everything. In fact, I suspect that if you or I were to do the same thing, someone would call the police and we'd have some difficult questions to answer down at the station.

Potential Consequences

So, what could the consequences of Street View be? Well, while the feature has been used to aid police in a kidnapping investigation (7), I think the feature could be far more useful to criminals. For example, a criminal could use Street View to case a neighborhood - checking Street View for cars that are parked in garages or driveways so they could know when someone isn't at home, scan the yards and windows for any signs indicating that homes have security systems, check the proximity of neighboring houses using Street View and Google's satellite imagery, look for signs of pets that could pose problems for a thief, see if the homes have newspapers delivered (which might help the thief determine if the residents were on vacation) and, assuming the criminal found a good candidate, select a few potential access points (like open windows) for breaking into the home. If the Street View car happened to pass through your neighborhood on garbage day, the camera might even capture the box of that new HDTV you got. Scary, huh?

Protecting Your Privacy

So how can you protect yourself? First, check your address using Street View. To report a concern with Street View imagery, enter the address you desire and click "Search Maps." Then, click "Street View" in the thought bubble that appears on the map. Once the "Street View" image appears, click "Report a Concern" in the bottom left corner of the Street View image and enter the details of your complaint.

Second, be mindful of how your information is used and act when you feel your privacy is being threatened. Google's Street View can be a helpful tool, but it is meant to help Google sell ads and make revenue, not protect your privacy. You can write your local, state and federal representatives and even the local paper to voice your opinion.

Oh, and if you believe as Google does that "complete privacy does not exist," then you should check out the house where Google CEO Eric Schmidt reportedly lives using satellite imagery from Google Maps. It looks like he has had some construction done in the past few years. A simple Google search of the address (366 Walsh Road, Atherton, CA) will tell you that Schmidt merged two adjacent lots in 2001 (8) to create the new lot and then added a new fence, retaining wall, and drainage in 2004. (9) Eric, that creepiness that you're feeling is probably approaching the level of the people who had Street View vehicles in their driveways. So, while it is Google's mission to "organize the world's information and make it accessible and useful," the company should thoroughly consider how that information can adversely impact the same people it is meant to help.

References:

(1) "Preliminary Statement." Boring vs. Google, Allegheny County, PA
(2) TheSmokingGun.com "Google is in Your Driveway!"
(3) Reuters. "Google pulls some map images at Pentagon's request." Mar. 6, 2008.
(4) Ibid
(5) Ibid
(6) "Preliminary Statement." Boring vs. Google, Allegheny County, PA
(7) Telegraph.co.uk. "US police use Google Street View to find missing child." Jan. 9, 2009
(8) Town of Atherton City Council Minutes, May 16, 2001.
(9) Palo Alto Online, September 24, 2001.

Google Wants To Replace Cookies with AdID

(Victoria Woollaston @ mailonline) Is Google about to kill off the cookie? Web giant rumoured to be working on a new way to make it easier for customers to control how they are tracked online (by everyone but them!)

Google believed to be working on an advertising system called AdID
It could be an alternative to cookies currently used by advertisers
Cookies are used to monitor what people like and what sites they visit
This makes it easier to only show relevant, personalized adverts

Google is believed to be working on a new, anonymous way for advertisers to track what people like based on what sites they visit.

The anonymous identifier for advertising, being referred to as AdID, would be an alternative to third-party cookies currently used by advertisers to serve relevant, personalised adverts.

Reports in USA Today also state that Google's new system could make it simpler for customers to monitor how they are tracked.

Google accounts for around a third of worldwide online ad revenue and is rumoured to be looking into new methods of working with advertisers according to someone 'familiar with the plans.'

Under the plans, when a person visits a site, an anonymous AdID would be sent to advertisers and advertising networks that have signed up to the system.

These advertisers would have to adhere to a set of basic guidelines about what they can and can't track, and how they can and can't use the information they are sent.

This could potentially make the process easier for consumers to understand and make sure there isn't any confusion about their anonymity.

At the moment, first-party cookies that are used to identify basic details about a person are put on the site by the site's owner.

Third-party cookies are added to sites by advertisers and can track what products they like based on what they click on.

As they move around websites, these cookies can create a profile of interests and make sure the adverts shown are relevant to that individual. This can be disabled through a browser.

The AdID system would still track people for the same reasons and ultimate outcomes, but would simplify the process and could create an industry standard that all advertisers who want to use Google would adhere to.

This could prevent rogue third-party cookies being added to sites, as an example, or different advertisers each taking and using different data in different ways.

Only advertisers who stick to the guidelines would be given the IDs and if they break the terms and conditions, they would lose access to them.

USA Today continued that the AdID could be automatically reset by the browser each year.

Users may also be able to create 'secondary AdID' for when they want to keep their browsing history private.

It is also thought that the system will be opt-in, similar to the current way cookies are handled, and people can disable the tracking at any time.

The Interactive Advertising Bureau, which represents the industry, told USA Today that it 'at least wants some type of tracking technology available for advertisers, whether third-party cookies or something else'.

Google detects fake website ID certificate threat

Web browser makers have rushed to fix a security lapse that could have allowed cyber thieves to impersonate Google+.

The loophole involved an exploit of ID credentials that browsers use to ensure a website is who it claims to be.

By using fake credentials, criminals could have created a website that purported to be part of the Google+ social media network.

The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.

TurkTrust said there was no evidence the data had been used for dishonest purposes.

Secure code

An investigation by TurkTrust revealed that in August 2011 it twice accidentally issued the wrong type of security credential, a form of identification known as an intermediate certificate.

Instead of issuing low level certificates it mistakenly gave out what amounted to "master keys" which could have allowed a bogus site to pretend it was the legitimate version without triggering a warning.

"An intermediate certificate is essentially a master key that can create certificates for any domain name," explained security analyst Chester Wisniewski from Sophos in a blogpost about the security lapse.

"These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong."

The certificates are important, he said, because secure use of web shops and other services revolve around interaction between the "master keys" and the lower level security credentials.

The lapse was spotted when automatic checks built into Google's Chrome browser noticed someone was using the program with an unauthorised certificate for the "*.google.com" domain.

Had this not been detected the person could have gone on to impersonate Google+, Gmail and other services run by the US firm.

The danger would have been that they could then have staged a man-in-the-middle attack. This would have involved them relaying targeted users' communications to the real Google services and passing on the responses. By doing this they could have eavesdropped on potentially sensitive messages.

Google said it alerted other browser-makers to the threat after its discovery.

Microsoft and Firefox developer Mozilla subsequently issued updates which revoke the two wrongly issued intermediate certificates.

The identity of the person using the unauthorised certificate has not been reported, and their intentions are unknown.

This is not the first time that websites and browser makers have had a problem with security certificates. Fake certificates have been issued before now by several other firms and exposed confidential data including login names and passwords.

"It is really time we move on from this 20-year-old, poorly implemented system," wrote Mr Wisniewski. "It doesn't need to be perfect to beat what we have."


Google raises the security bar for websites

Google ratcheted up the importance it places on security today. The company announced that it will begin marking all non-HTTPS sites as “not secure” in its Chrome browser starting in July 2018 with the release of Chrome 68.

In layman’s language, HTTPS is the protocol over which data between your computer and the website you’re connected to is sent. The “S” means the connection is “secure” and that any communication between you and the website is encrypted and less prone to attack.

The most common uses of HTTPS have been for sites who deal in the exchange of money with services such as online shopping or online banking.

Google makes good on its promise

Starting in 2015, Google began its watchdog campaign to make security a key component of its Chrome browser. At that time, the company’s audit found that 79 of the worldwide web’s non-Google sites did not use HTTPS as their default protocol. Many of those sites had no encryption at all or used outdated versions. Some of the biggest offenders at the time included Wired.com, IMDB.com, and the New York Times, which has since moved to secure its site.

Google’s evangelism and tenacity have paid off. Its latest scorecard reports that 81 of the top 100 sites used HTTPS by default, with 68 percent of Chrome traffic on both Windows and Android protected and 78 percent of Chrome traffic on Chrome OS and Mac protected.

“Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default,” said Emily Schechter, Chrome Security Product Manager.

Does this affect you?

If you’re one of the 56 percent of users who prefer the Chrome browser over other options, then it’s likely that you’ll be seeing notifications for websites not using the HTTPS protocol starting in July.

However, Schechter says that other groups may be more affected by the change. At a 2016 developer summit, she pointed out that business owners who run their own website can benefit from converting to the HTTPS protocol.

“HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP,” she said.

Most hosting companies offer site security for $15 or less a year. There’s even an organization -- LetsEncrypt.org -- funded by the likes of Chrome, Facebook, Shopify, and Cisco, that offers trusted certificates for free.

Google's Scary New Terms of Service and Privacy Policies

The bottom line here is that you should start perusing Google’s terms of service and privacy policies pronto! Google will know more about you than your wife does. Everything across your screens will be integrated and tracked. Google noted that it collects information you provide, data from your usage, device information and location. Unique applications are also noted. Sure you can use Google’s dashboard and ad manager to cut things out, but this policy feels Big Brother-ish. Google is watching you as long as you are logged in. It’s also unclear whether this privacy policy move will be considered bundling in some way by regulators. This unified experience hook appears to be at least partially aimed at juicing Google+. Google responded with clarification: Google noted that it already has all that data, but it’s now integrating that information across products. It’s a change in how Google will use the data not what it collects. In other words, Google already knows more about you than your wife.


Government Snooping Up 29% in 2011 - Who's Looking At You!

A new report from Google shows a rise in government requests for user account data and content removal, including a request by one unnamed law enforcement agency to remove YouTube videos of police brutality--which the company refused.

HIPAA VS SAS 70

HIPAA and SAS 70

Recently there has been a marked increase in the demand for SAS 70 audits. This is primarily being driven by the surge of regulatory compliance legislation, coupled with the growing corporate governance initiatives that have been unleashed in the last decade. While many people point to the Sarbanes-Oxley Act of 2002 (SOX) as the prime reason for the rise in SAS 70 audits, other federal legislation, such as HIPAA and Gramm Leach Bliley Act (GLBA) have had a considerable impact also.

Ask ten people what a good definition of HIPAA is and you are likely to get ten different answers. To be fair to these people, HIPAA is a long, vague and cumbersome piece of legislation with many disjointed moving parts. It's hard to really get a good grasp on it, but this is what you need to know as it relates to SAS 70 audits. The HIPAA security guidelines and many other ancillary initiatives within this piece of federal legislation advocate protection of private consumer medical records along with industry-accepted technology protocols for transmitting, protecting, and storing consumer medical information. That's where SAS 70 audits come in. Long used as the default audit for examining an organization's internal controls, SAS 70 audits have become a favorite go-to audit for ensuring compliance with HIPAA legislation as it pertains to the privacy and confidentiality issue of consumer medical records. As technology has changed dramatically over the years, its very use has created a need for ensuring confidential medical information is just that: kept confidential and protected. SAS 70 audits, when performed properly, can examine an organization's internal controls, which can also include the safeguard controls that are to be in place for adhering to HIPAA standards. No, SAS 70 is not a technology audit, nor is it an operational audit; rather, it can be considered a little bit of everything as it touches many areas within an organization that use technology as part of their internal control structure.

HP Issues Fix For LaserJet Flaw

Last month, researchers from Columbia University's Computer Science Department said they'd found a way to reverse engineer the Remote Firmware Update function in HP LaserJet printers and trick the printers into accepting and installing malware-filled updates. From there, researchers said, an attacker could compromise PCs on corporate networks and use them to send a barrage of instructions to a LaserJet printer, thereby causing its ink-drying element to heat up -- and potentially ignite printer paper.


Hacked Companies Fight Back

Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action.

Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems.

In the past, companies that have been attacked have mostly focused on repairing the damage to their computer networks and shoring them up to prevent future breaches.

But as prevention is increasingly difficult in an era when malicious software is widely available on the Internet for anyone wanting to cause mischief, security experts say companies are growing more aggressive in going after cyber criminals.

"Not only do we put out the fire, but we also look for the arsonist," said Shawn Henry, the former head of cybercrime investigations at the FBI who in April joined new cyber security company CrowdStrike, which aims to provide clients with a menu of active responses.

Once a company detects a network breach, rather than expel the intruder immediately, it can waste the hacker's time and resources by appearing to grant access to tempting material that proves impossible to extract. Companies can also allow intruders to make off with bogus files or "beacons" that reveal information about the thieves' own machines, experts say.

Henry and CrowdStrike co-founder Dmitri Alperovitch do not recommend that companies try to breach their opponent's computers, but they say the private sector does need to fight back more boldly against cyber espionage.

It is commonplace for law firms to have their emails read during negotiations for ventures in China, Alperovitch told the Reuters Global Media and Technology Summit. That has given the other side tremendous leverage because they know the Western client company's strategy, including the most they would be willing to pay for a certain stake.

But if a company knows its lawyers will be hacked, it can plant false information and get the upper hand.

"Deception plays an enormous role," Alperovitch said.


Hacker Shows Windows XP Users How To Get Updates

Word of Caution - Try this AT YOUR OWN RISK. THIS IS A NEWS ITEM, AND NOT A RECOMMENDATION OR INSTRUCTIONS

(Julie Bort @ Business Insider) A Hacker Found An Easy Trick To Get Security Fixes For Windows XP, And Microsoft Is Not Amused

That didn't take long. Someone found a simple trick that forces Microsoft into sending security updates to Windows XP machines.

It's not a perfect fix, but it's easy enough that anyone could do it, if they dare.

Microsoft and many security vendors were treating the end of support as if it were some kind of PC Armageddon. But people and companies (particularly small businesses) have been reluctant to give up their perfectly functioning XP PCs and upgrade to new Windows machines running Windows 8 or even Windows 7. Even now, XP runs more than a quarter of the PCs on the Internet, 26%, according to Net Marketshare.

The hacker, Wayne Williams at Betanews, showed people how to write a few lines of code and make Windows XP install updates anyway. This trick makes Windows Update think that the device is running a version of Windows XP that is still supported by Microsoft and will be for another five years. That's a version known as Windows Embedded POSReady.

All you have to do is follow Williams' instructions below:

  1. Create a text document, and call it XP.reg. You’ll need to make sure .reg is the proper extension -- so not "XP.reg.txt". If it’s not showing up as a registry file, open any folder, go to Tools > Folder Options, select View and uncheck 'Show hidden files and folders'. That should fix the problem.
  2. Right-click the file, and select Edit. Paste in the following:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
    "Installed"=dword:00000001
  3. Save it, and then double-click the file. That will make that change to the registry. 

CAUTION - ANYTIME YOU HACK THE REGISTRY YOU RUN THE RISK OF CATASTROPHIC FAILURE!

That’s all you need to do. Windows will now automatically fetch updates designed for POSReady 2009, ensuring XP remains protected for the foreseeable future.

If you try this, whenever Microsoft fixes a security problem in XP embedded, your PC will get that update.

Of course, Microsoft is now aware of this hack so we'll see how long it lasts. The company isn't happy. It wants you to upgrade your Windows machine or buy a new one.

When ZDNet's Larry Seltzer verified that the hack worked, Microsoft sent him this statement, warning people not to try it.

We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1.

And Microsoft has a point. The PC world has changed a lot in 12 years and newer versions of Windows are faster and more secure. But those who want to brave the risk of holding onto their Windows XP machines may be daring enough to give this hack a go, too.

Personal Note: Linux and Apple ARE viable alternatives!

 

 

Hacker warning: change your passwords - all of them

(Jennifer Abel @ ConsumerAffairs) Bad news: if you're reading this, there's a very good chance you need to change your password because a 20-something computer hacker in Russia already knows it.

Of course, you've already read countless variations of that story: “Hackers break into database. If your information was on it, you must protect yourself.”

So when you hear about the hack attack du jour, you immediately want to know the specifics: which one of my passwords am I supposed to change this time? Which company or organization got its database hacked? What was the time frame?

And you expect an answer along these lines: “If you made any credit- or debit-card purchases at an XYZ store, or online at XYZstore.com, between January 13 and February 10, your information is at risk.” That also implies a comforting corollary: “If you've never shopped at XYZ, or at least didn't shop there between those two listed dates, you have nothing to worry about.”

Unfortunately, such information is not available for this latest hacking. Even if it were available, it would be too much to summarize here in a single news article, because it's not just one company or website that's been attacked; it's at least 420,000 different websites ranging from obscure little sites to major household-name companies.

Largest known collection

The New York Times reported yesterday that researchers from Hold Security discovered a Russian cyber-criminal gang had “the largest known collection of stolen Internet credentials, including 1.2 billion [unique] user name and password combinations and more than 500 million email addresses …. [and] confidential material gathered from 420,000 websites, including household names, and small Internet sites.”

Hold Security wouldn't release the names of any affected companies or sites, due to non-disclosure agreements and also a desire to avoid identifying companies whose sites remain vulnerable. Therefore, there's no way for ordinary computer-users like you to know which of your passwords were compromised, if any.

Thus far there's no evidence that the Russian hackers have been using stolen passwords to open false credit card accounts or commit other forms of identity theft; the hackers are primarily using this information to send spam to various social media accounts.

Whether you need to change your passwords or not, this latest hacker discovery serves as another reminder of this important online-security rule: don't use the same password across multiple sites.

Last month, for example, the online ticket-seller StubHub had over 1,000 customer accounts hacked into, yet the hackers never actually managed to breach the StubHub database.

Instead, they hacked into various other databases, or even installed malware on individual computers, in order to steal people's passwords from one account – email, online banking, social media sites, even small online discussion forums – and then test those stolen passwords to see if they'd work in customers' other accounts. And in the case of over 1,000 StubHub customers, it did.

Still: a thousand customers of a ticket-resale site is extremely small potatoes compared to 1.2 billion people. Consider: it's estimated that, as of 2014, there are 2.9 billion Internet users on the entire planet Earth. And of those 2.9 billion Earthling web-surfers, over 40% have their passwords in the hands of a small Russian hacker-ring.

Hackers Franchising their Malware

(Mark Huffman @ ConsumerAffairs) Hackers may be forgiven if they think they have hit the jackpot. Their ransomware attacks, which began a few years ago, have proven to be money in the bank.

Victims who are unfortunate enough to click on a link in an email download a program that encrypts every file on their computer or network. They can access nothing until they pay a Bitcoin ransom – usually a few hundred dollars, and receive a key to unlock their files.

Besides individual consumers, attackers also target corporations and organizations that might not have the most sophisticated protocols in place. It's a scam that pays off just about every time.

New and dangerous wrinkle

Now, there's a new and dangerous wrinkle that has law enforcement officials even more worried. Symantec reports some clever ransomware developers have created a Trojan called Shark. The software is being provided to hackers who want to get into the ransomware game.

It's a turnkey product, meaning the novice hacker doesn't have to possess a lot of special skills to launch the attacks. The developers of Shark get 20% of any ransoms collected.

In other words, the ransomware enterprise appears to be evolving into a franchise. Shark is essentially the McDonald's of ransomware.

Exploding threat

That means this growing cyber threat could explode in the coming months. To try and counter it, the Federal Trade Commission (FTC) is convening a technology seminar September 7 to explore ways to deal with the growing threat.

In the meantime, the FTC says businesses and consumers need to exercise extreme caution with email, even messages that appear to be from familiar sources. Clicking on links in these messages can lead to paying a ransom to free the files.

Beyond using care in handling emails, the FTC says a good defense against ransomware is backing up everything on a system. However, if you back up to an external hard drive, disconnect it from your system when you aren't in the process of backing up files. That's because ransomware encrypts every file in your system, including those on other connected drives.

Hackers may have breached the federal government’s personnel office

(Fred Barbash @ WashingtonPost) Hackers may have breached the Office of Personnel Management’s network, a Department of Homeland Security official confirmed Thursday.

According to the DHS official, who asked not to be identified, the agency’s National Cybersecurity and Communications Integration Center became aware of a “potential intrusion” of the network, and has been working with OPM and other agencies to assess and mitigate risks. So far, they have not found “any loss of personally identifiable information,” the official said.

The New York Times first reported Wednesday night that Chinese hackers penetrated the databases of the federal government’s personnel office, which contains files on all federal employees, including thousands who have applied for top-secret clearances.

The paper said the attack on the Office of Personnel Management occurred in March before it was detected and blocked. It quoted a “senior Department of Homeland Security official” confirming the attack, and saying that “at this time” the government had not “identified any loss of personally identifiable information.”

The Times also quoted an “unnamed senior American official” saying the attack had been traced to China, though not necessarily to the government of China.

According to the Times:

The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.

 

The agencies and the contractors use the information from e-QIP to investigate the employees and ultimately determine whether they should be granted security clearances, or have them updated.

Cyber espionage — the United States against China and China against the United States — has become a source of constant tension between the U.S. and Chinese governments. Reports based on documents leaked by Edward J. Snowden revealed that the National Security Agency penetrated the computer systems of Huawei, the Chinese firm that makes computer network equipment, and operated programs to intercept conversations of Chinese officials.

In May, Attorney General Eric H. Holder Jr. announced the indictments of five Chinese People's Liberation Army members on charges of hacking to benefit Chinese industry. They were accused of hacking into computers and stealing valuable trade secrets from leading steel, nuclear plant and solar power firms. It marked the first time that the United States has leveled such criminal charges against a foreign country.

Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared last year for the Pentagon and officials from government and the defense industry.

Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to the confidential report prepared for Pentagon leaders by the Defense Science Board.

Experts said recently that Chinese cyber-spies have been systematically targeting major Washington institutions, including think tanks and law firms. Middle East experts at major U.S. think tanks were hacked by Chinese cyberspies in recent weeks as events in Iraq began to escalate, according to a cybersecurity firm that works with the institutions.

The hacking goes back years. In 2006, hackers in China broke into the State Department’s computer system in Washington and overseas in search of information, passwords and other data. The bureau that deals with China and North Korea was hit particularly hard, although the system penetrated contained unclassified information, U.S. officials said.

The Times said the attack on OPM was “notable because while hackers try to breach United States government servers nearly every day, they rarely succeed.”

Ellen Nakashima contributed to this story.

Heartbleed Virus Update

Another excellent comic by xkcd (a site that publishes dev/op/web-related comics, usually hitting the nail right on the head): This time explaining one of the worst bugs in IT history, the OpenSSL “Heartbleed Bug” (links to official bug page). For everybody who lived under a rock in the last days: Several weeks ago a bug in the open source OpenSSL library (that is used in, well, nearly everything that uses SSL, from major websites to NAS systems, from Android to routers) was discovered and major websites were informed secretly (to keep criminals from getting wind of it). The bug is basically a broken parameter check that allows the user/attacker to request a “full” memory dump. A full memory dump. With passwords, SSH keys, etc. in it.
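The broken parameter check described above, shown beside its corrected form. This is an added example, not OpenSSL's code and not part of the original article: the message layout follows the TLS heartbeat extension (RFC 6520), while the arena buffer, the secret string and every function name are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_MIN_PAD  16

/* Constructed stand-in for process memory: the received record sits at the
 * start and unrelated secret data follows it, as a heap neighbour would. */
static unsigned char arena[256];
static const char SECRET[] = "user=alice&password=constructed-secret";

/* Write a request whose length field says claimed_len but which really
 * carries payload_len bytes; returns the number of bytes actually received. */
static size_t place_request(uint16_t claimed_len, const char *payload, size_t payload_len)
{
    size_t rec_len = HB_HEADER + payload_len + HB_MIN_PAD;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, payload_len);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Broken form: trusts the sender's length field and never looks at rec_len.
 * The out_cap test only protects the output buffer (and, in this demo, keeps
 * the read inside the 256-byte arena so the program stays well defined). */
static int respond_unchecked(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    if (rec[0] != HB_REQUEST || (size_t)HB_HEADER + claimed > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* may read past the record */
    return claimed;
}

/* Hardened form: a request whose claimed payload plus header and minimum
 * padding does not fit in the bytes received is silently discarded. */
static int respond_checked(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    uint16_t claimed;
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return -1;                       /* length field exceeds what arrived */
    if ((size_t)HB_HEADER + claimed > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return claimed;
}

static int contains(const unsigned char *hay, size_t len, const char *needle)
{
    size_t i, n = strlen(needle);
    for (i = 0; i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

struct result { int echoed; int leaked; };

/* Send a 4-byte payload with the given length field through one handler and
 * report how many bytes came back and whether the neighbouring secret is in them. */
struct result run_case(uint16_t claimed_len, int use_checked)
{
    unsigned char out[256];
    struct result r;
    size_t rec_len = place_request(claimed_len, "bird", 4);
    r.echoed = use_checked ? respond_checked(arena, rec_len, out, sizeof out)
                           : respond_unchecked(arena, rec_len, out, sizeof out);
    r.leaked = r.echoed > 0 &&
               contains(out + HB_HEADER, (size_t)r.echoed, "password=");
    return r;
}

int main(void)
{
    struct result r = run_case(60, 0);
    printf("unchecked: echoed %d bytes, secret leaked: %d\n", r.echoed, r.leaked);
    r = run_case(60, 1);
    printf("checked:   echoed %d bytes, secret leaked: %d\n", r.echoed, r.leaked);
    return 0;
}
```

An honest request (length field 4) gets the same 4-byte echo from both handlers; only the comparison against the received record length separates a normal keep-alive from a reply that carries neighbouring memory.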

A few days ago, TheVerge wrote an article about the bug, reaching mass attention, opening heaven for cyber-criminals. Side-fact: It’s interesting to see the extreme mass of news coverage created by bugs in (open source) software these days: Heartbleed and Apple’s OpenSSL bug (test site) have made it to the #1 article in quality newspapers, TV news and for sure online newspapers all over Europe. Somebody ran a mass test against the top 1,000/top 10,000 pages in the world, checking major websites for vulnerability – and listed the results here on GitHub. This list is unproven, but the names are awesome. Note that this list has been created after the bug went viral, so we don’t talk about a theoretical bug here.

You can make a basic check for the bug on this Heartbleed test site.

 


Many of you may have been asked to update a security certificate from your email server. If you see that message, please answer "Confirm Security Exception", "YES" or "Submit" to update the certificate.

 

Here are the test results from our two mail servers:

Greg Allen
Active Technologies
active-technologies.com
gallen@active-technologies.com
Web Design Hosting Internet Search
"We Drive Customers to Your Business"
Summerville - Charleston, SC
843-225-5648

 

Hide Your Home From Google Maps

 

 

If you don't want your house to appear on Google Maps... Google Maps is a feature provided by Google that allows you to find locations on a virtual map. When you search for a specific address you can use the Street View feature to view an aerial picture of the specific location and surrounding area. If you find your house on the Google Maps Street View, there is a simple process to remove it so it will no longer be visible to the public, and this is how we do it:

Instructions

  1. Go to the Google Maps website (See Resources). Enter your street or address into the top search field.
  2. Click on the "Search Maps" button. The area where your house is located will appear on the map.
  3. Click the plus sign on the vertical bar located on the left hand side of the map. This will help you enter Street View.
  4. Locate your house on the map and then click on the red marker for your house. Click on the "Street View" option.
  5. Click on the "Report a problem" option from the bottom of the Street View image. Click "Privacy Concerns," then click "My House."
  6. Click on the radio button next to "I have found a picture of my house and would like to remove it."
  7. Enter your email address into the "Email address" field. Click on the "Submit" button. You will receive an email when a Google representative has removed your house from Google Maps.

 

Hosting Providers Should do More to Stop Piracy

(CHRIS BURT @ WHIR) The Motion Picture Association of America (MPAA) has included Cloudflare and several foreign hosting companies among parties it says are helping pirates violate copyright law by failing to play an active role in reducing support for “notoriously infringing sites.”

In an effort to identify the world’s most notorious markets for intellectual property infringement, the Office of the U.S. Trade Representative (USTR) requests a letter (PDF) from the MPAA each year. The response this year includes a broader scope of the “notorious markets” where piracy happens.

According to the MPAA, “[a]ll stakeholders in the internet ecosystem – including hosting providers, cloud (and anonymizing) services, advertising networks, payment processors, social networks, and search engines – should be actively seeking to reduce support for notoriously infringing sites such as those we have nominated in these comments, including through voluntary initiatives aimed at combating online content theft in a balanced and responsible manner.”

The MPAA has long been critical of Cloudflare, a security and CDN provider based in San Francisco. Last October, in a statement on a joint strategic plan on Intellectual Property enforcement, the MPAA said that while Cloudflare provides “many valuable services to legitimate websites, they also provide them to sites dedicated to copyright theft.” The MPAA isn’t the only organization that has called out Cloudflare on similar grounds; in August, Cloudflare told a court that it shouldn’t be forced to block sites without proper legal procedure after a group of record labels demanded it stop providing services to various websites connected with the music streaming site MP3Skull.

Private Layer, Altushost, and Netbrella, which the MPAA associates with Panama, the Netherlands, Sweden, and Switzerland, are named as “notorious markets” under the new “hosting providers” category. Cloudflare is not included as a notorious market because it is a domestic company, but is named in the body text as an example of a CDN which hides the IP of web servers used in illegal activity. Cloudflare’s reverse proxy function is identified as a popular tool used by pirate sites and services to render them anonymous.

“Given the central role of hosting providers in the online ecosystem, it is very concerning that many refuse to take action upon being notified that their hosting services are being used in clear violation of their own terms of service prohibiting intellectual property infringement and, with regard to notorious markets such as those cited in this filing, in blatant violation of the law,” the MPAA argues.

Other categories of notorious markets include websites, cyberlockers, peer-to-peer networks and torrent portals, and portals for piracy apps, as well as physical markets.

The MPAA also says registrars like the Indian Public Domain Registry (PDR) are enabling piracy by refusing to take action or investigate reports.

Hotmail Password Bug Quick Fix

Microsoft has rushed out a fix for a serious bug in its Hotmail webmail services.

The bug allowed a hacker to reset the password for a Hotmail account, locking out its owner and giving the attacker access to the inbox.

The fix was put together because the bug was starting to be actively exploited online.

One security news site reported that some hackers were offering to hack Hotmail accounts for $20 (£12).

Computer security researchers discovered the vulnerability in early April and told Microsoft about it soon afterwards. The bug revolved around the way Hotmail handles the data that must pass back and forth when a user wants to reset their password.


How Many Viruses In Circulation Today

How many distinct strains of malware are in circulation today? If you said hundreds of thousands or millions, you’re way off. A close look at numbers from one leading security company helps explain why some big numbers don’t tell the whole story.

How many strains of malware are in circulation right now, for Windows PCs, Android devices, and Macs?

That seems like a straightforward question, but the answer is far from simple. And the number might be a lot lower than you think.

If you check with the leading security companies, you might be tempted to pick an answer in the millions. After all, that’s how many listings you’ll find in the definition files for common antivirus programs. At day’s end on April 12, for example, Symantec published the summary shown below, noting that its latest Virus Definitions file contained 17,702,868 separate signatures.


How To Clear Your Google Web History

Google's latest privacy move has some questioning their mantra, "Do no Evil." Photo by Jonathan McIntosh/flickr/CC


If you've been to Google's homepage lately — and the chances you have are astronomical — you may have noticed a little announcement mentioning something about changes in Google's privacy policy. You then probably ignored it — but you shouldn't.

On March 1st, 2012, Google will implement a new, unified privacy policy. The new policy is retroactive, meaning it will affect any data Google has collected on you prior to that date, as well as any data it gathers afterward. The official Google Blog has more details on what the new privacy policy means. But what does all of this legal jargon mean practically? Basically, under the new policy, your Google Web History (all of your searches and the sites you clicked through to) can be combined with other data Google has gathered about you from other services — Gmail, Google+, etc.

Previously Google kept your search history separate, which means that its profile of you was less complete. If you'd like to keep your personal data a good distance away from Google, you'll need to delete your existing search history and prevent Google from using that history in the future.

The Electronic Frontier Foundation (EFF) has more details on why you might want to turn off Google's Web History feature.

Privacy policies are ubiquitous, yet often highly irrelevant to the typical user; in this case, however, a little time spent changing your settings can provide invaluable peace of mind knowing that Google can't exploit your personal tendencies for its own purposes. Convinced yet? Read on for our guide to locking down your web history.

This how-to was written by Scott Gilbertson, a writer and web developer living in Athens, Georgia.


How To Avoid 17 Common Email Scams

We’ve all heard the horror stories: credit card fraud, pyramid schemes, phishing, identity theft — the list of scams goes on and on.

“Oh, that won’t happen to me,” you think. “I know the signs.” No one wants to think he’ll be counted among the fooled. But the truth is, you can never be too cautious about scams on the web.

After all, according to the Internet Crime Complaint Center, yearly dollars lost grew by about $500 million from 2004 to 2009, and the trend isn’t showing signs of slowing.

How To Avoid Text Message Scams

Be suspicious of a text that says you've won a gift card. Why? Viruses and phishing scams are quickly moving to smartphones, meaning consumers have to exercise the same caution when they're mobile that they do at their desk.

When you get a text from a source that appears suspicious, the prudent thing to do is assume that it's a scam. These messages usually contain malware and viruses designed to infect your phone and steal personal information.


And because everyone likes something “free,” common examples include messages claiming you have "won" a gift card for Wal-Mart, Best Buy, Apple and other national retailers.

Fortunately, there are ways to protect yourself:

How To Keep Free From Internet Stalking, Bullying and Harassment

(Daryl Nelson @ ConsumerAffairs) Sooner or later, we all get that email that we don’t want, or receive something posted on our social network page that we wish we never got, and whether the message is from a company, an overzealous salesperson or from a personal acquaintance, they can be annoying and even upsetting at times.

But at what point do these unwanted messages go from being just annoying to becoming full-on harassment?

The month of January is Annual Stalking Awareness Month, and according to the Stalking Resource Center of the National Center for Victims of Crime, stalking someone online has a lot to do with repeated attempts of harassment and a certain level of deliberateness, which isn’t always the case with someone occasionally sending you a message that you don’t want.

Michael Kaiser, who is the executive director of the National Cyber Security Alliance (NCSA), says cyber-stalking is nothing that consumers should take lightly, and once you notice a pattern or receive just one threatening message, you should contact your local police department as soon as possible.

“In order to effectively combat unwanted contact, it is important to know the signs of stalking and how to deal with such related incidents,” said Kaiser in a statement.

“Aggressive outreach such as persistent emails, harassing posts or text messages are not acceptable forms of online communication and NCSA encourages affected individuals to contact local law enforcement or victim service agencies to report such activities and get help.”

Take action

Experts say if you ever find yourself a victim of cyber-stalking you should immediately suspend your account whether it’s your email or social network page, and consumers should always make sure all of their contact pages have the correct privacy settings, so it’s difficult for cyber-stalkers to locate you in the first place.

Experts also say that Internet stalkers and other online criminals will more than likely pass up the person who makes it more difficult for them to commit their wrongdoings, and even though it can be tempting at times, people should keep the sharing of their personal information to a minimum, like announcing you’ll be out of town for the next two weeks.

Safety experts also stress for people to create usernames that aren’t gender specific, and be sure not to publicize any information that may give a cyber-stalker an idea where you live.

So posting that photo of you standing next to your new car in the driveway, that also happens to show a street sign or a familiar landmark in the background is a great big no-no, say experts.

Go Google yourself

Anupama Srinivasan, who is a program director for a non-profit organization that deals with violence against women, says that people should Google themselves just to get an idea of what personal information is already out there.

And just because you may see your name and address online, doesn’t mean that you have to accept it being there, because obviously the more personal information you’re able to remove from cyber space, the harder it will be for someone to stalk or harass you.

“If you locate personal information like address, phone numbers or pictures or information you don’t want to be out there, speak to the people involved and get it deleted,” said Srinivasan in a published interview.

“Write to the website that lists your phone number without your permission and get it removed. Use your full name and/or the name you go by generally to Google yourself, and be sure to add ‘plus photographs’ in your Google search.”

According to the NCSA one in five people in the U.S. have experienced cyber based crimes that include the stealing of personal information, stealing of identities, bullying and of course cyber-stalking, and over 29 percent of consumers said they know someone who was a victim of an Internet crime.

In all 50 states in the U.S. cyber-stalking is a crime, but some say it doesn’t get the same amount of attention that other Internet crimes do, like identity theft or pilfering money, and for this very reason experts say that consumers need to be even more vigilant when it comes to sharing too much information online and “friending” people they may not know.

The NCSA also says that removing old Internet posts or entries is a smart idea, and just like any other kind of stalker, cyber-stalkers will look under every stone until they can piece together your whereabouts or the necessary information to harass you or even locate where you are.

Be discreet

Also, consumers should not be posting their whereabouts online, as it’s now commonplace for people to let everyone know which restaurant they’re eating at or which movie they're attending, and for someone willing to sit by a computer to learn all of your daily movements, you’ll just be making it that much easier for them to accomplish whatever bad deed they’re intending to commit.

Experts also say as parents use some of these safety measures in their own Internet use, they should also continually remind their children of what to do in order to diminish the chances of them getting stalked or bullied online.

“Adults are not the only ones at risk when it comes to cyber-stalkers,” said Gary Davis, the vice president of global consumer marketing at the software security company McAfee, in a statement.

“Parents need to communicate with their children about such Internet dangers and promote Internet safety. Be sure to secure your devices with strong passwords and frequent updates, connect only with people you know, and be careful not to share contact information or your location,” he said.

How To Know You Are Infected (Kim Komando)

Pop-up ads
Running into pop-up ads while surfing the Web used to be par for the course. Thanks to pop-up blocking now standard in modern browsers, these annoyances aren't common.

Still seeing pop-ups online from multiple sites? It could be a badly-configured browser.

Seeing pop-ups when your browser isn't even open? It's usually adware, spyware or scareware.

You can usually tell it's the last one if the pop-up says "a virus was detected." It will offer you a paid program to remove the virus. Of course, you'll just be downloading even more malware.

Keep an eye on your email "sent" folder and on your social network posts. If you see items you didn't send or post, change your account passwords immediately. This will lock out a virus that's stolen your passwords.

Then go to work with your security software. After you've removed the virus, I'd change your passwords again, just in case.

Be sure to let your friends and family know you were hacked. That way they can take precautions for their accounts as well.

Having trouble taking back your account from a virus or hacker? Click here for detailed instructions to clean up your computer.

Locked computer
You're surfing the Web minding your own business. Suddenly a scary message appears. It says law enforcement has detected illegal material on your computer. You've been locked out until you pay a fine!

Of course it's a lie. A virus has taken over and is holding your computer ransom. That's why it's commonly called "ransomware."

Some ransomware doesn't even try to be sneaky. It tells you up front that hackers took over your system. You have to pay to get it back.

I don't recommend paying. You won't get your computer back.

Unfortunately, you probably won't be able to run your normal anti-virus program. You'll need a rescue CD. Click the links for the free AVG Rescue CD or Windows Defender Online to take care of the problem.

In some cases, the ransomware actually encrypts your files. If that happens, you better have a recent backup. Even if you get rid of the virus, your files might be lost.

Essential tools and programs stop working
If a computer is misbehaving, most computer users hit Ctrl + Alt + Del. The "three-finger salute" lets you open up Task Manager. This can show you what programs are causing trouble.

Sometimes, you'll hit this keyboard shortcut and nothing happens. Your Start Menu won't open. Nothing happens when you right-click on the desktop. Your security software won't run.

This is often a clue that a virus is messing with your computer. It's doing what it can to keep you from identifying it and removing it.

This is where deep-cleaning anti-malware software like MalwareBytes will shine. If that fails, you'll need to use a rescue CD like I mentioned earlier.

If nothing you do works, it could also be a hardware problem. Most likely it's bad RAM or a failing power supply.

Everything is running fine
I run into many people who don't install security software. The excuse is always the same: "But my computer runs just fine without it. If I had a virus, I'd know."

The simple fact is that you don't know. Modern malware can hide deep in your computer without raising red flags. It will just quietly go about its business.


 

How To Make Sure Microsoft Updates Your Computer On Patch Tuesday

The second Tuesday of every month is called Patch Tuesday and it's the day Microsoft releases updates for Windows, Office, Internet Explorer and other Microsoft products.

It's vital that you protect your computers and servers from the latest threats, and that is why you need to make sure these security updates install properly.

If Windows automatic updates is turned on, your computer will download the updates automatically and install them the next time you shut down or restart. If the updates still need to be installed, you will see a yellow security badge or shield on the shutdown button in your Start menu, and/or on your taskbar to the right of the screen.

Click the button to turn off your computer and install the security updates. This could take a little bit of time, so make sure you don't need to use your computer anytime soon.

If you don't see the notification, go to Start>>Control Panel>>All Programs>>Windows Update. This is the place to check and see if there are updates that need to be installed on your computer. If there are updates available, click the Install Updates button.

Make sure you double-check the "most recent check for updates" date and time to see if the computer checked in the last day or so. If your computer hasn't checked for updates recently, click the Check for Updates link.

Best Practice: Have automatic updates check for new updates nightly at about 3:00am, and leave your computer/server on at night for updates and virus scans. In that way, your computer is not trying to do updates while you are trying to do work on your computer.

Remember also to restart your computer every morning first thing before use. In that way, all updates requiring a restart will be complete, cache will be cleared, memory refreshed, and all items will be written properly to disk.

The second Tuesday of every month is sort of a holiday for tech junkies. It's called Patch Tuesday and it's the day Microsoft releases updates for Windows, Office, Internet Explorer and other Microsoft products.

It's vital that you protect yourself from the latest threats. That's why you need to make sure these security updates installed properly.

 

If you have Windows' automatic updates turned on, your computer will download the updates automatically and install them the next time you shut down or restart. If the updates still need to be installed, you should see a yellow security badge on the shutdown button in your Start menu.

Click the button to turn off your computer and install the security updates. This could take a little bit of time, so make sure you don't need to use your computer anytime soon.

If you don't see the notification, go to Start>>Control Panel>>All Programs>>Windows Update. Here you can see if there are updates that need to be installed on your computer. If there are, click the Install Updates button.

Make sure you double-check the "most recent check for updates" date and time to see if the computer checked in the last day or so. If your computer hasn't checked for updates recently, click the Check for Updates link.

- See more at: http://www.komando.com/tips/index.aspx?id=13744#sthash.iLNHUOsS.dpuf


How To Prevent USB Data Breaches

(Josh Davis @ Business2Community) In today’s National Cybersecurity Awareness Month post, SolarWinds’ VP of Product Management, Chris LaPoint, takes us behind the scenes of USB drive security awareness and ways to ensure mobile data remains secure. Chris has spent the last decade building IT management software, first as a software engineer, then as a technical evangelist and product manager at SolarWinds.

In the movies, USB drives are the tools spies use to easily tote around a secret list of global CIA operatives, or nuclear launch codes. All of it highly secure, of course.

The problem is that USB drives are not necessarily secure, and life is not a Jason Bourne film. In fact, USB drives are highly susceptible to malware and data loss due to, among other things, simple human error.

According to the Ponemon Institute:

  • 800,000 data-sensitive devices are lost or stolen each year
  • 74% of missing USB drives result from employee negligence
  • 65% of missing USB drives are not reported by the employee

Of course, public sector organizations need to be particularly careful that data stored on USB drives is kept safe. There is no margin for error here; even the smallest breach can cause catastrophic results. That’s why organizations such as the Department of Homeland Security are actively endorsing particular types of encrypted USB drives and auditing all mobile devices.

Beyond a full-scale audit, however, there are some simple steps that federal agencies can take to ensure USB security, including:

  1. Active monitoring and tracking of network activity. Breaches exhibit certain patterns. For example, you may detect unusual after hours activity on your network, or higher than average login attempts to reach highly secure information. Tracking LAN traffic can help IT teams pinpoint USB-introduced malware based on how it tries to access other ports or network hosts, allowing IT teams to contain the threat. Simultaneously, the teams can prevent data from leaving the organization through the USB drive.
  2. Deploy a secure managed file transfer system. USB drives are popular, but they’re certainly not the only easy-to-use storage solution. Remember FTP? It generally gets a bad rap for potentially being unsecure, but it doesn’t have to be. Managed file transfer (MFT) systems provide FTP with a high level of security while allowing employees to access files wherever they may be. These web-based systems control access via virtual folders, and allow IT managers to actively monitor and control the data being accessed. Also, MFT systems eliminate the need to store data on physical media, so information will no longer be literally out the door. In fact, you can shut off access to USB drives altogether, yet still provide employees with a simple and secure way of accessing information.
  3. Use a USB defender tool. If you’re still set on allowing USB devices on your network, a USB defender tool is a must. USB defenders can provide IT with a real-time alert whenever a USB drive is being used. The usage can then be matched to network logs to correlate malicious attacks with USB use. Defender tools can automatically block USB usage, disable user accounts, quarantine workstations and automatically eject drives. This takes a massive load off the security-minded IT manager.
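The matching of USB usage alerts to network logs described in steps 1 and 3, as an added example (not code from the article or from any vendor's tool). The log formats, host names, the 15-minute window, the business-hours range and the fan-out threshold are assumptions, and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Assumed formats:
#   USB alert: "<ISO time> <host> usb_insert <device label>"
#   Net flow : "<ISO time> <source host> <destination ip> <destination port>"
USB_ALERTS = """\
2024-03-04T22:41:10 ws-017 usb_insert KINGSTON-8GB
2024-03-05T09:15:02 ws-021 usb_insert SANDISK-16GB
"""

NET_FLOWS = """\
2024-03-04T22:30:00 ws-017 10.0.0.5 443
2024-03-04T22:35:12 ws-017 10.0.0.5 443
2024-03-04T22:42:01 ws-017 10.0.0.11 445
2024-03-04T22:42:03 ws-017 10.0.0.12 445
2024-03-04T22:42:05 ws-017 10.0.0.13 445
2024-03-04T22:42:08 ws-017 10.0.0.14 445
2024-03-04T22:42:11 ws-017 10.0.0.15 445
2024-03-04T22:42:14 ws-017 10.0.0.16 445
2024-03-04T22:43:00 ws-017 10.0.0.5 443
2024-03-05T09:00:00 ws-021 10.0.0.5 443
2024-03-05T09:16:30 ws-021 10.0.0.5 443
2024-03-05T09:18:00 ws-021 10.0.0.8 443
"""

WINDOW = timedelta(minutes=15)   # assumed look-ahead after a USB insert
FANOUT_THRESHOLD = 5             # assumed: new destinations that warrant review
BUSINESS_HOURS = range(7, 19)    # assumed: 07:00-18:59 local time


def parse_usb(text):
    """Return a list of (time, host, device) for every usb_insert alert."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, device = line.split(maxsplit=3)
        if action == "usb_insert":
            events.append((datetime.fromisoformat(ts), host, device))
    return events


def parse_flows(text):
    """Return {source host: [(time, destination ip, destination port), ...]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[src].append((datetime.fromisoformat(ts), dst, int(port)))
    return flows


def correlate(usb_events, flows, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Flag USB inserts followed by a burst of destinations the host never used before."""
    findings = []
    for inserted_at, host, device in sorted(usb_events):
        host_flows = flows.get(host, [])
        # Baseline: every (ip, port) the host contacted up to the insert.
        seen_before = {(d, p) for t, d, p in host_flows if t <= inserted_at}
        # Activity inside the window that follows the insert.
        after = {(d, p) for t, d, p in host_flows
                 if inserted_at < t <= inserted_at + window}
        new_targets = sorted(after - seen_before)
        if len(new_targets) >= threshold:
            findings.append({
                "host": host,
                "device": device,
                "inserted_at": inserted_at,
                "after_hours": inserted_at.hour not in BUSINESS_HOURS,
                "new_targets": new_targets,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_usb(USB_ALERTS), parse_flows(NET_FLOWS)):
        print(f"{f['inserted_at']} {f['host']} {f['device']}: "
              f"{len(f['new_targets'])} new destinations, "
              f"after hours: {f['after_hours']}")
```

A finding here is a lead for the IT team to review and contain, not proof of malware; the threshold and window need tuning against each network's normal traffic.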

USB drives may not exactly be the end-all storage solution that Hollywood would like us to believe – but they could certainly end all of the hard work that organizations have done to keep their information safe. Organizations need to do everything they can to monitor, protect and defend that information, or risk having data corrupted or compromised.

How To Remove Tagged Photos From Instagram Profile

(Emily Price @ Mashable) Instagram added the ability to tag photos this week. Similar to photo tagging on Facebook, your friends can now tag you in their Instagram photos so that the image shows up on your profile as well.

It’s a fantastic feature if you want to share those photos with the world, but what if your friend adds a picture of you that you’d rather people not see? Luckily, there's a quick and easy way to remove a tag, as well as a way to make sure no photos make it to your profile without your permission.

Much like how it’s handled on Facebook, when you’re tagged in a photo on Instagram the app sends you a notification. Tagged images are added to a “Photos of You” tab on your profile page.

Tap on the tag in an offending photo to bring up a dialogue box of options. From there you can choose to hide the photo from your profile, remove the tag, or report the photo in general as inappropriate.

If you’d rather not be tagged in any photos you can set things up that way as well. Simply select the Settings menu from the Photos of You section, and then change the selection from “Add Automatically” to “Add Manually.” Now, you’ll have to approve any photos that get added to your profile page.

How To Remove Your Online Info

The Paranoid's Bible: An anti-dox effort.

The Paranoid’s Bible (PB) is a repository of knowledge meant to help people remove their information (Dox) from the web and people search engines.

How to Protect Yourself From Email Fraud

(Kelly and the Kids at enrichingkids.com AND SpecialDatabases) Email has very quickly become one of the most effective methods for people to communicate with each other. This has dramatically changed the way we communicate, whether for personal or business purposes. Now with the advent of electronic communications, we no longer have to rely on communicating via the mail or by telephone. With email, communication has been revolutionized with quick, inexpensive and efficient communication with others. However, while email has quickly become the preferred method of communication for businesses as well as individuals, it is not without potential risks.

Email can be a great vehicle for instantly communicating information, ideas, thoughts and much more for individuals and companies. However, one of the concerns that people have is whether the email you receive is a valid email. While the vast majority of the communication we receive by email is legitimate, it's the small amount of questionable email that we receive that you need to be concerned with.

One of the biggest problems we face is that of email and Internet fraud. Basically email fraud is when an email is sent by someone who makes a false claim. The purpose of this type of email would be to con the recipient into acting in a way that can result in a loss of money. Email fraud is becoming one of the biggest problems that people currently face online. While laws are in place protecting people from becoming victims of the scam, the key is being aware of potential dangers and to avoid being a victim.

To help learn more about the dangers of email fraud and how to prevent being a victim, we have gathered a number of helpful links. Be safe!

  • What is email Fraud? – Informative page which outlines what email fraud is and why it is dangerous.

  • Email Fraud – Article from the New York Times which provides information on what makes email fraud work.

  • Definitions – Useful article which lists a number of common definitions related to online fraud.

  • Internet Fraud – Helpful definition of what is commonly referred to as Internet fraud.

  • Internet Hoaxes - Information and definition of the legal description of an Internet hoax.

  • What is an email Hoax? – Web page which outlines the different kinds of email hoaxes.

  • Email Phishing Scams – Information on Phishing including examples and how to prevent being a victim.

  • Common Fraud Scams – Informative site from the FBI which gives an overview of typical fraud schemes.

  • Email Frauds – Article which lists several common varieties of email fraud attempts.

  • Email and Text Fraud – Helpful page with information on what to look for in possible fraudulent emails and texts.

  • Fraud and Phishing Resources – Useful page with information for consumers about email fraud.

  • Frauds and Scams - Overview of the various types of online and email frauds and scams that consumers need to be aware of.

  • Email Frauds - Useful page which provides information on email frauds and other online dangers.

  • Danger of Email Scams – Helpful article which contains an overview of possible email scam dangers.

  • Email Dangers – Article providing tips and suggestions on how to avoid email dangers.

  • Potential Risks – Information on potential risks associated with email and the Internet and how to avoid them.

  • Email Risks – Kid-friendly information for children informing them of email risks.

  • Email Risks – Page of legal information from an employer's point of view about the potential risks with email.

  • CAN-SPAM Act – Informative page from the FTC about laws that businesses should follow regarding emails.

  • Email Privacy Laws – Overview of some of the laws pertaining to protecting consumers through email.

  • Email Privacy Act – Useful page which looks at a 2013 law for email privacy.

  • Email Privacy – Web page which looks at the legal issues involved with email privacy.

  • Privacy in the Workplace – Overview of the issues of email in the workplace.

  • Spam Messages – Informative page from the FCC about how to stop unwanted text and email messages.

  • Preventing Fraudulent Communication – Useful page with information about how consumers can prevent being a victim.

  • Fraud Protection Tips - Information and suggestions for consumers on how to be protected from fraud.

  • Fight Fraud – Overview of several fraud activities and how to prevent being a victim.

  • Fraud Prevention - Informative web site with information about fraud, how to prevent being a victim and how to file a complaint if you are a victim.

  • Prevent Internet Fraud – Article with ten suggestions on how to prevent fraud.

  • Preventing Fraud – Helpful tips for consumers on how to prevent Internet fraud.

How to Read and Delete What Google Search Knows About You

Here’s How to Download and Delete What Google Search Knows About You

( @Technology Reporter) Have you ever wondered what Google Search really knows about you? Well, now you can check, as Google has added a new feature that lets you view and download your entire search history.

Yep. Everything.

The feature, which was spotted by the unofficial Google Operating System Blog — though VentureBeat points out that the function was made available in January — gives you access to everything from what you searched for to the links you clicked on from those searches. It also shows you the addresses you’ve searched for.

I was even able to see the list of images I clicked on while searching for pictures of cats eating spaghetti. Now imagine what you’ve looked for. Oh, and clearing your browser history won’t delete this data.

But there’s no reason to panic, because in addition to being able to download your search history, you can clear it.

First, here’s how to download your history:

1. Navigate to Google’s Web and App Activity page.

2. Next, click the gear icon in the top-right corner of the screen.

3. Then select Download from the drop-down menu.

You’ll then receive a pop-up window warning you not to download your search history to a public computer, as it contains a large amount of sensitive information.

4. If you want to continue, click Create Archive.

Once your history is downloaded, you’ll receive a link in a few seconds that lets you view your data.

If you don’t want to download your data, and would rather get rid of it, you can do that as well. Of course, there are some reasons to let Google keep your search data. For one thing, it guarantees faster search results. It also ensures that Google Now has all of the latest relevant information about you. If you delete your data, your searches won’t be as tailored to your habits.

Still want to get rid of your search history? Here’s how:

Before we get started, it’s worth pointing out that if you want to keep your information hidden, you can use your browser’s privacy option, which keeps Google from saving your data — though it can still be seen by your service provider or employer.

Simply deleting your browser history won’t clear the data saved by Google, as you’re only deleting the information stored by your browser and not what’s on Google’s servers. To do that, you’ll have to:

1. Navigate to the Web and App Activity Page and click the gear icon in the top-right corner.

2. Select Remove Items and choose the beginning of time from the drop-down menu.

3. Click Remove and kiss your data goodbye.

That’s it. All of your search history will be deleted, and you’ll never have to worry about Google knowing about the time you looked for tickets to a Justin Bieber concert.

How to detect malware on your PC

(Mark Huffman @ ConsumerAffairs) There is growing concern about cyber security, especially among businesses and organizations that maintain vast networks. But consumers have to be aware of any threats to their personal computers and mobile devices. These threats are usually in the form of malware.

Malware is a general term to describe software you did not knowingly install and that disrupts the normal operation of your machine. It can simply be annoying or a serious threat. Your anti-virus software is supposed to detect and deflect these programs but, for a number of reasons, some can slip by.

Here are some signs that your PC might be compromised:

The machine runs at a slower than usual speed. We're not talking about your Internet speed, necessarily, but the speed at which your computer operates software programs and performs tasks.

If you find that your browser is taking you to a different site than the one you selected from your bookmarks, or a search engine gives you odd, unpredictable results, it's a sure sign your computer is infected with malware. After all, the main purpose of malware is to give someone else control over your machine.

Use care in downloading fixes

There are a number of free programs that will scan your system in search of malware, but be very careful and check out any program before you download it. Michael, of Plano, Tex., downloaded MyCleanPC, which is advertised on TV, and now wishes he had not.

“Almost immediately I began noticing an unbelievable number of advertisements of all kinds on my laptop, making my laptop run even slower,” Michael wrote in a ConsumerAffairs post. “I have so far uninstalled all traces of MyCleanPC from my laptop, and the effect is spectacular. No more silly and annoying ads and my laptop is a bit faster.”

Malware is sometimes enabled by a rootkit, which is a type of software that can disguise what your computer is doing. Sometimes, it can even fool your anti-virus software. Once an attacker gains access to a compromised computer, the attacker can perform just about any task you can, including changing settings.

Some may recall the 2005 scandal involving Sony BMG Music, which was accused of secretly including a rootkit in music player software that came with music CDs. The rootkit was designed to protect the copyright by limiting the consumers' access to the CD but it also amounted to a major security breach.

A nasty threat

While a rootkit is very hard to detect, it may be even harder to remove. In some cases it requires the replacement of hardware. Fortunately, rootkits are not as common as run-of-the-mill malware. In most cases, malware is used to direct your attention from what you are looking for and toward something that the attacker wants to sell.

To do this, malware often attacks and changes your DNS server settings. Internet addresses are not words, like ConsumerAffairs.com, but a series of numbers, punctuated by periods. DNS servers provide the translation from the name you typed into your browser's address line to the numbers, which identify the site's real address.

Hackers have learned that if they can control a user’s DNS servers, they can control what sites the user connects to on the Internet. A malware called DNSChanger performs that task. By using malware to change the user’s DNS server settings, the criminal can force the user to go to a different site than the one the user actually wants.

Last July the FBI found and disabled a number of rogue DNS servers operated by malware hackers. As a result, the consumers whose machines were infected with DNSChanger found their machines would no longer connect to the Internet.
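One way to check a Windows machine for the kind of DNS setting change described above, shown as an added example that is not from the original article: it parses `ipconfig /all` output and lists every configured DNS server that is neither the adapter's own default gateway nor on a list of resolvers you trust. The policy, the function names and the sample output (documentation-range addresses) are assumptions made for illustration.

```python
import ipaddress
import re

# "Ethernet adapter Local Area Connection:" style section headers.
ADAPTER_RE = re.compile(r"^(\S.* adapter .+):\s*$")
# "   DNS Servers . . . . . . . . . . . : 192.168.1.1" style field lines.
FIELD_RE = re.compile(r"^\s+(?P<label>[^:]+?)[ .]*:\s?(?P<value>.*)$")
# Fields whose extra values continue on following lines with no label.
MULTI_VALUE = {"dns servers": "dns", "default gateway": "gateway"}

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.24(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def as_ip(text):
    """Return an ip_address for a bare address (zone id stripped), else None."""
    try:
        return ipaddress.ip_address(text.strip().split("%", 1)[0])
    except ValueError:
        return None


def parse_ipconfig(text):
    """Map adapter name -> {'dns': [...], 'gateway': [...]}."""
    adapters, current, collecting = {}, None, None
    for raw in text.splitlines():
        header = ADAPTER_RE.match(raw)
        if header:
            current = adapters.setdefault(header.group(1), {"dns": [], "gateway": []})
            collecting = None
            continue
        if current is None or not raw.strip():
            continue
        # Continuation line: a bare address under a multi-value field.
        # Checked first because an IPv6 address contains ':' and would
        # otherwise be mistaken for a "label : value" field line.
        bare = as_ip(raw)
        if collecting and bare is not None:
            current[collecting].append(bare)
            continue
        field = FIELD_RE.match(raw)
        collecting = MULTI_VALUE.get(field.group("label").lower()) if field else None
        value = as_ip(field.group("value")) if field else None
        if collecting and value is not None:
            current[collecting].append(value)
    return adapters


def audit_dns(text, trusted=()):
    """Return (adapter, resolver) pairs that are neither gateway nor trusted."""
    trusted = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for name, cfg in parse_ipconfig(text).items():
        for server in cfg["dns"]:
            if server in trusted or server in cfg["gateway"]:
                continue
            findings.append((name, str(server)))
    return findings


if __name__ == "__main__":
    for adapter, resolver in audit_dns(SAMPLE_IPCONFIG):
        print(f"unexpected DNS server {resolver} on {adapter}")
```

An unexpected resolver is a prompt to look closer, not proof of infection: a work VPN or a deliberately chosen public resolver shows up the same way until it is added to `trusted`.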

What to do

If you suspect your machine is infected with malware, you could troubleshoot the problem yourself, but you are probably better off seeking professional help. Seek an independent computer repair shop that has a good reputation. That will usually yield better results than using repair services operated by big box retailers.

Once your machine is cleaned and repaired, make sure you keep your anti-virus software and computer operating system updated. It's probably not a bad idea to take your computer to a repair shop for a diagnostic tune-up once a year anyway, just as you would get regular service for your car.

All this assumes you are running Windows. If you are using an Apple machine or a Chromebook or running Linux on your computer, you're most likely home free. 

Huge attack on WordPress sites could spawn never-before-seen super botnet

(Dan Goodin @ arstechnica) Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a "botnet" of infected computers that's vastly stronger and more destructive than those available today. That's because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.

"These larger machines can cause much more damage in DDoS [distributed denial-of-service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic," Matthew Prince, CEO of content delivery network CloudFlare, wrote in a blog post describing the attacks.

It's not the first time researchers have raised the specter of a super botnet with potentially dire consequences for the Internet. In October, they revealed that highly debilitating DDoS attacks on six of the biggest US banks used compromised Web servers to flood their targets with above-average amounts of Internet traffic. The botnet came to be known as the itsoknoproblembro or Brobot, names that came from a relatively new attack tool kit some of the infected machines ran. If typical botnets used in DDoS attacks were the network equivalent of tens of thousands of garden hoses trained on a target, the Brobot machines were akin to hundreds of fire hoses. Despite their smaller number, they were nonetheless able to inflict more damage because of their bigger capacity.

There's already evidence that some of the commandeered WordPress websites are being abused in a similar fashion. A blog post published Friday by someone from Web host ResellerClub said the company's systems running that platform are also under an "ongoing and highly distributed global attack."

"To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers," the blog post reported. "We did a detailed analysis of the attack pattern and found out that most of the attack was originating from [content management systems] (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories."

The blog post continued:

"Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data."

According to CloudFlare's Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username "admin" and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.

"At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website," the company's Sean Valant wrote. "These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including 'special' characters (^%$#@*)."

Operators of WordPress sites can take other measures too, including installing plugins such as this one and this one, which close some of the holes most frequently exploited in these types of attacks. Beyond that, operators can sign up for a free plan from CloudFlare that automatically blocks login attempts that bear the signature of the brute-force attack.

Already, HostGator has indicated that the strain of this mass attack is causing huge strains on websites, which come to a crawl or go down altogether. There are also indications that once a WordPress installation is infected it's equipped with a backdoor so that attackers can maintain control even after the compromised administrative credentials have been changed. In some respects, the WordPress attacks resemble the mass compromise of machines running the Apache Web server, which Ars chronicled 10 days ago.

With so much at stake, readers who run WordPress sites are strongly advised to lock down their servers immediately. The effort may not only protect the security of the individual site. It could help safeguard the Internet as a whole.
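The attack pattern described above (tens of thousands of sources, each trying only a few passwords against the login page) slips under a per-IP threshold, so detection has to count failures per site rather than per source. The following is an added example, not code from Ars, CloudFlare or the hosting companies: it scans access-log lines in Combined Log Format and assumes a stock WordPress login that answers a failed attempt with 200 and a successful one with a 302 redirect. Thresholds, function names and the constructed log are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
WINDOW_SECONDS = 300  # tumbling five-minute windows


def failed_logins(lines):
    """Yield (window_start_epoch, ip) for each POST to wp-login.php answered 200.

    Assumption: a failed login re-renders the form (200), a good one redirects (302).
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line in the expected format
        path = m.group("path").split("?", 1)[0]
        if (m.group("method") == "POST" and path.endswith("/wp-login.php")
                and m.group("status") == "200"):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            epoch = int(ts.timestamp())
            yield epoch - epoch % WINDOW_SECONDS, m.group("ip")


def per_ip_offenders(lines, limit=5):
    """Classic per-source rule: IPs with more than `limit` failures in one window."""
    counts = Counter(failed_logins(lines))
    return sorted({ip for (_, ip), n in counts.items() if n > limit})


def distributed_alerts(lines, min_failures=50, min_sources=20):
    """Per-site rule: many failures from many distinct sources in one window."""
    windows = defaultdict(Counter)
    for start, ip in failed_logins(lines):
        windows[start][ip] += 1
    alerts = []
    for start in sorted(windows):
        per_ip = windows[start]
        failures = sum(per_ip.values())
        if failures >= min_failures and len(per_ip) >= min_sources:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                "failures": failures,
                "sources": len(per_ip),
                "max_per_ip": max(per_ip.values()),
            })
    return alerts


def build_sample_log():
    """Constructed access log using documentation-range addresses only."""
    base = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset, request, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "{request} HTTP/1.1" {status} 2048 "-" "Mozilla/5.0"')

    for i in range(40):                      # 40 sources, 2 guesses each
        ip = f"203.0.113.{i + 1}"
        add(ip, i * 3, "POST /wp-login.php", 200)
        add(ip, i * 3 + 100, "POST /wp-login.php", 200)
    for k in range(8):                       # one noisy single-source guesser
        add("192.0.2.99", 200 + k * 5, "POST /wp-login.php", 200)
    add("198.51.100.7", 30, "GET /wp-login.php", 200)    # real user opens the form
    add("198.51.100.7", 40, "POST /wp-login.php", 200)   # mistypes the password
    add("198.51.100.7", 50, "POST /wp-login.php", 302)   # then logs in
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP rule flags:", per_ip_offenders(log))
    for alert in distributed_alerts(log):
        print("distributed brute force suspected:", alert)
```

On the constructed log the per-IP rule flags only the single noisy address, while the per-site rule reports the whole window, including the 40 sources that stayed at two attempts each.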

I want to be paid for giving up their data - How About You

(Jim Hood @ ConsumerAffairs) It used to be that publishers, broadcasters and websites captured audiences, then conducted research to get a rough picture of who was in that audience so they could go sell ads to the most suitable brands.

That still happens, of course, but the brands increasingly have access to even more data than the publishers, thanks to Big Data, the databases in the cloud that sift, winnow and stir the billions of bits that fly their way from all kinds of sources -- including retail purchases, loyalty club data, web browsing info and the information that we all willingly provide every time we fill out a form.

Everybody makes a lot of money on this, so everything is just ducky, right?

Well, actually, not everybody is making money on it. Consumers, the fount from which all blessings flow, are lucky to get a "Hey thanks" for giving up all this actionable data about themselves.

But that's changing. Consumers understand the value of their data and they damned well expect to be paid for providing it, a Microsoft executive cautioned at a recent New York conference.

In fact, 59% of people say they are more likely to buy from a brand that rewards them for their information, according to Microsoft’s latest Digital Trends study, which relied on a global survey of some 8,000 consumers, said Rick Chavez, general manager of the Online Services Division at Microsoft.

In addition, Chavez said consumers want a more "intelligent" relationship with technology. Simply put, they want the stuff to work without calling a lot of attention to itself.

“We want technology that disappears, but that doesn’t disconnect … In short, we want technology that’s on in the right way, and by ‘right’ we mean responsive to our needs in the moment … Not hyper-responsive, not intrusive and not constraining, but in the right way and at the right time,” Chavez said, according to MediaPost.

Age of serendipity

But at the same time, Chavez said consumers want to have a little excitement in their lives, maybe even a delightful surprise, something other than the Blue Screen of Death presumably.

“The Age of Serendipity is about receiving something at the right time and place, and in the right frame of mind,” Chavez added. “Give consumers a pleasant surprise, and they’re more likely to build a long-term relationship with [brands].”

"The challenge for marketers is in capturing that interplay and feeding back information — whether it’s logical, informational or more emotive and inspirational in nature — to the consumer at the right time and place in order to facilitate her decision-making process," Chavez said on his blog.

OK, fine, but what happened to paying consumers for their data?

IT security issues shift as data moves to cloud

The Internet "cloud" has become the hottest topic in computing, and a gold mine for cyber criminals, but the trend has created a new range of security issues that need to be addressed.

The cloud is associated with things like personal emails and music which can be accessed on computers and a range of mobile devices.

But the US military and government agencies from the CIA to the Federal Aviation Administration also use cloud systems to allow data to be accessed anywhere in the world and save money -- and, ostensibly, to enhance security.

Microsoft, Google, Amazon and others are major players in the cloud, which seeks to transfer some of the data storage issues to more sophisticated data centers. Firms like Oracle, SAP and Salesforce.com offer cloud services for business.

Strategy Analytics forecasts US spending on cloud services to grow from $31 billion in 2011 to $82 billion by 2016.

But some experts say security implications of the cloud have not been fully analyzed, and that the cloud may open up new vulnerabilities and problems.

"If past is prologue I don't think any system is absolutely secure," said Stelios Sidiroglou-Douskos, a research scientist at the Massachusetts Institute of Technology's Computer Science and Artificial Intelligence Laboratory.

"The analogy most people give is having a lock on your door. It's not a guarantee no one will break in, but it's a question of how much time it will take, and if your lock is better than your neighbor's."

In a cloud environment, "this makes the job of the attacker so much harder, which means the amateur hacker might be obsolete," said Sidiroglou-Douskos, who is working on a US government-funded research project to develop "self-healing" clouds.

Identity Theft Farcing overtakes Phishing

(Rob hyrons @ Fotolia.com) It was only a matter of time before scammers discovered social media. To them, email phishing scams are so 2009. Really aggressive identity thieves are now using social media sites like Facebook, Twitter and LinkedIn to ensnare victims. It turns out it's easier and a lot more lucrative.

Social media users are always getting friend requests. Most often it's someone from the user's circle of friends. But getting a friend request from a friend-of-a-friend is not uncommon.

Assuming that person is who they say they are, without confirming it, is dangerous, says Arun Vishwanath, associate professor of communication at the University of Buffalo. You could fall victim to what's being called “farcing,” exposing dozens of your friends and contacts for good measure.

“Farcing takes place on popular social media platforms like Facebook, Twitter, LinkedIn and Google Plus and has been used for online bullying, identity theft, organizational espionage, child pornography and even burglary,” said Vishwanath.

Wealth of information

Consider all the information that is available to a “friend.” It's enough to make a scammer hyperventilate. Once accepted as a friend, the scammer would have access to your name, your nicknames and the names of friends and relatives.

Chances are he would learn what schools you attended and where you have worked. He might even learn your address, pet’s name, favorite vacation sites plus when you’re leaving and how long you’ll be gone. The list is almost endless and all of it is valuable to someone trying to steal your identity.

Vishwanath got the idea for a study of the phenomenon from a local crime story in the Buffalo area. He says a substitute teacher created a false identity and fake Facebook profile in which he pretended to be a female student. He allegedly used that identity to entice minors — some of whom were his students — to send him explicit sexual photographs. He is now serving 30 years in prison.

But people who want more than mere sexual titillation have grabbed onto social media as a means to pry sensitive information from unsuspecting victims – information that can be used to take out loans and clean out bank accounts.

Testing his theory

To prove his point Vishwanath set up a simulated farcing experiment on Facebook and watched it unfurl. He created 4 fake profiles, each with different levels of information attached to them. For example, some had photos and other friends, some didn't.

He next recruited 150 Facebook users and contacted them with friend requests. One in 5 agreed with the initial friend request. Another 13% of that group agreed to provide the new “friend” with additional information about themselves when he asked. That's what he calls Stage 2 of a farcing attack.

“A motivated farcer can go on to the second stage, requesting more information directly from the victim by using messaging functions within the social media platform,” Vishwanath said. “Messages can be crafted to take advantage of the asymmetries between the information mined from the victim’s page and the deceptive intent of the phisher.”

Protecting yourself

One obvious way to protect yourself, he says, is to be much more careful when you make friending decisions — phony, even felonious, characters will present themselves as great new friend possibilities. Only friend people you actually know. Another way is to limit the amount and types of personal information you share on social media sites.

“These scams are on the rise and will continue to increase with the popularity of social media, exponentially increasing the number of farcing victims worldwide,” Vishwanath said.

The Identity Theft Resource Center (ITRC) has conducted a study of Facebook users, assessing their awareness of the farcing threat. The results were not encouraging.

The ITRC study found that while more users tended to be concerned about and aware of identity theft related to Facebook, they did not always act in accordance with such concerns. Consumers still tend to believe that financial harm cannot be caused by Facebook usage, the report concluded.

“As our world transforms more and more into a cyber environment, social networking becomes a larger part of our lives,” said Nikki Junker, Social Media Coordinator for the ITRC. “Because of this, it is important to understand how social networking users comprehend the safety risks while engaging on such sites.”

Identity Theft Seven Common Mistakes

Identity theft is on the rise. Is your organization part of the solution or part of the problem?
PII (Personally identifiable information) is pouring through the security floodgates and ending up in the wrong hands at an alarming rate.

To protect your organization's employees and clients, you need to evaluate how well your company protects its PII. Here are seven common mistakes to avoid.

Keep users in the dark

Users will always be the weakest link in any enterprise network -- and all of the gadgets and controls in the world won't change that. If your users don't know how to identify and handle PII, it's only a matter of time before one of them discloses this data to the wrong source.

The solution is simple: Educate your users on your company's policies and mechanisms to process PII. And don't forget to include regularly scheduled refresher courses.

Partner with the wrong businesses

You've made sure your security is rock solid, and you've trained your users. But can your business partners say the same? Do you collect or share information with businesses that have little or no security?

If your company collects and shares PII with insecure partners, who do you think will end up in the paper, explaining to law enforcement how a breach occurred? Your company will.

The solution is just as simple as the last dilemma: Educate and train your business partners on how to protect this sensitive information. Charge them for your expertise if you want, but get the job done.

Keep data around past its prime

What do you do with data once it's served its purpose? If you aren't destroying PII when it's no longer required, then you're not doing your job. A document retention policy is a must!!! That doesn't mean throwing it away either -- that means destroying it.

Dumpster divers make a living off of old bank statements and credit card receipts. That's why you need to wipe out PII when it's no longer necessary. If your organization doesn't have a shredder, you need to get one today.

Don't worry about physical security

It's imperative that you implement physical access controls to prevent unauthorized people -- including employees -- from gaining access to PII. Get a door lock and a badge reader, and start controlling access.

Don't lock up your records

If you don't have specific storage areas on your network (as well as file cabinets) for PII, then how can you properly protect it? Take inventory of your network -- and your paper copies -- and develop a plan to protect that data. This would be a good time to research encrypting data-at-rest and locking some file cabinets.

Ignore activity on your network

I've said this before in columns, but it's worth repeating: If you're not going to actively monitor your network for suspicious activity or incidents, then stop collecting the data. Develop a method that's within your capabilities and budget to monitor your network for suspicious activity or incidents. And while you're at it, develop a response and mitigation strategy for security incidents.

Audits? Who needs audits?

A lot of businesses either don't know what security events to audit or don't read their security logs -- or both. If you're not sure which events to audit, find out. Set up security auditing, and start reviewing your logs today.

Final thoughts

Identity theft may be on the rise, but you don't have to make it easy for thieves. You can help prevent identity theft both at home and at the office -- you just need to take a few extra steps.

Identity Theft What To Do

(ConsumerAffairs) It's a sick feeling. You check your bank balance and find it at $0. Or you apply for a charge card at a retail store and are turned down because of bad debt – debt that you don't owe.

Just two of the signs that your identity has been stolen.

Identity theft is one of the fastest growing crimes, yet most consumers don't think about it very much, assuming it won't happen to them. But when it does happen, the consequences are often severe and expensive to rectify.

The fi...

Protecting your personal info while on vacation

Experts say when you leave town, your guard is very low

There's nothing like taking a trip.

Whether folks are traveling for business or pleasure in 2013, leaving town could end up being the most excitement they'll see all year. 

So a lot of people are making their travel plans, buying their tickets and requesting time off from work. But one thing a lot of people won't do is take the necessary steps to ensure their personal information is secure while they travel.

Adam Levin, chairman and co-founder of Identity Theft 9...

Is identity theft unavoidable?

An identity theft expert says it's not a matter of if but when

“Identity theft cannot be prevented. It can’t.”

Those were the words uttered by identity theft expert Adam Levin, who’s the chairman and co-founder of Identity Theft 911, a company that provides data protection services for businesses.

This could make a consumer feel pretty helpless.  After all, there are things you can do to prevent home burglaries and auto theft, but identity theft? That's another matter.

By now, you’ve probably heard t...

Identity Theft Tops FTC Complaint List Again

Consumers report more than $1 billion in fraud losses

February 14, 2008 For the seventh year in a row, identity theft was the number one source of consumer fraud complaints submitted to the Federal Trade Commission (FTC). According to the agency's yearly report on fraud complaints for 2007, of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.

According to the FTC, total consumer fraud losses totaled $1.2 billion, with the average ...

The 2005 Javelin Identity Fraud Survey Report -- released by the Better Business Bureau and Javelin Strategy & Research -- shows that Internet-related fraud problems are actually less severe, less costly and not as widespread as previously thought.

Further, the study concludes that those who access accounts online can provide earlier detection of crime than those who rely only upon mailed monthly paper statements. By managing their financial activities online, consumers...

Are Identity Theft Services Worth the Cost?

"Protection" often does little that consumers can't do for selves

Capitalizing on the anxiety surrounding identity theft, dozens of services have sprung up claiming to protect consumers' identity for fees that can add up to hundreds of dollars a year. But when CFA studied the websites of 16 for-profit identity theft services, it found that the descriptions of how they help consumers are often confusing, unclear, and ambiguous.

Furthermore, these services may not always offer the protection that consumers are led to believe they will get...

Report: Data Breach Disclosure Laws Don't Affect Identity Theft

Results of recent legislation called 'statistically insignificant'

But a new research report claims that data breach disclosure laws have no measurable effect on cases of identity theft, due to the many factors that hinder accurate reporting of cases of identity theft and connecting them to known breaches.

A research team at Carnegie Mellon University used data on identity theft supplied by the Federal Trade Commission (FTC) and performed analyses of states that had passed legislation governing data breaches from 2002 to 2006.

According ...

Consumers want easy access to their credit information, accurate reports, and the ability to freeze or protect their credit against identity theft. The financial services industry wants all these things as well -- but not as much as they want to make credit instantly obtainable, and thus profitable.

This inherent conflict leads to things like grossly inaccurate credit reports, credit cards issued to identity thieves, and paying for expensive "credit monitoring" after the...

September 28, 2004 It's bad enough when you are a victim of identity theft. It's downright insulting when you're sold fake protection from identity theft. Oklahoma Attorney General Drew Edmondson has filed suit against an Arizona telemarketing company after the company allegedly offered Oklahoma consumers a bogus identity theft protection service.

The lawsuit accuses Consumer Benefits Group, Inc. (CBG) of violating the Oklahoma Consumer Protection Act, the Commercial...

Gonzales Issues New Identity Theft Plan

Feds' Plan Would Pre-Empt Stronger State Laws

With the "prosecutor purge" scandal hanging over him, Attorney General Alberto Gonzales and Federal Trade Commission (FTC) chairman Deborah Platt Majoras released the latest federal strategy for fighting identity theft Monday.

Consumer advocates and privacy specialists were generally underwhelmed by the plan.

Gonzales and Majoras are co-chairs of the President's Identity Theft Task Force, comprised of heads of multiple government agencies, commissioned to come up with comprehensive strategies for fighting identity theft, fraud, and cybercrime.

Although Gonzales was bombarded with questions related to his role in the firing of multiple U.S. attorneys from their jobs, he attempted to focus his statements on the identity theft plan.

"Much has been accomplished, and there are more protections in place now than ever before," Gonzales said. "But the president and the task force recognize that we need to do more."

"Identity thieves steal consumers' time, money, and security, just as sure as they steal their identifying information, and they cost businesses enormous sums," Majoras said. "The Strategic Plan submitted to the President provides a blueprint for increased federal prevention and protection."

Gonzales' role in the prosecutor firings has cost him considerable standing on Capitol Hill and led many to call for his resignation.

"Several senators have raised the question of whether you can be credible and whether or not you can be an effective attorney general," one reporter asked at today's news conference. "Do you still believe you can, and have you offered your resignation to the president?"

"No," Gonzales replied curtly. "I'm focused on making sure our kids are safe, making sure our neighborhoods are safe, making sure consumers are safe, and that's one of the reasons I'm here today."

One Step Forward ...

The plan came in two volumes, totaling 190 pages. The first volume contained the Task Force recommendations, while the second contained information and resources relating to identity theft. Among the recommendations:

• The formation of a National Identity Theft Law Enforcement Center as a clearinghouse to collect, analyze, and share identity theft information among the various private and public sector agencies. The Center would be headed by the Justice Department, and would include the FTC, the Social Security Administration, the U.S. Postal Service, and the FBI, among others.

• Decrease the usage and collection of Social Security numbers on the state, local, and federal levels. The Task Force recommended that the federal Office of Personnel Management (OPM) complete its review of how various agencies utilize SSNs and help develop guidance on limiting their collection to absolutely necessary functions.

• Establishing federal standards for data breaches, including risk evaluations to determine the severity of the breach, consumer and media disclosures, and enforcing the standards in the public and private sector.

• Developing a "Universal Identity Theft Report Form" to be used as the standard for all complaints across the board.

• Extensive education of the public, private, and consumer sector on how to protect oneself from identity theft.

... One Step Back

Several aspects of the report may actually hinder stronger prosecution and enforcement against identity theft. The report recommends that its federal laws pre-empt existing state laws on identity theft and fraud, many of which are stronger and more favorable to the consumer than legislation currently proposed at the federal level.

If the new recommendations become law, California's data breach disclosure laws -- acknowledged to be the strongest in the nation -- would be superseded.

Were it not for those rules, the public might never have known about the ChoicePoint data breach that vaulted the issue to the national stage, cost the embattled data broker $15 million in an FTC settlement, and turned it into a model of privacy protection.

Federal legislation proposed in the Senate, by contrast, would give law enforcement carte blanche to delay consumer notification of data breaches while they investigate, and would enable businesses to handle their own "risk assessments," rather than opening their records to neutral third parties.

The report is also lukewarm on endorsing "credit freezes," which enable consumers to lock out access to their credit unless they give specific permission. Although many states already have credit freeze laws on the books, the report only recommends further study of the legislation.

Indeed, the report's strongest words about credit freezes are these: "Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer's name without the consumer's express permission."

Both volumes of the report are available as free PDF downloads from the government's identity theft "resource" page, IDTheft.gov.

Two Credit Bureaus Offer Consumers Credit Freeze in 50 States

Trans Union, Equifax reverse policy; Experian undecided

In a surprise reversal and a major win for consumers, the Trans Union credit bureau announced that it would offer consumers the ability to "freeze" their credit files in all 50 states in order to protect themselves against identity theft and fraud.

The service will be available in the 11 states that do not already have credit-freeze laws, costing consumers $10 to set the freeze and $10 to unlock it, and will "meet or exceed the requirements" of states with existing freeze laws.

The freeze service will be free to victims of identity theft, and is scheduled to roll out Oct. 15. TransUnion is also offering a more expensive package that combines credit monitoring with the ability to lock and unlock credit freezes online, for $14.95 monthly.

"TransUnion understands that many consumers are concerned about identity theft and want access to tools that provide them with a personal level of comfort," said Trans Union's Mark Marinko.

"We're pleased to be in a position to empower all consumers with the extra measure of security and peace of mind that a file freeze can deliver under the right circumstances."

Consumer advocates hailed Trans Union's decision and urged the remaining bureaus to follow suit. "For a security freeze to be effective to stop new account identity theft, it must be placed at each of the three major credit reporting agencies," said Consumers Union's Gail Hillebrand. "That's why it is so essential for Experian and Equifax to offer the freeze nationwide."

Equifax followed suit, announcing yesterday that it too would offer credit freezes for customers in all 50 states, and would roll out its own plan sometime in October.

Experian undecided

The last of the "Big Three" credit bureaus, Experian, is still "studying the process," said spokesperson Don Girard. "We expect to make an announcement on our decision in the near term."

Credit freezes prevent new credit accounts or loans from being made in someone's name without their explicit authorization, such as a password or PIN code.

The freeze can reduce or prevent the most common form of identity theft, where someone's personal information is used to open new credit cards and take out loans in their name, without their knowledge.

Thirty-nine states and the District of Columbia already have laws in place enabling consumers to freeze their credit, with varying rules and costs for usage. The credit and financial industries have aggressively lobbied against credit freeze laws, claiming they would reduce the availability of credit and discourage shoppers from making big-ticket purchases due to the time spent unlocking a credit account.

Efforts by the credit industry to push weaker national credit protection laws that would preempt state law stalled out in Congress. States such as Utah have passed laws enabling citizens to freeze and unfreeze their credit accounts in as little as 15 minutes.

Consumer advocates and identity theft protection companies such as TrustedID have also heavily advocated the passage of credit freeze laws in all 50 states, claiming that the availability of personal information combined with easy access to credit makes consumers too vulnerable to identity theft and fraud.

Just as the major credit bureaus began offering comprehensive -- and expensive -- identity theft protection services to customers in the wake of the explosion in high-profile data breaches, credit freezes and associated protection plans represent a potentially lucrative new revenue stream for the bureaus to make use of.

But as Consumers Union's Hillebrand notes, if the bureaus have the technical means to enable instant locking and unlocking of credit, they should not be charging high fees to use a service that can be turned on and off in minutes.

"TransUnion and the rest of the credit bureaus should follow the lead of the states with the best security freeze laws and provide this protection to all consumers for no more than $5," Hillebrand said. "All three credit bureaus should make it fast, affordable, and easy for consumers nationwide to take advantage of this important identity theft safeguard."

 

 

States Want Congress to Act on Identity Theft, Data Security

November 1, 2005
Forty-six state Attorneys General are calling on Congress to help protect consumers from identity theft by enacting national security breach and credit freeze legislation.

The proposed laws would require businesses entrusted with personal financial data to notify consumers if their company's data files are breached and allow consumers to put a credit freeze on their accounts.

In the letter, the AGs point out that millions of consumers over the past year have been exposed to potential ID theft because of security breaches suffered by large financial and retail establishments.

California adopted the nation's first security breach notification law in 2003, and 21 states enacted similar statutes in the past year.

"Personal information" acquired or accessed by an unauthorized person which would trigger notification includes:

• Social Security number.
• Driver's license number or government-issued ID number.
• Unique electronic ID number.
• Unique biometric data such as fingerprint, voice print or retina image.
• Home address or telephone number.
• Mother's maiden name.
• Month and year of birth.

The Attorneys General also called for a strong federal security freeze law that would give consumers the right to place a "fraud alert" on their credit reports for at least 90 days, with extended alerts when an ID theft occurs.

Provisions recommended by the Attorneys General include:

• Making the security freeze available to all consumers at no or low cost.
• Banning fees for victims of ID theft who have a police report or FTC affidavit, seniors, veterans and persons who receive notice of a security breach.
• Allowing consumers to selectively or temporarily lift the freeze.
• Permitting consumers to contact one consumer reporting agency and have the freeze apply to all three major credit agencies.

New York Eyes Identity Theft Prevention

April 19, 2005
New York Attorney General Eliot Spitzer and representatives of consumer advocacy and crime victims organizations are urging the State Legislature to protect consumers from identity theft and the unauthorized use of personal data.

Spitzer has submitted a package of bills aimed at providing consumers better control over the dissemination of their personal information, strengthening government's ability to prosecute crimes leading to identity theft and increasing penalties for such crimes.

"It has been said that the theft of one's identity and personal information is not a matter of 'if' but a matter of 'when'," Spitzer said. "New York State must enact reforms to strengthen consumers' ability to control personal information and to facilitate the prosecution of identity theft crimes."

In February, the Federal Identity Theft Data Clearinghouse reported that 38 percent of all fraud claims in 2004 related to identity theft, and New York State ranked seventh in the nation in per-capita identity theft reports. Moreover, a national survey conducted by the Federal Trade Commission estimated that the number of victims in 2002 approached 10 million, including 663,300 New Yorkers.

Spitzer noted that in the last nine weeks alone, numerous incidents have highlighted the issue including:

• Two major information brokerage companies, ChoicePoint, Inc. and LexisNexis have admitted that data files of over 455,000 consumers were breached;
• One of the world's largest financial institutions, Bank of America, confirmed that backup tapes containing personal data on 1.2 million accounts were missing;
• Federal authorities confirmed an investigation into the electronic hacking theft of eight million credit card accounts from the processor of credit transactions for MasterCard, Visa, Discover and American Express;
• A popular shoe store chain, DSW Shoe Warehouse admitted that customer credit information was stolen from over 100 of its stores; and
• Approximately 180,000 GM Mastercard holders will soon receive notification that someone might have stolen their personal information in a data breach at Polo Ralph Lauren Inc.

Spitzer's legislative proposals would address many of these incidents by:

• Providing identity theft victims better control over their personal identifying information, including: allowing for "security freezes" on credit files; and providing significantly increased protections against a private company's disclosure of customers' Social Security numbers;

• Requiring companies to provide notice to individual consumers involved in instances in which a security breach has exposed personal information concerning 500 or more New Yorkers;

• Facilitating the ability of victims to file criminal complaints with law enforcement agencies;

• Requiring that information brokers notify consumers whenever a report containing personal information - such as telephone numbers, bank account information, income, medical information, driving record, and purchasing preferences - has been issued and mandating the disclosure include contact information of the entity that requested the report. The bill also would provide consumers access to their profiles compiled by information brokers;

• Establishing statewide personal information "opt-out" lists, similar to the Telemarketing Do Not Call program, for consumers who want to ensure their confidential personal information is not disclosed;

• Facilitating prosecutions against computer hackers by creating specific criminal penalties for the use of encryption to conceal a crime, to conceal the identity of another person who commits a crime, or to disrupt the normal operation of a computer;

• Increasing criminal penalties for gaining unauthorized access through a computer to data about employment, salary, credit or other financial or personal information;

• Facilitating prosecutions against hackers and others who surreptitiously gain access to computers, but do not steal or destroy computer material.

 

The Amphetamine Connection: How Meth is Driving the Identity Theft Pandemic

How does a driver's license stolen from a St. Louis, Missouri, man end up in a cheap motel room hundreds of miles away?

That's a question that initially baffled investigators when they found the ID in the Merriam, Kansas, flophouse.

But it didn't take long for police to solve the mystery once they learned the motel room doubled as an identity theft laboratory -- filled with computers, scanners, printers, and dozens of stolen ID's -- and the masterminds behind the operation were methamphetamine addicts.

"There's a close link between methamphetamine use and identity theft," says Prosecutor Vanessa Riebli, head of the Johnson County, Kansas, District Attorney's Economic Crime Unit. "ID's are traded or sold for drugs across the country, and drug users are supporting their habit with identity theft."

And they're making good money. The husband-wife team involved in the Merriam, Kansas case netted $60,000-$100,000 in their scheme, Riebli says.

"Identity theft is so much more profitable than other crimes," she says, adding the husband made the phony checks and the wife passed them using the fake ID's. "And if the defendants get caught, they know the penalties for identity theft are less severe than other crimes."

Riebli charged the couple involved in this 2003 case with identity theft, but neither served much time behind bars. Thirty-seven-year-old Owen Samuel Barlow, a former computer programmer at Sprint, received a two-year sentence. His wife -- 41-year-old accountant Teresa A. Barlow -- received an 18-month sentence.

Riebli says this case illustrates why methamphetamine addicts have turned to identity theft -- the fastest growing crime in the country -- to support their habits.

"Why would you rob a bank when you can walk inside a bank, commit check fraud, get more money, and -- if you get caught -- receive a much less severe penalty?"

100% Free Financing

Owen & Theresa Barlow
Source: Kansas Department of Corrections

Detective Byron Pierce of the Overland Park, Kansas, Police Department has investigated scores of identity theft cases.

And he's noticed a sharp increase in the number of methamphetamine users stealing or assuming someone else's identity to finance their addictions, which can cost hundreds of dollars a day.

"When our officers bust meth labs, they're seeing stolen personal information like credit cards, driver's licenses, Social Security cards, checkbooks, employee ID's," says the veteran detective with the department's Financial Crime Unit.

"There's a direct correlation between drugs and fraud. When drugs are involved, fraud is involved. When fraud is involved, drugs are involved. The two are almost synonymous. And there's no question that there's a correlation between methamphetamine use and identity theft," he said.

What's the driving force behind this criminal phenomenon?

"Identity theft is 100 percent free financing for their drugs," Pierce says. "When you finance your drugs with other peoples' personal information, there's no risk associated with buying any amount of drugs because it's not affecting your bottom line.

"Identity theft is also an easy crime to commit, and if you get caught the penalties are less severe than those associated with other crimes," he adds. "The people involved in these crimes know that. Everyone talks ... there's a lot of collaboration and they'll say 'that's a good idea, let's try it.'"

"Time to plot out a plan to get money"

Methamphetamine addicts are also excellent candidates to commit identity theft because of the effects the drug has on their systems, medical experts say.

A meth user, for example, can stay awake for days and do such repetitive tasks as piecing together shredded documents or testing credit card numbers to buy merchandise online.

"These users can be up for days and that gives them time to plot out a plan to get money," says Jim Philipps with the National Association of Counties. His organization studied the criminal effects methamphetamine has on communities. "They'll come up with ways to get money ... usually by stealing mail or credit cards."

Twin Scourges Intertwine

Law enforcement officials say the connection between methamphetamines and identity theft has become a nationwide problem -- one that started in the West and is rapidly moving across the country.

Consider:

• Two Oxford, Georgia, women who ran an identity theft scheme pleaded guilty in November 2006, to possession of stolen mail. The women confessed they dealt methamphetamines and their customers paid them with stolen mail. The women would then use the financial information in the stolen mail -- including paychecks, credit cards, and bank statements -- to commit identity theft. "This case demonstrates that the twin scourges of meth and identity theft often intertwine -- multiplying their damaging effects on the public, since one crime is used to fuel the other," said United States Attorney David E. Nahmias.

• Postal inspectors in 2005 tracked down an Arizona woman -- who had eluded them for more than a year -- in a Phoenix apartment. Investigators found personal information belonging to 400 potential identity theft victims, a stash of methamphetamine in the kitchen, and merchandise purchased with stolen credit cards.

• The San Diego, California, District Attorney's Office reported that cases involving methamphetamine and identity theft jumped 35 percent from 2002-2005. Law enforcement officials in San Diego also noted that 75 percent of the suspects in local identity theft cases showed evidence of methamphetamine abuse. San Diego officials called the connection between meth and identity theft "a clear danger to both the public and business community."

• In 2006, The National Association of Counties examined the criminal effect of methamphetamine on communities. Of the 500 sheriffs who responded to the survey, 31 percent reported an increase in identity theft-methamphetamine related crimes.

One of the sheriffs who participated in that study is Patrick Hedges of San Luis Obispo, California.

"Our experience with meth users is that they often steal mail," he says. "There are people who go around almost every night and look for mailboxes that have the flags up. They take the mail and if they find checks, they'll doctor them and make the checks payable to themselves. Or they'll apply for a credit card using the stolen information."

He adds: "These meth users are usually people on the street who have to support their habit. They're the ones who lift mail, get involved in stolen checks and credit cards, or copy down someone's personal information at a restaurant or gas station. They're involved in less risky types than someone on heroin."

"A Wave of Identity Theft"

This growing methamphetamine-identity theft problem has captured the attention of U.S. Senator Maria Cantwell, (D-Wash.).

In 2005, Cantwell introduced a bill that asked the Justice Department to investigate the link between ID theft and methamphetamine use. The measure was referred to the Judiciary Committee, but never came up. Cantwell's office says the senator plans to reintroduce the bill this year.

When she introduced the measure in 2005, Cantwell said: "The meth epidemic is creating a wave of identity theft."

Her bill has the support of U.S. Senator Dianne Feinstein (D-Calif.).

"In recent years, we've seen the number of meth labs seized and reports of identity theft shoot up," Feinstein said in 2005. "Law enforcement officials are reporting that this is not just a coincidence. These two crimes can turn people's lives upside down and threaten entire communities. It's time to take a closer look at the connection between meth use and identity theft."

Identity Theft Capital

One of the hotbeds of identity theft in the country -- and a state where methamphetamine is widespread -- is Arizona.

The Federal Trade Commission in 2006 even named the Grand Canyon State the identity theft capital of the United States. The FTC reported Arizona had 156.9 identity theft victims per 100,000 people.

U.S. Postal Inspector Bob Maes says there's a good chance the criminals who stole those victims' identities were hooked on meth.

"In the West it seems like methamphetamine abuse runs hand-in-hand with identity theft," says Maes, who worked in Phoenix until 2004 and then transferred to Utah. "These meth addicts all know someone who will trade drugs for Social Security numbers. One meth addict will know someone who does dumpster diving, one knows someone who steals mail, and another knows someone who is into home burglaries.

"The issue is not the ID, it's the date of birth, Social Security, or identification number on that ID," he adds. "That's what they want. And when you talk to these meth users, they'll know the going rate for a checkbook or a credit card."

Detective Pierce with the Overland Park Police Department says a good ID in Kansas has a street value of $100-$500.

But some ID's go for much more.

"I've learned through interviews with people I've arrested that these guys love checkbooks with Ph.D, CEO, or doctor on the checks. The ID's of a Ph.D. or doctor is much higher and worth a lot more on the street."

Pierce and other law enforcement officials say methamphetamine users will stop at nothing to get someone's ID and other personal information.

"What we're finding is these meth users are committing burglaries themselves and looking for personal data and information they can turn into something usable," Pierce says.

But there are other unsuspected ways methamphetamine users can obtain your personal information to support their drug habits:

• A clerk at a bank, retail store, or dry cleaner can write down your personal information or credit card number. "We've had cases where a clerk at a convenience store wrote down information from checks and then turned around and sold that information," says Postal Inspector Maes.

• A waiter or waitress can scan your credit card -- or write down the numbers -- and sell the information. "When you give your credit card to a waiter you don't know what happens to it," says Sheriff Hedges of San Luis Obispo.

• Files can be stolen from your investment company. "Many times this happens by an insider who works for a financial institution and is a drug addict," Maes says.

• Employees of painting or cleaning companies -- working after the businesses close -- can steal client information. "They can steal a few files and no one will know they're missing until the information is compromised," Maes says.

Consumers are also "asking for trouble" if they leave birth certificates, checkbooks, saving accounts information, Social Security cards, and other personal information in an unlocked car or home, Maes says.

The Underground Market

If your identity is stolen, law enforcement officials say, you're likely to be victimized again -- in many cases by another methamphetamine user.

"There's an underground market where your information is traded and bartered all over streets and maybe all over the country," says detective Pierce. "Remember, this is 100 percent free financing for these methamphetamine users. The drugs are free when they buy them and they're free when they sell them."

Prosecutor Riebli of Johnson County, Kansas, agrees.

"If you've had your identity compromised, it can happen again and again," she says. "There's nothing to prevent these individuals from trading ID's for their drugs."

That means your stolen identity could wind up in some cheap motel room and be used to finance another meth-head's addiction.

Should You Place A Freeze On Your Credit Report?

Credit freezes provide new protection against identity theft

Identity theft is a growing problem because it is so easy for a criminal, with just some of your personal information, to open lines of credit in your name. A way to make it harder for identity thieves is freezing your credit report, but should you take that step?

A growing number of states have passed laws allowing consumers to tell the three major credit reporting agencies - Equifax, Experian and TransUnion - to place a "freeze" or block on sharing their credit reports. A credit freeze prevents potential creditors and other third parties from accessing credit reports without your approval.

Even if the thief has your Social Security number, he may not be able to steal your identity if you have a freeze on your credit report. Most businesses will not open credit card or other accounts without checking your credit history at the reporting agencies. If your credit files are frozen, an identity thief probably would not be able to get credit in your name.

While the credit agencies will freeze your account, there is a charge for that service. Placing a freeze costs $10 at each credit bureau, or $30 total for the three reporting agencies. The fee is waived in most states if the consumer has already been a victim of identity theft.

But what happens when you want to get a bank loan or apply for a credit card? A freeze on your credit report means you won't be able to do it. The freeze remains in place until you ask to remove it. To lift a credit freeze, consumers must contact each credit reporting agency and pay the required fee. By law, the maximum each company may charge is $12.

Consumer advocacy organizations have been petitioning the credit bureaus to make setting up a credit freeze easier and quicker. They claim that consumers have been slow to sign up for them because the procedure is time-consuming and costly.

While freezing your credit report provides a measure of protection, it's not bulletproof. Identity thieves could still use your existing credit card or other accounts, and some new accounts, such as telephone, wireless, and bank accounts, may not require a credit check. But a freeze can prevent the vast majority of identity theft that involves opening a new line of credit.

 

Five signs your identity may have been stolen

Reacting quickly may lessen the damage

In a recent report the U.S. Federal Trade Commission (FTC) noted that identity theft continues to be the top generator of consumer complaints. In 2012, the agency received more than 369,000 reports of stolen identity.

Of those, more than 43 percent were related to tax or wage fraud. Unlike in a burglary or armed robbery, the victim isn't usually aware of the crime right away. The longer it goes undetected, the harder it is to recover.

Here are the top five signs that your...

Is Hollywood helping or hurting in the battle against identity theft?

The new movie Identity Thief might bring welcome exposure to a serious issue

Identity theft is serious business. But that hasn't stopped Hollywood from turning out a comedy with that as its central theme. In fact, it's the title of the movie.

Identity Thief opened in theaters Feb. 8 and was No. 1 at the box office its first weekend. It stars Jason Bateman as a businessman whose identity is stolen by a woman, played by Melissa McCarthy, who opens credit cards in his name and starts living it up. Unfortunately, that happens all the time in real lif...

Identity theft increasingly targets children

The Justice Department estimates 11.7 million people, representing five percent of all persons age 16 or older in the United States, were victims of identity theft between 2006 and 2008. These cases resulted in total financial losses of over $17 billion.

But increasingly, the victims are not adults and are well below the age of 16. A 2012 report by Richard Power, a Distinguished Fellow at Carnegie Mellon CyLab, found children are targeted for identity theft at 35 times the rate of adults.

For example, Power found that Nathan, a 14-year-old from Kentucky, had a credit history that went back more than 10 years. Several credit cards and a foreclosed mortgage were already in his credit profile, put there by someone living in California. The thief established good credit for the first 10 years and was able to finance a $605,000 home in California through first and second mortgages.

When a parent is the thief

But the thief isn't always a stranger. Randy, who works at a car dealership in rural Virginia, says he has seen an increasing number of cases of young people buying their first car, only to find they can't because their credit is ruined.

“We run a credit check and it turns out their parents have used their identities to open credit card accounts, run up huge bills, and don't pay,” he said. “It's terrible. Usually the young person breaks down and cries.”

Experts who follow this sort of crime say parental identity theft accounts for only a small percentage of identity theft cases in the U.S. but concede the numbers are rising. The Federal Trade Commission (FTC) tracks identity theft but does not keep information about how many children have their identities stolen by a parent.

It's easy for a parent to steal their child's identity because they have access to the child's Social Security number. They can also easily intercept mail to keep the child or other family members from discovering what they have done.

Rationalization

Not all parents who steal their children's identity think they are stealing, or doing anything wrong. They fully intend to pay off the debt in a timely manner and think they will be establishing a good credit history for their child. But in addition to being illegal, their good intentions almost always fail and they doom their children to beginning their adult life with bad credit.

The system is also helpful to someone who wants to assume a child's identity because companies that issue credit do not have any way to confirm the age of the applicant. If the applicant using the Social Security number of a four-year old says they are 28, the credit provider usually accepts their word.

The Identity Theft Resource Center (ITRC) says that, while it's understandable how that could slide by in a telephone or online application, few credit issuers request proof of identity in an in-person application process. Even then, many clerks have not been trained on how to recognize counterfeited or altered licenses.

Something that needs to be fixed

“This is a fault within our system that needs to be rectified,” the group says.

The credit reporting agencies also have no way to know that the Social Security number belongs to a minor. ITRC says there is little, if any, sharing of information about the age of a person between the credit bureaus and the Social Security Administration.

The age of the applicant becomes “official” with the first credit application. For example, if the first application indicates that the applicant is 24, the credit agencies believe that person is 24 until a dispute is filed and proven.

Identity thieves know this and it's a major reason that children have become favorite targets. At a minimum, parents should contact all three credit reporting agencies and request a credit report for their child. If you are told that there is no credit report, take that as good news. A credit report should not exist until that child’s first credit application as an adult.

There are also a number of private companies that offer additional steps that they say will keep a child's identity more secure.

If your PC picks up a virus, whose fault is it?

Want to avoid being attacked by viruses and other malware? Two recent studies reveal the secret: regular patching. A fully patched system with a firewall enabled offers almost complete protection...

Illegal Jamming Cell Phones Interest Peaks

In the United States, it is generally illegal to sell, own or use a cell-phone jammer without the government's permission. Fines can be as much as $16,000 with jail time. The devices are offered for sale on a handful of websites.

Mislan, a former communications electronic warfare officer in the U.S. Army, said law enforcement has "very specific worries" about how cell-phone jammers could be used by criminals.

But even someone looking to do no more than hush an annoying neighbor on the bus could do some harm, he said.

For example, in the Philadelphia case, the jammer could have cut off the bus driver's communication with a dispatcher who was trying to communicate emergency or traffic information. And that's not to mention other folks in the area (aside from the offensive loud talkers) who may have missed potentially important phone calls.

"Who is he to play god with our cellphones?" Mislan said.

Jammers work in much the same way online denial-of-service attacks on websites do -- transmitting a signal on the same frequency as mobile phone calls in the area.

"In layman's terms, they basically just interrupt the signals in the area," Mislan said. "They are a louder signal, if you will, than anything else in the area. As a phone tries to connect to a tower, it can't because there's this other noise, if you will, in the way."


Illegal credit card practices cost American Express millions

(James Limbach @ ConsumerAffairs) More than 335,000 consumers who were victimized by American Express's illegal credit card practices will be collecting millions of dollars in restitution. Unfair billing tactics and deceptive marketing are among the allegations.

The Consumer Financial Protection Bureau (CFPB) has ordered the financial services giant to refund an estimated $59.5 million for engaging in practices that the agency says include unfair billing tactics and deceptive marketing with respect to credit card “add-on products” such as payment protection and credit monitoring. The company has also been ordered to pay an additional $9.6 million in civil penalties.

“We first warned companies last year about using deceptive marketing to sell credit card add-on products, and everyone should be on notice of this issue,” said CFPB Director Richard Cordray. The order, he said, means refunds for “thousands of American Express customers who were harmed by these illegal practices. Consumers deserve to be treated fairly and should not pay for services they do not receive.”

The CFPB isn't the only agency getting its pound of flesh. The Federal Deposit Insurance Corporation (FDIC) is fining American Express Centurion Bank $3.6 million, and the Office of the Comptroller of the Currency (OCC) is fining American Express Bank, FSB $3 million. This is the fourth action the CFPB has taken in coordination with fellow regulators to address illegal practices with respect to credit card add-on products.

Misleading marketing

The CFPB says its examiners discovered that, beginning in 2000 and continuing through 2012, three of American Express’s subsidiaries and their vendors and telemarketers engaged in misleading and deceptive tactics to sell some of the company’s credit card add-on products. One such product, a payment protection product called “Account Protector,” allowed consumers to request that 2.5% of their outstanding balance, up to $500, be canceled if they encounter certain life events like unemployment or temporary disability.

Among other things, American Express misled consumers about:

  • The benefits of the payment protection products: Some consumers were led to believe that if they bought the Account Protector product, their minimum monthly payment would be canceled if they experienced a qualifying life event. In reality, the benefit payment would be limited to 2.5% of the consumer’s outstanding balance -- up to $500. In many cases, that amount was less than the minimum payment due.
  • The length of coverage of the payment protection products: Consumers were led to believe that the benefit periods for Account Protector would last up to 24 months. In fact, only two of the 13 qualifying events with benefit periods had benefit periods of up to 24 months. The other 11 qualifying events had benefit periods of only one, two, or three months.
  • The fees associated with payment protection products: American Express or its vendors would claim that there would be no fee if the balance in the account was paid off every month, without disclosing that the account balance had to be paid off before the end of the billing cycle, which was an earlier date than the consumer’s statement due date.
  • The terms and conditions of the Lost Wallet product: American Express used telemarketing sales calls conducted in Spanish to enroll the vast majority of Puerto Rico consumers in this product. Yet American Express did not provide uniform Spanish language scripts for these enrollment calls, and all written materials provided to consumers were in English. As a result, American Express did not adequately alert consumers during the calls about the steps necessary to receive and access the full product benefits.

Unfair billing and other illegal practices

American Express also engaged in unfair billing practices related to its “identity protection” add-on products. These products supposedly include a service to monitor the card members’ credit information. To obtain credit monitoring services, consumers generally must provide written authorization. American Express, however, charged many consumers for these products without or before having the written authorization necessary to perform the monitoring services. As a result, the company:

  • Billed consumers for services they did not receive: Consumers were charged fees as soon as they enrolled in identity protection add-on products, even when American Express or its vendors had not yet obtained the authorization necessary to begin monitoring the consumers’ credit information. American Express did not inform consumers that they needed to complete a second step in the enrollment process to obtain all of the advertised benefits. Approximately 85 percent of consumers who enrolled in the identity protection products paid the full product fee without receiving all of the advertised benefits. In some cases, consumers paid for these services for several years without receiving all of the promised benefits.
  • Unfairly charged consumers for interest and fees: The unfair monthly fees that customers were charged sometimes resulted in customers exceeding their credit card account limits. This then led to additional fees for the customers. Some consumers also paid interest charges on the fees for services that were never received.
  • Failed to inform consumers about their right to a free credit report: Federal law requires that when telemarketing sales calls are made that include offers of free credit reports, the call must include a disclosure about the consumer’s right to a free credit report from a federally authorized source. In some solicitations, American Express did not make the required disclosure.

The hammer drops

American Express subsidiaries have agreed to correct their practices and refund consumers who were harmed by the illegal practices. Specifically, they have agreed to:

  • Stop deceptive marketing: American Express must cease selling the Account Protector, Identity Protection, and Lost Wallet Puerto Rico add-on products until it has submitted a compliance plan to the CFPB. The plan will be designed to eliminate all deceptive or unfair practices and violations of other laws relating to the sale, marketing, and administration of these products and to ensure that these unlawful acts do not occur again.
  • End unfair billing practices: Consumers will no longer be billed for certain identity protection products if they are not receiving the promised benefits. American Express also must take steps, subject to the CFPB's approval, to ensure these unlawful acts do not occur in the future.
  • Pay restitution of approximately $59.5 million to more than 335,000 consumers who purchased the products: American Express has already provided refunds to many consumers and must make further refunds. These American Express entities will be paying restitution to consumers who purchased the Account Protector, Identity Protection, or Lost Wallet Puerto Rico add-on products. American Express must submit a plan for remediation to the Bureau. Once the plan has been reviewed, the American Express entities must begin promptly implementing the remediation.
  • Provide refunds or credits without any further action by consumers: If the consumers are still American Express customers, they will receive a credit to their accounts. If they are no longer an American Express credit card holder, they will receive checks in the mail. Consumers are not required to take any action to receive their credit or check.
  • Submit to an independent review: An independent third-party will help ensure the refunds have been provided in compliance with the terms set forth in the CFPB’s order.
  • Review other credit card add-on products: American Express must hire an independent third-party to review American Express’s other credit card add-on products for compliance with federal consumer financial laws. If any compliance issues are found, American Express must submit a plan to the Bureau explaining how it will correct those violations and provide remediation if necessary.
  • Improve oversight of third-party vendors: The CFPB is also requiring that American Express continue to strengthen its management of third-party vendors who manage these add-on products.
  • Pay a $9.6 million penalty: The CFPB has ordered that American Express pay a $9.6 million fine to the agency's Civil Penalty Fund.

In the AntiVirus War The Bad Guys Are Winning

(CyberheistNews) We all had the nagging suspicion that antivirus is not cutting it anymore, but the following numbers confirm your intuition. I have not seen more powerful ammo for an IT security budget to transform your employees into an effective "last line of defense": a human firewall.

I have covered Virus Bulletin here many times, and have kept track over the years since this is the industry I lived in for 10 years before KnowBe4, and why I started this company in 2010. 

Virus Bulletin (VB) is the AV industry's premier "insider site", and shows how good/bad endpoint detection rates are, but VB also covers spam filters, and tests them on a regular basis. 

Both antivirus (aka endpoint protection) and spam filter tests are published in quadrants graphing the results. What most people do not know, is that participants in this industry all share the same samples, and it's often just a matter of who gets the definition out first, because soon enough everyone else has that malware sample and blocks the hash. 

Well, there is bad news: your proactive antivirus detection rates have dramatically declined in 12 months. 

Don't take my word for it. Just look at the quadrants for Jun-Dec 2015 and compare them to the most recent one for 2016. Note the fact that in 2015, the proactive detection is a bit spread out, but the midpoint hovers around 80%, and the reactive midpoint sits at roughly 90-95%. (Reactive means they know this sample, have a hash, and can block it. Proactive means this is an unknown sample and the security software's heuristics need to recognize the malware behavior.)

Next, look at the same midpoints a year later for April-Oct 2016. 

The bad guys are winning 

Note that reactive detection dropped a little bit and now clusters on the 90% line, but if you eyeball proactive detection, it has dramatically dropped to 67-70%. You would expect that with modern machine-learning techniques, proactive protection would improve, but it is going the opposite direction. By the way, if your AV is not here, the vendor declined to participate, and you can draw your own conclusions about why.

Now you might think that if AV does not catch it, your spam filter will. Think again. 

Martijn Grooten at VB commented on VB's most recent spam filter test that ransomware would be much worse if it wasn't for email security solutions: "Many experts believe that ransomware is set to become an even worse problem in 2017 than it was in 2016 — which is rather bad news, given the damage it has already done. 

"Still, the problem could be much worse: a test of security products performed by Virus Bulletin in November/December 2016 showed that at least 199 out of every 200 emails with a malicious attachment were blocked by email security solutions (or spam filters). Of course, the fact that spam is sent out in large volumes means that even a very low success rate is sufficient for attackers to make a good return on investment — and thus to cause a lot of damage." Here is the quadrant for spam filters: 

Now, let's have a look at that number of 1 in 200 making it through. 

Statistics, extrapolations and counting by the Radicati Group from February 2015, estimate the number of email users worldwide was 2.6 billion, and the amount of emails sent per day (in 2015) to be around 205 billion. That is likely higher now. DMR offers these other fascinating statistics on email, compiled in August 2015:

  • The average office worker receives 121 emails a day
  • Percentage of email that is spam: 49.7%
  • Percentage of emails that have a malicious attachment: 2.3%

Simple math shows that 100+ billion spam emails are sent every day. Of those, 2.3 billion have a malicious attachment. One half of one percent (one in 200) of those makes it through the filters, showing a surprisingly high number of 11,500,000 every day. But let's be conservative and just say millions.

That puts the potential for malware making it in your users' inbox into the millions... every day 

And that is just looking at malicious attachments, of which these days 93% are ransomware.

Keep in mind that the bad guys are also very active with CEO Fraud using a spoofed "From" email address, and even more important, the most vicious attacks (like the hacks into the Clinton campaign) were based on a simple social engineering spear phish. 

The above makes a very strong case for a brand new look at your last line of defense, your users. 

It makes all the sense in the world to transform them into a human firewall ASAP, and keep them on their toes with security top of mind. Step them through new-school security awareness training which combines on-demand interactive, engaging web-based training with frequent simulated phishing attacks right in their inbox. This is a very effective approach, with the best ROI of practically any IT security tool. We have just received a Forrester Total Economic Impact report that shows an ROI of less than a month.

Increase Online Security Nine Ways

A new Consumer Reports survey suggests most of us need help in that area.

(Mark Huffman @ ConsumerAffairs) Privacy seems to be a commodity in short supply these days. Every month there seems to be some new revelation of a data breach, in which a hacker is able to gain access to consumers' private information.

But not all privacy breaches result in identity theft. Information about you is constantly being collected, especially when you use a computer or other device connected to the Internet.

There are things you, as a consumer and computer user, can do to protect your online privacy, but few of us do them. A new report from Consumer Reports finds 62% of U.S. consumers using the Internet have done nothing to protect their privacy.

"The most effective defense against an international onslaught of shadowy hackers is being a well-informed and vigilant individual," said Glenn Derene, Electronics Editor for Consumer Reports. "It should be clear by now that consumers can't rely solely on institutions to safeguard their valuable personal information online. Our report identifies some tools that can help people shut the door on cybercriminals."

The report finds consumers are vulnerable in a number of different areas. Hospitals and doctors' offices, for example, have your medical history stored on computers that could be vulnerable to a breach. If you use any of the commercial cloud services your privacy may also be at risk.

Consumer Reports, for example, says services like Dropbox and Evernote “have a spotty security record.”

What you can do

So, what can you do to better protect your privacy? It may be impossible to provide complete protection but there are a number of things you can do to increase your protections.

If you store private information on a cloud-based service the security experts at Consumer Reports say you should encrypt it with an encryption program. In the event of a breach it will be harder for a hacker to access your data.

Your online privacy starts with your Internet Service Provider (ISP). Your ISP can track your online activity because it has your computer's IP address.

Oftentimes the website you visit can see your IP address as well, and among the information it gleans from that is your geographic location. That's why when you visit a global website you might see an ad for a business in your local area.

Reduce your visibility

According to Privacy Rights Clearinghouse, you can limit this information by using a service such as Tor that can block this information from being transmitted.

You can use a Virtual Private Network (VPN), which replaces your IP address with one from the VPN provider. A VPN subscriber can obtain an IP address from any gateway city the VPN service provides.

There are other ways to limit your ISP's tracking ability outlined here.

Your home network should be secured with a password. In public places like airports and coffee shops, remember that WiFi networks are not secure and any information you send over them is vulnerable.

Evaluate your security settings. Select options that meet your needs without putting you at increased risk.

Cookies

Be aware of your Internet cookies setting. Cookies are short pieces of data used by web servers to identify users. Some cookies may be helpful for storing images and data from websites that you frequent, but others are malicious and collect information about you.

When visiting a new website look for a privacy policy statement or seal that indicates the site abides by privacy standards.

An important step in protecting your online privacy is being very selective about what you download. While it might be tempting to download a free software application, these “freebies” almost always now come with other Potentially Unwanted Programs (PUPs).

Another step to enhance your online privacy is to install good anti-virus software and keep it updated. The updating is important because new threats emerge all the time. Anti-virus programs aren't perfect but they can help.

You're being followed

It's worth noting that not all encroachments on your privacy have the objective of getting access to your money or identity, but they can be creepy nonetheless. Companies seek as much information about your online habits as possible, primarily in hopes of selling you something.

Others collect information about you to sell to other companies, or even share with the government. The American Civil Liberties Union (ACLU) is pushing for stronger protections.

“Protections for online privacy are justified and necessary, and the government must help draw boundaries to ensure that Americans’ privacy stays intact in the Digital Age,” the group says.

Congress can do something too. As a first step, the ACLU advocates an overhaul of the Electronic Communications Privacy Act (ECPA) which was passed in 1986, before the Internet as we know it today even existed.

Infected Over 20,000 WordPress Sites

With 20,000 sites swallowed up, a botnet is eating WordPress alive

Hackers controlling a “botnet” of over 20,000 infected WordPress sites are attacking other WordPress sites, according to a report from The Defiant Threat Intelligence team. The botnets attempted to generate up to five million malicious WordPress logins within the past thirty days.

Per the report, the hackers behind this attack are using four command and control servers to send requests to over 14,000 proxy servers from a Russian provider. Those proxies are then used to anonymize traffic and send instructions and a script to the infected WordPress “slave” sites concerning which of the other WordPress sites to eventually target. The servers behind the attack are still online, and primarily target the XML-RPC interface of WordPress to try out a combination of usernames and passwords for admin logins.

“The wordlists associated with this campaign contain small sets of very common passwords. However, the script includes functionality to dynamically generate appropriate passwords based on common patterns … While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets,” explains The Defiant Threat Intelligence team.

Attacks on the XML-RPC interface aren’t new and date back to 2015. If you’re concerned that your WordPress account might be impacted by this attack, The Defiant Threat Intelligence team reports that it is best to enable restrictions and lockouts for failed logins. You also can consider using WordPress plugins which protect against brute force attacks, such as the Wordfence plugin.
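A sketch of the failed-login restriction recommended above, as an added example (it is not code from the Defiant report or from the Wordfence plugin): it scans web access-log lines for POSTs to `/xmlrpc.php` and applies a per-source limit plus a site-wide limit, because a botnet spreads its attempts over many sources. The log lines, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common "combined" access-log layout: ip, identity, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def make_line(ip, second, method="POST", path="/xmlrpc.php"):
    """Build one constructed log line; 'second' is an offset from 10:00:00."""
    stamp = f"01/Jan/2024:10:{second // 60:02d}:{second % 60:02d} +0000"
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 370 "-" "-"'


def build_sample_log():
    """Constructed sample data (documentation IP ranges), not real traffic."""
    # One noisy source: 8 requests in 35 seconds.
    lines = [make_line("203.0.113.9", s) for s in range(0, 40, 5)]
    # Ten quiet sources, two requests each: no single one looks unusual.
    for i in range(1, 11):
        lines.append(make_line(f"198.51.100.{i}", 100 + i))
        lines.append(make_line(f"198.51.100.{i}", 130 + i))
    # Traffic that must be ignored: a GET, another endpoint, a broken line.
    lines.append(make_line("192.0.2.50", 50, method="GET"))
    lines.append(make_line("192.0.2.51", 55, path="/wp-comments-post.php"))
    lines.append("truncated or malformed line")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_xmlrpc_posts(log_text):
    """Yield (timestamp, ip) for each POST to /xmlrpc.php; skip everything else.

    An access log does not record whether a login failed, so this counts
    requests to the endpoint rather than confirmed failures (assumption).
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp: treat as malformed
        yield ts, m["ip"]


def find_lockouts(events, per_ip_limit=5, site_limit=20,
                  window=timedelta(minutes=5)):
    """Apply sliding-window limits to the parsed events.

    Returns (locked, site_alert):
      locked     - {ip: time its count first exceeded per_ip_limit}
      site_alert - (time, distinct_sources) when the total across all
                   sources first exceeded site_limit, or None
    """
    per_ip = defaultdict(deque)
    site = deque()
    locked = {}
    site_alert = None
    for ts, ip in sorted(events):
        cutoff = ts - window
        q = per_ip[ip]
        q.append(ts)
        while q[0] <= cutoff:          # drop requests older than the window
            q.popleft()
        site.append((ts, ip))
        while site[0][0] <= cutoff:
            site.popleft()
        if len(q) > per_ip_limit and ip not in locked:
            locked[ip] = ts
        if len(site) > site_limit and site_alert is None:
            site_alert = (ts, len({src for _, src in site}))
    return locked, site_alert


if __name__ == "__main__":
    locked, alert = find_lockouts(parse_xmlrpc_posts(SAMPLE_LOG))
    for ip, when in locked.items():
        print(f"lock out {ip} at {when:%H:%M:%S}")
    if alert:
        print(f"site-wide alert at {alert[0]:%H:%M:%S} from {alert[1]} sources")
```

On the constructed data only the noisy address is locked out; the ten quiet sources are caught by the site-wide count, which is the case a per-address lockout alone does not cover.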

The Defiant Threat Intelligence team has shared information on the attacks with law enforcement authorities. Unfortunately, ZDNet reports that the four command and control servers can’t be taken offline because they are hosted on a provider that doesn’t honor takedown requests. Still, researchers will be contacting hosting providers identified with the infected slave sites to try and limit the scope of the attack.

Some data has been omitted from the original report on this attack because it can be exploited by others. The use of the proxies also makes it hard to find the location of the attacks, but the attacker made mistakes which allowed researchers to access the interface of the command and control servers behind the attack. All of this information is being deemed as “a great deal of valuable data” for investigators.

Insidious New Social Engineering Attack

(CyberHeist) There is a new insidious IRS scam that you need to warn your employees, friends and family about, and inform your HR department to start with.

Seasoned internet criminals are sending bogus emails with attachments, text messages and even snail mail claiming to be from the IRS and using a phony Form CP 2000.

This form is normally mailed by the IRS when income reported by employers does not match the income reported on the taxpayer's income tax return. To further confuse the potential victim, the letter accompanying the phony IRS form indicates that the form relates to the Affordable Care Act.

This scam is being investigated by the Treasury Inspector General for Tax Administration. The real CP 2000 form is a hefty six-pager with instructions about what steps to take whether you agree or disagree with the assessment. At the moment, the crooks are extorting straight cash out of victims, but this may just as well be used as a vehicle for instant malware infections.

I suggest you send the following to your employees, friends and family, and while you are at it, warn them against Hurricane Matthew charity scams that are cropping up. You're welcome to copy/paste/edit:

"There is an insidious new IRS scam doing the rounds. They send you a phony IRS CP 2000 form and claim the income reported on your tax return does not match the income reported by your employer. This is meant to get you worried. To confuse you further, the bad guys claim this has something to do with the Affordable Care Act.

You might receive emails with attached phony forms, text messages and even live calls to your phone about this! You need to know that the IRS will never initiate contact with you to collect overdue taxes by an email, text message or phone call.

If you get any emails, text messages, old-time snail mail or even live calls about this, do not respond and/or hang up the phone. If you receive a "CP 2000" form in the mail and doubt this is legit, you can always call the IRS at 1-800-366-4484 to confirm it is a scam."

If you want a safe way for employees to report suspicious email to your organization's Incident Response team, download KnowBe4's complimentary Phish Alert Outlook add-in which gives your user a one-click option to send you any suspicious email including full headers.

Internet Publishing and Digital Rights: The Changing Balance between Access and Ownership

Most people have difficulty understanding intellectual property rights, partly because of their abstract nature; they appear as just a bundle of invisible rights. Moreover, intellectual property rights are so complicated that it is easier to pretend they do not exist and to ignore them rather than to try to comprehend them. However, ignorance is no protection under the law - as many ordinary people have found out at their own expense. New international legislation regarding copyright has changed the way the public interacts with information, and as Bill Thompson, a commentator for the BBC World Service programme Go Digital, points out, the new legislation could make criminals of any one of us. Simply by using peer-to-peer network software to share unlicensed copies of films and music we could be breaking the law (Thompson 2003).

How have we reached a situation where ordinary people can so easily find themselves breaking the law without even realising it? The answer lies in the changes to copyright law.

Internet Scam That Hijacks Your Hard Drive

The Internet Scam That Hijacks Your Hard Drive

Viruses used to be so simple.

(Andrew Lumby @ FiscalTimes) You’d go online with your dial-up modem, take 25 minutes to naively download an appealing-sounding .exe file, and suddenly a sheep would walk across the screen or an embarrassing e-mail would be sent to your entire address book. Some would even wish you a Happy New Year.

Annoying, maybe, but they had their own ‘90s cyber-kiddie sense of charm.

Some viruses, of course, were incredibly disruptive. Now, though, viruses and malware have become even more malicious. They’re out for more than just hacker cred – they’re out for your money.

For a long time, malware scammers used tactics known as Scareware. The malicious software fraudulently claims that your computer has a serious virus infection then sends you to a page to buy their (useless) anti-virus software.

While this is certainly still around, many people have gotten wise to the fraud. Now some scammers are playing hardball. Enter Ransomware.

Ransomware is a form of malware that encrypts files on your hard drives with a highly complicated algorithm then presents you with an ultimatum: Pay up or you lose your files forever. The inherent brilliance in the software is this: While the software can be removed, the files remain encrypted. Paying the ransom is the only chance you have to see your files again.

Although this scam has been around since 1989, only recently has it become widespread due to advancements in cryptography algorithms, the ability to extort via the anonymous currency Bitcoin, and the digitization of once-analog items of sentimental value like family photos and home videos.

Some consumers are aware of the latest and most notable iteration of this trend known as CryptoLocker, which encrypts the user’s data with a 2048-bit RSA Algorithm. The scammers weren’t fooling around when they invented this complicated algorithm, which is incredibly difficult – if not impossible – to crack without a key, which will cost victims about $150 to $300.

Cryptolocker has been incredibly successful. Owing to surprisingly good “customer service” — the majority of people who pay the ransom have their files restored — the men behind the Cryptolocker curtain have raked in over $27 million in Bitcoin over a period of three months, according to an examination of the Bitcoin blockchain by ZDNet.

Due to the inherent success of the software, it seems only logical that a bevy of copycats would show up.

And they have. In droves.

One version, which claimed the owner of the computer had been caught with illicit material on his computer, demanded a fine. The ordeal caused a Romanian man to take his own life and that of his son two weeks ago.

While Ransomware has evolved as a threat to home computer users, it bears a sizeable risk to the business world as well. After all, the earlier versions of Cryptolocker actually targeted business professionals, hiding itself within emails claiming to be a “consumer complaint.”

McAfee, the prominent maker of anti-virus products, predicts that Ransomware in 2014 will evolve to further target businesses and business owners, and that the software will shift to the mobile realm this year. Scammers will, according to McAfee, use the information gleaned from business owners' mobile devices to gain a “tactical advantage” over the businesses, which could end up costing them untold amounts of money.

It's scary stuff certainly, but home users and business owners still have one easy way out – ensuring all their files are backed up using a cloud-based service, untouchable to any scammers.

In terms of which service to pick, there are hundreds of them out there.

  • Box for Business is an affordable option, offering a terabyte of storage per user, at a price of $15 a user.
  • Amazon’s S3 offers a pay-per-use monthly pricing scale at 10 cents a gigabyte.
  • At $55 a month for 3 users, SugarSync for Business is a slightly pricier option, but boasts a collaborative sharing platform and mobile access.

Suffice it to say, regardless of the particular needs of your family or your organization, there’s a service out there that caters to them. There’s no excuse to keep data stored only locally.

Once everyone does this, Ransomware will seem much less threatening.

Iron Clad Laptop Security

Folks use laptops for everything these days. Many keep the family financials and corporate secrets on them, then carry them to faraway places during business travel and vacations. Once whilst traveling to LA on business, I was sitting in an Atlanta restroom stall when someone tried to grab my netbook from under the door. Fortunately, the laptop bag strap was wrapped around my leg and the thief gave up. But had he succeeded, there is no telling what he could have done with the data. Therefore, at a minimum, we recommend doing the following 4 items:

1) Use strong passwords (UPPERCASE, lowercase, numbers and special characters like !@#$%&*?; 10-12 characters long)

2) Fingerprint readers

3) Full-disk encryption

4) Theft and loss recovery

Is Amazon Best Price THE BEST PRICE

(Christopher Maynard @ ConsumerAffairs) In June, we reported that sometimes consumers had to do a little extra work to find the best prices when shopping on Amazon. Researchers from Northeastern University pointed out that not all items that consumers buy on the site come directly from Amazon, so what pops up first in your search may not necessarily be the best price.

Now, a new report by ProPublica shows that price comparisons on the site may be even more complicated. The organization alleges that Amazon fixes the results of its price-comparison pages so that items sold directly by Amazon, or by merchants who pay the company to ship products on their behalf, are given priority in the search results.

This is a potentially huge problem since these comparison pages are supposed to let consumers find the best deals for the products they want.

Shipping costs

The report cites an example of trying to find the best deal on Loctite super glue. After entering in the request, results for different options were spit back out. One result showed the product being sold for $6.75 from a company in Texas with free shipping, while another similar offer showed the product going for $7.27 with free shipping from a company in Ohio.

However, the result that ranked first was being offered by Amazon itself for an even higher price, at $7.80. While this price wasn’t all that much higher than the previous two options at first glance, the researchers found that the offer did not include free shipping.

With the additional cost of the shipping, the price came out to $14.31 before taxes, slightly less than double the price of the previous two offers. The researchers found that this was a common part of Amazon’s algorithmic pricing. Products sold by third-party merchants who were not a part of Amazon’s shipping service were ranked by the cost of the product and the shipping fee, while those sold by Amazon and affiliated parties were ranked without the shipping fee included.

Availability of free shipping

Amazon has provided some explanation for the discrepancy, saying that the vast majority of its products are eligible for free shipping if a consumer is a Prime member or signs up for Super Saver Shipping.

“With Prime and Super Saver Shipping (which requires no membership and ships orders above $49 for free), the vast majority of our items – 9 out of 10 – can ship for free. The sorting algorithms the article refers to are designed for that 90% of items ordered, where shipping costs do not apply,” said Amazon in a statement.

However, as the statement alludes to, free shipping is contingent on a couple of factors. If a consumer is not a Prime member and does not create an order that totals more than $49, then the items they search for may not be in optimal order for them to find a deal. 

Is Amazon Turning Shoppers Into Paid Spies?

The customers think they're being smart shoppers, and maybe they are.  After all, what's wrong with comparing prices between stores and online merchants?  Theoretically nothing, except that it's a trend that local merchants say could be the death of them.  The harm done to communities by the loss of local businesses would far outweigh any savings consumers might realize, retailers say.

Is Mobile Banking Secure

(Mark Huffman @ ConsumerAffairs) The Internet continues to become mobile, meaning in the future even more consumers will use their smartphones and tablets for online banking. Most banks have already rolled out mobile apps and are encouraging customers to use them.

But how secure are they? A new report from Reportlinker.com suggests mobile banking is fairly secure for now. Its Mobile Banking Security Insight Report suggests the financial services industry will continue to benefit from the immediacy that smart mobile devices (SMDs) offer but there are significant risks that must be counteracted before consumers are confident in accepting them.

Banks like mobile banking because it's good business. Mobile customers are generally young and affluent. In other words, the same people who want the latest gadgets – smartphones and tablets – are the very people the banks want as customers.

Risks

But what are the risks?

“Anyone who has access to your cell phone has access to your identity in a few clicks,” said Elizabeth Baker, an assistant professor at Wake Forest University and an expert in information system security issues. “Often, credit card companies limit your financial responsibility if your card is stolen and fraud is committed. This is not true for your checking and savings bank accounts. Money fraudulently withdrawn can be costly.”

The new report acknowledges this growing risk. It notes that while the current level of risk is probably still lower than using online banking on your PC, criminals are quickly turning their attention to the mobile platform as more consumers start using mobile devices.

“As the mobile device becomes the number one screen for our daily lives it conversely becomes an increased target for malicious activity,” the report finds. “Mobile devices are increasingly being attacked.”

Potential

But the report, compiled by Goode Intelligence, says the mobile banking platform has the potential to be much more secure than your desktop. That's because it can also be used as a security token.

If a consumer registers a specific phone to the bank account, the authentication process can be simplified: the user merely has to enter a private PIN or passcode to prove they are in possession of the registered phone.

At the same time, the report says smart phones have the potential to offer stronger authentication. Geolocation, voice recognition, built-in cameras and fingerprint readers could all be used, if required, to offer additional layers of security when authenticating users.

Seamless security

The report suggests this could all be done seamlessly, so that mobile banking is both secure and convenient for the consumer.

Most importantly, all these extra measures could be added without spoiling the user experience. It means that mobile banking can offer better security and better user convenience at the same time.

To reach that level of security, however, it says banks should create an encrypted communication channel between user and bank. They should then create a security protocol that only allows the registered phone to access the account and ensures that the person using the phone is the registered customer.

That security layer is currently lacking. Experts like Baker worry that smartphone users currently are not taking enough steps to secure their phones with password protections, in the event they are lost or stolen.

Is Password-protected public Wi-Fi Safe

Is password-protected public Wi-Fi safe?

I'm always urging my listeners to secure their home wireless networks to keep out hackers and criminals.

Unfortunately, the same isn't true for public Wi-Fi, such as your neighborhood coffee shop or café, even if it is password-protected. 

The point of a password at home is to keep hackers off the network entirely. With public Wi-Fi, hackers can access the network for the price of a cup of coffee.

Once a hacker is on the network, your laptop or mobile gadget is exposed. Any sensitive browsing you do, such as online banking, puts your information at risk of being intercepted.

Some hackers even like to set up their own network with the same name as the coffee shop network. You might think you're connecting to a legitimate business network, but it's really a hacker-controlled network. That makes it even easier for them to steal your information. Even security professionals fall for this tactic!

Be wary about where you go and log in when Web browsing in public. Wait until you get home to do any online banking or shopping, or at least use a cellular connection.

Is the Google Cookie Tracking Everyone's Surfing Habits?

On 1/29/09 Steve Rubel of Micro Persuasion expressed his concerns about the Google search engine's ability to track users through cookies that it places on our computers when we use Google Search. Is the Google Cookie Tracking Everyone's Surfing Habits? His concerns:

"First, Google yesterday made some subtle changes to its privacy policy. Coincidence? Maybe.

Second, according to the Google Adwords blog, the search engine has now added a new site traffic metric in Ad Planner called Unique Visitors (cookies). This, according to Google is a new cookie-based metric that "help(s) you cross check and compare metrics, similar to Google Analytics unique visitor metrics."

The help page goes a little bit further, saying that unique visitors (cookies) is "the estimated number of unique cookies on a site. The unique visitors (cookies) metric is more similar to data from server logs, analytics applications, and ad servers."

Google does not provide any additional details on how they are gathering the data from cookies. Is it possible that this means that as long as you have visited Google once and get cookied that they are now tracking every single site you visit, even if you didn't get there via a search? It's unclear. But it sounds like it. I hope they will be more transparent.

However, if this is true, given the huge number of people that have done at least one Google search (e.g. everyone) that sounds like they are collecting a staggering amount of data. And something that might alarm privacy advocates while at the same time creating the largest consumer panel on the web - e.g. everyone, except those who delete their cookies."

Google Response to Steve Rubel 1/30/09: "A Google spokesperson emailed in the following statement in response to my post...

"Google does not track users in the manner described in the article. We do not track every site every Google user goes to, nor do we have the capabilities to track in this manner.

The updates to our privacy policy made on Wednesday refer to data collection only for the purpose of detecting and preventing fraud or other misconduct; Google Ad Planner is not using any of this data in our enhanced features. There is no relationship between our updated privacy policy and our updated Ad Planner features."

Seems to make sense. However, it doesn't explain where the cookie data comes from. Others point out in the comments that Google has a lot of cookies sprinkled across the web through Doubleclick, etc. and that - in theory - they could triangulate the data.

Is your Boss watching your online activities

By 2015 research firm Gartner expects more than 60 percent of corporations to monitor their employees’ external social media use.

But that doesn’t mean you should be expected to hand over the login details to your Facebook or Twitter accounts.

Some corporations want to monitor digital activity to make sure their employees are not sharing sensitive information that could damage their brand or pose a security risk to the company on social media sites. However, personal information they discover on such sites can also generate serious liabilities for the company.

“The conflicts involved were highlighted through recent examples of a small number of organizations requesting Facebook login information from job candidates,” said Andrew Walls, research vice president of Gartner. “Although that particular practice will gradually fade, employers will continue to pursue greater visibility of social media conversations held by employees, customers and the general public when the topics are of interest to the corporation.”

Relaxnews spoke with Allen Ackerman, a digital media recruiting expert at the Magnet Agency in the US, about social media and job seeking.

Some recent reports in the media have implied that employers often ask a job candidate or employee to hand over their social network login details so they can check what they are saying online but Ackerman says this is absolutely not the case.

“[N]or is it common (and probably not) legal for an employer to ask for these.  We have Equal Opportunity laws in the US that bar discrimination on race, sex, ethnicity or religion. This is clearly an invasion of one’s privacy,” he said, but cautioned that public posts were another issue.

Is your Flash Drive A Security Risk

A flash drive, smaller than a package of chewing gum, has made it much easier to move computer files around. These inexpensive drives can hold dozens of gigabytes of data, more capacity than a standard computer hard drive a decade ago.

But with this convenience comes risk. Because these drives are so small, and are normally carried in a pocket or purse, they can be easily lost. If they happen to contain sensitive files – personnel information, for example – they can pose a data-breach risk.

Flash drives can also be infected with malware, and evidence suggests many are. Paul Ducklin, of Sophos Security, reports his firm recently purchased the USB flash drives sold at a rail company's lost property auction. Two-thirds, Ducklin reports, contained Windows malware.

Is your car spying on you

(Jim Hood @ ConsumerAffairs) A new report from the Government Accountability Office finds that several major automakers and GPS manufacturers collect information about your location from on-board navigation systems.

In some cases, they also retain the information for at least a little while and sometimes share it with third parties.

According to the report, the companies can 'track where consumers are, which can in turn be used to steal their identity, stalk them or monitor them without their knowledge. In addition, location data can be used to infer other sensitive information about individuals such as their religious affiliation or political activities.'

Sen. Al Franken (D-Minn.) requested the investigation and said the findings demonstrate that while companies providing in-car location services have taken concrete steps to protect their customers' privacy, more work needs to be done.

"Modern technology now allows drivers to get turn-by-turn directions in a matter of seconds, but our privacy laws haven't kept pace with these enormous advances," Franken said. "Companies providing in-car location services are taking their customers' privacy seriously — but this report shows that Minnesotans and people across the country need much more information about how the data are being collected, what they're being used for, and how they're being shared with third parties."

"Just common sense"

Franken said the report also underscores the need for him to reintroduce and pass a location privacy bill that made it through committee in 2012 but didn't achieve final Senate passage.

"It's just common sense that all companies should get their customers' clear permission before they collect or share their location information," Franken said in a prepared statement.

The report evaluated privacy protections provided by in-car navigation systems (e.g. OnStar), portable navigation devices (e.g. TomToms and Garmins), and mapping apps (e.g. Google Maps).

Ultimately, GAO found that while companies take various positive steps to protect the location information of drivers, they need to be more forthcoming to consumers about the data they collect, how they use them, and if and why they share them with third parties.

Sen. Franken originally requested the report after he convened a hearing on protecting mobile privacy in May 2011, during which experts testified about the benefits and dangers of using location data. That September, Sen. Franken successfully pressed OnStar to reverse a privacy policy change that would have allowed that company to continue tracking former subscribers even after they discontinued OnStar services. 

Franken,  Chairman of the Judiciary Subcommittee on Privacy, Technology, and the Law, has made technology and privacy a key concern. He has pushed several companies on the privacy implications of new technologies.

In September, he raised privacy questions about Apple's new iPhone fingerprint technology and also pressed Facebook to reconsider the potential expansion of its facial recognition program. After Facebook proceeded with the expansion anyway, Franken successfully pressed the Department of Commerce to convene privacy advocates and industry stakeholders to examine the privacy implications of facial recognition technology.

According to the report, even if a motorist wants data about their travel destroyed, the entity collecting the data isn't required to destroy it. 

AAA urges caution

AAA said the report demonstrates the need for companies to protect consumer rights through the principles of transparency, access, control, choice and security.

“Connected cars can dramatically improve the driving experience, but companies must be responsible in their use of consumer information,” said Bob Darbelnet, President and CEO of AAA. “The data that today can be routinely collected by cars includes some of the most sensitive data that can be collected about a person, including information about their precise location and driving habits.”

“Companies have an obligation to protect consumer rights when offering connected car services,” said Darbelnet. “It is a positive sign that automakers have taken initial steps to address the privacy and security of location data, but more must be done to reduce potential risks faced by consumers.”

Is your online data out of control?

There is probably a lot of information about you in cyberspace. If you have a Facebook account, or know people with a Facebook account, it's almost a certainty.

The issue leaped into the headlines in early December when Facebook made changes to its privacy settings. It was supposed to simplify things but one result was the removal of the option for users to hide themselves from the site's main search tool.

"Many people posted stuff on their timelines that they did not expect to be publicly searchable," Mark Rotenberg, executive director of the Electronic Privacy Information Center, said at the time.

Smile!

But it's not just your comments on Facebook, but photographs too. People post millions of pictures of family and friends, and if you happen to be in the picture – and even “tagged” with your name – your image is there for all to see and no one asks you for permission.

And because pictures are easily downloaded from the Internet, once a picture of you is out there, it can end up anywhere. Vikash, of Punjab, Pakistan, reports that she discovered her likeness as the ID for someone else's Facebook account.

“I wish to make a complaint against Facebook not blocking a Facebook ID that's using my photo as the profile picture,” she wrote in a ConsumerAffairs post. “Facebook ID (name redacted) is a fake ID and it used my photo as the profile picture.”

Then there's the recent example of a California woman whose Facebook pictures became the image of Notre Dame linebacker Manti Te'o's dead girlfriend. Your likeness, it seems, is out of control. Just ask 17 women in Texas.

Revenge-porn

The women have joined a class-action lawsuit against a “revenge-porn” website, claiming ex-boyfriends published nude photographs of them on the site. The women are suing Texxxan.com, as well as Godaddy.com, a commercial website hosting service, and all subscribing members.

The women claim their former lovers, angry at being dumped, published the photographs in an attempt to humiliate them, in an act of revenge.

"I'm going after the revenge porn industry," attorney John Morgan told the Houston Chronicle. "Those sickos who post private information of women without their knowledge."

It may be an extreme example, but it highlights the difficulty consumers have in maintaining control over their image in the Internet age. But what about other kinds of private data?

Little or no control

Microsoft, citing a survey showing 45 percent of U.S. adults feel they have little or no control over the personal information companies gather about them while they are browsing the Web or using online services, is promoting new privacy features in Windows 8.

“As online activities have become a valuable part of daily life, privacy is incredibly important,” said Brendon Lynch, Microsoft's chief privacy officer.

Microsoft has produced a series of web videos that explains how consumers can use the new privacy tools in the operating system. 

Mobile threats

Privacy risks, of course, are not confined to your desktop PC but increasingly are found on your mobile devices. Trend Micro, a security software company, found an explosion in Android threats in 2012, with new Android malware outpacing PC malware by a ratio of 14 to three.

Social media platforms continued to grow as areas of concern with attackers targeting them more, users putting themselves at risk by oversharing on them, and their legitimate services being co-opted to support cybercriminal activities, the company said.

How does your mobile device become compromised? In many cases it's done by downloading an app that is actually a front for malware. You can provide some measure of protection by only downloading apps from reputable sources. An app promoted through an unsolicited text or email is probably compromised.

The future may be even more hazardous. For 2013 Trend Micro expects hackers to infiltrate legitimate cloud services, using a blog or social media site like Facebook to transmit commands. Every web site now is supposed to have a privacy policy. It might be a good idea to read them.

It’s the old school security threats that keep getting people

Everybody in IT knows it is a dangerous world out there, filled with an endless variety of cyber attacks aimed at compromising and taking advantage of security flaws. But there is still a persistent lack of awareness of specific threats and how best to confront them, according to Rob Havelt, director of penetration testing for Trustwave, an international provider of information security and compliance solutions.

The irony, he says, is that it is not necessarily the newest, scariest malware or hack technique that can compromise an enterprise. There are some very cool examples, like hacking into the security cameras so they could point them, zoom in and read passwords.

Java still flawed after update

(BBCNews) Oracle issued an emergency update to its widely-used Java web software on Sunday, but experts say it still contains security flaws.

Last week the US government advised users to disable it because of a bug that leaves computers vulnerable to being hacked.

Security specialists claim the fix has not done enough to make PCs secure.

Oracle says that more than one billion people use Java, and some games like Minecraft are built around it.

The bugs can make a computer open to infection by viruses. Last year net security specialist Kaspersky said that 50% of hacks carried out by seeking out software bugs were done via Java.

"We don't dare to tell users that it's safe to enable Java again," Adam Gowdiak, a researcher with Poland's Security Explorations told Reuters.

In a blog about the "unscheduled" update, Oracle says it has changed Java's default security settings to "high" which it says means users will be notified of any extra applications which start running while they are browsing.

Oracle says the vulnerability applies to the latest version of the software, Java 7. It has declined to comment.

Java is a programming language that enables software to run on many operating systems. It is also installable on web browsers.

July 10 2012 Patch Tuesday

Patch Tuesday will be July 10, 2012 (Today). Microsoft stated that it will release nine bulletins addressing 16 vulnerabilities.

This month, every computer on your network will receive an update. This is what we expect:

    3 bulletins are rated as Critical
    6 bulletins are rated as Important
    5 bulletins addressing vulnerabilities that could lead to Remote Code Execution
    3 bulletins addressing vulnerabilities that could lead to Elevation of Privilege
    1 bulletin addressing vulnerabilities that could lead to Information Disclosure

Affected Products:

    All supported versions of Microsoft Operating Systems - XP, Vista, Windows 7, Windows Server
    Microsoft Internet Explorer 9
    All supported versions of Microsoft Office products (2003, 2007, 2010)
    Microsoft InfoPath 2007, 2010
    Microsoft SharePoint Server 2007, 2010
    Microsoft Groove Server 2010
    Microsoft SharePoint Services 3.0
    Microsoft SharePoint Foundation 2010
    Microsoft Office Web Apps 2010
    Microsoft Visual Basic for Applications
    Microsoft Visual Basic for Applications SDK

Most likely, Microsoft will patch a vulnerability that has been the target of limited zero-day attacks. In June, Microsoft released Security Advisory KB2719615, admitting to a vulnerability in MSXML that had previously received limited attacks. This Patch Tuesday, we will pay particular attention to see if Microsoft releases additional fixes for zero-day vulnerabilities.

Bottom line: Make sure you restart your computers Tuesday and Wednesday morning.

In addition, none of our customer computers or servers were affected by DNS Changer Malware!!!

 

Just how effective is antivirus software

(Mark Huffman @ ConsumerReport) For years, any article about how to protect yourself from computer viruses and malware was usually tagged with “and keep your antivirus software up to date.”

That advice, however, appears to be in the review process as several tech sources have started to question the software's effectiveness.

The latest concern comes from the Department of Homeland Security's Computer Emergency Readiness Team (CERT), which singled out the popular antivirus software packages from Symantec, most commonly marketed under the Norton brand.

“Symantec antivirus products use common unpackers to extract malware binaries when scanning a system,” the agency noted. “A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction.”

Multiple critical vulnerabilities

Last month, Google's Project Zero also sounded the alarm over Symantec products. It published details of what it called “multiple critical vulnerabilities” in the company's endpoint protection products that include ways for a hacker to remotely execute code.

“These vulnerabilities are as bad as it gets,” the Google researchers warned. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

In statements to various media, Symantec has said that it addressed the issues raised by Project Zero in subsequent updates.

Other warnings

But it turns out that questions about the effectiveness of antivirus software aren't exactly news. Last year, a technology blog for government IT specialists warned that “simply installing antivirus technology does not protect today’s endpoints.”

It cited a Lastline Labs study the previous year on the effectiveness of antivirus scanners, noting that much of the newly introduced malware slipped by nearly half of the antivirus vendors.

The study said that two months in, one third of the antivirus scanners still failed to find many of the malware samples. In fact, the malware that experts conceded is the least likely to be detected proved the point, with a majority of the antivirus scanners failing to find it. Some eventually found it, but it took a while.

Waste of money?

So at $30 to $50 a year, is antivirus software a waste of money? Wired posed that question as early as 2012, when it discovered that many of the world's top IT security experts personally do not use an antivirus product.

At the time, Wired concluded the software is probably not a waste of money, especially for businesses that employ multiple users who might do stupid things.

But the report noted that malware creators test their products against the latest antivirus software, so the most effective defense for most consumers is to be cautious about the websites they visit and to not open questionable attachments.

Kaspersky anti-virus cuts web access of thousands of PCs

Kaspersky is one of the world's best known security companies

Thousands of computers running Microsoft's Windows XP operating system were unable to connect to the internet after installing an anti-virus update.

Users said they were also unable to access their internal company networks.

Russian IT security company Kaspersky Labs told users to disable its anti-virus software or roll back the update.

Two hours later it issued a fix - but since their PCs were unable to auto-install new code from the net, users had to perform several tasks first.

Kaspersky told its customers: "Please disable the web AV component of your protection policy for your managed computers."

It then told them to go to the repositories section, download an update and re-enable the protection.

Repair jobs

The company issued a statement, apologising "for any inconvenience caused by this database update error".

"Actions have been taken to prevent such incidents from occurring in the future," it said.

Dorset-based IT consultant Graham Lord wrote on the micro-blogging site Twitter: "Bravo on breaking the internet on all your XP clients.

"Your update just set back one of my repair jobs by a day's work."

But Spain-based security blogger David Barroso tweeted: "So Kaspersky QA [quality assurance] team failed with this update but they quickly released a fix, which it is something good."

Keeping Windows XP Just Got More Dangerous

Windows XP Security Just Got Worse Again

(Steve Ranger @ ZDNet) Here’s another reason to upgrade that old Windows XP PC: Microsoft has now stopped providing antivirus signatures for the out-of-support operating system.

Even after support for the venerable OS ended in April last year, Microsoft continued to provide its malicious software removal tool and updates to Microsoft Security Essentials - that is, until yesterday.

It has not been possible to download Microsoft Security Essentials for Windows XP since the end of support, but PCs with it already installed have been receiving anti-malware signature updates for the last 16 months. Because the malicious software removal tool is connected with the company’s anti-malware engine and signatures, that has also remained working.

Microsoft has stressed that the two tools were never enough to defend the ageing OS, warning: “Any PC running Windows XP after April 8, 2014 should not be considered protected as there will be no security updates for the Windows XP operating system.”

“We strongly recommend that you complete your migration to a supported operating system as soon as possible so that you can receive regular security updates to help protect your computer from malicious attacks,” the company said.

Some companies are simply moving away from Microsoft altogether!

Windows XP was launched way back in 2001 and has remained a firm favourite with businesses and consumers since. Indeed, getting them to upgrade to later versions of Windows has been something of a headache. The US Navy recently paid out $9m for an extended support deal, and data from NetMarketShare suggests as many as 12 percent of PCs accessing the internet are still running XP.

Security expert Graham Cluley said: “My best recommendation to you is to stop using Windows XP entirely, especially if your XP computer is connected to the internet. Simply finding an alternative antivirus to run on Windows XP can only be considered a stop-gap, as the updates will not continue indefinitely.”

Know Your Online Rights

The Internet enables us to improve communication, erase physical barriers, and expand our education. Its absorption into our society has been extraordinary.  It touches nearly every part of our lives from how we apply for jobs and where we get our news, to how we find friends.  A few Web sites have virtually replaced some things, like the encyclopedia and the phone book. 

But with acceptance comes a decrease in skepticism.  You may assume that the same laws or societal rules that protect your privacy in the physical world apply to the digital world as well.  But the Internet remains largely unregulated and the policies governing it underdeveloped.  Laws concerning online privacy are still being developed.

To date, the U.S. Supreme Court largely has taken a hands-off approach to regulating the Internet and online privacy in favor of free speech.  However, the federal government is increasingly interested in regulating the Internet, for example through child pornography and gambling laws.  One important thing to keep in mind when relying on the law to protect you is that if U.S. law is broken in another country, prosecuting the criminal may prove difficult or impossible.

Knowing how to navigate the Internet safely is essential to maintaining your privacy online.

1: What Internet Activities Reveal My Personal Information?

When you are online, you provide information to others at almost every step of the way.  Often this information is like a puzzle that needs to be connected before your picture is revealed.  Information you provide to one person or company may not make sense unless it is combined with information you provide to another person or company.  Below is a summary of the more common ways you give information to others when using the Internet.

Signing up for Internet service

If you pay for the Internet yourself, you signed up with an Internet Service Provider (ISP). Your ISP provides the mechanism for connecting your computer to the Internet. There are thousands of ISPs around the world offering a variety of services.

Each computer connected to the Internet, including yours, has a unique address, known as an IP address (Internet Protocol address). It takes the form of four sets of numbers separated by dots, for example: 123.45.67.890. It’s that number that actually allows you to send and receive information over the Internet.  Depending upon your type of service, your IP address may be "dynamic", that is, one that changes periodically, or "static", one that is permanently assigned to you for as long as you maintain your service.

Your IP address by itself doesn’t provide personally identifiable information. However, because your ISP knows your IP address, it is a possible weak link when it comes to protecting your privacy.  ISPs have widely varying policies for how long they store IP addresses.  Unfortunately, many ISPs do not disclose their data retention policies.  This can make it difficult to shop for a “privacy-friendly” ISP.

E-mail and list-serves

E-mail. When you correspond through e-mail you are no doubt aware that you are giving information to the recipient. You might also be giving information to any number of people, including your employer, the government, your e-mail provider, and anybody that the recipient passes your message to.  The federal Electronic Communications Privacy Act (ECPA) makes it unlawful under certain circumstances for someone to read or disclose the contents of an electronic communication (18 USC § 2511).

But the ECPA is a complicated law and contains many exceptions.  The ECPA makes a distinction between messages in transit and those stored on computers. Stored messages are generally given less protection than those intercepted during transmission. Here are some exceptions to the ECPA:

  • The ISP may view private e-mail if it suspects the sender is attempting to damage the system or harm another user. However, random monitoring of e-mail is generally prohibited.
  • The ISP may legally view and disclose private e-mail if either the sender or the recipient of the message consents to the inspection or disclosure. Many ISPs require a consent agreement from new members when signing up for the service.
  • If the e-mail system is owned by an employer, the employer may inspect the contents of employee e-mail on the system. Therefore, any e-mail sent from a business location is probably not private. Several court cases have determined that employers have a right to monitor e-mail messages of their employees. (See PRC Fact Sheet 7 on employee monitoring, www.privacyrights.org/fs/fs7-work.htm.)
  • Services may be required to disclose personal information in response to a court order or subpoena.  A subpoena may be obtained by law enforcement or as part of a civil lawsuit.  The government can only get basic subscriber information with a subpoena.  The government needs a search warrant to get further records.  A subpoena as part of a private civil lawsuit may disclose more personal information. 
  • The USA PATRIOT Act, passed by Congress after the terrorist attacks of September 11, 2001, and amended in 2006, makes it easier for the government to access records about online activity.  In an effort to increase the speed with which records are acquired, the Act eliminates much of the oversight provided by other branches of the government.  It also expands the types of records that can be sought without a court order.  For additional information about the USA PATRIOT Act, visit the Web sites of the American Civil Liberties Union, www.aclu.org, the Center for Democracy and Technology, www.cdt.org, the Electronic Frontier Foundation, www.eff.org, and the Electronic Privacy Information Center, www.epic.org.

In U.S. v Warshak (decided December 14, 2010), the Sixth Circuit Court of Appeals ruled that although an ISP has access to private e-mail, the government must obtain a search warrant before seizing such e-mail. The issue that the court dealt with in this case was the expectation of privacy that is afforded to e-mail hosted on a remote server.  The court stated:

Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection.... It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve....

The decision is particularly important to the extent that it could spur Congress to update the federal statutes that, in some cases, do allow warrantless searches of e-mail.

E-mail discussion lists and list-serves. When participating in online discussion groups, which are sometimes called "list-serves," remember that either the sender or the recipient can consent to the inspection or disclosure of the e-mail.  Additionally, if you are concerned about junk e-mail, forwarded messages, or other unsolicited mail, you should note that you are giving your e-mail address to numerous people.

On many of these discussion lists, the e-mail addresses of members are readily available, sometimes on the e-mails sent and often through the group’s Web site. Although a subscription and sometimes a password is required to use the list, there’s nothing to prevent another member of the list from collecting and distributing your e-mail address and any other information you post. In addition, some message boards and list-serves may be archived.

Browsing the Internet

Browsers.  Although it may not seem like you are giving very much information, when you browse the Internet you are relaying personal information to Web sites.  Your browser likely provides your IP address and information about which sites you have visited to Web site operators.  As you move from site to site online, numerous companies utilize sophisticated methods to track and identify you.  The Web Privacy Census measures trends in internet tracking at the 25,000 most popular websites. 

Almost all browsers give you some control over how much information is kept and stored. Generally, you can change the settings to restrict cookies and enhance your privacy. Note that if you choose a high privacy setting, you may not be able to use online banking or shopping services.  Most major browsers now offer a "Private Browsing" tool to increase your privacy.  However, researchers have found that "Private Browsing" may fail to purge all traces of online activity.  Many popular browser extensions and plugins undermine the security of "Private Browsing" (see http://crypto.stanford.edu/~dabo/pubs/abstracts/privatebrowsing.html).

Search engines. Most of us navigate the Internet by using search engines. Search engines have and use the ability to track each one of your searches. They can record your IP address, the search terms you used, the time of your search, and other information.  We encourage you to closely review your search engine's privacy policy.

You may also inadvertently reveal information through your search strings.  For example, you might do a search to determine if your Social Security number appears on any Web sites.  You might enter the search terms "Jane Doe 123-45-6789."  The Google search string might look like this: http://www.google.com/#hl=en&source=hp&q=Jane+Roe+123-45-6789&btnG=Googl... Retention of that search string would mean that your search engine has a record of your name and Social Security number.
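The sample search string above carries the terms after a `#`, so a check that reads only the `?query` part would miss them. The following added example (not part of the original fact sheet) redacts Social Security-shaped values from both the query string and the fragment before a URL is written to a history export or proxy log; `search.example` and the sample URLs are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# SSN-shaped token AAA-GG-SSSS; separators may be "-", " " or absent.
_SSN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
MARK = "[SSN-REDACTED]"

# Constructed history/proxy-log entries; search.example is a placeholder host.
SAMPLE_URLS = [
    "http://search.example/#hl=en&source=hp&q=Jane+Roe+123-45-6789",
    "http://search.example/search?q=Jane+Roe+123-45-6789&hl=en",
    "http://search.example/search?q=pizza+near+me",
    "http://search.example/search?q=part+number+000-12-3456",
]


def _plausible(match):
    """Reject values never issued: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = match.groups()
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def _redact_text(text):
    """Replace plausible SSN-shaped tokens; return (new_text, hit_count)."""
    hits = 0

    def repl(match):
        nonlocal hits
        if not _plausible(match):
            return match.group(0)
        hits += 1
        return MARK

    return _SSN.sub(repl, text), hits


def _redact_component(component):
    """Redact a query string or fragment; returned untouched if nothing matched."""
    if "=" not in component:
        # Plain fragment such as "section-2": scan it as raw text.
        return _redact_text(component)
    total, pairs = 0, []
    for key, value in parse_qsl(component, keep_blank_values=True):
        value, hits = _redact_text(value)
        total += hits
        pairs.append((key, value))
    if total == 0:
        return component, 0
    return urlencode(pairs, safe="[]"), total


def scrub_url(url):
    """Return (url_with_ssn_like_values_redacted, number_of_redactions)."""
    parts = urlsplit(url)
    query, q_hits = _redact_component(parts.query)
    fragment, f_hits = _redact_component(parts.fragment)
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))
    return cleaned, q_hits + f_hits


if __name__ == "__main__":
    for entry in SAMPLE_URLS:
        print(scrub_url(entry))
```

Because separators are optional, any plausible nine-digit number is redacted too; that over-matching is the safer failure for a log scrubber.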

Major search engines have said they need to retain personal data, in part, to provide better services, to thwart security threats, to keep people from gaming search ranking results, and to combat click fraud scammers. However, major search engines often have retained this data for over a year, seemingly well beyond the time frame necessary to address these concerns. Some search engines have reduced the time that they retain users' IP addresses. Major search engines delete or anonymize IP addresses according to the following schedule:

  • Yahoo: 18 months
  • Bing (formerly MSN/Windows Live): 6 months
  • Google: 9 months

Startpage (www.startpage.com), a search engine operated by Ixquick, based in The Netherlands, does not record users’ IP addresses at all.  The privacy policy was created partially in response to fears that if the company retained the information, it would eventually be misused. The company concluded, “If the data is not stored, users' privacy can't be breached.”  Startpage will remove all identifying information from your query and submit it anonymously to Google.

Online Privacy Tip:  It's a good idea to avoid using the same web site for both your web-based email and as your search engine.  Web email accounts will always require some type of a login, so if you use the same site as your search engine, your searches can be connected to your email account.  By using different web sites for different needs -- perhaps Yahoo for your email and Google for your searches -- you can help limit the total amount of information retained by any one site.  Alternatively, log out of your email and clear your browser's cookies (see Cookies below) before going to other sites, so that your searches and browsing are not connected to your email address.

Online Privacy Tip:  Avoid downloading search engine toolbars (for example, the Google toolbar or Yahoo toolbar). Toolbars may permit the collection of information about your web surfing habits.  Watch out that you do not inadvertently download a toolbar when downloading software, particularly free software.

Online Privacy Tip:  Google combines information about you from most of its services, including its search engine, Gmail, and YouTube.  Be sure to disable automatic sign-ins by following the instructions at http://support.google.com/accounts/bin/answer.py?hl=en&answer=39273.  Also be sure to clear your browser's cache and cookies by following the instructions at http://support.google.com/accounts/bin/answer.py?hl=en&answer=32050.  While you must be signed in to access Gmail, most Google services can be used without being signed in to your account.

For more information on search engines you can read:

Cookies. When you visit different Web sites, many of the sites deposit data about your visit, called "cookies," on your hard drive. Cookies are pieces of information sent by a Web server to a user's browser. Cookies may include information such as login or registration identification, user preferences, online "shopping cart" information, and so on. The browser saves the information, and sends it back to the Web server whenever the browser returns to the Web site. The Web server may use the cookie to customize the display it sends to the user, or it may keep track of the different pages within the site that the user accesses.

For example, if you use the Internet to complete the registration card for a product, such as a computer or television, you generally provide your name and address, which then may be stored in a cookie.  Legitimate Web sites use cookies to make special offers to returning users and to track the results of their advertising. These cookies are called first-party cookies.

However, there are some cookies, called third-party cookies, that communicate data about you to an advertising clearinghouse which in turn shares that data with other online marketers. These third-party cookies include "tracking cookies" which use your online history to deliver other ads.  Read more about tracking cookies at http://www.pcworld.com/printable/article/id,257603/printable.html.

Your Web browser and some software products enable you to detect and delete cookies, including third-party cookies. For illustrated instructions on how to delete cookies in popular web browsers, read http://www.pcworld.com/article/242939/how_to_delete_cookies.html.  You can also download a Windows PC cleaning tool such as CCleaner at http://www.piriform.com/ccleaner.

You can also opt-out of the sharing of cookie data with members of the Network Advertising Initiative by going to www.networkadvertising.org/consumer/opt_out.asp.

Flash cookies. Many websites have begun to utilize a new type of cookie called a "flash cookie" (sometimes also called a "supercookie") that is more persistent than a regular cookie.  Normal procedures for erasing standard cookies, clearing history, erasing the cache, or choosing a delete private data option within the browser will not affect flash cookies.  Flash cookies thus may persist despite user efforts to delete all cookies.  They cannot be deleted by any commercially available anti-spyware or adware removal program.  However, if you use the Firefox browser, there is an add-on called "BetterPrivacy" that can assist in deleting flash cookies: https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/.

During July and August 2010, three class action lawsuits were filed against several companies for their use of flash cookies.  These companies are alleged to have knowingly tracked users in a way that was not adequately disclosed in their privacy policies.  Defendants include major media companies (MySpace, ABC, ESPN, Hulu, MTV, NBC Universal, Disney, and Warner Brothers) and online advertising companies (Quantcast, Specificmedia, and Clearspring).  http://www.zdnet.com/blog/btl/ad-network-at-center-of-third-flash-cookie-lawsuit/38346.  The lawsuits were settled in June 2011.  Under the terms of the settlement, the defendants will cease respawning cookies and amend their privacy policies.  They also paid a $3.2 million monetary settlement.  http://www.privacyandsecuritymatters.com/2011/06/court-approves-settlement-of-flash-cookie-class-action/.

For more information about flash cookies you can download UC Berkeley School of Law's paper entitled "Flash Cookies and Privacy" at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862 and "Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning" at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1898390.

Fingerprints.  A device fingerprint (or machine fingerprint) is a summary of the software and hardware settings collected from a computer. Each computer has a different clock setting, fonts, software and other characteristics that make it unique. When a computer goes online, it broadcasts these details to other computers that it communicates with. These details can be collected and pieced together to form a unique "fingerprint" for that particular device. That fingerprint can then be assigned an identifying number, and used for similar purposes as a cookie. 

Fingerprinting could eventually replace the cookie as the primary means of tracking computers. Tracking companies are embracing fingerprinting because it is tougher to block than cookies. Cookies are subject to deletion and expiration, and are rendered useless if a user decides to switch to a new browser.

You can test your browser to see how unique it is based on the information that it will share with the sites that you visit. Panopticlick will give you a uniqueness score, letting you see how easily identifiable you might be as you surf the web. A paper reporting the statistical results of Panopticlick submissions, titled "How Unique Is Your Browser?", explains the degree to which modern web browsers are subject to "device fingerprinting" through the information that they transmit to websites upon request.

Unfortunately, fingerprinting is generally invisible, difficult to prevent, and semi-permanent. There's no easy way to delete fingerprints that have been collected. Computer users determined to prevent fingerprinting can block JavaScript on their computer. However, some parts of a website (for example, video and interactive graphics) may not load, resulting in a blank space on the webpage. One way to block JavaScript is to use the Firefox browser with the “add-on” program called NoScript, available at http://noscript.net/getit. The combination of Firefox and NoScript can stop JavaScript on websites.

Interactive use: Instant messages (IM) and social networks

Instant messages (IM).  IM conversations have a feel of casualness about them, which can lead some to let down their guard.  Although seemingly informal, IM conversations can be archived, stored, and recorded on your computer as easily as e-mails.

The rule that "delete does not mean delete" applies to IM conversations as well as e-mail. Virtually all IM programs have the ability to archive and the IM program may automatically turn this feature on. Archiving IM conversations simply means saving the conversation in a text file just like you would any other file, such as a Word document.  Some of these IM programs automatically save your chats unless you select otherwise.

It is important to realize that your conversation can be saved onto a computer even if only one person agrees. When you are talking to a person over IM, they do not need to tell you if they are recording and saving your conversation. If you want to make sure that your Google Talk conversation partner is not saving your chat on their computer you can select the feature called "off the record."

Similar to e-mail, workplace IM can be monitored by your employer.  More on workplace monitoring can be found in our Fact Sheet 7, www.privacyrights.org/fs/fs7-work.htm.

IM has become a new target for spammers.  “Spim” usually involves get-rich-quick scams or pornography.  Often the spimmer will include a link in the message, which could cause spyware to be installed on your computer if you click on the link.  You can reduce your exposure to spim by adjusting your IM account to only allow messages from specified people.

Social networks.  Online social networks are websites that allow users to build connections and relationships to other Internet users. Social networks store information remotely, rather than on a user’s personal computer. Social networking can be used to keep in touch with friends, make new contacts and find people with similar interests and ideas. These online services have grown in popularity since they were first adopted on a large scale in the late 1990s.

Many people besides friends and acquaintances are interested in the information people post on social networks.  Identity thieves, scam artists, debt collectors, stalkers, and corporations looking for a market advantage are using social networks to gather information about consumers.  Companies that operate social networks are themselves collecting a variety of data about their users, both to personalize the services for the users and to sell to advertisers. 

Our Fact Sheet 35, Social Networking Privacy: How to be Safe, Secure and Social, provides information about the advantages and disadvantages of using social networks, what kind of information may be safe to post and how to protect it, as well as who is able to access different types of information posted to these networks.

Personal Web sites and blogs

Domain names. Many individuals obtain their own Web site address or URL (Uniform Resource Locator), called a domain name. For example, our domain name is www.privacyrights.org. Individuals may use their own name or a variant, such as www.johndoe.com.  Domain registrations are public information unless you pay an additional fee to make your domain name private. (Search on private domain registration to find providers of this service.)

Anyone can look up the owner of a domain name online by using a service such as www.domainwhitepages.com or www.internic.net/whois.html.  To see how easy it is to find out who owns a Web address, use one of these services to check our domain name, privacyrights.org.

If you set up your own Web site, you will need to provide an address where the registration service can reach you. You may be able to use a P.O. Box which would reduce the amount of information someone sees if they look up your domain name.  In addition you may want to choose an e-mail account that does not reveal unnecessary information, such as where you attend school. An e-mail address from a free Webmail service might be preferable to one with a .edu domain for example. 

Blogs.  Web logs, or “blogs,” are journals (or newsletters) that are frequently updated and intended for general public consumption. Depending on the service you use to post your blog, your private information may be available. Generally blog services will allow you at least some control over how much personal information you make public. Read the service agreement carefully to determine exactly what is required and what will be revealed.

Most blogs also allow comments by readers. Although some allow you to comment anonymously, others require registration and at least an e-mail address. Consider carefully how much information you’re willing to give and if you want your personal information linked to your comments or posts forever.  Most blogs will record your IP address, which may enable them to determine your identity.  In addition, if the blog has placed a cookie on your computer, it may be able to associate your post with other comments that you have made.

In addition to information you may be providing through signing up for the blog, the contents of your blog are published for everyone, including employers, to see.  There have been reports of employers firing employees for blogging.  The content does not even necessarily have to be about the employer. 

Online Privacy Tip:  Determine who you want your audience to be.  If you are writing only for friends and family consider making your blog accessible only by password.  Using a pseudonym can help hide your identity, but if your blog becomes popular people may try to uncover your true identity.  To limit this possibility you can keep Google and other search engines from listing your blog.  To find out how and for other tips, read the Electronic Frontier Foundation’s (EFF) tips on safe blogging, available at www.eff.org/Privacy/Anonymity/blog-anonymously.php.  EFF has also written a free legal guide for bloggers, at www.eff.org/bloggers/lg.

Managing your financial accounts and online banking

Being able to check your balances, transfer money between accounts, pay your bills, and track your checks online is a great convenience. But online banking requires you to transmit a lot of sensitive information over the Internet. While it makes sense for the bank to have that information, you don’t want anyone else to get it.

Most banks and other financial institutions use a system of passwords and encryption to safeguard your information.  Be sure to use a different password for online banking (and for any other online financial accounts) than you use on any other website. Make sure that your password is random and cannot be easily guessed.  See PRC's Alert "10 Rules for Creating a Hacker-Resistant Password".

Make sure that any computer used for managing your financial account has an up-to-date operating system, firewall, and software (including antivirus and anti-malware programs).  Otherwise, your login credentials could be stolen.  Read more about maintaining your computer's security in PRC's Fact Sheet 36, "Securing Your Computer to Maintain Your Privacy".

Never log in to your financial accounts from a public computer.  Keyloggers or other malware could steal your login credentials.  Likewise, it's not a good idea to log in from a public Wi-Fi hotspot, since your communications might be intercepted. Read more about Wi-Fi safety at https://www.privacyrights.org/fs/fs36-securing-computer-privacy.htm#wifi.

When managing your financial accounts online, be careful that you are giving your information to the proper institution.  Many fraudulent sites have been set up to look like the real thing.  Beware of “phishing” e-mails, which typically ask you to update your account information, but are really looking to steal your personal information. Never respond to unsolicited requests for passwords or account numbers, no matter how realistic they look.

Consumer (but not business) bank accounts generally are protected by the Electronic Funds Transfer Act, which limits consumer losses for online theft to $50, as long as the consumer reports the loss within 60 days after the fraudulent transfer appears on the statement.  Your rights are explained in more detail at http://www.bankrate.com/finance/savings/could-bank-hackers-steal-your-money-1.aspx.

Each bank has its own privacy policy. It’s up to you to determine if that policy meets your needs. Some banks will share some of your information with others for marketing purposes unless you specifically notify them not to. Generally this is referred to as an “opt out” option.  To read more about these options and financial privacy, check out Fact Sheet 24: Protecting Financial Privacy in the New Millennium: The Burden Is on You, available at www.privacyrights.org/fs/fs24-finpriv.htm.

For additional tips on how to bank online safely, see http://www.fdic.gov/bank/individual/online/safe.html and http://www.us-cert.gov/reading_room/Banking_Securely_Online07102006.pdf.

2: How Do Others Get Information about Me Online?

Marketing

The Internet can be useful to businesses for marketing purposes.  Through the Internet, businesses can sell and communicate with customers.  The Internet also allows businesses to identify and learn about their customer base. 

Additionally, many customers expect that a company they interact with in the physical world will also have an online presence.  What consumers may not be aware of is how all of these purposes interact.  When a business meets your need of having a Web site with store hours and directions, it may also meet its own need of determining how many customers may want to go to a particular store branch.

Web bugs. Many Web sites use Web bugs to track who is viewing their pages.  A Web bug (also known as a tracking bug, pixel tag, Web beacon, or clear gif) is a graphic in a Web site or a graphic-enabled e-mail message.  The Web bug can confirm when the message or Web page is viewed and record the IP address of the viewer.

An example you might be familiar with is an electronic greeting card.  Hallmark and other companies allow you to request that you be notified when the recipient views your card.  The Web sites likely employ Web bugs to tell them when the recipient viewed the card.

Unfortunately, users have little control over the data collection by Web bugs on most sites. Furthermore, Web bugs placed by third-parties are not governed by a web site's privacy policy. For more information about Web bugs, see http://knowprivacy.org/web_bugs_recommendations.html and http://knowprivacy.org/web_bugs.html.

Online Privacy Tip: You can defeat e-mail Web bugs by reading your e-mail while offline, an option on most e-mail programs.  Some e-mail systems avoid Web bugs by blocking images that have URLs embedded in them.  You might have seen the message “To protect your privacy, portions of this e-mail have not been downloaded.”  This message refers to Web bugs.  You can choose to allow these images to be downloaded, but they likely contain Web bugs.
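The image blocking described in the tip above can be sketched as follows. This is an added example, not code from the fact sheet or from any mail program: it rewrites an HTML message so remote `<img>` sources are not fetched and reports which ones look like Web bugs (1x1 or hidden). The sample message and the `cards.example` and `track.example` hosts are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one visible remote image, one inline (cid:) image,
# a 1x1 "clear gif" with a per-recipient ID, and a hidden remote image.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Your e-card has arrived &amp; is waiting.</p>
<img src="https://cards.example/img/banner.png" width="600" height="120" alt="Banner">
<img src="cid:logo@cards.example" width="80" height="80" alt="Logo">
<img src="https://track.example/open.gif?rcpt=8f3a2c" width="1" height="1" alt="">
<img src="//track.example/o.gif?u=8f3a2c" style="display: none">
</body></html>
"""

_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class RemoteImageBlocker(HTMLParser):
    """Re-emit the HTML with remote <img> sources disabled, recording each one."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.findings = []

    def _emit(self, tag, attrs, closing):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + closing + ">")

    def _start(self, tag, attrs, closing):
        if tag == "img":
            a = dict(attrs)
            src = a.get("src") or ""
            url = urlsplit(src)
            # http(s) and protocol-relative URLs are remote; cid: and data: are not.
            if url.scheme in ("http", "https") or url.netloc:
                small = _tiny(a.get("width")) and _tiny(a.get("height"))
                hidden = bool(_HIDDEN.search(a.get("style") or ""))
                self.findings.append({
                    "host": url.hostname,
                    "has_query": bool(url.query),
                    "likely_web_bug": small or hidden,
                })
                # Keep the URL for a later "show images" action, but under an
                # attribute name the renderer will not fetch.
                attrs = [(n, v) for n, v in attrs if n not in ("src", "srcset")]
                attrs.append(("data-blocked-src", src))
        self._emit(tag, attrs, closing)

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, "")

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def block_remote_images(html_body):
    """Return (html_with_remote_images_blocked, findings)."""
    parser = RemoteImageBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.findings


if __name__ == "__main__":
    safe_html, found = block_remote_images(SAMPLE_EMAIL_HTML)
    for finding in found:
        print(finding)
    print(safe_html)
```

Only `<img>` elements are handled here; remote content loaded through CSS backgrounds or other tags would need the same treatment.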

Direct marketing.  Consumers may notice that online newspapers and other businesses have boxes asking you if the Web site can save your account information for future transactions.  Whether it asks you for permission to save your information or not, you can bet that your information is being stored and used by the marketing department. 

Web sites have increased their use of direct marketing.  Direct marketing is a sales pitch targeted to a person based on prior consumer choices.   For example, Amazon may recommend books that are similar to others you have purchased.

Another example is Google’s e-mail service, Gmail.  Gmail scans incoming e-mails and places relevant advertisements next to the e-mail.  For example, if your grandmother sends you an e-mail with a chicken noodle soup recipe, when you open your inbox you can read your grandmother’s e-mail and also see advertisements for www.cooks.com or Chicken Little stuffed animals. If your recipient uses Gmail, Google will scan your message and provide advertisements to the recipient even if you, the sender, do not use Gmail.

Use of your information for marketing is not limited to companies you do business with.  Many companies sell or share your information to others.  If you sign up for a free magazine subscription, the company may share your information with affiliates.  This is similar to what happens with traditional junk mail, but since you have entered the information yourself into an electronic system, sharing with other businesses can be done rapidly and cheaply. 

To avoid spam laws, most Web sites ask your permission to send you future information and offers.  However, this permission is often presumed and the permission box already checked.  To avoid the use of your information this way, always uncheck boxes that state that you agree to receive periodic offers and information.

Behavioral marketing or targeting refers to the practice of collecting and compiling a record of individuals' online activities, interests, preferences, and/or communications over time. Companies engaged in behavioral targeting routinely monitor individuals, the searches they make, the Web pages they visit, the content they view, their interactions on social networking sites, the content of their emails, and the products and services they purchase.  Further, when consumers are using mobile devices, even their physical location may be tracked. This data may be  compiled, analyzed, and combined with information from offline sources to create even more detailed profiles.

Marketers can then use this information to serve advertisements to a consumer based on his or her behavioral record. Ads may be displayed based upon an individual's web-browsing behavior, such as the pages they have visited or the searches they have made. Advertisers believe that this may help them deliver their online advertisements to the users who are most likely to be influenced by them.

Behavioral information can be used on its own or in conjunction with other forms of targeting based on factors like geography or demographics. Marketers have developed an array of sophisticated data collection and profiling tools which monitor and analyze our online activity.

Typically, behavioral targeting will place a cookie (a file that tracks users as they visit various sites) on the user’s computer. The cookie might link the user to categories based on the content of the pages they visit. For example, a user may be pegged as a golfer, a reader of mystery novels, or someone interested in taking a vacation in Las Vegas. The cookie can then be used to show people ads that are relevant to their interests, regardless of the sites they are visiting. Google, Microsoft, and Yahoo all engage in some form of behavioral targeting.

For more information about cookies, and how to delete them, read the section entitled "Cookies" at www.privacyrights.org/fs/fs18-cyb.htm#Browsing.

Behavioral marketing is much more sophisticated than so-called “contextual marketing,” by which marketers target users with ads that are served based solely upon a given Web page's content.  In February 2009, the Federal Trade Commission (FTC) issued a report, “Self-Regulatory Principles for Online Behavioral Advertising.” The report is available at www.ftc.gov/os/2009/02/P085400behavadreport.pdf. The report examines behavioral marketing and proposes principles to govern industry self-regulatory efforts. The FTC’s principles generally provide for:

  1. transparency and consumer control;
  2. security and limited data retention for consumer data;
  3. affirmative express consent for material changes to existing privacy promises; and
  4. affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising.

Examining these principles, the key issue concerns how online advertisers can best protect consumers' privacy while collecting information about their online activities. The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and the personalization that many consumers appear to value.

The FTC report also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected - including sensitive information regarding health, finances, or children - could fall into the wrong hands or be used for unanticipated purposes.

In March 2012, the FTC issued a report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. In the report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, the FTC also recommended that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.

The March 2012 FTC report calls on companies handling consumer data to implement recommendations for protecting privacy, including:

  • Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy
  • Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities
  • Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.

Most privacy advocates believe that self-regulatory principles are weak and are not likely to result in meaningful protection for consumers. According to the World Privacy Forum (WPF), self-regulation has been a proven failure. www.worldprivacyforum.org/pdf/WPF_FTCcomments04112008fs.pdf. The WPF published a report documenting and analyzing various issues regarding the current self-regulatory regime. www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf.

Online Privacy Tip: You can visit www.privacychoice.org to opt out of tracking cookies from dozens of behavioral tracking networks. Tracking companies that offer an opt out provide a cookie that tells their systems not to record your behavior when your browser communicates with their servers.  Instead of visiting each individual network to opt out, the PrivacyChoice site will collect opt-out cookies in your browser from the participating tracking networks.  If you use the Firefox browser, the PrivacyChoice add-on can tell when cookies are deleted from your browser, and in that event it re-writes all of the opt-out cookies.

Official use: Court records / employers / government (law enforcement and foreign intelligence)

Court records.  When you file a lawsuit for divorce or are a party to a civil lawsuit or criminal case, court records are accessible to the public.  As the government increasingly moves to eliminate paper records in favor of electronic records, your personal information could end up on the Internet.

There are two ways public records are accessible electronically. Some jurisdictions post them on their government Web sites, thereby providing free or low-cost access to records. Government agencies and courts also sell their public files to commercial data compilers and information brokers. They in turn make them available either online or through special network hookups. The following are examples of public records containing personal information that may be available (availability may vary from state to state):

  • Property tax assessor files. Typical records contain name of owner, description of property, and the assessed value for taxation purposes. Some systems even provide blueprints and photographs of the property.
  • Motor vehicle records. Registration, licensing, and driver history information
  • Registered voter files
  • Professional and business licenses
  • Court files
  • Case indexes
  • Tax liens and judgments
  • Bankruptcy files
  • Criminal arrest and conviction records, and warrants
  • Civil court recordings
  • Registered sex offenders

You should also be aware that old newspaper articles are often available online.  One potential risk is that an article containing inaccuracies about you may be found, but a corresponding correction or later article will not be readily apparent. 

Employers. Individuals who access the Internet from work should know that employers are increasingly monitoring the Internet sites that employees visit.  Be sure to inquire about your employer's online privacy policy. If there is none, recommend that such a policy be developed. If you are unsure of what the policy is or if there is no policy, assume everything you do on your work computer is being monitored.  In most states there is no law requiring your employer to tell you if it monitors e-mail or Internet usage.  In Delaware and Connecticut, an employer must advise employees in a “conspicuous manner” that monitoring is occurring.  In Connecticut there is a limited exception for investigations of illegal activity. 

Government.  The government may want your personal information for law enforcement purposes as well as for foreign intelligence investigations.  Various laws govern these procedures.  Below is an overview of some of the ways the government may obtain your personal information.  Many of the laws are in flux and are being reinterpreted.  Additionally, news reports have alleged that the National Security Agency has been wiretapping phone calls and e-mails without specific statutory authority.  The legal implications of this program are unclear at this time.   

Law enforcement access.   Law enforcement generally can access your electronic communications and records in two ways: through wiretapping or through subpoena.

The Electronic Communications Privacy Act of 1986 (ECPA) provides some protection against government access to email and other online activities.  ECPA is a difficult law to understand and apply, because the law relies upon outdated practices and technology.  ECPA does reflect a legislative recognition that some Internet activities deserve protection.  The difficulty is figuring out to which Internet activities these protections apply.  Case law continues to address the proper application of ECPA.

Law enforcement can also use a pen/trap tap to get the following information from your ISP:

  • e-mail header information other than the subject line,
  • your IP address,
  • the IP address of computers you communicate with, and
  • possibly a list of all Web sites you visit. 

A pen/trap is defined in the Patriot Act as “a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication.” To read more on the definition go to www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00003127----000-.html.  In order to use a pen/trap wiretap, law enforcement only needs to establish that such information is relevant to an ongoing investigation.  This is a lower standard than the probable cause standard required for a search warrant.

To learn more about how the Patriot Act has expanded the power of the government and law enforcement, go to the ACLU’s Web site at  www.aclu.org/safefree/general/17326res20030403.html.

The Electronic Frontier Foundation examined the policies of 18 major Internet companies (including email providers, ISPs, cloud storage providers, and social networking sites) to assess how well they publicly commit to standing with users when the government seeks access to user data.  Read their report When the Government Comes Knocking, Who Has Your Back? (May 2012) for details.

Foreign intelligence investigations. Under the Foreign Intelligence Surveillance Act of 1978 (FISA) the government is supposed to get a search warrant from a secret court for this type of surveillance.  The government is required to show that the target of the surveillance is a foreign power or the agent of a foreign power.  

Illegal activity and scams

Criminals can capture your information online in various ways, but one distinguishing factor is that in some cases you give them the information yourself. And sometimes criminals use technology to steal your personal information without your knowledge.  It is important to recognize that theft occurs both ways.   Even if you pride yourself on being wary of scams and never give your personal information to strangers, you should not overlook security steps for your computer.

Increasingly these activities may lead to financial losses.  Losing money from computer crime can be especially devastating because often it is very difficult to get the money back.  Because of the remote nature of the Internet, computer crime presents at least three challenges: (1) locating the criminal, (2) finding a court having jurisdiction, and (3) collecting the money.  In fact many cyber criminals operate in other countries.  Although law enforcement is becoming increasingly aware of computer crime, you should largely rely on yourself for protection. 

Many of these scams are complicated, and criminals are always likely to come up with new tricks to stay ahead of the law.  If you are buying over the Internet or setting up online accounts, be aware that these risks are out there. 

Shopping online.  Use a credit card for online financial transactions.  Debit cards do not provide as much protection from fraud as credit cards. If a criminal uses your debit card, your entire checking account can be wiped out.  With a credit card you are able to see the charges before you pay for them, which gives you an opportunity to dispute the charges. 

When you provide your credit card account number to a shopping site, you want to be sure that the transmission is secure. Look for the unbroken padlock at the bottom right of the screen.  You can right click on the padlock to make sure the security certificate is up-to-date.  If it is not, you should not order from that Web site.  Also make sure the Web address has the letter 's' after http in the address bar at the top of the page.  The ‘s’ indicates that your financial information will be encrypted during transmission.  For additional online shopping tips, read the PRC's e-commerce guide at www.privacyrights.org/fs/fs23-shopping.htm.

Online auctions.  Online auction fraud takes many forms.  Some forms of fraud are difficult to avoid, while others can be avoided by taking smart precautions.  Fraud can occur when the seller doesn’t ship what was bought or the product is not as good as promised.  This type of fraud can be frustrating and hard to avoid.  Buyers should pay close attention to fraud alerts posted by the online auction companies.  If you pay with a credit card, your credit card company may be able to reimburse you for the fraud. 

Never use a wire transfer to pay for something from an online auction site.  The FTC issued an alert warning about the dangers of wire transfers.  The full alert is available at www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt169.pdf.

Fraud also occurs when a buyer sends a seller a check for more than the amount of the product and asks the seller to wire the buyer the difference.  This fraud can be particularly devastating.  As the FTC points out in its alert, once you wire money it is virtually impossible to get the money back – even in the event of fraud. 

To protect yourself, never accept a check for more than the cost of the product.  Even if the bank “clears” your check and deposits the funds in your account, that does not mean the check is legitimate.  If it turns out the check is fraudulent, your bank will expect you to cover the funds that were put into your account. Consumers who suspect an online auction transaction is fraudulent should report it to the FTC at www.ftc.gov and to the auction company.

Nigerian 419 letters. Nigerian 419 letters, also called advance-fee scams, are sent via e-mail to millions of people.  The letters typically relay a story of a foreign person who has inherited a windfall of money, but needs help in getting the money out of the country.  The sender offers the recipient a share of the money for help in transferring the money.   The assistance required is usually to front money to pay for "taxes," "attorneys costs," "bribes," or "advance fees."  Although this scam sounds far-fetched, the FBI reports that the average financial loss from these scams is $3,000.  The FTC has an alert warning of these scams at www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt117.shtm.  You can also find information at www.lookstoogoodtobetrue.com.

Malicious Links

It is very easy to get duped into clicking on a malicious link. If you click on a malicious link, you will most likely be taken to a site that tricks you into providing personal information that can then be used to steal your money, or even worse, your identity. Clicking on a dangerous link could also cause malware to automatically download onto your computer.

Malicious links may look like they were sent by someone you trust, such as:

  • A friend or someone who you know.
  • A legitimate-looking company selling a product or service.
  • A bank or other business that you have an existing account with.

Most people think that malicious links arrive by email. But criminals are finding even sneakier ways to trick you into clicking on a dangerous link. You could receive the malicious link in an instant message, a text message, or on a social networking site like Facebook or Twitter.

Malicious links are hard to spot. They often:

  • Are ever-so-slightly misspelled versions of well-known URLs.
  • Use popular URL shortener sites to hide the real URL.
  • Use simple HTML formatting to hide the real URL. This is the most common method for emailed dangerous links. You think you’re clicking on a trustworthy link, but you are redirected to a dangerous link.
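
As an added illustration (not part of the original guide), the Python sketch below checks the links in an HTML message for the three disguises just listed: a near-miss spelling of a known domain, a URL shortener, and link text that names a different site than the link target. The domain lists, helper names and sample message are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, illustrative lists; a real filter would maintain its own.
KNOWN_DOMAINS = {"example-bank.com", "facebook.com", "twitter.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Constructed sample message (all domains are placeholders).
SAMPLE_HTML = """
<p>Your account is locked.
<a href="http://www.examp1e-bank.com/login">Sign in</a> or visit
<a href="http://203-0-113-9.example.net/x">www.example-bank.com</a>.
See the offer: <a href="http://bit.ly/abc123">great deal</a>.
Help: <a href="https://www.example-bank.com/help">example-bank.com/help</a></p>
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Lower-cased host name without a leading 'www.'; '' if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host


def base_domain(host):
    """Naive registrable domain: the last two labels (wrong for e.g. co.uk)."""
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the list of warning flags for one link."""
    flags = []
    base = base_domain(host_of(href))
    if not base:
        return flags
    if base in SHORTENERS:
        flags.append("shortener")            # real destination is hidden
    elif base not in KNOWN_DOMAINS:
        for good in sorted(KNOWN_DOMAINS):
            if 0 < edit_distance(base, good) <= 2:
                flags.append("lookalike:" + good)   # slightly misspelled domain
                break
    # Visible text that is itself a URL but names a different site than the target.
    if len(text.split()) == 1 and "." in text:
        shown = base_domain(host_of(text))
        if shown and shown != base:
            flags.append("text-mismatch")
    return flags


def scan_html(html):
    """Return (href, text, flags) for every link that raised at least one flag."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        flags = check_link(href, text)
        if flags:
            flagged.append((href, text, flags))
    return flagged


if __name__ == "__main__":
    for href, text, flags in scan_html(SAMPLE_HTML):
        print(f"{', '.join(flags):28} {text!r} -> {href}")
```

A shortened link is flagged because its destination cannot be judged from the link itself, not because shorteners are malicious in themselves.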

To protect yourself from malicious links, consider the following tips:

  • Do not click on a link that appears to be randomly sent by someone you know, especially if there is no explanation for why the link was sent, or if the explanation is out of character for the sender (e.g., horribly misspelled or talking about what a great deal they discovered).
  • Do not click on a link that was sent to you by a business you don’t know that is advertising a great deal. Instead, perform an online search for the business, make sure it’s legitimate, and go directly to the business’ website to find the deal yourself.
  • Do not click on a link that was sent to you by a business you have an existing account with. Either go to the business’ site yourself, or call up the business and confirm the legitimacy of the link. (Note that some businesses may require that you verify your email address as part of a registration process, which requires you to click on a link contained in an email. Typically, the link will be emailed to you immediately after you register online with the business. It’s a good idea to check your email right after you register with a business.)

3: Cloud Computing

What is cloud computing?

It is difficult to come up with a precise definition of cloud computing.  In general terms, it’s the idea that your computer’s applications run somewhere on the “cloud”, that is to say, on someone else’s server accessed via the Internet.  Instead of running program applications or storing data on your own computer, these functions are performed at remote servers which are connected to your computer through the Internet or other connections.

In telecommunications, a “cloud” is the unpredictable part of any network through which data passes between two end points.  In cloud computing the term is used to refer generally to any computer, network or system through which personal information is transmitted, processed and stored, and over which individuals  have little direct knowledge, involvement, or control.

With more reliable, affordable broadband access, the Internet no longer functions solely as a communications network.  It has become a platform for computing.  Rather than running software on your own computer or server, Internet users reach to the “cloud” to combine software applications, data storage, and massive computing power. 

It’s interesting to note that cloud computing is really nothing new.  It's the modern version of the 1960’s-era computer timesharing model.  That model was based upon the high cost of computers at that time.  With computer and data storage prices plummeting, it seems odd that there would be a return to that sort of model.

Who provides cloud computing services and what services do they provide?

It’s a bit easier to understand the concept of cloud computing by providing examples. Google operates several well-known cloud computing services.  It offers its users applications such as e-mail, word processing, spreadsheets and storage, and hosts them "in the cloud"--in other words, on its own servers, not yours.  So, for example, you can type a document without maintaining any word processing software on your computer.  You can use Google’s software “in the cloud”.  All you need is an Internet capable device.   It doesn’t even need to be a computer.

Cloud computing services also may allow you to synchronize files between your Internet accessible devices, so that you can see a file from your home or office computer on a mobile device.  Some of the best known consumer-oriented cloud services include:

  • Google Drive
  • Dropbox
  • Microsoft SkyDrive
  • Apple iCloud

Other examples of cloud computing include:

  • Web-based email services such as Yahoo Mail
  • Photo storing services such as Google’s Picasa
  • Spreadsheet applications such as Zoho
  • File transfer services such as YouSendIt
  • Online medical records storage such as Microsoft’s HealthVault
  • Social networking sites such as Facebook
  • Applications associated with social networking sites such as Farmville
  • Tax preparation services such as H & R Block
  • Word processing services such as AjaxWrite
  • Accounting and payroll services such as Intuit

The above services are ready to use “out of the box”.  In addition, many cloud computing companies offer customized cloud computing services tailored to the specific needs of businesses and other organizations.

Some of the major players in cloud computing include:

  • Google   
  • Yahoo
  • Microsoft
  • IBM       
  • Amazon
  • Salesforce
  • Sun Microsystems
  • Oracle
  • EMC
  • Intuit
  • Apple

What are the risks of cloud computing?

When users store their data with programs hosted on someone else's hardware, they lose a degree of control over their sensitive information.  The responsibility for protecting that information from hackers, internal breaches, and subpoenas then falls into the hands of the hosting company rather than the individual user. This can have many possible adverse consequences for users.

The privacy policy and terms of service of the hosting company should always be read carefully.  While generally lengthy and sometimes difficult to understand, they will provide a good outline of what the host can and cannot do with your information.  However, it is important to realize that most privacy policies and terms of service can and do change.  In fact, you may not have an opportunity to remove your information from the hosting site before such a change.

The location of the host’s operations can significantly impact a user’s rights under the law.  The location of the records might not be disclosed in the terms of service or might be changed without notice.  This could have substantial legal consequences.

Government investigators or civil litigants trying to subpoena information could approach the hosting company without informing the data's owners.  The hosting company generally does not have the same motivation as the user to defend against disclosure of the information. 

Some companies could even willingly share sensitive data with marketing firms. So there is a privacy risk in putting your data in someone else's hands. Obviously, the safest approach is to maintain your data under your own control.

There is also a risk that the host might shut down its operations, declare bankruptcy, or sell the business to another provider.  What might happen to your data if that were to happen?

Unexpected service disruptions can prevent cloud computer users from accessing their data or performing vital business functions.  For example, in June 2010, Intuit suffered a massive site disruption interrupting its Quicken and QuickBooks services.  Customers were unable to access Quicken sites for an extended period of time.  http://www.pcmag.com/article2/0,2817,2365179,00.asp

One of the problems with cloud computing is that technology is frequently light years ahead of the law.  There are many questions that need to be answered.  Does the user or the hosting company own the data?   Can the host deny a user access to their own data?   And, most importantly from a privacy standpoint, how does the host protect the user’s data?

So, before you utilize any cloud computing services, be aware of the potential risks.  And make sure that you carefully read the privacy policy and terms of service of the hosting company to become aware of your rights.

Who is legally responsible for data breaches in the cloud?

If, through no fault of your own, information stored in the cloud were breached, who would bear responsibility for the consequences?  The standard contract from the major cloud providers puts the responsibility for any data loss on the person or business placing the information in the cloud.  Of course, it might be possible for a large business to negotiate the terms of the standard contract.  As a consumer, you probably have no control over whether an organization you do business with places your personal information in the cloud. 

Where can I find out more about cloud computing?

Read the World Privacy Forum's report on cloud computing (Feb. 2009), available at www.worldprivacyforum.org/cloudprivacy.html. The title is Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, by Robert Gellman.

For more information on the privacy implications of cloud computing, see Ann Cavoukian, Privacy in the Clouds-A White Paper on Privacy and Digital Identity: Implications for the Internet (Information and Privacy Commissioner of Ontario), www.ipc.on.ca/images/Resources/privacyintheclouds.pdf

4: Additional Resources

Other nonprofit privacy organizations

Several nonprofit public interest groups advocate on behalf of online users. They also provide extensive information about privacy issues on their Web sites. 

American Civil Liberties Union
Find your local ACLU chapter: www.aclu.org/affiliates/
Web : www.aclu.org

Consumer Federation of America, Fake Check Scams, www.consumerfed.org/index.php/consumer-privacy/fake-check-scams

Electronic Frontier Foundation
454 Shotwell St., San Francisco, CA 94110
Voice: (415) 436-9333
E-mail: information@eff.org
Web : www.eff.org.
Also see EFF's "Surveillance Self-Defense" project: https://ssd.eff.org/

Electronic Privacy Information Center
1718 Connecticut Ave. N.W., Suite 200, Washington, DC 20009
Voice: (202) 483-1140
E-mail: epic-info@epic.org
Web : www.epic.org.

PrivacyActivism
E-mail: info@privacyactivism.org
Web : www.privacyactivism.org

World Privacy Forum
Voice: (760) 436-2489
E-mail: info2005@worldprivacyforum.org
Web: www.worldprivacyforum.org

Government agencies

The Federal Trade Commission is the federal government's primary agency for online privacy oversight. Its Web site provides a great deal of information on public policy matters as well as consumer tips.

Federal Trade Commission
600 Pennsylvania Ave. N.W., Washington, DC 20580
Web : www.ftc.gov/privacy/index.html

The FTC’s Onguard Online Web site offers tips for avoiding Internet fraud, securing your computer and ways to protect your personal information.   www.onguardonline.gov

Several federal agencies and public interest groups have sponsored the online Consumer Computer Privacy Guide at www.consumerprivacyguide.org. This site offers extensive tips, a glossary of terms, and video tutorials with step-by-step instructions on how to take advantage of privacy settings for the programs you use online.

Federal law enforcement and industry representatives have joined together to produce a Web site called Looks Too Good to Be True, which educates consumers about Internet scams. www.lookstoogoodtobetrue.com

The U.S. Computer Emergency Readiness Team (US-CERT) provides numerous computer security resources on its website at http://www.us-cert.gov/index.html.  It offers downloads of a number of valuable publications at http://www.us-cert.gov/reading_room/

Other resources

The Internet Education Foundation, in cooperation with consumer groups and industry associations, has developed GetNetWise, a Web site for parents, children, and anyone wanting basic information on Internet safety. Visit this useful resource at www.getnetwise.org.

The FBI publishes a Parent’s Guide to Internet Safety, available at www.fbi.gov/publications/pguide/pguidee.htm.

The Federal Trade Commission offers extensive resources for children and parents. Visit www.ftc.gov/bcp/conline/edcams/kidzprivacy/index.html. To learn more about the Children's Online Privacy Protection Act, go to www.ftc.gov/privacy/index.html

PRC Fact Sheet 21, "Children in Cyberspace" at www.privacyrights.org/fs/fs21-children.htm.

PRC Fact Sheet 36, "Securing Your Computer to Maintain Your Privacy" at http://www.privacyrights.org/fs/fs36-securing-computer-privacy.htm.

Priveazy offers videos, quizzes, and lessons to help you maintain your online privacy at https://www.priveazy.com/.

The National Conference of State Legislatures maintains a list of Selected State Laws Related to Internet Privacy.

Please note: We have provided the names and Web addresses of several commercial and freeware products in this guide. Such mention does not imply endorsement.

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.

Komando's 3 essential Facebook security and safety settings

It is no secret how dangerous Facebook is to your privacy. You have to take action to protect your security when you use the site. That's why I wrote this must-read column about critical Facebook privacy settings.

However, I saw a very interesting study not too long ago. If you follow my Breaking Tech News page, you probably saw it, too. It said that 23 percent of the time people spend on mobile gadgets is spent using the Facebook app. That's more than any other app.

Using Facebook's app on your mobile gadget opens you up to new privacy concerns. Mobile gadgets are an increasing target for hacks and theft. Click here for ways to keep your gadget safe. It's not impossible to make the Facebook app safe, though. You just need to know about a few settings and strategies.

1. Enable two-step verification
Two-step verification is the hot new security trend in the tech world. You can learn why it's important in this tip. Since the start of 2013, Twitter, Apple and Microsoft have all added it. Facebook has actually had it for years.

To turn it on, go to Account Settings>>Security>> Login Approvals. Click the checkbox and enter your cellphone number. When you try to log in on a new gadget, you'll receive a text with a code. You need to enter that code before you can log in.

This stops hackers from logging in to your account from other mobile gadgets. Even if they have your name and password, they won't get the second code.

2. Set up Trusted Contacts
Hackers are sneaky. There's still a small chance someone could break into your account. This new Facebook feature uses your friends to take the account back.

To set it up, click the gear icon and choose "Security Settings." Once you click "Trusted Contacts," you'll have to enter your password. Then, click "add friends." You'll need to select at least three friends before you can click "Done."

Now, those friends can help if you forget your password and are locked out. It's like giving a family member a spare key to your house.

It's especially useful if a thief steals your gadget and it's already logged into Facebook. You can quickly get into your account and change your password.

3. Use common sense
Security settings are nice, but your safety depends on some other crucial behaviors. When you're using your gadget in public, don't focus on it exclusively. That makes it easier for a thief to snatch your gadget.

Other common-sense tips apply here, too. You need to have a lock code on your phone. I'll explain how to create a secure one in this tip. You should also learn how to use public Wi-Fi safely.

Don't forget that your smartphone and tablet need security software, as well. You can find some of my favorites in this tip.

Most importantly, make your Facebook password different from your other account passwords. That way if hackers get it, they won't get your other accounts. Click here for ways to create secure, memorable passwords for all of your accounts.

Locking down your accounts doesn't require a degree in computer security. These three tips will help you lock things down with ease.

    Public Wi-Fi isn't just a concern on your smartphone or tablet. Use these five tips to surf safely on public Wi-Fi from a PC.
    A nasty virus won't just wreck your computer; it hurts your privacy, too! Here are five signs your computer is infected.
    If a hacker does find a way in, don't panic. Quick action can take the account back. Recover a hacked account with these tips.


no secret about how dangerous Facebook is to your privacy. You have to take action to protect your security when you use the site. That's why I wrote this must-read column about critical Facebook privacy settings. 

However, I saw a very interesting study not too long ago. If you follow my Breaking Tech News page, you probably saw it, too. It said that 23 percent of the time people spend on mobile gadgets is spent using the Facebook app. That's more than any other app.

 

Using Facebook's app on your mobile gadget opens you up to new privacy concerns. Mobile gadgets are an increasing target for hacks and theft. Click here for ways to keep your gadget safe. It's not impossible to make the Facebook app safe, though. You just need to know about a few settings and strategies.

1. Enable two-step verification
Two-step verification is the hot new security trend in the tech world. You can learn why it's important in this tip. Since the start of 2013, Twitter, Apple and Microsoft have all added it. Facebook has actually had it for years.

- See more at: http://www.komando.com/tips/index.aspx?id=14599&utm_medium=nl&utm_source...

Latest Dangerous Facebook Scam

(scambusters.org) Facebook scams recently hit the headlines in the Internet fraud world -- again -- this time tricking tens of thousands of members into giving crooks access to their pages.

Pretending to offer software that can reveal who's checking out users' profiles, they invite victims to sign up and download what turns out to be malware.

By contrast, another set of scammers claim they'll remove viruses from PCs that aren't really infected, while yet more schemers chase your money by claiming to offer free groceries.

All the details in this week's Snippets issue.



Watch Out for Phony Privacy Software in Latest Facebook Scams


Seems like barely a week passes without new Facebook scams popping up. Hardly surprising since the social networking site has more than 500 million members, making it a prime target for crooks.

We've covered plenty of these Facebook scams in previous issues.

Facebook Scam Leads Internet Crime Wave

Social Networks Targeted for Holiday Scam Season

But a real doozy showed up during the past couple months, tricking tens of thousands of Facebook users into giving crooks access to their profile pages.

This particular Facebook scam plays on people's curiosity to know who's been checking out their profile.

In fact, there's currently no way a regular Facebook user can really do this. But that's merely an open invitation to crooks to pretend that you can if you use the application they provide.

According to an article at pcmag.com, victims get a message that says something like: "OMG OMG OMG... I can't believe this actually works! Now you really can see who viewed your profile!"

It then provides a link to a page where you're asked to give access to your profile page so that your page visitors can be recorded using an application the crooks call "ePrivacy."

The scammers then steal information from your account and use it to send the same "OMG" message to all your friends -- in your name!

Action: As we said, you can't get any software that shows who visited your pages. And if you already fell for this trick, in Facebook go to Account -> Privacy Settings -> Applications and Websites and delete the app.

Free Groceries Scam

Since we're talking about Facebook scams, if you're a member, you may recently have received an offer of free groceries for completing surveys.

To qualify, you have to "friend" the page offering the deal and then embark on a seemingly never-ending round of market research survey completion.

So far, we've been unable to find anyone online who ever got their grocery voucher but there are sure a lot of people angry at being sucked into this game.

It's just one version of many schemes that use "free groceries" as bait for participation. Sometimes, it's just an out-and-out scam.

For example, consumers responding to a recent series of radio ads offering free groceries discovered all was not as it seemed.

What they got instead was a membership card supposedly entitling them to coupons they could exchange for the groceries. The catch: Recipients had to "activate" the card by paying a substantial fee.

In another variation, radio ads promise a $1,000 grocery card as part of a supposed research project.

This turns out again to be coupons offered via a website. This time, it tells victims they'll receive coupons worth discounts of up to 80% off the cost of certain items -- but they have to pay the promoter a 10% fee to get the coupons.

Even worse, many of the supposed offers turn out to be worthless and won't be honored by the manufacturer.

Yet another free groceries scam involves multi-level marketing (MLM). You know the sort of thing: you buy discounted grocery vouchers, which you must then sell to others for a marked up price, with the lure that they can sell them to yet more suckers.

And so on until the whole giant pyramid collapses.

Action: If a promoter asks you to pay for coupons you'll want to know first if the company really exists and has a creditable reputation; then you need to do your math and see if the deal makes sense. Otherwise, don't do it.

As for surveys, while many may be legitimate, you'll usually find that it takes you hours to qualify for just a small payoff. See these earlier Scambusters articles for more.

Online Surveys: Can You Actually Earn Any Money?

Online Surveys: Are They All Scams? Plus 2 Real Alternatives...

Oh, and those MLM schemes? The legality of some of them is highly dubious -- and so are the chances of making any money. Give them a miss.

Phony Expert Comes to the Rescue

While the Facebook scam we started off this week's issue with focuses on attempts to trick you into giving access to malicious software, other crooks come at you from a different angle, pretending your PC is already infected and they want to help you get rid of the culprit.

Most commonly, this scam takes the form of scareware, when you get a screen pop-up warning you of the supposed infection and inviting you to pay to have it removed.

You may end up not only paying but also, again, downloading malware onto your PC. We covered scareware in a previous issue, How to Spot and Avoid a Scareware or ID Theft Protection Scam.

In the latest variant, scammers actually phone you, claiming they're computer experts who just happen to have identified a virus on your PC (goodness knows how!) that's also affecting other users in the neighborhood.

To save your good name and reputation, the scammer asks you to let him access your PC remotely (which is perfectly possible and can easily be done with just a couple of clicks by you).

Hey presto! He's inside your PC, nosing around and stealing whatever information he wants, or demanding a fee for supposedly getting rid of the "virus."

Action: If the guy has to ask you to give him access to your PC, how come he supposedly already knows it's infected? There's no way anyone can detect a virus this way.

If you get a call like this, just hang up. And never click on a pop-up that warns of an infection.

If you don't already have it, install reputable Internet security software; that should give you the protection you need.

The golden rule in spotting and dealing with the scams outlined in this week's issue is never to accept at face value the warnings, "free" offers and supposed invitations to help you, whether they come by phone or online.

Follow that rule and you'll avoid those "free groceries," scareware and Facebook scams!


Latest email scam targets PayPal and Amazon users

Consumers should be wary of emails stating that there is a security problem with their PayPal or Amazon account. Emails of this nature are the latest email scheme designed to trick users into giving up personal information.

Responding to one of these emails, or clicking on a link to submit your information, gives scammers access to your financial information. It may even infect your computer with a virus.

“These online services and businesses make it easy for consumers to shop and pay for items online, but there are people out there who want to use this convenience as a way to steal your money, or even worse, your identity,” said Mississippi Attorney General Jim Hood in a statement.

These phishing scams can also appear as pop-up messages on your computer, he noted. Tip-offs that an email from PayPal or Amazon might actually be from a scammer include typos and plenty of questions designed to gather personal information.

Misspelled words: a red flag

(Sarah Young @ ConsumerAffairs) Think twice before responding to an email asking for your username, password, or financial information. Reputable businesses will never ask for this information in an email, Hood said.

Misspelled words are another giveaway that the email you’re looking at may have been crafted by a scammer. Hood says the latest PayPal email scam misspells the word PayPal and sends you to a fake website.

Scammers attempt to trick Amazon users into giving up their personal information by asking them to confirm an order for something they didn’t buy, asking that they update their payment information, or asking for their username, password or other information. Like emails intended to ensnare PayPal users, these emails usually contain misspelled words or grammatical errors.

Protecting against phishing emails

PayPal and Amazon have nothing to do with the scams, he noted. So, instead of responding to unsolicited emails from PayPal or Amazon, Hood recommends going to the companies’ websites and using the sites’ secure login to verify account activity.

“Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files,” he said. To reduce your risk of falling victim to a phishing scam, Hood recommends heeding the following advice: 

  • Do not respond to any unsolicited e-mails of this nature.
  • Do not click on any attachments associated with such emails, as they may contain viruses or malware.
  • If you are concerned about your account, contact the organization in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address. In any case, don’t cut and paste the link in the message.
  • If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”).
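The two tip-offs described above, a misspelled brand name and a link that leads to a fake website, can be checked mechanically before anyone clicks. The following Python sketch is an added example, not code from ConsumerAffairs or the Attorney General's office; the sample email, the digit-substitution table and the two-entry allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Genuine registrable domains for the brands named in the article.
# Assumption for this example: a real allowlist would be longer.
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Digits often substituted for look-alike letters (constructed mapping).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def osa_distance(a, b):
    """Edit distance where an adjacent swap ("papyal") counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_hosts(body):
    """Return the lower-cased hostname of every http(s) link, in order, deduplicated."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url.rstrip(".,;:)!?")).hostname
        except ValueError:
            continue  # malformed link, nothing to classify
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def classify_host(host):
    """Return (verdict, brand) for one hostname.

    Verdicts: 'genuine', 'lookalike', 'brand-in-subdomain', 'unrelated'.
    The registrable domain is taken as the last two labels, which is a
    simplification (no public-suffix list).
    """
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    registrable = ".".join(labels[-2:])
    for brand, real in BRANDS.items():
        if registrable == real:
            return ("genuine", brand)
    skeleton = labels[-2].translate(HOMOGLYPHS).replace("-", "")
    sub_labels = [label.translate(HOMOGLYPHS) for label in labels[:-2]]
    for brand in BRANDS:
        if brand in skeleton or osa_distance(skeleton, brand) <= 1:
            return ("lookalike", brand)
        if brand in sub_labels:
            return ("brand-in-subdomain", brand)
    return ("unrelated", None)


def scan_email(body):
    """Classify every linked host in an email body."""
    return [(host,) + classify_host(host) for host in extract_hosts(body)]


# Constructed sample message; none of these links come from a real campaign.
SAMPLE_EMAIL = """\
Subject: Your PayPaI account has been limited

Dear customer, we noticed a problem with your acount.
Confirm your details: http://www.paypa1.com/signin
Or visit http://paypal.com.account-verify.example/update
Order confirmation: https://www.amazon.com/gp/your-orders
Unsubscribe: https://news.example.org/unsub.
"""

if __name__ == "__main__":
    for host, verdict, brand in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:20} {brand or '-':8} {host}")
```

Anything other than "genuine" for a brand the message claims to come from is a reason to type the company's address by hand, as the advice above recommends. The allowlist is deliberately tiny, so legitimate domains that merely contain a brand name would need to be added before relying on the verdicts.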

Latest iPhone and iPad Phishing scam

(Jennifer Abel @ ConsumerAffairs) Since this is a consumer website rather than an etiquette-advice column, we frequently remind everyone that when dealing with businesses in the modern interconnected era, you must always take the otherwise-rude attitude “Don't call me; I'll call you.”

For example: if you have, or think you might have, a problem with [pick one or more]: your bank, Netflix, Microsoft, Amazon, eBay, PayPal, electric company or any other account, you should definitely contact your bank or whoever, to see about fixing that problem.

But if everything seems fine and then suddenly, out of the blue, you get a text, phone call, email or any other message saying “Hi, this is your bank or Netflix or whoever, telling you there's a huge problem with your account so you need to give us some verification information right away” — don't believe it. Chances are that unsolicited message is actually from a scam artist posing as a legitimate business entity in hope of tricking you into handing over confidential information.

That said: if you're the worrywart type who simply can't ignore such a message, just in case there really is a problem, feel free to contact the company in question; just don't use the contact information you received in that unsolicited message. Go online (or even look in an old-fashioned phone book, if you want to contact the local electric company) and seek out the contact information yourself.

Worse than usual

All such scams are awful, especially from the victims' perspective, but the most recent one is even worse than usual: not just a phishing scam, but one targeting those already victimized by a previous scam! So far it's mainly been affecting people in Australia and New Zealand – but it has recently made it to America, and it's spreading.

The initial scam involves iPhone or iPad users being “locked out” of their devices after a scammer figured out how to hack the otherwise-useful “Find My iPhone” feature: try using your device and you are only able to access your email, where you find a note ordering you to put $100 into the scammer's PayPal account if you want the device unlocked.

That particular ransom email is “legitimate” – so much as any criminal ransom note can be “legitimate” – in that it actually is from the hacker himself.

A mere two days later, on May 29, security bloggers at Symantec warned of scammy phishing emails, allegedly from Apple, purporting to protect iFolks from being ransomed out of their iStuff.

The emails claim that the victims' iCloud infrastructure had been breached, so you have to change your password right now.

Of course, if you are foolish enough to fall for it, what actually happens is that you give your password to a scammer, who can then use it to break into your iThing and then do pretty much whatever he wants—anything from locking you out of it to stealing or corrupting any files within.

Some of the subject headings in those sleazy emails included:

Please update your Apple account now

Apple – Your Account Is Not Confirmed

Please Verify Account Information For Your Apple ID

please verify the email address associated with your Apple ID

Incidentally, such language is hardly unique to this Apple-flavored phishing attempt; phishers pretending to be from Netflix, your bank or any other company often use the same phrasing. The whole idea, from the scammers' perspective, is to sound scary and ominous enough to override your usual sense of anti-scam skepticism.

Lenovo computers come pre-installed with nasty security threats

 


Security researchers discovered this week that Lenovo computers come pre-installed with a particularly nasty form of adware that hijacks users' web connections, making them very easy to spy upon and extremely vulnerable to “man in the middle” attacks (although, as of Thursday afternoon, Lenovo says that it will stop pre-loading the adware on forthcoming machines).

 

Any Lenovo computer with a program called Superfish installed is at risk — and uninstalling Superfish won't make the problem go away. Superfish supposedly offers users a “visual search” experience, although what it actually does is insert third-party ads into websites and Google search results (hence its “adware” designation).

As annoying as those third-party ads are to users, they're not the main problem. The real issue with Superfish is that it intercepts all encrypted communications, enabling it to see things it's not supposed to. Worse still is how Superfish does this. As Robert Graham from Errata Security explained:

SuperFish installs its own root CA certificate [and] then generates certificates on the fly for each attempted SSL connection. Thus, when you have a Lenovo computer, it appears as SuperFish is the root CA of all the websites you visit. This allows SuperFish to intercept an encrypted SSL connection, decrypt it, then re-encrypt it again.

And it still gets worse: Superfish uses the same fake security certificate every time, on every Lenovo machine, and even if you remove Superfish from your computer, the flawed fake security certificate remains.

What to do

How can you tell if your Lenovo computer is infected with Superfish or not? Filippo and LastPass have both released online “tests” which will tell you whether your Lenovo is infected or not.

In a worst-case scenario – you discover your machine is infected, but you can't afford to replace it right now – you should at least avoid using that machine for any secure online activities, such as online banking or even checking your emails. Basically, avoid doing anything password-protected with your computer, since you can't get rid of those fake security certificates.
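The symptom Graham describes, one root CA appearing to have issued the certificate for every website you visit, is something a machine can check for itself. The Python sketch below is an added example, not code from Lenovo, Errata Security or the online tests mentioned above; the hostnames and issuer names in the sample data are constructed, and the thresholds are assumptions.

```python
import socket
import ssl
from collections import Counter


def fetch_cert(host, port=443, timeout=5):
    """Return the leaf certificate a site presents, as a getpeercert() dict.

    On Windows, Python's default context loads the system certificate
    store, so a root installed there is trusted here as well.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_name(cert):
    """Flatten the issuer field into (organization, common name)."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields.get("organizationName", ""), fields.get("commonName", "")


def dominant_issuer(observations, min_sites=4, share=0.9):
    """Return the issuer that signed at least `share` of the observed sites.

    observations maps hostname -> getpeercert() dict. Unrelated sites are
    normally signed by a mix of CAs, so a single issuer covering nearly all
    of them points to local TLS interception. Returns None when there are
    too few sites to judge or no issuer dominates.
    """
    if len(observations) < min_sites:
        return None
    counts = Counter(issuer_name(cert) for cert in observations.values())
    issuer, hits = counts.most_common(1)[0]
    return issuer if hits / len(observations) >= share else None


def _cert(org, cn):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),))}


# Constructed observations: what a clean machine might see...
CLEAN = {
    "bank.example": _cert("Example Trust Services", "Example TLS CA 1"),
    "mail.example": _cert("Sample Root Authority", "Sample RSA CA"),
    "shop.example": _cert("Example Trust Services", "Example TLS CA 2"),
    "news.example": _cert("Demo Certificates Ltd", "Demo CA G3"),
}
# ...and the same sites when every connection is re-signed by one local root.
# The issuer string here is a constructed placeholder.
INTERCEPTED = {host: _cert("Superfish", "Superfish") for host in CLEAN}

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("intercepted", INTERCEPTED)):
        print(label, "->", dominant_issuer(data))
    # For a live check, build the dict from sites run by unrelated companies:
    #   live = {h: fetch_cert(h) for h in list_of_hosts}
```

A workplace TLS-inspection proxy produces the same signal, so a hit means "something on this machine or network is re-signing traffic", which is the situation the advice above says to treat as unsafe for banking and email.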

LinkedIn Hacked What To Do

If you get an email from LinkedIn saying you need to reset your password, it's real. The social networking site has reported a data breach in which an undisclosed number of passwords were compromised.

"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Vincente Silveira, a LinkedIn director, wrote on the company's blog. "These members will also receive an email from LinkedIn with instructions on how to reset their passwords."

Silveira stresses there will not be any links contained in the email that informs you that you must reset your password. However, once you follow the initial step of requesting password assistance, you will receive an email from LinkedIn with a password reset link.


LinkedIn Password Leak How To Change Yours

On June 6 Norwegian website Dagens IT reported that 6.4 million passwords had been stolen from professional networking site LinkedIn and posted on a known Russian hacker site. 

Though user details have not been posted along with the passwords, it is widely believed that the hackers will also have access to this information. LinkedIn responded quickly to the issue on Twitter, sending the following message from its official account (@LinkedInNews): "Our team is currently looking into reports of stolen passwords. Stay tuned for more."

To protect your LinkedIn account experts recommend that users change their password as quickly as possible. 

To change your password on LinkedIn, log into the site using your existing details, then hover over your name displayed in blue on the top right of the site and click on 'Settings' in the drop box that appears. On the following screen, select ‘Change' displayed in blue next to the word ‘Password' and enter your new details.


Linux The Most Secure Choice

( @ TechRepublic) According to the UK's Communications-Electronics Security Group (CESG), Linux is the clear choice when it comes to security.

 

Recently, the United Kingdom's Communications-Electronics Security Group (CESG) ran a series of tests to find out which operating system would be the most secure platform for the UK government. The test consisted of the following categories:

  • VPN
  • Disk Encryption
  • Authentication
  • Secure Boot
  • Platform Integrity and Sandboxing
  • Application Whitelisting
  • Malicious Code Detection and Prevention
  • Security Policy Enforcement
  • External Interface Protection
  • Device Update Policy
  • Event Collection for Enterprise Analysis
  • Incident Response

 

The goal was to see which platform would pass most of the 12 tests. The winner, Ubuntu 12.04 (Figure A), was far ahead of both Windows 8 and Mac OS X. The CESG site contains all of the findings, or you can read the Canonical summarization of the report. From the Canonical summary:

“All in all, Ubuntu 12.04 LTS stacks up as the most secure of the current desktop and mobile operating systems. Supported by Canonical with free security updates for 5 years, and without malware problems, it’s hard to beat in official public sector applications. We are working hard to close the gap and make Ubuntu clearly stand out as the most trustworthy operating system for the future and we hope to make excellent progress before our next LTS release in April 2014, 14.04 LTS, which will be even better.”

Figure A: The Ubuntu 12.04 desktop ready to install.

One interesting statement from the full report is that no operating system that's currently available can meet all of the above tests. Also interesting from the full report is that Samsung devices running Android 4.2 scored as high as Ubuntu 12.04.

Why 12.04? Because it's the most recent Long Term Support (LTS) release. Canonical is confident that 14.04 (the next LTS release) will meet or exceed the tests passed by 12.04. As for the current LTS: Ubuntu 12.04 passed nine of the 12 tests and had zero significant risks. Windows 8 passed seven with 1 significant risk. OS X passed eight tests with zero significant risks.

What does this mean?

One can surmise that the UK government is looking for their platform of the future. With the dramatic rise in cyber-crime, every government agency (business or enterprise) would be remiss in failing to run similar tests or, at the very least, giving the UK report a close read.

People have argued for years about platform security. There have been numerous events held with the sole purpose of determining a clear winner. Unfortunately, many of those tests and research papers cannot be trusted, simply because they were sponsored events (with vested interests in one particular platform performing beyond the others). But for the needs of a government agency (or an enterprise-grade business), the tests run by the CESG are right on the money. These are unbiased, unfiltered tests with end results that aren't concerned with market share, board of directors, or investors.

And in the end... Linux wins. Period.

No, Linux may not hold the coveted spot on top of the business and home desktop food chain, but now that a government entity has singled out Ubuntu 12.04 as the most secure platform available, this could easily change. Why? Businesses can't function without security. If the thought leaders of industries can't wrap their heads around that one fact, they're dooming countless businesses -- and not recommending Linux for desktop use is senseless.

Over the last five years, I've been working as a remote support engineer for hundreds of clients (with thousands of end users). I can say this with complete assurance: Nearly 100% of the problems I've dealt with could have been avoided by simply using Linux. Desktops have lost data and businesses have lost hundreds of thousands (if not millions) of dollars because of Windows. That is not opinion... that is fact. Had those users been using Linux, that would not be the case.

It never ceases to amaze me how many reports and claims there are of Windows' superior security, when real-world results point to quite the opposite. And now, thanks to the UK government, there is official proof that Linux (specifically Ubuntu 12.04) is the best choice in a world where security should be priority number one.

The results of this test couldn't have come at a more poignant time. With Windows XP about to be put to rest, there will be a seemingly endless need for businesses around the globe to replace those aging desktops. With all of the choices available to them, there is now one that stands well above the rest. That choice is Linux.


Live CD What Is It

Ubuntu 12.04 running from a live CD, with the Unity desktop environment

(wikipedia) A live CD, live DVD, or live disc is a complete bootable computer installation including operating system which runs in a computer's memory, rather than loading from a hard disk drive; the CD itself is read-only. It allows users to run an operating system for any purpose without installing it or making any changes to the computer's configuration. Live CDs can run on a computer without secondary storage, such as a hard disk drive, or with a corrupted hard disk drive or file system, allowing data recovery. A live ISO is an ISO image of a Live CD which can be used in virtual machine environments, mounted as if it were a CD/DVD and used as the virtual machine's boot CD. Live CDs, ISOs, and images usually include an operating system available without charge or restrictive licence such as Linux, rather than a commercial one such as Microsoft Windows, for legal rather than technical reasons.

The functionality of a live CD is also available with a bootable live USB flash drive, or even an external USB drive. These may have the added functionality of writing changes on the bootable medium. Also, solid-state devices are faster than optical drives. Write-locked Live SD WORM systems are the direct solid-state counterpart to live CDs, and can be booted natively in a media card slot or by using a USB adapter. Write-locked Live SD systems avoid excessive write cycles or corruption by ill-conditioned software, such as malware.

While a live CD typically does not alter any operating system or files already installed on a computer's secondary storage (such as hard disk drives), many live CDs include software mechanisms and utilities for altering the host computer's data stores, including installation of an operating system. This is important for the system management aspect of live CDs, which can be useful for removing malware, for drive imaging, and for system recovery. Unless such software is used, at the end of a live CD session the computer remains as it was before. The live system is able to run without permanent installation by placing the files that normally would be stored on a hard drive into RAM, typically in a RAM disk. The computer must have sufficient RAM both to store these files and maintain normal operation.

History

All except the earliest digital computers are built with some form of minimal built-in loader, which loads a program or succession of programs from a storage medium, which then operate the computer. Initially a read-only medium such as punched tape or punched cards was used for initial program load. With the introduction of inexpensive read-write storage, read-write floppy disks and hard disks were used as boot media.

After the introduction of the audio compact disc, it was adapted for use as a medium for storing and distributing large amounts of computer data. This data may also include application and operating-system software, sometimes packaged and archived in compressed formats. Later, it was seen to be convenient and useful to boot the computer directly from compact disc, often with a minimal working system to install a full system onto a hard drive. While there are read-write optical discs, either mass-produced read-only discs or write-once discs were used for this purpose.

The first Compact Disc drives on personal computers were generally much too slow to run complex operating systems; computers were not designed to boot from an optical disc. When operating systems came to be distributed on compact discs, either a boot floppy or the CD itself would boot specifically, and only, to install onto a hard drive. The first live CD was FM Towns OS, first released in 1989.

Origin of Linux live

Although early developers and users of distributions built on top of the Linux kernel could take advantage of cheap optical disks and rapidly declining prices of CD drives for personal computers, the Linux distribution CDs or "distros" were generally treated as a collection of installation packages that must first be permanently installed to hard disks on the target machine.

However, in the case of these distributions built on top of the Linux kernel, the free operating system was meeting resistance in the consumer market because of the perceived difficulty, effort, and risk involved in installing an additional partition on the hard disk, in parallel with an existing operating system installation.

The term "live CD" was coined because, after typical PC RAM was large enough and 52x speed CD drives and CD burners were widespread among PC owners, it finally became convenient and practical to boot the kernel and run X11, a window manager and GUI applications directly from a CD without disturbing the OS on the hard disk.

This was a new and different situation for Linux than other operating systems, because the updates/upgrades were being released so quickly, different distributions and versions were being offered online, and especially because users were burning their own CDs.

The first Linux-based 'Live CD' was Yggdrasil Linux first released in beta form 1992~1993 (ceased production in 1995), though in practice its functionality was hampered due to the low throughput of contemporary CD-ROM drives. DemoLinux, released in 1998, was the first Linux distribution specially designed as a live CD. The Linuxcare bootable business card, first released in 1999, was the first Live CD to focus on system administration, and the first to be distributed in the bootable business card form factor. As of 2010, Finnix (first released in 2000) is the oldest Live CD still in production. Knoppix, a Debian-derived Linux distribution, was released in 2003, and found popularity as both a rescue disk system and as a primary distribution in its own right.

Since 2003, the popularity of live CDs has increased substantially, partly due to Linux Live scripts and remastersys, which made it very easy to build customized live systems. Most of the popular Linux distributions now include a live CD variant, which in some cases is also the preferred installation medium.

Uses

Live CDs are made for many different uses. Some are designed to demonstrate or "test drive" a particular operating system (usually Linux or another free or open source operating system). Software can be tested, or run for a particular single use, without interfering with system setup. Data on a system which is not functioning normally due to operating system and software issues can be made available; for example, data can be recovered from a machine with an active virus infection without the virus process being active and causing more damage, and the virus can be removed with its defences against removal bypassed.

Although some live CDs can load into memory to free the optical drive for other uses, loading the data from a CD-ROM is still slower than a typical hard drive boot, so this is rarely the default with large live CD images, but for smaller live CD images loading the filesystem directly into RAM can provide a significant performance boost, as RAM is much faster than a hard drive, and uses less power.[1] Experienced users of the operating system may also use a live CD to determine whether and to what extent a particular operating system or version is compatible with a particular hardware configuration and certain peripherals, or as a way to know beforehand which computer or peripheral will work before buying.[1] A live CD can be used to troubleshoot hardware, especially when a hard drive fails, and more generally as a recovery disc in case of problems. Some live CDs can save user-created files in a Windows partition, a USB drive, a network drive, or other accessible media. Live backup CDs can create an image of drives, and back up files, without problems due to open files and inconsistent sets.

A few additional uses include:

  • installing a Linux distribution to a hard drive
  • testing new versions of software
  • listing & testing hardware [2]
  • system repair and restoration
  • high security/non-invasive environment for a guest
  • cracking, stealing, and changing passwords
  • network security testing
  • being the primary or backup operating system for any computer
  • quick and simple clustering of computers [3]
  • computer forensics
  • playing video games or running applications that require a different operating system
  • providing a secure server platform where crucial files cannot be permanently altered
  • providing a secure, reliable platform for the performance of high-vulnerability tasks such as internet banking;
  • Internet kiosks and public computers, which can be brought back to their original state by a reboot

Thematic Live CDs

Several live CDs are dedicated to specific types of applications according to the requirements of thematic user communities. These CDs are tailored to the needs of the applications in question, and may include general knowledge, tutorials, specifications and trial data.

Some of these topics cover sub-topics; for example, IT administration breaks down into firewall, rescue, security and similar types of live CDs. In some cases a particular LiveDVD covers more than one topic.

Live CD software appliances

Packaging a software appliance as an installable live CD, or live ISO, can often be beneficial as a single image can run on both real hardware and on most types of virtual machines.

This allows developers to avoid the complexities involved in supporting multiple incompatible virtual machine images formats and focus on the lowest common denominator instead.

Typically after booting the machine from the live CD, the appliance either runs in non-persistent demo mode or installs itself, at the user's request, to an available storage device.

Mounting without burning

The files on a live CD ISO image can be accessed in Microsoft Windows with a disk image emulator such as Daemon Tools, or in Unix variants by mounting a loop device. Later versions of Windows (i.e. Windows 8 and later), and software available for earlier versions, allow an ISO to be mounted as a volume.

After mounting the live CD's filesystem, software on the live CD can be run directly, without booting it, by chrooting into the mounted filesystem.

A live CD ISO image can also be mounted by Virtual Machine software such as VirtualBox and VMware Workstation or can be converted to a Live USB using SYSLINUX. Tools such as UNetbootin can automate this process.

Common traits

Some live CDs come with an installation utility launchable from a desktop icon that can optionally install the system on a hard drive or USB flash drive. Most live CDs can access the information on internal and/or external hard drives, diskettes and USB flash drives.

Live CDs are usually distributed on read-only media, requiring either copying to rewriteable media (i.e. a hard drive or CD writer) or complete remastering to install additional software; however, there are exceptions such as Puppy Linux which has the ability to save files to the live CD itself or other multisession media, allowing data, programs and customized settings to be written.

The first live CDs used Linux as their operating system, available without charge or restrictive licence. The term came to be used for any CD containing an operating system and software which could be run without installation on the host computer; examples include OpenSolaris, BeleniX and others based on Solaris. Other operating systems which can be used live include AmigaOS 4, Amithlon, AROS, FreeBSD, FreeDOS, Mac OS, Microsoft Windows installation and repair discs, OS/2, ReactOS, NetBSD, OpenBSD, MINIX 3, Plan 9 from Bell Labs, and MorphOS. There are maintenance versions of Microsoft Windows bootable from CD such as BartPE, Windows PE, and Microsoft Diagnostics and Recovery Toolset (DaRT), previously known as Emergency Repair Disk Commander (ERD Commander).

The first personal computer operating system on a CD to support "live" operations might have been the AmigaOS, which could be booted from CD on an Amiga CDTV in 1990. Earlier examples of live operating systems are, of course, those run from floppy disk, the most widespread being DOS.

Unlike previous operating systems on optical media, though, Linux and OS/2 "live CDs" were specifically designed to run without installation onto other media like a hard disk drive. The live CD concept was meant to promote Linux and showcase the abilities of the free, open source operating system on conventional personal computers with Microsoft Windows already installed.

On a PC, a bootable Compact Disc generally conforms to the El Torito specification. Many Linux-based live CDs use a compressed filesystem image, often with the cloop compressed loopback driver or the squashfs compressed filesystem, generally doubling effective storage capacity, although slowing application start-up.

The resulting environment can be quite rich: typical Knoppix systems include around 1,200 separate software packages. Live CDs have a reputation for supporting advanced auto-configuration and plug-and-play functionality. This came out of necessity to avoid requiring the user to configure the system each time it boots and to make it easily usable by those who are new to the operating system.

Technique

A read-only file system, such as that on a CD-ROM, has the drawback of being unable to save any current working data. For this reason, a read-only file system is often merged with a temporary writable file system in the form of a RAM disk. Often the default Linux directories "/home" (containing users' personal files and configuration files) and "/var" (containing variable data) are kept in ramdisk, because the system updates them frequently. Puppy Linux and some other live CDs allow a configuration and added files to be written and used in later sessions.

In modern live CDs, a read-only file system is merged with a RAM drive using transparent techniques such as UnionFS, AuFS or EWF. Boot loaders like syslinux can boot ISO files from USB memory devices.
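
The merge described above can be modelled in a few lines. This is an added illustration, not UnionFS or AuFS code: the class and method names are hypothetical, and the "whiteout" marker is the usual way union file systems hide a file that still exists on the read-only layer.

```python
class UnionMount:
    """Simplified model: a read-only lower layer (the CD image) merged
    with a writable upper layer (the RAM disk). Not real UnionFS/AuFS code."""

    def __init__(self, lower):
        self._lower = dict(lower)  # path -> bytes; never modified after boot
        self._upper = {}           # copy-on-write layer held in RAM
        self._whiteouts = set()    # lower-layer paths hidden by a delete

    def read(self, path):
        # Lookup order: whiteout hides everything, then RAM, then the CD image.
        if path in self._whiteouts:
            raise FileNotFoundError(path)
        if path in self._upper:
            return self._upper[path]
        if path in self._lower:
            return self._lower[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        # Writes only ever land in the RAM layer.
        self._whiteouts.discard(path)
        self._upper[path] = data

    def append(self, path, data):
        # "Copy-up": the first change to a CD file copies it into RAM first.
        try:
            current = self.read(path)
        except FileNotFoundError:
            current = b""
        self.write(path, current + data)

    def delete(self, path):
        self.read(path)  # raises FileNotFoundError if the path is not visible
        self._upper.pop(path, None)
        if path in self._lower:
            # The CD copy cannot be erased, so it is masked instead.
            self._whiteouts.add(path)

    def listdir(self):
        return sorted((set(self._lower) | set(self._upper)) - self._whiteouts)

    def changed(self):
        # Everything the session altered exists only in RAM.
        return {
            "modified": sorted(p for p in self._upper if p in self._lower),
            "added": sorted(p for p in self._upper if p not in self._lower),
            "deleted": sorted(self._whiteouts),
        }

    def reboot(self):
        # Power loss discards the RAM layer; the image is back to its original state.
        self._upper.clear()
        self._whiteouts.clear()


def demo():
    # Constructed sample image contents.
    fs = UnionMount({"/etc/passwd": b"root:x:0:0\n", "/usr/bin/tool": b"ELF"})
    fs.append("/etc/passwd", b"guest:x:1000:1000\n")
    fs.write("/home/guest/notes.txt", b"draft")
    fs.delete("/usr/bin/tool")
    during = (fs.listdir(), fs.changed())
    fs.reboot()
    return during, fs.listdir()


if __name__ == "__main__":
    print(demo())
```

The `changed()` view is why a live session leaves no trace on the medium, and also why anything worth keeping (evidence, recovered files) has to be copied to other storage before the machine is powered off.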

Live CDs have to be able to detect and use a wide variety of hardware (including network cards, graphics cards, etc.) in real time, often using facilities such as udev, hotplug, hal and udisk, which are a common part of all distributions based on Linux kernel 2.6.

Boot code

During live CD initialization, a user typically may resort to using one or more boot codes to change the booting behavior. These vary from distribution to distribution but can most often be accessed upon first boot screen by one of the function keys.

LogMeIn How To

Create an account

The first step in using LogMeIn is creating an account. Simply visit www.logmein.com and create an account using the provided link. The next step, after creating an account, is to load the LogMeIn Pro software on the computer you wish to access remotely.

LogMeIn installation

Install LogMeIn Pro by selecting that option (the LogMeIn Pro link) from LogMeIn's Web site (from the PC you wish to serve as the remote access host). When you create a new LogMeIn account, the option is automatically presented. (You'll be instructed to click the Add Computer link.) (Figure A)

Figure A

Click the Add Computer link when creating an account to install LogMeIn Pro on the workstation or server you wish to serve as the remote access host machine.

Upon clicking Add Computer, the LogMeIn software will begin downloading. The program is approximately eight megabytes in size, so depending upon your Internet connection, the process should take only a few moments.

When the software has downloaded, you can run the installation program. The LogMeIn setup program will appear, as shown in Figure B.

Figure B

The LogMeIn setup program walks you through installing the remote connectivity software.

After accepting the license agreement, you can choose either a Typical or Custom installation. When choosing the Custom option, the next screen you'll see provides you with the opportunity to name the system. This is the name that will appear when you attempt to connect to the system remotely.

The rest of the Custom installation enables specifying proxy settings (if necessary) and the destination installation folder.

When the installation program completes, a menu will appear indicating LogMeIn is enabled and online (Figure C). An icon also appears within the Windows System Tray (Figure D). At this point, the system can be accessed remotely by any user knowing the LogMeIn user account name and password. No firewall ports require configuration, nor do server account settings need to be updated to enable remote access.

Figure C

LogMeIn confirms it is enabled and online upon completing installation.

Figure D

LogMeIn also adds an icon to the Windows System Tray.

Connect to a remote LogMeIn-enabled system

To connect to the remote system on which you've installed LogMeIn Pro, enter www.logmein.com in the address bar of the computer's Web browser. On the LogMeIn home page, supply your LogMeIn username (e-mail address) and password and click the Log Me In button (Figure E).

Figure E

Users can, from any Internet connected system, remotely access any PC or server with LogMeIn installed on it.

The PC or server upon which you installed and enabled the LogMeIn software will appear (Figure F).

Figure F

LogMeIn-enabled PCs and servers associated with your LogMeIn account appear on the My Computers page.

Click the link for the system to which you wish to connect. You'll see a screen indicating that LogMeIn is connecting to that remote system. Next, you'll see a login screen for the remote Windows system. Here, you need to enter a username, password, and domain for a valid account on the system to which you're connecting (Figure G).

Figure G

Once LogMeIn connects you to the remote system, you still must log in to the remote system as if you were sitting in front of it.

Once you've successfully logged on to the remote system (by supplying a valid user account and password) the connection will be complete. As you can see in Figure H, the LogMeIn Pro software will present you with six options:

  1. Remote Control
  2. File Manager
  3. Guest Invite
  4. File Share
  5. Preferences
  6. Help

Figure H

LogMeIn Pro presents users with these six options.

Each of these items provides its own features and optional settings. Let's explore each individually.

Remote Control

Selecting Remote Control opens the remote system and displays its desktop. While completing the connection, LogMeIn Pro redirects print jobs to your local default printer automatically. A menu appears providing three options: Connect My Default Printer To The Remote Computer, Synchronize My Clipboard With The Remote Computer, and Remember SYSTEMNAME And Don't Display This Dialog Again. Select (or clear) any of the check boxes as required.

Upon clicking Proceed, LogMeIn will display the remote system's desktop (Figure I). You can then control the remote system as if you were physically seated in front of it.

Figure I

LogMeIn Pro shares data with remote systems via a secure 256-bit encrypted connection.

Several options enable customizing the remote control session. Users can select color quality, choose whiteboard or laser pointer mode, choose to match screen resolutions between connected systems, fit the remote window to the current window, or view the remote system actual size. All those options are accessible from the View menu. Full Screen and Connect Drives (for simplifying the sharing of files between the two systems) buttons also appear at the top of the Remote Control window. Should you need to perform a Ctrl+Alt+Del keystroke combination on the remote system, LogMeIn supplies a button for that, as well (Figure J).

Figure J

LogMeIn Pro's toolbars present numerous options for customizing the remote desktop display.

Clicking the More button from LogMeIn's menu bar displays a second toolbar. From the second toolbar, users can specify the remote screen size in pixels, set the zoom value, and open a chat session for connected guests.

Guest Invite

Using LogMeIn Pro's Guest Invite feature, LogMeIn Pro subscribers can invite specific individuals to temporarily access the PC or server's desktop. Note that for this feature to work, the user must be seated at the host system.

File Manager

Selecting File Manager opens a new LogMeIn Pro window. That window features two columns, one for the current system and a second window listing the remote system's files and folders. Exchanging files between the two systems is as simple as dragging and dropping the files between the two windows (Figure K).

Figure K

LogMeIn Pro's File Manager makes quick work of remotely exchanging files between two systems.

File Share

LogMeIn Pro's File Share feature enables sharing files with specific contacts. The feature works by creating a secure link to files on the remote system. That secure link can then be shared with contacts with whom you wish to share files. In addition to creating the secure link, LogMeIn Pro users can specify that users receive a certain number of downloads or provide a timeframe within which the files must be accessed.

Preferences

Using the Preferences menu, users can customize Remote Control sessions, Security Settings, Network Settings, Log Settings, Reboot Options, and Advanced Options (Figure L).

Among the Remote Control session settings that can be customized are general settings (such as enabling guest invitations), security (such as disabling host keyboard and mouse, blanking the host's monitor, and locking the console if the session is broken), visible and audible notification (alarm beeps for alerting the user when remote control sessions start or end), interactive user's permission (such as requiring a remote user to approve the remote connection request), remote printing, and drive connection. Simple check boxes are provided for enabling (or disabling) each clearly listed feature.

Security settings that can be customized include access controls (defining or editing user-specific permissions), changing the Windows system password, preventing specific IP addresses from connecting to the host, filtering IP addresses, logs, SSL setup, and personal passwords.

File transfer limits, bandwidth restrictions, and idle time settings are configured from within Network Settings, as are proxy settings.

Among the Log Settings that can be configured are the number of days for which log files should be kept, system log parameters (for sending log files to a Syslog server) and remote control recording (LogMeIn Pro can create video files of remote sessions).

From the Reboot menu, users can opt to restart the LogMeIn session. Users can also choose to reboot the remote system normally. Should a program have locked up, users also have a hard reboot option (and even an emergency reboot alternative) available in which Windows isn't permitted to gracefully shut down. Instead, these reboots force Windows to restart as if the reset button were physically depressed on the front of the remote host computer. Further reboot options include a safe-mode reboot (in which Windows starts in Safe Mode with Networking Enabled) and a reboot scheduled for a specific time.

Advanced Options available to LogMeIn Pro users include disabling HTML-based remote control, disabling HTML content compression and customizing specific log on messages. The default language settings are also configured from within the Advanced Options menu.

Figure L

LogMeIn enables users to customize numerous session settings.

Help

From the Help menu, LogMeIn provides a Getting Started guide designed to quickly bring new users up to speed using the remote connectivity software. There's also an online user manual, as well as more information on the software license. Customer support and feedback links are provided within the application's Help menu.

An effective investment

LogMeIn provides a solid and reliable tool for solving remote connectivity issues. Further, the software solves the infamous problem of trying to print remote data on a local system.

While the software is designed, by default, to deliver a potent remote connectivity solution, knowing how to access the application's advanced features makes any investment in the utility that much more effective.


Looking up medical info on the web poses a privacy risk

(Truman Lewis @ ConsumerAffairs) True or false: The Internet is a good place to find health information because it's completely confidential.

Answer: False, at least according to a new analysis of over 80,000 health-related web pages. Researchers found that nine out of ten visits result in personal health information being leaked to third parties, including online advertisers and data brokers.

This puts users at risk for two significant reasons:

First, people's health interests may be publicly identified along with their names. This could happen if hackers or other criminals get hold of the information, it is accidentally leaked, or data brokers collect and sell the information.

Second, many online marketers use algorithmic tools which automatically cluster people into groups with names like "target" and "waste". Predictably, those in the "target" category are extended favorable discounts at retailers and advance notice of sales. Given that 62% of bankruptcies are the result of medical expenses, it is possible anyone visiting medical websites may be grouped into the "waste" category and denied favorable offers.

Timothy Libert, a doctoral student at the University of Pennsylvania's Annenberg School for Communication conducted the study. He wrote a software tool that investigates Hypertext Transfer Protocol (HTTP) requests initiated to third-party advertisers and data brokers.

91% of health pages

He found that 91% of health-related web pages initiate HTTP requests to third-parties. Seventy percent of these requests include information about specific symptoms, treatment, or diseases (AIDS, cancer, etc.).

The vast majority of these requests go to a handful of online advertisers: Google collects user information from 78% of pages, comScore 38%, and Facebook 31%. Two data brokers, Experian and Acxiom, were also found on thousands of pages.
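
The kind of measurement described above can be sketched as follows. This is an added example, not Libert's tool: the capture records, host names and keyword list are constructed, and the last-two-labels rule for deciding "same site" is a simplifying assumption (real tooling should use the Public Suffix List).

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed keyword list; a real study would use a curated medical vocabulary.
HEALTH_TERMS = frozenset({"hiv", "aids", "cancer", "diabetes", "depression", "herpes"})

# Constructed capture: one record per HTTP request a page triggered.
CAPTURE = [
    {"page": "https://health.example/conditions/hiv-symptoms",
     "request": "https://health.example/static/site.css",
     "referer": "https://health.example/conditions/hiv-symptoms"},
    {"page": "https://health.example/conditions/hiv-symptoms",
     "request": "https://ads.tracker-one.example/pixel.gif"
                "?dl=https%3A%2F%2Fhealth.example%2Fconditions%2Fhiv-symptoms",
     "referer": "https://health.example/conditions/hiv-symptoms"},
    {"page": "https://health.example/conditions/hiv-symptoms",
     "request": "https://cdn.fonts-host.example/font.woff2",
     "referer": "https://health.example/"},  # origin-only Referer
    {"page": "https://clinic.example/article?id=481&topic=diabetes",
     "request": "https://social.widget.example/like.js",
     "referer": "https://clinic.example/article?id=481&topic=diabetes"},
    {"page": "https://wellness.example/recipes/smoothies",
     "request": "https://img.wellness.example/a.png",
     "referer": "https://wellness.example/recipes/smoothies"},
]


def site_of(url):
    """Approximate the registrable domain as the last two host labels (assumption)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def health_terms_in(text):
    """Return health keywords that appear as whole tokens in a URL fragment."""
    tokens = re.split(r"[^a-z0-9]+", unquote(text or "").lower())
    return sorted(set(tokens) & HEALTH_TERMS)


def analyze(capture):
    pages = {}                 # page URL -> True once it made a third-party request
    findings = []
    third_party_requests = 0
    for rec in capture:
        pages.setdefault(rec["page"], False)
        req_site = site_of(rec["request"])
        if req_site == site_of(rec["page"]):
            continue           # first-party request, nothing leaves the site
        pages[rec["page"]] = True
        third_party_requests += 1
        parts = urlsplit(rec["request"])
        # Two leak channels: the Referer header and the request's own path/query.
        referer_terms = health_terms_in(rec.get("referer"))
        url_terms = health_terms_in(parts.path + "?" + parts.query)
        if referer_terms or url_terms:
            findings.append({"page": rec["page"], "third_party": req_site,
                             "referer_terms": referer_terms, "url_terms": url_terms})
    return {"pages": len(pages),
            "pages_with_third_party": sum(pages.values()),
            "third_party_requests": third_party_requests,
            "leaking_requests": len(findings),
            "findings": findings}


if __name__ == "__main__":
    report = analyze(CAPTURE)
    for f in report["findings"]:
        print(f["third_party"], "learned", f["referer_terms"] or f["url_terms"], "from", f["page"])
    print({k: v for k, v in report.items() if k != "findings"})
```

The font request in the sample carries only the origin in its Referer, which is what a `Referrer-Policy` of `strict-origin-when-cross-origin` or stricter produces for cross-origin requests; it counts as a third-party request but leaks no page-level health term.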

"Google offers a number of services which collect detailed personal information such as a user's personal email (Gmail), work email (Apps for Business), and physical location (Google Maps)," Libert writes. "For those who use Google's social media offering, Google+, a real name is forcefully encouraged. By combining the many types of information held by Google services, it would be fairly trivial for the company to match real identities to "anonymous" web browsing data."

Indeed, in 2014, the Office of the Privacy Commissioner of Canada found Google to be violating Canadian privacy laws.

"Wholly anonymous"

"Advertisers promise their methods are wholly anonymous and therefore benign," Libert writes. "Yet identification is not always required for discriminatory behavior to occur." He cites a 2013 study where individuals' names were associated with web searches of a criminal record, simply based on whether someone had a "black name."

"Personal health information - historically protected by the Hippocratic Oath - has suddenly become the property of private corporations who may sell it to the highest bidder or accidentally misuse it to discriminate against the ill," Libert said. "As health information seeking has moved online, the privacy of a doctor's office has been traded in for the silent intrusion of behavioral tracking."

Libert points out that the federal Health Insurance Portability and Accountability Act (HIPAA) is not meant to police business practices by third-party commercial entities or data brokers. Regulation in this area is largely nonexistent in the U.S., meaning that individuals looking up health information online are left exposed and vulnerable.

The findings are reported in the article "Privacy Implications of Health Information Seeking on the Web," appearing in the March 2015 issue of Communications of the ACM.

Macs never get viruses: is that true?

Last year's outbreak of the malicious Trojan called Flashback infected more than 600,000 Macs. The year before that, the fake anti-virus rogueware known as MacDefender also caused chaos for Mac users.

These high-profile security breaches were a wake-up call for Mac users who believed that Apple computers were immune to the viruses that plague PC users.

Apple once boasted in its ads that Mac users could relax and let the built-in defenses of OS X do all the heavy lifting to safeguard their data. The tech giant has since toned down that message.

Don’t let your purchase of a Mac lull you into a false sense of security. Like PC users, Mac users should make safe browsing and vigilant virus monitoring a top priority.

Main Websites That Share Your Personal Information

(Wall Street Journal) Which Websites Are Sharing Your Personal Details?
To identify what personal information gets passed to other companies when you log in to popular websites, The Wall Street Journal tested 50 of the top sites (by U.S. traffic) that offer registration, excluding sites that required a real-world account, such as banking sites. The Journal also tested 20 selected other sites that focus on sensitive subjects such as dating, politics, health, or children’s issues, and our own site, WSJ.com. Results for each site are below. Sites are ranked by popularity, based on comScore's numbers. Sites not in comScore's top 1,000 are marked with a "*".

Make connected devices more secure

For starters, change the default password on all connected devices

As we have recently seen, everyday devices that connect to the internet, the so-called Internet of Things (IoT), are vulnerable to cyber-attack.

Last month, a hacker harnessed tens of millions of these devices to launch denial of service attacks that temporarily blocked access to major web destinations like Amazon, Netflix, and Twitter.

Apparently, it wasn't that hard to do. For the most part, these devices are unprotected by security software. How many IoT devices are in your home? Probably a lot more than you think.

The IoT includes things like your router, your DVR, and your printers. But it might also include your refrigerator, smart lighting system, and your thermostat.

Invasion of the botnets

A clever hacker can easily penetrate these devices and install malware that enlists them in a botnet, ready to follow the hacker's orders. Botnets have taken over PCs for years, using them to send out spam emails. Now that they can seize millions of other devices, they are even more of a threat.

Security Intelligence, a cyber-security publication, raised the IoT security issue two years ago. Back then, it pointed to several potential pitfalls.

First, with so many devices – and some estimates predict 30 billion connected devices by 2020 – it will be next to impossible to keep security on them up to date.

Because there will be so much data moving through the IoT, how do you tell the good data from the potentially harmful data? And with companies using proprietary implementations, it could make it harder to find hidden or unknown zero-day attacks.

What to do

While there are steps consumers can take to make their IoT more secure, California Attorney General Kamala Harris says manufacturers of these devices have not done a good job of telling consumers how to do it. A first step, she says, is for consumers to change the default passwords for any and all devices that connect to the internet.

To do that, find the default login information in the user manual, or in some cases, on the device itself. If it isn't obvious, do an online search for “default router, DVR, or webcam username and password,” then check for the name and model of your device.

You then use the default log-in to access your account and change the password.

Ultimately, Harris says manufacturers need to do a better job of making their devices more secure to start with, and regularly updating their security protection.

Malware Report By Country Yields Surprising Results

(Jeff Roberts @ Gigaom) Google’s Transparency Report is a document that shines light on threats to the internet, including copyright takedowns and government surveillance requests. On Tuesday, the search giant announced a new section that highlights sources of malware and phishing attacks.

According to a company blog post, the information is an outgrowth of Google’s “safe browsing” program which warns consumers when they visit a site that appears to be infected with malware. The site details specific incidents but also shows overall trends. These include the pleasant surprise that, unlike government surveillance, malware does not appear to be on the rise.

The coolest part of the report may be a heat map that lets a user mouse over countries to view the rate of suspicious sites. The United States scores very well; a Google scan of Autonomous Systems turned up a malware rate of only 2%.

The highest rate of malware, however, doesn’t belong to obvious suspects like Russia or Ukraine (8% each), but instead India (15%) and many Latin American countries like Mexico (12%) and Chile (11%). Central Europe also had high malware rates, in particular Hungary (15%) and Bosnia (16%). Google cautions that this data is “not comprehensive and is best viewed as an indicator of the global malware problem.”


Malware alert - ignore that order confirmation email!


(Jennifer Abel @ ConsumerAffairs) And especially don't click on any links or download attachments in those emails

With the December holiday-shopping season revving into full gear, the world's thieves, fraudsters and malware writers have been doing the same thing. If you have any web-based email accounts, chances are you've been noticing a recent uptick in the number of “order confirmation” messages landing in your inbox – and chances are they're all fraudulent, trying to trick you into loading dangerously nasty malware onto your computer.

Security blogger Brian Krebs went into some detail explaining the technical aspects of the latest batch of emails: those realistic-looking messages, allegedly from Walmart, Home Depot, Costco or similar retailers, will load a spam botnet called Asprox, which Krebs said is “a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email (such as the pharmaceutical spam detailed in my new book Spam Nation), and perpetuates additional Asprox malware attacks.”

But from a non-technical perspective, all you really need to do is notice that the emails, though professional-looking, are also addressed generically rather than specifically. Almost all dangerous malware or phishing emails do that.

Could apply to anyone

Consider, for example, the fake jury duty or court-appearance notice. If you get such a message, it's always vague enough that it could apply to anybody: “You must appear in court for jury duty.” “You are being sued for lots of money in court.”

Compare that to what a real jury duty or court appearance notice looks like: “Morton Finkleblatt of 37 West Street is ordered to appear in Federal District Court, 1500 Courthouse Plaza.”

Of course, if you actually get a notice it won't look like that, because your name isn't Morton Finkleblatt and you probably don't live at 37 West Street, either. Even if you do, those listed addresses are supposed to mention a city and state, too – specifically, the state where you personally live, and the city hosting the courthouse nearest you. Finally, an actual jury duty or court-appearance notice will come to you printed on paper, arriving in your old-fashioned mailbox.

Of course, that last bit isn't necessarily the case when you buy something from an online retailer: if the seller contacts you, it'll likely be via email rather than snail-mail. But those genuine, non-scammy emails will still include your specific identifying information — real messages from Amazon don't say “Your order has shipped,” they say “Wile E. Coyote, your order of ACME rocket-powered roller skates has shipped.”

The same holds true for Walmart, Home Depot, Target, Costco, and pretty much every legitimate online retailer out there: they might send you emails if you're a customer of theirs, but those emails are addressed specifically to you. And when you get real order-tracking emails or other information about a purchase you actually made, you're not asked to do anything as a result, certainly not asked to click on a link in the email or download some virus-ridden file attachment.

Malware and invoice scam losses $1 billion in 18 months

 


If you pay any attention to any news stream, you'll see a near-constant flow of articles warning you about the latest scam to prey on unwary individual consumers: advance-fee job scams, Facebook like-farming scams, jury-duty or notice-to-appear scams, IRS scams, phishing scams, and more.

With all this focus on scams targeting individual people, it's sometimes easy to overlook the scams that target businesses. But that would be a mistake. Indeed, from a scammer's perspective, a business (or non-profit) of a certain size can be easier to fool than an ordinary billpayer – mainly because businesses typically have a lot more bills to pay.

Invoice scams hurt businesses

In January, for example, we warned you about a then-new variant of the “invoice scam,” a classic form of fraud wherein the scammer sends out fake bills or invoices in hope that the victim will pay those fraudulent bills in addition to real ones. At the time, the U.S. Postal Service estimated that American businesses lose millions if not billions of dollars to such scams every year – though the exact amount is probably impossible to determine, because the scam's very nature means many of its victims have no idea they're being victimized.

At any rate, that new variant of the “fake invoice scam” might be called the “real invoice scam” — although the FBI's Internet Crime Complaint Center (or IC3) dubbed it the “Business E-Mail Compromise.”

Here's how it works: let's say you own (or have a job handling payments for) a candy-making company. If so, there are many suppliers to whom your business makes regular payments: candy-makers need to buy massive quantities of sugar, corn syrup, chocolate liquor, and/or other raw ingredients used to make candies.

If I'm a modern invoice scammer, chances are I needn't even bother with an invoice. All I have to do is send an official-looking email to your @candymaker.com business address, while pretending to be one of your suppliers: “Hello, this is SugarCorp writing to inform you that we've recently switched banks. Please update our information in your payment database: instead of sending SugarCorp payments to account Y at bank Z, send future payments to account A at bank B.” Then I relax, have a drink, and watch the money roll in – at least until the real SugarCorp contacts your Accounts Payable department to ask why they haven't been paid.

And if my scamming self has actual hacking skills, rather than the mere ability to write a convincing-looking fake email, then so much the better: instead of waiting for one of your employees to fall for my scambait and divert payments to me, I can simply hack into the right account and make those arrangements on my own.

Huge losses worldwide

In January, the IC3 issued a report saying that from Oct. 1, 2013 through Dec. 1, 2014, it received complaints about this scam from every U.S. state and 45 other countries, totaling 1,198 American victims who lost a combined $179,800,000, and 928 non-Americans who lost a combination of non-U.S. currencies worth $35,220,000 – worldwide losses across 46 nations totaling $215 million in 14 months.

And either the pace of such scams is quickening, or vastly more victims have come forward, since that January report. Yesterday, when the Wall Street Journal ran an article about such email business fraud, it said “Companies across the globe lost more than $1 billion from October 2013 through June 2015 as a result of such schemes, according to the Federal Bureau of Investigation. The estimates include complaints from businesses in 64 countries, though most come from U.S. firms.”

Compare that to what the FBI said in its January IC3 report: from October 2013 through last December, worldwide losses were less than a quarter-billion dollars – and only seven months later that total had more than quadrupled to over a billion dollars.

One recent victim profiled in the Journal lost $100,000 to such a scam in April, only instead of a candymaker losing money to a bogus sugar producer, it was a scrap-metal producer scammed by a fake titanium vendor. David Megdal, vice-president of a Phoenix-based scrap processing company called Mega Metals, said that the company had wired $100,000 to a German vendor (or so it thought) as payment for 40,000 pounds of titanium shavings. But sometime after Mega Metals made that April wire transfer, the real titanium vendor let the company know it still hadn't received payment.

Turns out that an unknown “third party” had managed to compromise the email account of a broker who works for Mega Metals. An inspection of the malware on the broker's computer shows that the thieves managed to steal the passwords to the broker's email, then used that access to make alterations to legitimate payment arrangements.

Bad as this loss was, it could've been much worse – $100K is a relatively small transaction for Mega Metals, which pays up to $5 million for some (legitimate) shipments. In order to avoid future repeats of this scam, the company now verifies email wire transfer instructions with a phone call to the company receiving payment – and does not call any number provided in the email itself.

Take precautions

Mega Metals has basically adopted an anti-phishing rule we've repeated here often: “Don't call me; I'll call you.”

In other words, be suspicious of any unsolicited email (or text, or phone call) you get reporting problems or changes with your accounts – even if that email does seem to be from a legitimate business, financial or government institution. If you're worried about a problem with your Netflix account, bank account, or anything else, it's okay if you contact Netflix or your bank, but be wary when Netflix or your bank allegedly contacts you.

If you're a business owner, it's fine for you to contact your suppliers about issues regarding payment arrangements – but if someone claiming to represent your supplier contacts you to request a change, you must verify this on your own rather than taking that unsolicited message at its word. You didn't call them; they called you, and in today's world that's a warning sign of a scam.

Malware in Pirated Videos

Attorneys general from more than half the states have signed onto a campaign to warn consumers about websites trafficking in pirated content.

The websites attract visitors by offering free movies and other stolen entertainment content, but also give viewers more than they bargained for in the form of malware.

The campaign is led by the Digital Citizens Alliance, an advocacy group that focuses public attention on internet threats. The promise of free entertainment content, it says, comes at a high cost.

"With technology moving so fast, it's sometimes difficult to know what is risky," said Tom Galvin, Executive Director of the Digital Citizens Alliance. “That is why state AGs are playing a vital role in alerting consumers to the danger that consumers face from malware and content theft websites."

Galvin cites data from RiskIQ showing one in three websites providing free entertainment content can infect visitors' devices with malware, potentially exposing information that can be used for identity theft.

'Drive-by downloads'

Just visiting one of these websites can lead to infection. RiskIQ found 45 percent of malware was delivered through so-called "drive-by downloads" that do not require the victim to click on a link.

"From websites to new devices loaded with pirated content, hackers have found ingenious ways to invade your home," Galvin said. "The best defense is knowledge, and AGs are providing it."

The attorneys general from 28 states are appearing in public service announcements distributed online and airing on television stations in their states.

The Federal Trade Commission (FTC) has also been active in this area, warning consumers to stay away from websites offering access to pirated content.

Will Maxson, the FTC's assistant director in the Division of Marketing Practices, said the agency downloaded movies from five sites offering them for free. In all five cases, he says, the agency's computers ended up with malware.

Neither the Digital Citizens Alliance nor the FTC identified specific websites that they said are distributing malware along with free entertainment.

Malware loves Windows Task Scheduler

More malware is using Windows Task Scheduler to do its dirty work. Here's how to mitigate this surprising attack vector, used by the Stuxnet worm, recent Zlob variants, and click-fraud Trojans like Bamital.

Stuxnet exploited Task Scheduler in a way that was previously unknown -- it was a true zero-day attack. But malware doesn't have to get too fancy to put Task Scheduler to ill use. For example, malware will often create a task that looks for certain preconditions to launch, downloads new malicious code on a schedule, or uses scheduled tasks as a way to always remain in memory. I've seen malware hunters struggle to find out how the malicious code "keeps re-infecting their clean system." Answer: Check the Task Scheduler.
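One way to act on "check the Task Scheduler", as an added example that is not part of the original article: a Python triage script that reads exported task definitions (the XML produced by `schtasks /query /xml` or stored under `C:\Windows\System32\Tasks`) and flags the behaviours described above. The heuristics, task names, paths and sample XML are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics chosen for this example (assumptions, not an exhaustive rule set).
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|tmp|public)%"
    r"|\\(appdata|temp|programdata)\\|\\users\\public\\", re.I)
INTERPRETERS = {"powershell", "pwsh", "cmd", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32"}
URL = re.compile(r"https?://", re.I)


def analyze_task(xml_text):
    """Return the reasons (possibly none) a task definition deserves review."""
    # Files on disk are UTF-16; pass their raw bytes and the parser decodes them.
    root = ET.fromstring(xml_text)
    reasons = []

    # "Always remain in memory": relaunch at boot/logon or on a repeat interval.
    for trig in root.findall("t:Triggers/*", NS):
        kind = trig.tag.rsplit("}", 1)[-1]
        if kind in ("BootTrigger", "LogonTrigger"):
            reasons.append("trigger: runs at every " + kind[:-len("Trigger")].lower())
        interval = trig.findtext("t:Repetition/t:Interval", None, NS)
        if interval:
            reasons.append("trigger: repeats every " + interval.strip())

    # "Downloads new code on a schedule": what is launched, from where, with what.
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", "", NS).strip().strip('"')
        args = action.findtext("t:Arguments", "", NS).strip()
        exe = ntpath.splitext(ntpath.basename(cmd))[0].lower()
        if USER_WRITABLE.search(cmd):
            reasons.append("action: binary in user-writable path: " + cmd)
        if exe in INTERPRETERS:
            reasons.append("action: launches script host or system utility: " + exe)
        if USER_WRITABLE.search(args):
            reasons.append("action: arguments point into a user-writable path")
        if URL.search(args):
            reasons.append("action: arguments contain a URL")

    if root.findtext("t:Settings/t:Hidden", "false", NS).strip().lower() == "true":
        reasons.append("settings: task is hidden from the default view")
    return reasons


def triage(named_tasks):
    """Map task name -> reasons, keeping only tasks with at least one finding."""
    flagged = {}
    for name, xml_text in named_tasks.items():
        reasons = analyze_task(xml_text)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample definitions (not taken from any real system or malware).
_HEAD = '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
BENIGN = _HEAD + r"""
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
    <Arguments>/silent</Arguments></Exec></Actions>
</Task>"""
SUSPECT_A = _HEAD + r"""
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Users\alice\AppData\Roaming\svch0st.exe</Command>
    <Arguments>/update http://updates.example.invalid/next.bin</Arguments></Exec></Actions>
</Task>"""
SUSPECT_B = _HEAD + r"""
  <Triggers><BootTrigger/></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//B %TEMP%\run.vbs</Arguments></Exec></Actions>
</Task>"""
SAMPLES = {"VendorUpdate": BENIGN, "UpdaterHelper": SUSPECT_A, "DiskCheck": SUSPECT_B}

if __name__ == "__main__":
    for task_name, why in triage(SAMPLES).items():
        print(task_name)
        for reason in why:
            print("   ", reason)
```

A finding is a prompt to look at the task, not a verdict: legitimate software also runs at logon and from `ProgramData`, so compare flagged tasks against a known-good baseline for the machine.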

Managing: Computer Abuse Prevention VS Personal Privacy

Companies are responsible for the use of electronic equipment in a way that does not harm the business whilst protecting its employees, customers, and investors. On the other hand, employees have certain privacy expectations that can result in invasion of privacy claims when management does not take steps to ensure responsible use and privacy policies. This article addresses the rights of both businesses and employees, and makes recommendations to help keep managers out of civil court.

The legal environment

Abuse of the Internet and email tops the list of employee activities that might result in worker claims that a hostile work environment exists. This is particularly true in organizations where access to pornographic sites is not restricted.

In Adamson v. Minneapolis Public Library, the library paid $435,000 to settle a sexual harassment claim. The claim was made by 12 librarians who asserted that a hostile work environment was created by patrons accessing pornographic or sexually explicit material. In a related case, Chevron Corporation paid over $2 million to settle litigation brought by four women who claimed they received Internet pornography from coworkers on Chevron computers.

Another valid reason to monitor employee use of electronic devices is to ensure each person is actually working while in the office. Employees are paid to provide a certain level of productivity. The courts have ruled that it is not unreasonable for employers to check to ensure that personal Internet browsing or personal email use is not interfering with business processes.

Monitoring of email and other forms of electronic communication might also be necessary to ensure proper handling of information that could potentially fall under discovery during current or future litigation. The new Federal discovery rules, which took effect on December 1, 2006, are reason enough to begin controlling how electronic communication is managed. The new rules, part of a change to the Federal Rules of Civil Procedure, put additional emphasis on corporate responsibility for producing information requested during litigation.

Finally, employers are allowed to monitor electronic communication for the purpose of preventing intellectual property theft.

The basis for an employer's right to monitor electronic information is the Electronic Communications Privacy Act of 1986 (18 U.S.C. Section 2510 et seq.). The ECPA provides for employer monitoring of electronic communication if the device monitored is used in the normal course of business. The device should be owned by the employer and be part of the business network.

However, there is a limit on the information that an employer can access. Managers are not allowed to eavesdrop on their employees or browse through electronic media for reasons unrelated to abuse prevention. Judicial impatience is growing with employers who violate what is seen as a reasonable expectation of privacy. In other words, if you are reading through material that you know does not constitute abuse you might be on very shaky legal or moral ground.

In an article entitled "Employers' Rights to Monitor Employee Email under United States Law", Pavlina B. Dirom wrote that courts tend to consider two issues when looking at privacy cases.

An employer must show the context of intrusion. In other words, the intent of monitoring must be related to protecting the business.

The court will look at the content of the information in question. Companies are only allowed to intrude into electronic communications -- including phone and email -- to the point at which it is clear that the content:

  1. Is personal
  2. Does not violate any laws
  3. Does not put the company, its employees, or its customers at risk

Examples of rulings on these issues include Watkins v. L. M. Berry & Company and Smyth v. Pillsbury Co. It is important to note that workplace privacy laws can vary across local and state boundaries. An employer must understand the legal environment in which her organization operates before writing policy or monitoring employee activities.

The right way to monitor

There is a widely accepted principle that is easily applied to employee expectation of privacy -- as employee awareness of monitoring policies and practices increases, employee expectation of privacy decreases. So the first step in implementing monitoring processes is employee education.

The technology policy or employee manual -- which every employee should read and sign -- should contain information describing proper use of company information assets. It should further stipulate that neither Internet access nor email may be used in a way that is illegal or causes harm to the organization or its employees. Management's intent to monitor for compliance AND the employee's right to privacy must be included.

This communication of management's assertion of its right to search or monitor computer storage, voice mail, email, and other relevant areas of an employee's workspace is typically interpreted as enough to sufficiently lower employee expectation of privacy.

FindLaw has posted a list of DOs and DON'Ts for employers who want to protect themselves from potential liability from employee abuse of information assets while providing reasonable and appropriate privacy for their employees. The URL is: http://smallbusiness.findlaw.com/employment-employer/employment-employer-other/employment-employer-other-privacy-do-dont.html 

Summarizing that list:

  1. Provide all employees with training about the best and most efficient use of email and Internet searching
  2. Make rules about Internet and email use
  3. Prohibit access to pornography
  4. Prohibit access to Internet sites or the use of email in a way that might create a hostile work environment
  5. Prohibit or limit personal use of email
  6. Create a clear policy and make all employees aware of its content and the possible sanctions if the policy is violated -- include clear statements about the organization's position on privacy and its right to search employee work areas when abuse or illegal activity is suspected
  7. Don't spy on your employees -- monitor for abuse only
  8. Make sure your employees know why they have Internet access -- it is a business tool

The final word

Employers have the right to protect their businesses by monitoring employee use of electronic devices. However, this right is not absolute. There is still a line between looking for abuse and browsing communications containing information considered personal and private.

Companies should establish monitoring policies that are clearly communicated to the workforce.

Companies must establish a technology policy that explicitly spells out employees' right to privacy.

Active Technologies, LLC is pleased to provide technology policy templates.

This helps reduce expectation of privacy as well as the probability of invasion of privacy litigation.

Managing: Implement a data destruction policy to keep corporate secrets safe

Takeaway: The Sarbanes-Oxley Act and other legislation have made data retention a hot topic. But what about the flip side of the coin: what happens when your data has finally served its purpose?

Mike Mullins explains the importance of a data destruction policy and discusses steps you can take to prevent unauthorized access to corporate data.

Over the past few years, data retention has become a critical issue for corporations as they take steps to comply with complicated legislation, particularly, the Sarbanes-Oxley Act. While companies obsess over the retention requirements and boost their storage capabilities, there seems to be a tendency to ignore the flip side of the coin: data destruction.

What happens when your data has finally served its purpose? Sooner or later, you'll need to clean out those storage devices and free up some space. In previous articles, I've discussed how to erase old hardware and wipe data from routers and switches before discarding them. But these aren't the only devices on which data resides.

How much data do you think your organization has lying around in old file cabinets or long-forgotten CDs? When it comes to old media, don't throw it away, destroy it! By destroying any media that the organization no longer needs, you deny data thieves access to corporate secrets.

In June, the U.S. Federal Trade Commission enacted legislation called FACTA (Fair and Accurate Credit Transactions Act of 2003). FACTA targets consumer information, such as the type that credit agencies and lenders collect, in hopes of fighting the growing epidemic of identity theft. However, it's a good idea to incorporate the principles of this law throughout your company as a best practice for media destruction.

FACTA requires "disposal practices that are reasonable and appropriate to prevent the unauthorized access to, or use of, information in a consumer report." But think about this in broader terms: The end result of all data destruction should be to deny unauthorized access to any information.

Of course, the method of destruction varies depending on the type of media in question. Let's look at some of the most common media types and the destruction method for each.

Paper

When it comes to policy and practice, companies often overlook paper as a form of media. However, it's vital to include this category in your overall data destruction strategy.

Stop throwing away reports and sticky notes, and start destroying them. Take steps to destroy all documents and handwritten notes produced as a part of your business as soon as they are no longer necessary to your business. The most common approach for complying with HIPAA and FACTA regulations is cross-cut shredding that yields a paper fragment of 1mm by 5mm.

CD-ROMs and DVDs

Almost every business produces CD-ROMs or DVDs, either for distribution to its clients or for internal data storage and portability. If you no longer need the information stored on that media or if you move the information to a different form of storage media, make sure you destroy the CD-ROMs or DVDs.

Several acceptable methods exist for the destruction of this type of media. Options include breaking the disks, cutting them up with scissors, and even a specialized machine that shreds CD-ROMs and DVDs.

Floppy disks – tape – flash drives

By design, magnetic media such as floppy disks and tapes are easy to erase and write to many times. Erase the media with one of the freely available programs that formats and writes 0s and 1s in a random pattern. When you're finished with formatting and overwriting, use scissors to cut the media and render it useless to prying eyes.

USB drives

These days, almost everyone has a USB drive that holds anywhere from 32 MB to a GB or more. These devices are reusable, and many keep using them until they no longer function. If you do need to destroy one of these devices and can't reformat it, just break the device in half. That will render the device unusable to someone who finds it in the trash.

Final thoughts

When implementing a data destruction policy for your organization, keep in mind that you need to balance the risk of disclosure with the cost of destruction. (I intentionally didn't cover hard drives in this article, because hard drive destruction and destroying information on a hard drive is a totally different issue from portable media.)

In addition, remember that if the data is valuable enough, someone might go to extraordinary lengths to recover that information. Regardless of the value of the data or the method you use to destroy your media, the end result should be to completely deny unauthorized access to the data.

Managing: The Cost of Slack Data Retention Policies (Data - Email - Instant Messaging)

It is hard to believe that with all that's been written about compliance legislation in recent years, a political aide in a major city's administration would not know a little something about the rules of email retention. However, if another cautionary tale is needed on the subject, just look at the brewing political scandal in Boston:

Secretary of State William F. Galvin's office has ordered the city of Boston to immediately secure City Hall computers and hire an independent computer forensics expert to retrieve emails that were improperly deleted by Mayor Thomas M. Menino's top policy aide….

The public records law requires municipal employees to save electronic correspondence for at least two years, even if the contents are of “no informational or evidential value.” Penalties include fines of up to $500 or prison sentences of up to one year.

Apparently, the aide in question believed that despite his routine deletion of emails and trash-emptying at the end of each day, the emails would still be backed up by city servers. The message for Business Leaders should be that you can never assume too much on the part of your organization's users, no matter what their role or status.

In addition to having a clearly-stated email retention policy and requiring some sort of acknowledgement from users that they've read and understood it, it is also necessary to review the configuration of servers, backup procedures, and archiving programs to make sure that all reasonable technical measures have been taken to safeguard the organization's data from improper deletion and employee cluelessness.

A data retention policy is the first step in helping protect an organization's data and avoid financial, civil and criminal penalties that increasingly accompany poor data management practices. Local, state, federal and international laws and industry regulations not only specify the types of data organizations and businesses must retain, legislation and industry guidelines also dictate how long specific types of data must be maintained and even the manner in which the data is to be stored. But legal considerations aren't the only reason to develop and implement strong data retention practices.

Data retention policies

Data retention policies form an important foundation for helping manage an organization's data. In addition to paper documentation, corporations increasingly are creating and relying upon large streams of electronic information that often aren't cataloged or stored in traditional filing systems. Capturing customer correspondence, accounting records, financial and sales data, electronic communications and other digital business information is critical in helping ensure not only that organizations remain in compliance with legislative requirements and industry regulations, but also that organizations possess sufficient data backups necessary for recovering from catastrophes. Without strong data retention policies, organizations may find it impossible to resume operations following a disaster.

Developing an effective data retention policy requires dedicated research and the assistance of a qualified legal representative. The varied and bewildering number of local, state, federal and international laws, combined with numerous industry restrictions, essentially requires that you work closely with legal counsel to ensure compliance with all laws, regulations and requirements applicable to your organization. For example, the Health Insurance Portability and Accounting Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 and Securities and Exchange Commission rules 17a-3 and 17a-4 all place restrictions on the manner in which data is retained.

Whether you're responsible for fulfilling information technology responsibilities for a publicly traded company, a nonprofit, an educational institution, a medical facility, a financial services firm, a small business, a private partnership or even a franchise operation, a number of data retention restrictions likely apply to your business. From customer and client data to patient records, organizations face an increasing number of data retention requirements. The following are the types of information, records and data that should be covered by every organization's data retention policy:

Electronic communications

Business, client, agent and supplier correspondence

Documents

Spreadsheets

Databases

Customer records

Employee records

Supplier and partner information

Transactional data

Contracts

Sales, invoice and billing information

Accounting, banking, finance, earnings and tax data

Health care, medical and patient information

Student and educational data

Other data produced and collected in fulfilling business activities

All data retention policies should describe the types of data the organization must retain, the length of time the data should be stored and the format in which such data should be stored. Another easily overlooked element that data retention policies should cover is instructions describing which organization representatives are authorized to delete data. In addition, data retention policies should state that a specific information technology staff member is responsible for confirming all organization data is properly destroyed before organization equipment is disposed of.

The policy should clearly describe those individuals and employees covered by the policy, as well as the procedures that are to be followed in the event of a breach. Effective data retention policies must also describe the penalties that result from violations and require all covered parties to sign documentation attesting they understand the policy and pledge to uphold its tenets.

Policies must also state clearly that no organization officer, employee or other representative is to modify, delete or destroy any data in violation of local, state, federal, international or industry regulation.

Once such policies are drafted, implemented and signed, an organization's work is just beginning. Information technology departments must lead the effort of policing the policy. Only policies that are actively monitored and enforced prove successful.

Just implementing a policy doesn't ensure an organization's data retention practices change. Instead, the organization must work to ensure new routines, practices and systems are adopted to make proper data retention procedures habitual as opposed to exceptional.

Risk of Unmanaged Email & Instant Messaging

According to a recent survey, 65 percent of companies lack e-mail retention policies. Only 54 percent of the corporations surveyed conduct any kind of formal e-mail policy training. One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation.

If you need some reasons why not having an e-mail retention policy is a bad idea, just keep reading.

Baseline magazine ran a piece about companies who found out the hard way that not retaining data can hit the bottom line and hit it hard. From the piece:

Philip Morris USA was ordered by a U.S. District Court judge in Washington, D.C., to pay $2.75 million in fines when it came out during federal tobacco litigation in 2004 that 11 managers didn't save printouts of their e-mail messages, as per company policy. As an added punishment, those managers were barred from testifying at trial, according to the order from U.S. District Court Judge Gladys Kessler.

The investment bank Morgan Stanley repeatedly failed to turn over data related to a fraud suit brought in 2005 by Coleman Holdings Inc., the owner of camping gear maker Coleman Co., according to an order written by the judge in the case, Elizabeth T. Maass. One of Morgan Stanley's technology workers concealed knowledge of 1,423 backup tapes, later found in Brooklyn, N.Y., when he certified that the bank had produced all its evidence, according to court documents. At least three other times, the judge said, the bank lost or mislaid backup tapes. Maass read a three-page statement to the jury detailing the missteps, which included overwriting e-mails and using flawed search software that hampered searches of Lotus Notes messages. She told the jury to assume the bank acted with “malice or evil intent” unless it could prove otherwise.

Morgan Stanley lost the case, big: The jury awarded Coleman $1.6 billion.

Nancy Flynn, founder and executive director of The ePolicy Institute, stresses, “Employers should look at e-mail and litigation in terms of not if we someday have our employee e-mail subpoenaed but when we have our employee e-mail subpoenaed.”

Compliance regulations

With compliance regulations such as HIPAA and Sarbanes-Oxley, and SEC and NYSE regulations in the financial services arena, companies have to be extra vigilant regarding e-mail risks; they must be able to prove that they've taken appropriate measures to retain e-mail and IMs as stipulated by the applicable regulations. According to Flynn, “Regulatory commissions, such as the SEC, have issued six- and seven-figure fines to companies who are unable to turn over e-mail records that should have been retained.”

Workplace lawsuits

Companies also have to be on the lookout for e-mail that could be used in a workplace lawsuit. According to Flynn, what most companies don't realize “is the fact that e-mail and instant messages are a primary source of evidence in court cases. They are the electronic equivalent of DNA evidence.” And like it or not, there is such a thing called “vicarious liability,” which means that an employer can typically be held responsible for the actions of its employees. Flynn acknowledges that there is “no such thing as a 100 percent risk-free e-mail environment.” You can't, for example, completely control what employee A says to employee B in an instant message. But if employee B decides to sue your company for being a hostile work environment on the basis of employee A's e-mail, you need to be able to prove to the court that you took appropriate measures to prevent the action at the front of the lawsuit.

These measures are what Flynn calls the three E's of e-mail risk management:

Establish a written policy (for e-mail and IM usage, content, and retention).

Educate your workforce (“And that's everyone from the summer intern to the CIO”).

Enforce your policies.

Your policy should include details about e-mail and IM usage and content, and retention policies, and you should take strong steps to educate your workforce with presentations.

When asked about how companies can go about enforcing policies, Flynn replied, “You use discipline–up to and including termination–for anyone who violates the policy.”

If an employer practices proactive risk management such as the ones in the steps above, a court is less likely to hold it responsible for actions named in a lawsuit.

Don't forget Instant Messaging

Flynn notes that many companies don't know that retention and content policies should apply also to instant messaging, which is, “just turbo-charged e-mail. We know that only 11 percent of companies have installed software to control and manage their employees' IM use while about 78 percent of employees are IMing at the office. It's a time bomb waiting to go off.” Flynn says there is a huge misconception out there that IM is not a written business record and that you can say anything you want. “Users think that once you close your window, the message is gone, but that's not true. Even if you're not retaining the message, the person you're chatting with might be. Also, it's an enormous security issue if your employees are transmitting IMs on business issues. These messages are transmitted via the public Internet. They could include customers' social security numbers and important account information.” Employers need to find out what the business presence of IM is in their workplace and how it is used.

So what's the holdup?

One of the reasons companies hesitate to create and enforce retention policies is cost–cost of software, cost of personnel needed to manage it, etc. But Flynn says that that cost is minimal compared to paying a six-figure settlement. Also, a lawsuit can result in embarrassing headlines and loss of credibility for a company. “There have even been cases in which companies' stock valuation has dropped because of inappropriate e-mail use that has been reported by the media.”

Bottom Line for Business Leaders

One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Creating an effective e-mail retention policy should be at the top of your agenda.

Massive Malware-Spreading Beebone Botnet Shut Down

 

Photo © Gunnar Assmy - Fotolia

(Jennifer Abel @ ConsumerAffairs) On Wednesday, European and American police seized a series of European-based servers behind a botnet responsible for spreading various forms of malware on computers in the United States. Cyberthieves in turn could use that malware to steal banking passwords and other illicitly valuable information from victims.

The European Cybercrime Center and the U.S. Federal Bureau of Investigation, working together, seized servers from locations across Europe, but have not yet made any arrests because they say it's too early to tell who exactly is responsible for the botnet, nicknamed Beebone.

A botnet, sometimes called a “zombie army,” is a network of private computers all infected with malware (usually without their owners' knowledge) and working toward some common goal for the malware writer — such as sending spammy emails. That malware is often called “zombie” software because it takes over your computer or device and turns it into a zombie, mindlessly obeying the malware-writers' commands.

Shape-shifting

The Beebone botnet was particularly difficult for investigators to track down because it used shape-shifting, or “polymorphic,” software that would update itself up to 19 times per day, in order to avoid detection by security programs.

Europol, the European Union's equivalent of the FBI, said that

The botnet was 'sinkholed' by registering, suspending or seizing all domain names with which the malware could communicate and traffic was then redirected. Data will be distributed to the ISPs (Internet Service Providers) and CERTs (Computer Emergency Response Teams) around the world, in order to inform the victims. The botnet does not seem the most widespread, however the malware is a very sophisticated one, allowing multiple forms of malware to compromise the security of the victims’ computers.

In other words: by botnet standards, Beebone only infected a relatively small number of computers, but those computers were infected far worse than ordinary botnet zombies, with multiple forms of malware including password stealers [especially useful for thieves seeking to drain bank accounts], ransomware, rootkits and fake antivirus software.

Even though the Beebone servers have been seized, the individual zombie computers comprising the botnet still need to be disinfected with antivirus software (the real thing, not fake antivirus software which only serves to spread more malware).

Yet that alone might not be enough. As Ars Technica noted:

To be fully free of the Beebone menace, infected computers still must be disinfected using AV software or, better yet, by having their hard drives wiped and operating systems reinstalled. Authorities are in the process of contacting Internet service providers and computer emergency response teams around the world to help identify and contact individual victims.

Since authorities genuinely will be contacting people – at least some people – about Beebone warnings, that means scam artists will soon start using Beebone as a pretense for sending more malware-infected spam messages. As always, ignore and delete any unsolicited text message or email asking you to click on a link or download a file attachment.

Massive Windows 10 Forced Update Failure

(JOHN C. DVORAK @ pc) The recent Microsoft Windows 10 Anniversary Update ruffled more than a few feathers as many users are experiencing a reboot cycle.

These things are bound to happen when a company takes a cavalier attitude and constantly slipstreams updates. This is unlike the previous era of the neverending patch Tuesday. The difference: these Windows 10 updates are not optional.

This auto-update approach harkens back to the America Online era of the 1980s and 1990s when the service dominated the pre-Internet era. I remember Microsoft, then promoting the MSN online service designed to compete with AOL, was in awe of the AOL update system.

You would boot the AOL system and it would update the complete program whether you wanted to or not. You would often end up with a whole new version and a completely different graphical user interface. The company was not shy about changing everything.

Microsoft always held this as an ideal method for updates so it would not have to deal with the outrageous complexity of a world of half-patched versions of its OS in the wild. To make things even more complex, this hodge-podge was running on an ecosystem of computers that were also all different.

That is probably why my recent Windows 10 update worked fine on one computer, but did not "take" properly on my wife's machine, which went into endlessly rebooting. It finally stopped after a while, but now she is afraid to turn off the machine.

What annoyed me was a not-so-subtle change of the Start menu. On two of the machines, the "File explorer/settings/power/all apps" buttons are now gone, replaced by small icons with "all apps" pre-clicked and "all apps" showing in the start menu. Exactly why this change did not occur on a third machine I do not know.

If Microsoft is going to constantly toy with the UI, then I am fearful. The company was completely stubborn about the idiotic start screen with Windows 8, forcing me and others to revert to products like Classic Shell so we could get an efficient experience. Windows 10 was a compromise I thought was perfect. But now Microsoft—or factions within the company—want to slowly revert back to Windows 8, and the Anniversary Update was step one.

Of course, this is only a suspicion, but the way the company defended the huge page of massive square icons and idiotic full-screen apps obviously reflected a corporate opinion. The company refused to admit that the layout was crap, especially on a system with multiple monitors. Someone high up liked the UI and feels hurt by the Windows 10 compromise.

But Microsoft has barely dodged a bullet with this cavalier upgrade process. I do not see the corporate culture shifting enough to change the methodologies employed for these upgrades. This includes ignoring the beta reports.

So here is what we can expect, something that could easily happen in the next few years: Instead of a simple reboot issue, a patch goes out that fries the machine dead. There is no reboot problem because the machine will not boot at all and you cannot get far enough to even revert to the previous install. We are getting a glimpse into the future if Microsoft persists with forced upgrades; the company needs to rethink its strategy immediately.

McAfee Reveals Serious Threat Against US Financial Industry

Russian cyber evildoers whose servers are based in Romania are coming closer to launching a major attack against 30 U.S. financial institutions aimed at stealing millions of dollars.

Attacks involving fraudulent transactions and targeting investment and national banks across the U.S. may launch next spring, new data from security firm McAfee show.

“McAfee Labs believes that Project Blitzkrieg is a credible threat to the financial industry and appears to be moving forward as planned,” said Ryan Sherstobitoff, McAfee Labs’ threat researcher.

The scheme, dubbed Project Blitzkrieg, will pull money from major banks and small financial institutions with less developed security protocols like credit unions over a period of time in nearly undetectable amounts, according to the report.

If Project Blitzkrieg goes full scale, it will target an unknown number of consumer accounts across 30 targeted financial institutions, Sherstobitoff said.

“The targets are all U.S. banks, with the victims dispersed across various U.S. cities,” McAfee said. “Thus this group will likely remain focused on U.S. banks and making fraudulent transactions.”

The threat, first brought to light by RSA in September, came in the form of a posting on Underweb forums by a Russian hacker who goes by the name “vorVzakone,” which translates to “thief in law.” The attacks were originally estimated to begin this fall; however, McAfee’s data show they will actually occur in the spring of 2013.

The thieves have been active since April 2012 and at least 500 victims can be linked to vorVzakone, McAfee said.

“The attackers have managed to run an operation undetected for several months while infecting a few hundred,” Sherstobitoff said.

The Prinimalka Trojan associated with Project Blitzkrieg is a direct evolution of a Gozi variant seen in early 2007 that has historically focused on U.S.-based financial targets.

Figure 18. Almost 30 banks of various types have been targeted by a single Prinimalka campaign

While the Trojan has been around for years, McAfee said the attack this spring will combine both a “technical, innovative backend with the tactics of a successful, organized cybercrime movement.”

The attacks will use a type of hijacking that essentially steals log-in data and times as well as security questions and answers. It would be a generic attack, with an extracted script capturing the victim’s balance and last log-in date/time and posting it to a file on the server.

McAfee said the target is the Internet banking platform ibanking, which is used by hundreds of financial institutions.  McAfee Labs’ initial data indicate “a simple form of data grabbing” will be used by Prinimalka to select targets for fraudulent transactions.

Citigroup (C) acknowledged the threat and said protecting the bank and its clients from criminal cyber threats is a "critical priority for us."

"We have a focused information security strategy and dedicated resources to execute it," a Citi spokesperson said. 

Other possible targets, including Bank of America (BAC), Goldman Sachs (GS), J.P. Morgan Chase (JPM) and Morgan Stanley (MS) either didn’t immediately respond to FOX Business or declined to comment.

The attacks piggyback on denial of service cyber attacks that have been intermittently occurring against major U.S. banks like Bank of America and Chase over the last few months. The unrelated attacks were responsible for downing or slowing their consumer web sites.

McAfee said the Project Blitzkrieg campaign  won’t initially target hundreds of thousands of victims but will try to stay under the radar by attacking select groups. High-wealth customers at these banks may also be targeted. 

“This strategy is necessary if the attackers hope to succeed in transferring several million dollars over the course of the project,” Sherstobitoff said. “A limited number of infections reduces the malware’s footprint and makes it hard for network defenses to detect its activities.”

According to McAfee data analyzing webinjects on the Trojan, which add malicious content tied to malware into banking websites, the security firm was able to determine that a majority of the victims will be national banks and investment banks.

“It will be interesting to see how the attackers will move money from these accounts, which are certainly targets of high value,” Sherstobitoff said.



Microsoft Patch Tuesday April 2014

April’s Patch Tuesday features four bulletins: MS14-017 to MS14-020. Two bulletins are rated critical and two are rated important. All of the bulletins address “Remote Code Execution”, which is something that attackers are ultimately after.

Bulletin #1 addresses the current 0-day vulnerability (KB2953095) in Microsoft Word and is applicable to all versions of Word starting with 2003 to the latest 2013, and includes Mac OS X as well. By the way, Office 2003 together with Windows XP are going to be end-of-life after this Patch Tuesday and will stop receiving security updates.  The end of life for XP has received plenty of coverage already, but this vulnerability is a good reminder not to focus only on Windows XP, and that this Office version also deserves attention.

Bulletin #2 is a new version of Internet Explorer, applicable to all versions of IE starting with IE6 on XP to IE11 on Windows 8.1 and RT. The only version not affected is IE10 under Windows 7 and I expect it to contain the fixes for the vulnerabilities disclosed at PWN2OWN at CanSecWest.

Bulletin #3 and Bulletin #4 are both rated “important,” but Bulletin #3 is the more urgent one. It affects all versions of Windows and can be used to gain Remote Code Execution.

Bulletin #4 addresses a problem in Publisher 2003 and 2007, which is a software package that we do not see widely installed.

Bulletins in detail:

Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software
Bulletin 1 | Critical, Remote Code Execution | May require restart | Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps
Bulletin 2 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer
Bulletin 3 | Important, Remote Code Execution | Requires restart | Microsoft Windows
Bulletin 4 | Important, Remote Code Execution | May require restart | Microsoft Office

 


 

Affected Software

Windows XP
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Critical | Important
Windows XP Service Pack 3 | Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical) | Windows XP Service Pack 3 (Important)
Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical) | Windows XP Professional x64 Edition Service Pack 2 (Important)

Windows Server 2003
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Moderate | Important
Windows Server 2003 Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Windows Server 2003 Service Pack 2 (Important)
Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Windows Server 2003 x64 Edition Service Pack 2 (Important)
Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate) | Windows Server 2003 with SP2 for Itanium-based Systems (Important)

Windows Vista
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Critical | Important
Windows Vista Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista Service Pack 2 (Important)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista x64 Edition Service Pack 2 (Important)

Windows Server 2008
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Moderate | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important)

Windows 7
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Critical | Important
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 11 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Important)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 11 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Important)

Windows Server 2008 R2
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Moderate | Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate); Internet Explorer 11 (Moderate) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important)

Windows 8 and Windows 8.1
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Critical | Important
Windows 8 for 32-bit Systems | Not applicable | Windows 8 for 32-bit Systems (Important)
Windows 8 for x64-based Systems | Not applicable | Windows 8 for x64-based Systems (Important)
Windows 8.1 for 32-bit Systems | Internet Explorer 11 (Critical) | Windows 8.1 for 32-bit Systems (Important)
Windows 8.1 for x64-based Systems | Internet Explorer 11 (Critical) | Windows 8.1 for x64-based Systems (Important)

Windows Server 2012 and Windows Server 2012 R2
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Moderate | Important
Windows Server 2012 | Not applicable | Windows Server 2012 (Important)
Windows Server 2012 R2 | Internet Explorer 11 (Moderate) | Windows Server 2012 R2 (Important)

Windows RT and Windows RT 8.1
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | Critical | Important
Windows RT | Not applicable | Windows RT (Important)
Windows RT 8.1 | Internet Explorer 11 (Critical) | Windows RT 8.1 (Important)

Server Core installation option
Bulletin Identifier | Bulletin 2 | Bulletin 3
Aggregate Severity Rating | None | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important)
Windows Server 2012 (Server Core installation) | Not applicable | Windows Server 2012 (Server Core installation) (Important)
Windows Server 2012 R2 (Server Core installation) | Not applicable | Windows Server 2012 R2 (Server Core installation) (Important)
Microsoft Office Suites and Software

Microsoft Office 2003
Bulletin Identifier | Bulletin 1 | Bulletin 4
Aggregate Severity Rating | Critical | Important
Microsoft Office 2003 Service Pack 3 | Microsoft Word 2003 Service Pack 3 (Critical) | Microsoft Publisher 2003 Service Pack 3 (Important)

Microsoft Office 2007
Bulletin Identifier | Bulletin 1 | Bulletin 4
Aggregate Severity Rating | Critical | Important
Microsoft Office 2007 Service Pack 3 | Microsoft Word 2007 Service Pack 3 (Critical) | Microsoft Publisher 2007 Service Pack 3 (Important)

Microsoft Office 2010
Bulletin Identifier | Bulletin 1 | Bulletin 4
Aggregate Severity Rating | Critical | None
Microsoft Office 2010 Service Pack 1 (32-bit editions) | Microsoft Word 2010 Service Pack 1 (32-bit editions) (Critical) | Not applicable
Microsoft Office 2010 Service Pack 2 (32-bit editions) | Microsoft Word 2010 Service Pack 2 (32-bit editions) (Critical) | Not applicable
Microsoft Office 2010 Service Pack 1 (64-bit editions) | Microsoft Word 2010 Service Pack 1 (64-bit editions) (Critical) | Not applicable
Microsoft Office 2010 Service Pack 2 (64-bit editions) | Microsoft Word 2010 Service Pack 2 (64-bit editions) (Critical) | Not applicable

Microsoft Office 2013 and Microsoft Office 2013 RT
Bulletin Identifier | Bulletin 1 | Bulletin 4
Aggregate Severity Rating | Critical | None
Microsoft Office 2013 (32-bit editions) | Microsoft Word 2013 (32-bit editions) (Critical) | Not applicable
Microsoft Office 2013 Service Pack 1 (32-bit editions) | Microsoft Word 2013 Service Pack 1 (32-bit editions) (Critical) | Not applicable
Microsoft Office 2013 (64-bit editions) | Microsoft Word 2013 (64-bit editions) (Critical) | Not applicable
Microsoft Office 2013 Service Pack 1 (64-bit editions) | Microsoft Word 2013 Service Pack 1 (64-bit editions) (Critical) | Not applicable
Microsoft Office 2013 RT | Microsoft Word 2013 RT (Critical) | Not applicable
Microsoft Office 2013 RT Service Pack 1 | Microsoft Word 2013 RT Service Pack 1 (Critical) | Not applicable

Microsoft Office for Mac
Bulletin Identifier | Bulletin 1 | Bulletin 4
Aggregate Severity Rating | Critical | None
Microsoft Office for Mac 2011 | Microsoft Office for Mac 2011 (Critical) | Not applicable

Other Office Software
Bulletin Identifier | Bulletin 1 | Bulletin 4
Aggregate Severity Rating | Critical | None
Microsoft Word Viewer | Microsoft Word Viewer (Critical) | Not applicable
Microsoft Office Compatibility Pack Service Pack 3 | Microsoft Office Compatibility Pack Service Pack 3 (Critical) | Not applicable

 

Microsoft Office Services and Web Apps

Microsoft SharePoint Server 2010
Bulletin Identifier | Bulletin 1
Aggregate Severity Rating | Critical
Microsoft SharePoint Server 2010 Service Pack 1 | Word Automation Services (Critical)
Microsoft SharePoint Server 2010 Service Pack 2 | Word Automation Services (Critical)

Microsoft SharePoint Server 2013
Bulletin Identifier | Bulletin 1
Aggregate Severity Rating | Critical
Microsoft SharePoint Server 2013 | Word Automation Services (Critical)
Microsoft SharePoint Server 2013 Service Pack 1 | Word Automation Services (Critical)

Microsoft Office Web Apps 2010
Bulletin Identifier | Bulletin 1
Aggregate Severity Rating | Critical
Microsoft Office Web Apps 2010 Service Pack 1 | Microsoft Web Applications 2010 Service Pack 1 (Critical)
Microsoft Office Web Apps 2010 Service Pack 2 | Microsoft Web Applications 2010 Service Pack 2 (Critical)

Microsoft Office Web Apps 2013
Bulletin Identifier | Bulletin 1
Aggregate Severity Rating | Critical
Microsoft Office Web Apps 2013 | Microsoft Office Web Apps Server 2013 (Critical)
Microsoft Office Web Apps 2013 Service Pack 1 | Microsoft Office Web Apps Server 2013 Service Pack 1 (Critical)

Bottom Line:

The patches and updates are very important. Please remember to restart your Windows servers and workstations Wednesday morning.

Special Note for Mac users:

If you are using ANY Microsoft products on the Mac, please make certain that they receive the update.

Special Note 2:

If you have any difficulty with this update, please give us a call.

 

Microsoft Changes License Agreement to Avoid Class Actions

Making the company's customers give up their right to sue and agree to binding arbitration in all disputes flies in the face of the 14th Amendment.

Microsoft, never shy about trumpeting its latest innovations whether real or just vaporware, has quietly changed its U.S. end user license agreement to forbid its customers from suing or joining in class action suits against the company.

The 14th Amendment guarantees everyone the right of due process, but when it's consumers against mighty corporations, that doesn't mean very much.

In this and similar cases, companies have been modifying their end user license agreements -- commonly called the EULA -- to state that the consumer agrees to be bound by the conditions of the agreement. And -- voila! -- one of those conditions is now that the consumer will not exercise the right to sue.

In other words, you still have the right. You just can't use it. What could be fairer? After all, no one is holding a gun to your head and forcing you to use Microsoft Word, right?


Microsoft Flawed updates cause Outlook crash

Microsoft's run of botched updates continues, this time affecting users of its Outlook 2010 productivity suite.

The company has pulled both KB4461522 and KB2863821, and notes on their respective support pages that after installing them, users "may experience crashes in Microsoft Access or other applications".

The two updates were non-security patches and affect Microsoft Office 2010 Service Pack 2. The updates were pulled on November 15.

However, Microsoft has also posted an alert about the security update KB4461529, once again because it causes Outlook to crash.

"After updating Outlook 2010 to the November 2018 Public Update KB 4461529 Outlook crashes or closes suddenly on start-up. The issue only affects 64-bit installations of Outlook 2010," Microsoft warns.


That patch, released on last week's November Patch Tuesday, fixed four remote code execution flaws that could be exploited via email or a malicious website.

Although KB4461529 also causes Outlook to crash, Microsoft does not recommend that users remove it, because it resolves security issues that the company considers likely to be exploited.

Until it has a fix, Microsoft is suggesting users try Outlook Web Access instead.

"Microsoft is investigating the issue and we will update this page when further details become available. As a workaround, you could try using Outlook Web Access," it said.

After finally rereleasing the Windows 10 October 2018 Update, having removed the data-destroying bug, Microsoft last week acknowledged the release had a known mapped-drives bug.


Microsoft Forces You To Accept Binding Arbitration

An old trick is to release unfavorable news on a Friday afternoon, hoping it gets lost over the weekend. Microsoft went that one better, emailing some of its customers Saturday, Sept. 1, to tell them about its new Microsoft Services Agreement, which goes into effect Oct. 19 and covers such things as Office.com, Windows Mail, MSN, Bing and so forth.

What's different about it?  

"We have modified the agreement to make it easier to read and understand, including using a question and answer format that we believe makes the terms much clearer," Microsoft gushed in an email that was quickly copied by hackers, who sent out identical versions with links to malicious pages that could infect recipients' Windows computers with harmful software.

If you get one of the emails, don't click on any of the links. 

Oh, and by the way, Microsoft added, "We have added a binding arbitration clause and class action waiver that affects how disputes with Microsoft will be resolved in the United States."

In plain English, the binding arbitration clause says that if you have a beef with Microsoft, you can't sue the company. Nor can you join or institute any class action suits against the company. All you can do is submit to binding arbitration, which pretty much ensures you will spend a lot of time, travel to an inconvenient location at your expense, and get nothing out of it.

This is not totally unexpected, by the way. Microsoft announced its intentions in a blog posting just before the Memorial Day weekend and is now getting around to telling consumers about it.

Go elsewhere

But don't get us wrong. Just because it's called "binding arbitration" doesn't mean you're bound to accept it. After all, no one is forcing you to use Microsoft services.

As the Microsoft email cheerily puts it, "If you continue to use our services after October 19th, you agree to the terms of the new agreement or, of course you can cancel your service at any time."

Take it or leave it, in other words.

Microsoft seems pretty confident consumers won't actually vote with their feet, and probably with some justification. When we wrote about this in July, readers responded with comments suggesting that Microsoft customers abandon Microsoft and switch to Apple.

This isn't much of an option. Most consumers aren't in a position to dump their existing computer and pony up $1,100 or so for a new Apple machine.  A much better option, which has never quite caught on in the U.S., is to switch to open-source Linux, the rock-solid system that powers the Internet and many industrial-grade systems.

Ubuntu is an excellent Linux operating system designed for consumers who are not technically minded. It is completely free, easy to install and includes a full suite of programs -- Firefox Web browser, Thunderbird email client, Open Office word processor, spreadsheet, etc.

Perhaps the trouble with Ubuntu and other outstanding Linux systems is that they sound too good to be true? 

Bringing up the rear

Microsoft, of course, is not alone and, as usual, is not even out in front. Companies have been falling over themselves to unilaterally rewrite their contracts ever since an infamous 2011 U.S. Supreme Court ruling in the AT&T v. Concepcion case handed corporations the right to simply remove, demolish, diminish and destroy consumers' rights simply by inserting a few sentences in their contracts.

Not everyone thinks this is a great idea. U.S. Sen. Richard Blumenthal (D, Conn.) has called the clause "highly objectionable" and has said that Microsoft seems to be “following Sony’s tack and attempting to prevent preemptively any liability in case it experiences a security breach.”

“Microsoft is refusing to allow consumers to opt-out of the new clause in their terms of service,” Blumenthal added in a blog posting late last year. “This blatant corporate strong-arming indicates that Microsoft is trying to force its customers to waive their right to hold Microsoft accountable for any future injuries they sustain.”


Microsoft Freudian Slip - Admits Spying On You

(Gordon Kelly @ Forbes) "...In an attempt to illustrate just how much Windows 10 users love the new operating system, Microsoft rolled out stat after stat about growing adoption and momentum (Black Friday and Christmas play their part here). But then things got weird:

“One of the ways we measure our progress with Windows 10 is looking at how people are using Windows,” explained Microsoft Senior Vice President Yusuf Mehdi. “Recently we reached another milestone – people have spent over 11 billion hours on Windows 10 in December alone, spending more time on Windows than ever before.”

That’s a crazy amount, but what is even crazier is the revelation that Microsoft is tracking exactly how long every single user is using Windows 10. Then things got even weirder as Mehdi announced: “Here are a few fun facts on what people have been doing on Windows 10”. They are as follows:

  1. Over 44.5 billion minutes spent in Microsoft Edge across Windows 10 devices in just the last month
  2. Over 2.5 billion questions asked of Cortana since launch
  3. Over 82 billion photos viewed within the Windows 10 Photo app
  4. In 2015 gamers spent over 4 billion hours playing PC games on Windows 10
  5. Gamers streamed over 6.6 million hours of Xbox One games to Windows 10 PCs

Yes, Microsoft admitted it not only logs its users' time on Windows 10 but also their time using Microsoft Edge… and gaming… and streaming games… and counting your search queries… and every single time a user opens a photo.

Conspiracy theorists are welcome to go wild here, but I have a simpler end goal: Microsoft needs to come clean and state everything it tracks, exactly what can and cannot be stopped by users and why. Now let’s be clear: Windows 10 is Microsoft’s product so it has the right to do whatever it likes with it, but only after a full disclosure to customers of its practices so they can make an informed choice about whether or not they wish to be a part of this data gathering process.

None of this is too much to ask given Microsoft’s self admission that it is pushing Windows 7 and Windows 8 customers hard to upgrade. This includes some outrageous scaremongering and malware-style UI tricks. Contrary to common perception, Windows 10 also is no charity as Mehdi’s 200M celebratory post reveals the ‘free’ operating system actually generates 4.5x more revenue per device (presumably from the Windows Store) than Windows 8.

But the time for transparency is running out. By 2018 Microsoft aims to have one billion devices running Windows 10 and with that comes truly global reach and insight. The world deserves to know exactly what it is signing up for…"

 

Microsoft June 2012 Patch Tuesday

Tomorrow is June 2012 Microsoft Patch Tuesday and Microsoft says it will deliver seven security updates, three listed as critical, patching 28 bugs in Windows, Internet Explorer, Office and other programs in its portfolio.

In addition, Microsoft promises to start pushing an update to Windows Update as part of its response to the Flame espionage malware. Some experts warn that this update to Windows Update itself could disrupt this month's security patch process, and may require a second workstation and server restart.

This month's Patch Tuesday will fix the largest number of vulnerabilities, 28.

Of the seven updates, Microsoft tagged three as "critical," the highest threat ranking in its four-step scoring, and the other four as "important," the next-most serious rating.

One update will address all supported versions of IE, ranging from the 11-year-old IE6 to last year's IE9; four will affect Windows; and the remaining pair will tackle vulnerabilities in all versions of Office on Windows and Dynamics AX 2012, an enterprise resource planning (ERP) product. Good thing, because IE browser exploits provide the most "bang for the buck" for hackers and malware.

In addition, this month's patch will also address the Vupen zero-day exploit.

Bottom line is, be prepared to restart your workstations and servers Tuesday or Wednesday morning. Be sure to read your screen because this patch may require two restarts.

Microsoft Patch July 8 2014

Microsoft today released six security bulletins and updates to address the vulnerabilities disclosed in them. The updates address a total of 29 vulnerabilities.

Update at 2:20 pm ET: This story is updated below to clarify the exploitability of MS14-042.

  • MS14-037: Cumulative Security Update for Internet Explorer (2975687) — This update fixes 24 vulnerabilities, all of them memory corruption vulnerabilities, in every supported version of Internet Explorer. Ironically, the only IE version for which there are no critical vulnerabilities in this update is IE6 on Windows Server 2003. None of the vulnerabilities had been publicly disclosed or exploited.
     
  • MS14-038: Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) — A user who opens a specially-crafted Journal file can be exploited in their user context. All versions of Windows since Vista are affected and the vulnerability is critical on all of them. Running as a standard user limits the potential damage.
     
  • MS14-039: Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685) — When the on-screen keyboard is triggered by a malicious low-integrity process, that process could load and execute programs with the privileges of the current user. This vulnerability is rated important.
     
  • MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) — An attacker who has rights to log on locally could run a malicious program that would elevate privileges to kernel mode. This vulnerability is rated important.
     
  • MS14-041: Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) — A user could elevate privilege by running a malicious program from a low-integrity process. Running IE in immersive mode with Enhanced Protected Mode helps to mitigate this problem. This vulnerability is rated important.
     
  • MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) — A remote authenticated attacker could create and run a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system, triggering a denial of service. This vulnerability is rated moderate.

The Microsoft Exploitability Index for this month's updates says that successful exploit code for 28 of the 29 vulnerabilities is "likely." The 29th is rated Moderate and therefore not rated as to exploitability.

As is usually the case, Microsoft will also release a new version of the Windows Malicious Software Removal Tool and a large collection of non-security updates to various Windows versions.

Executive Summary: 

Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software
Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer
Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Windows
Bulletin 3 | Important, Elevation of Privilege | Requires restart | Microsoft Windows
Bulletin 4 | Important, Elevation of Privilege | Requires restart | Microsoft Windows
Bulletin 5 | Important, Elevation of Privilege | May require restart | Microsoft Windows
Bulletin 6 | Moderate, Denial of Service | Does not require restart | Microsoft Server Software

Windows Operating System and Components

Windows Server 2003

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Moderate | None | None | Important | None
Windows Server 2003 Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Not applicable | Not applicable | Windows Server 2003 Service Pack 2 (Important) | Not applicable
Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Not applicable | Not applicable | Windows Server 2003 x64 Edition Service Pack 2 (Important) | Not applicable
Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate) | Not applicable | Not applicable | Windows Server 2003 with SP2 for Itanium-based Systems (Important) | Not applicable

Windows Vista

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Critical | Critical | Important | Important | Important
Windows Vista Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista Service Pack 2 (Critical) | Windows Vista Service Pack 2 (Important) | Windows Vista Service Pack 2 (Important) | Windows Vista Service Pack 2 (Important)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista x64 Edition Service Pack 2 (Critical) | Windows Vista x64 Edition Service Pack 2 (Important) | Windows Vista x64 Edition Service Pack 2 (Important) | Windows Vista x64 Edition Service Pack 2 (Important)

Windows Server 2008

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Moderate | Critical | Important | Important | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for x64-based Systems Service Pack 2 (Critical) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Not applicable | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important) | Not applicable

Windows 7

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Critical | Critical | Important | Important | Important
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical); Internet Explorer 11 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Important) | Windows 7 for 32-bit Systems Service Pack 1 (Important) | Windows 7 for 32-bit Systems Service Pack 1 (Important)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical); Internet Explorer 11 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Important) | Windows 7 for x64-based Systems Service Pack 1 (Important) | Windows 7 for x64-based Systems Service Pack 1 (Important)

Windows Server 2008 R2

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Moderate | Critical | Important | Important | Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate); Internet Explorer 10 (Moderate); Internet Explorer 11 (Moderate) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important) | Not applicable

Windows 8 and Windows 8.1

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Critical | Critical | Important | Important | Important
Windows 8 for 32-bit Systems | Internet Explorer 10 (Critical) | Windows 8 for 32-bit Systems (Critical) | Windows 8 for 32-bit Systems (Important) | Windows 8 for 32-bit Systems (Important) | Windows 8 for 32-bit Systems (Important)
Windows 8 for x64-based Systems | Internet Explorer 10 (Critical) | Windows 8 for x64-based Systems (Critical) | Windows 8 for x64-based Systems (Important) | Windows 8 for x64-based Systems (Important) | Windows 8 for x64-based Systems (Important)
Windows 8.1 for 32-bit Systems | Internet Explorer 11 (Critical) | Windows 8.1 for 32-bit Systems (Critical) | Windows 8.1 for 32-bit Systems (Important) | Windows 8.1 for 32-bit Systems (Important) | Windows 8.1 for 32-bit Systems (Important)
Windows 8.1 for x64-based Systems | Internet Explorer 11 (Critical) | Windows 8.1 for x64-based Systems (Critical) | Windows 8.1 for x64-based Systems (Important) | Windows 8.1 for x64-based Systems (Important) | Windows 8.1 for x64-based Systems (Important)

Windows Server 2012 and Windows Server 2012 R2

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Moderate | Critical | Important | Important | Important
Windows Server 2012 | Internet Explorer 10 (Moderate) | Windows Server 2012 (Critical) | Windows Server 2012 (Important) | Windows Server 2012 (Important) | Windows Server 2012 (Important)
Windows Server 2012 R2 | Internet Explorer 11 (Moderate) | Windows Server 2012 R2 (Critical) | Windows Server 2012 R2 (Important) | Windows Server 2012 R2 (Important) | Windows Server 2012 R2 (Important)

Windows RT and Windows RT 8.1

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | Critical | Critical | Important | Important | None
Windows RT | Internet Explorer 10 (Critical) | Windows RT (Critical) | Windows RT (Important) | Windows RT (Important) | Not applicable
Windows RT 8.1 | Internet Explorer 11 (Critical) | Windows RT 8.1 (Critical) | Windows RT 8.1 (Important) | Windows RT 8.1 (Important) | Not applicable

Server Core installation option

Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5
Aggregate Severity Rating | None | None | Important | Important | None
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important) | Not applicable
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important) | Not applicable
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important) | Not applicable
Windows Server 2012 (Server Core installation) | Not applicable | Not applicable | Windows Server 2012 (Server Core installation) (Important) | Windows Server 2012 (Server Core installation) (Important) | Not applicable
Windows Server 2012 R2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2012 R2 (Server Core installation) (Important) | Windows Server 2012 R2 (Server Core installation) (Important) | Not applicable

 

Windows Server Software

Microsoft Service Bus for Windows Server

Bulletin Identifier | Bulletin 6
Aggregate Severity Rating | Moderate
Microsoft Service Bus for Windows Server | Microsoft Service Bus for Windows Server (Moderate)

The Bottom Line: Restart your Windows computers and servers first thing Wednesday morning!

Apple Mac and Linux users - no need.

 

Microsoft Patch Tues April 2015

This bulletin summary lists security bulletins released for April 2015.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

The good news is that this month's collection of security bulletins includes only four rated Critical. The balance are four security issues rated Important, with the usual smattering of mysterious performance and reliability updates whose documentation hasn't yet been published.

First up is a Cumulative Security Update for Internet Explorer (3038314) (MS15-032). This update addresses 10 separate vulnerabilities and is rated Critical for every supported version of Internet Explorer on desktop versions of Windows and Important for IE on servers (where the default configuration makes exploits more difficult).

MS15-033 blocks a "use after free" vulnerability that could lead to remote code execution when a user opens a "specially crafted" (i.e., booby-trapped) Office document. It's rated Critical for Word 2007 and Word 2010 but Important for Office 2013. Microsoft says it is "aware of limited attacks that attempt to exploit this vulnerability" in the wild.

Interestingly, the bulletin also applies to Office on the Mac, with Office 2011 and the new Outlook for Mac for Office 365 on the list of affected software.

Executive Summaries

The following table summarizes the security bulletins for this month in order of severity.

For details on affected software, see the next section, Affected Software.

| Bulletin ID | Bulletin Title and Executive Summary | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Known Issues | Affected Software |
|---|---|---|---|---|---|
| MS15-032 | Cumulative Security Update for Internet Explorer (3038314): This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | Critical, Remote Code Execution | Requires restart | --------- | Microsoft Windows, Internet Explorer |
| MS15-033 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019): This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | Critical, Remote Code Execution | May require restart | --------- | Microsoft Office |
| MS15-034 | Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. | Critical, Remote Code Execution | Requires restart | --------- | Microsoft Windows |
| MS15-035 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (3046306): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages. | Critical, Remote Code Execution | May require restart | --------- | Microsoft Windows |
| MS15-036 | Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044): This security update resolves vulnerabilities in Microsoft Office server and productivity software. The vulnerabilities could allow elevation of privilege if an attacker sends a specially crafted request to an affected SharePoint server. An attacker who successfully exploited the vulnerabilities could read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the victim’s browser. | Important, Elevation of Privilege | May require restart | --------- | Microsoft Server Software, Productivity Software |
| MS15-037 | Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (3046269): This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited the vulnerability could leverage a known invalid task to cause Task Scheduler to run a specially crafted application in the context of the System account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | Important, Elevation of Privilege | Does not require restart | --------- | Microsoft Windows |
| MS15-038 | Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576): This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. To exploit these vulnerabilities, an attacker would first have to log on to the system. | Important, Elevation of Privilege | Requires restart | --------- | Microsoft Windows |
| MS15-039 | Vulnerability in XML Core Services Could Allow Security Feature Bypass (3046482): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a user clicks a specially crafted link. In all cases, however, an attacker would have no way to force users to click a specially crafted link; an attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message. | Important, Security Feature Bypass | May require restart | --------- | Microsoft Windows |
| MS15-040 | Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3045711): This security update resolves a vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application and an attacker reopens the application in the browser immediately after the user has logged off. | Important, Information Disclosure | May require restart | --------- | Microsoft Windows |
| MS15-041 | Vulnerability in .NET Framework Could Allow Information Disclosure (3048010): This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if an attacker sends a specially crafted web request to an affected server that has custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information. | Important, Information Disclosure | May require restart | --------- | Microsoft Windows, Microsoft .NET Framework |
| MS15-042 | Vulnerability in Windows Hyper-V Could Allow Denial of Service (3047234): This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an authenticated attacker runs a specially crafted application in a virtual machine (VM) session. Note that the denial of service does not allow an attacker to execute code or elevate user rights on other VMs running on the Hyper-V host; however, it could cause other VMs on the host to not be manageable in Virtual Machine Manager. | Important, Denial of Service | Requires restart | --------- | Microsoft Windows |

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

How do I use this table?

Use this table to learn about the likelihood of code execution and denial of service exploits within 30 days of security bulletin release, for each of the security updates that you may need to install. Review each of the assessments below, in accordance with your specific configuration, to prioritize your deployment of this month's updates. For more information about what these ratings mean, and how they are determined, please see Microsoft Exploitability Index.

In the columns below, "Latest Software Release" refers to the subject software, and "Older Software Releases" refers to all older, supported releases of the subject software, as listed in the "Affected Software" and "Non-Affected Software" tables in the bulletin.

| Bulletin ID | Vulnerability Title | CVE ID | Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Key Notes |
|---|---|---|---|---|---|---|
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1652 | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1657 | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1659 | 1 - Exploitation More Likely | 4 - Not Affected | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1660 | 4 - Not Affected | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-032 | Internet Explorer ASLR Bypass Vulnerability | CVE-2015-1661 | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1662 | 1 - Exploitation More Likely | 4 - Not Affected | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1665 | 1 - Exploitation More Likely | 4 - Not Affected | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1666 | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1667 | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-032 | Internet Explorer Memory Corruption Vulnerability | CVE-2015-1668 | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-033 | Microsoft Outlook App for Mac XSS Vulnerability | CVE-2015-1639 | 2 - Exploitation Less Likely | 4 - Not Affected | Not Applicable | (None) |
| MS15-033 | Microsoft Office Memory Corruption Vulnerability | CVE-2015-1641 | 0 - Exploitation Detected | 0 - Exploitation Detected | Not Applicable | This vulnerability has been publicly disclosed. |
| MS15-033 | Microsoft Office Component Use After Free Vulnerability | CVE-2015-1649 | 4 - Not Affected | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-033 | Microsoft Office Component Use After Free Vulnerability | CVE-2015-1650 | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-033 | Microsoft Office Component Use After Free Vulnerability | CVE-2015-1651 | 4 - Not Affected | 1 - Exploitation More Likely | Not Applicable | (None) |
| MS15-034 | HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Permanent | (None) |
| MS15-035 | EMF Processing Remote Code Execution Vulnerability | CVE-2015-1645 | 4 - Not Affected | 2 - Exploitation Less Likely | Not Applicable | (None) |
| MS15-036 | Microsoft SharePoint XSS Vulnerability | CVE-2015-1640 | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not Applicable | This is an elevation of privilege vulnerability. |
| MS15-036 | Microsoft SharePoint XSS Vulnerability | CVE-2015-1653 | 3 - Exploitation Unlikely | 4 - Not Affected | Not Applicable | This is an elevation of privilege vulnerability. |
| MS15-037 | Task Scheduler Elevation of Privilege Vulnerability | CVE-2015-0098 | 4 - Not Affected | 1 - Exploitation More Likely | Not Applicable | This is an elevation of privilege vulnerability. |
| MS15-038 | NtCreateTransactionManager Type Confusion Vulnerability | CVE-2015-1643 | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Permanent | This is an elevation of privilege vulnerability. |
| MS15-038 | Windows MS-DOS Device Name Vulnerability | CVE-2015-1644 | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not Applicable | This is an elevation of privilege vulnerability. |
| MS15-039 | MSXML3 Same Origin Policy SFB Vulnerability | CVE-2015-1646 | 4 - Not Affected | 2 - Exploitation Less Likely | Not Applicable | This is a security feature bypass vulnerability. |
| MS15-040 | Active Directory Federation Services Information Disclosure Vulnerability | CVE-2015-1638 | 3 - Exploitation Unlikely | 4 - Not Affected | Not Applicable | This is an information disclosure vulnerability. |
| MS15-041 | ASP.NET Information Disclosure Vulnerability | CVE-2015-1648 | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not Applicable | This is an information disclosure vulnerability. |
| MS15-042 | Windows Hyper-V DoS Vulnerability | CVE-2015-1647 | 2 - Exploitation Less Likely | 4 - Not Affected | Permanent | This is a denial of service vulnerability. |

Affected Software

The following tables list the bulletins in order of major software category and severity.

Use these tables to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates pertain to your installation. If a software program or component is listed, then the severity rating of the software update is also listed.

Note You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.

Windows Operating System and Components (Table 1 of 2)

Windows Server 2003

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Moderate                                             

None                                               

Critical

None

Important

Windows Server 2003 Service Pack 2                

Internet Explorer 6
(3038314)
(Moderate) 

Internet Explorer 7
(3038314)
(Moderate)

Internet Explorer 8
(3038314)
(Moderate)

Not applicable

Windows Server 2003 Service Pack 2
(3046306)
(Critical)

Not applicable

Windows Server 2003 R2 Service Pack 2 
(3045685)
(Important)

Windows Server 2003 Service Pack 2
(3045999)
(Important)

Windows Server 2003 x64 Edition Service Pack 2

Internet Explorer 6
(3038314)
(Moderate)

Internet Explorer 7
(3038314)
(Moderate)

Internet Explorer 8
(3038314)
(Moderate)

Not applicable

Windows Server 2003 x64 Edition Service Pack 2
(3046306)
(Critical)

Not applicable

Windows Server 2003 R2 x64 Edition Service Pack 2 
(3045685)
(Important)

Windows Server 2003 x64 Edition Service Pack 2 
(3045999)
(Important)

Windows Server 2003 with SP2 for Itanium-based Systems

Internet Explorer 6
(3038314)
(Moderate)

Internet Explorer 7
(3038314)
(Moderate)

Not applicable

Windows Server 2003 with SP2 for Itanium-based Systems
(3046306)
(Critical)

Not applicable

Windows Server 2003 with SP2 for Itanium-based Systems
(3045999)
(Important)

Windows Vista

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Critical

None

Critical

None

Important

Windows Vista Service Pack 2

Internet Explorer 7
(3038314)
(Critical)

Internet Explorer 8
(3038314)
(Critical)

Internet Explorer 9
(3038314)
(Critical)

Not applicable

Windows Vista Service Pack 2 
(3046306)
(Critical)

Not applicable

Windows Vista Service Pack 2 
(3045685)
(Important)

Windows Vista Service Pack 2 
(3045999)
(Important)

Windows Vista x64 Edition Service Pack 2

Internet Explorer 7
(3038314)
(Critical)

Internet Explorer 8
(3038314)
(Critical)

Internet Explorer 9
(3038314)
(Critical)

Not applicable

Windows Vista x64 Edition Service Pack 2
(3046306)
(Critical)

Not applicable

Windows Vista x64 Edition Service Pack 2
(3045685)
(Important)

Windows Vista x64 Edition Service Pack 2
(3045999)
(Important)

Windows Server 2008

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Moderate

None

Critical

None

Important

Windows Server 2008 for 32-bit Systems Service Pack 2

Internet Explorer 7
(3038314)
(Moderate)

Internet Explorer 8
(3038314)
(Moderate)

Internet Explorer 9
(3038314)
(Moderate)

Not applicable

Windows Server 2008 for 32-bit Systems Service Pack 2
(3046306)
(Critical)

Not applicable

Windows Server 2008 for 32-bit Systems Service Pack 2
(3045685)
(Important)

Windows Server 2008 for 32-bit Systems Service Pack 2
(3045999)
(Important)

Windows Server 2008 for x64-based Systems Service Pack 2

Internet Explorer 7
(3038314)
(Moderate)

Internet Explorer 8
(3038314)
(Moderate)

Internet Explorer 9
(3038314)
(Moderate)

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2
(3046306)
(Critical)

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2
(3045685)
(Important)

Windows Server 2008 for x64-based Systems Service Pack 2
(3045999)
(Important)

Windows Server 2008 for Itanium-based Systems Service Pack 2

Internet Explorer 7
(3038314)
(Moderate)

Not applicable

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3046306)
(Critical)

Not applicable

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3045685)
(Important)

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3045999)
(Important)

Windows 7

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Critical

Critical

Critical

Important

Important

Windows 7 for 32-bit Systems Service Pack 1

Internet Explorer 8
(3038314)
(Critical)

Internet Explorer 9
(3038314)
(Critical)

Internet Explorer 10
(3038314)
(Critical)

Internet Explorer 11
(3038314)
(Critical)

Windows 7 for 32-bit Systems Service Pack 1
(3042553)
(Critical)

Windows 7 for 32-bit Systems Service Pack 1
(3046306)
(Critical)

Windows 7 for 32-bit Systems Service Pack 1
(3046269)
(Important)

Windows 7 for 32-bit Systems Service Pack 1
(3045685)
(Important)

Windows 7 for 32-bit Systems Service Pack 1
(3045999)
(Important)

Windows 7 for x64-based Systems Service Pack 1

Internet Explorer 8
(3038314)
(Critical)

Internet Explorer 9
(3038314)
(Critical) 

Internet Explorer 10
(3038314)
(Critical)

Internet Explorer 11
(3038314)
(Critical)

Windows 7 for x64-based Systems Service Pack 1
(3042553)
(Critical)

Windows 7 for x64-based Systems Service Pack 1
(3046306)
(Critical)

Windows 7 for x64-based Systems Service Pack 1
(3046269)
(Important)

Windows 7 for x64-based Systems Service Pack 1
(3045685)
(Important)

Windows 7 for x64-based Systems Service Pack 1
(3045999)
(Important)

Windows Server 2008 R2

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Moderate

Critical

Critical

Important

Important

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Internet Explorer 8
(3038314)
(Moderate)

Internet Explorer 9
(3038314)
(Moderate) 

Internet Explorer 10
(3038314)
(Moderate)

Internet Explorer 11
(3038314)
(Moderate)

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3042553)
(Critical)

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3046306)
(Critical)

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3046269)
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3045685)
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3045999)
(Important)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Internet Explorer 8
(3038314)
(Moderate)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3042553)
(Critical)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3046306)
(Critical)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3046269)
(Important)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3045685)
(Important)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3045999)
(Important)

Windows 8 and Windows 8.1

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Critical

Critical

None

None

Important

Windows 8 for 32-bit Systems

Internet Explorer 10
(3038314)
(Critical)

Windows 8 for 32-bit Systems
(3042553)
(Critical)

Not applicable

Not applicable

Windows 8 for 32-bit Systems
(3045685)
(Important)

Windows 8 for 32-bit Systems
(3045999)
(Important)

Windows 8 for x64-based Systems

Internet Explorer 10
(3038314)
(Critical)

Windows 8 for x64-based Systems
(3042553)
(Critical)

Not applicable

Not applicable

Windows 8 for x64-based Systems
(3045685)
(Important)

Windows 8 for x64-based Systems
(3045999)
(Important)

Windows 8.1 for 32-bit Systems

Internet Explorer 11
(3038314)
(Critical)

Windows 8.1 for 32-bit Systems
(3042553)
(Critical)

Not applicable

Not applicable

Windows 8.1 for 32-bit Systems
(3045685)
(Important)

Windows 8.1 for 32-bit Systems
(3045999)
(Important)

Windows 8.1 for x64-based Systems

Internet Explorer 11
(3038314)
(Critical)

Windows 8.1 for x64-based Systems
(3042553)
(Critical)

Not applicable

Not applicable

Windows 8.1 for x64-based Systems
(3045685)
(Important)

Windows 8.1 for x64-based Systems
(3045999)
(Important)

Windows Server 2012 and Windows Server 2012 R2

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Moderate

Critical

None

None

Important

Windows Server 2012

Internet Explorer 10
(3038314)
(Moderate)

Windows Server 2012
(3042553)
(Critical)

Not applicable

Not applicable

Windows Server 2012
(3045685)
(Important)

Windows Server 2012
(3045999)
(Important)

Windows Server 2012 R2

Internet Explorer 11
(3038314)
(Moderate)

Windows Server 2012 R2
(3042553)
(Critical)

Not applicable

Not applicable

Windows Server 2012 R2
(3045685)
(Important)

Windows Server 2012 R2
(3045999)
(Important)

Windows RT and Windows RT 8.1

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

Critical

None

None

None

Important

Windows RT

Internet Explorer 10
(3038314)
(Critical)

Not applicable

Not applicable

Not applicable

Windows RT
(3045685)
(Important)

Windows RT
(3045999)
(Important)

Windows RT 8.1

Internet Explorer 11
(3038314)
(Critical)

Not applicable

Not applicable

Not applicable

Windows RT 8.1
(3045685)
(Important)

Windows RT 8.1
(3045999)
(Important)

Server Core installation option

Bulletin Identifier

MS15-032

MS15-034

MS15-035

MS15-037

MS15-038

Aggregate Severity Rating

None

Critical

Critical

Important

Important

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Not applicable

Not applicable

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(3046306)
(Critical)

Not applicable

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(3045685)
(Important)

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(3045999)
(Important)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Not applicable

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3046306)
(Critical)

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3045685)
(Important)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3045999)
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Not applicable

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3042553)
(Critical)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3046306)
(Critical)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3046269)
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3045685)
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3045999)
(Important)

Windows Server 2012 (Server Core installation)

Not applicable

Windows Server 2012 (Server Core installation)
(3042553)
(Critical)

Not applicable

Not applicable

Windows Server 2012 (Server Core installation)
(3045685)
(Important)

Windows Server 2012 (Server Core installation)
(3045999)
(Important)

Windows Server 2012 R2 (Server Core installation)

Not applicable

Windows Server 2012 R2 (Server Core installation)
(3042553)
(Critical)

Not applicable

Not applicable

Windows Server 2012 R2 (Server Core installation)
(3045685)
(Important)

Windows Server 2012 R2 (Server Core installation)
(3045999)
(Important)

Note for MS15-032 and MS15-034

Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the updates via Windows Update.

Windows Operating System and Components (Table 2 of 2)

Windows Server 2003

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

Important                                 

None                                             

Important                                      

None                                             

Windows Server 2003 Service Pack 2

Windows Server 2003 Service Pack 2
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 1.1 Service Pack 1 
(3037572)
(Important)

Microsoft .NET Framework 2.0 Service Pack 2
(3037577)
(Important)

Microsoft .NET Framework 4 
(3037578)
(Important)

Not applicable

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 2.0 Service Pack 2
(3037577)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Not applicable

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Server 2003 with SP2 for Itanium-based Systems
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 2.0 Service Pack 2
(3037577)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Not applicable

Windows Vista

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

Important

None

Important

None

Windows Vista Service Pack 2

Windows Vista Service Pack 2 
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 2.0 Service Pack 2
(3037573)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows Vista x64 Edition Service Pack 2

Windows Vista x64 Edition Service Pack 2
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 2.0 Service Pack 2
(3037573)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows Server 2008

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

Important

None

Important

None

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 2.0 Service Pack 2
(3037573)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 2.0 Service Pack 2
(3037573)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 2.0 Service Pack 2
(3037573)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Not applicable

Windows 7

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

Important

None

Important

None

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 3.5.1
(3037574)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 3.5.1
(3037574)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows Server 2008 R2

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

Important

None

Important

None

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 3.5.1
(3037574)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 3.5.1
(3037574)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Not applicable

Windows 8 and Windows 8.1

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

None

None

Important

Important

Windows 8 for 32-bit Systems

Not applicable

Not applicable

Microsoft .NET Framework 3.5
(3037575)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037580)
(Important)

Not applicable

Windows 8 for x64-based Systems

Not applicable

Not applicable

Microsoft .NET Framework 3.5
(3037575)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037580)
(Important)

Not applicable

Windows 8.1 for 32-bit Systems

Not applicable

Not applicable

Microsoft .NET Framework 3.5
(3037576)
(Important)

Microsoft .NET Framework 4.5.1/4.5.2
(3037579)
(Important)

Not applicable

Windows 8.1 for x64-based Systems

Not applicable

Not applicable

Microsoft .NET Framework 3.5
(3037576)
(Important)

Microsoft .NET Framework 4.5.1/4.5.2
(3037579)
(Important)

Windows 8.1 for x64-based Systems
(3047234)
(Important)

Windows Server 2012 and Windows Server 2012 R2

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

None

Important

Important

Important

Windows Server 2012

Not applicable

Not applicable

Microsoft .NET Framework 3.5
(3037575)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037580)
(Important)

Not applicable

Windows Server 2012 R2

Not applicable

Active Directory Federation Services 3.0 
(3045711)
(Important)

Microsoft .NET Framework 3.5
(3037576)
(Important)

Microsoft .NET Framework 4.5.1/4.5.2
(3037579)
(Important)

Windows Server 2012 R2
(3047234)
(Important)

Windows RT and Windows RT 8.1

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

None

None

Important

None

Windows RT

Not applicable

Not applicable

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037580)
(Important)

Not applicable

Windows RT 8.1

Not applicable

Not applicable

Microsoft .NET Framework 4.5.1/4.5.2
(3037579)
(Important)

Not applicable

Server Core installation option

Bulletin Identifier

MS15-039

MS15-040

MS15-041

MS15-042

Aggregate Severity Rating

Important

Important

Important

Important

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(3046482)
(Important)

Not applicable

Not applicable

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3046482)
(Important)

Not applicable

Not applicable

Not applicable

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3046482)
(Important)

Not applicable

Microsoft .NET Framework 3.5.1
(3037574)
(Important)

Microsoft .NET Framework 4
(3037578)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037581)
(Important)

Not applicable

Windows Server 2012 (Server Core installation)

Not applicable

Not applicable

Microsoft .NET Framework 3.5
(3037575)
(Important)

Microsoft .NET Framework 4.5/4.5.1/4.5.2
(3037580)
(Important)

Not applicable

Windows Server 2012 R2 (Server Core installation)

Not applicable

Active Directory Federation Services 3.0 
(3045711)
(Important)

Microsoft .NET Framework 3.5
(3037576)
(Important)

Microsoft .NET Framework 4.5.1/4.5.2
(3037579)
(Important)

Windows Server 2012 R2 (Server Core installation)
(3047234)
(Important)

Note for MS15-040 and MS15-042:

Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the updates via Windows Update.

 

Microsoft Server Software

Microsoft SharePoint Server 2013

Bulletin Identifier

MS15-036

Aggregate Severity Rating

Important

Microsoft SharePoint Server 2013 Service Pack 1

Microsoft SharePoint Foundation 2013 Service Pack 1 
(2965219) 
(Important)

Microsoft SharePoint Server 2013 Service Pack 1 
(2965219) 
(Important)

Note for MS15-036

This bulletin spans more than one software category. See the other tables in this section for additional affected software. 

 

Microsoft Office Suites and Software

Microsoft Office 2007

Bulletin Identifier

MS15-033

Aggregate Severity Rating

Critical

Microsoft Office 2007 Service Pack 3

Microsoft Word 2007 Service Pack 3 
(2965284)
(Critical)

Microsoft Office 2010

Bulletin Identifier

MS15-033

Aggregate Severity Rating

Critical

Microsoft Office 2010 Service Pack 2 (32-bit editions)

Microsoft Office 2010 Service Pack 2 (32-bit editions) 
(2965236)
(Critical)

Microsoft Word 2010 Service Pack 2 (32-bit editions) 
(2553428)
(Critical)

Microsoft Office 2010 Service Pack 2 (64-bit editions)

Microsoft Office 2010 Service Pack 2 (64-bit editions) 
(2965236)
(Critical)

Microsoft Word 2010 Service Pack 2 (64-bit editions) 
(2553428)
(Critical)

Microsoft Office 2013 and Microsoft Office 2013 RT

Bulletin Identifier

MS15-033

Aggregate Severity Rating

Important

Microsoft Office 2013 Service Pack 1 (32-bit editions)

Microsoft Word 2013 Service Pack 1 (32-bit editions) 
(2965224)
(Important)

Microsoft Office 2013 Service Pack 1 (64-bit editions)

Microsoft Word 2013 Service Pack 1 (64-bit editions) 
(2965224)
(Important)

Microsoft Office 2013 RT Service Pack 1

Microsoft Office 2013 RT Service Pack 1
(2965224)
(Important)

Microsoft Office for Mac

Bulletin Identifier

MS15-033

Aggregate Severity Rating

Important

Microsoft Outlook for Mac for Office 365

Microsoft Outlook for Mac for Office 365
(3055707)
(Important)

Microsoft Office for Mac 2011

Microsoft Office for Mac 2011
(3051737) 
(Important)

Microsoft Word for Mac 2011
(3051737)
(Important)

Other Office Software

Bulletin Identifier

MS15-033

Aggregate Severity Rating

Critical

Microsoft Word Viewer

Microsoft Word Viewer
(2965289)
(Critical)

Microsoft Office Compatibility Pack Service Pack 3

Microsoft Office Compatibility Pack Service Pack 3 
(2965210)
(Critical)

Note for MS15-033

This bulletin spans more than one software category. See the other tables in this section for additional affected software. 

 

Microsoft Office Services and Web Apps

Microsoft SharePoint Server 2010

Bulletin Identifier

MS15-033

MS15-036

Aggregate Severity Rating

Critical

Important

Microsoft SharePoint Server 2010 Service Pack 2

Word Automation Services 
(2553164) 
(Critical)

Microsoft Project Server 2010 Service Pack 2 
(2965302)
(Important)

Microsoft SharePoint Server 2013

Bulletin Identifier

MS15-033

MS15-036

Aggregate Severity Rating

Important

Important

Microsoft SharePoint Server 2013 Service Pack 1

Word Automation Services 
(2965215) 
(Important)

Microsoft Project Server 2013 Service Pack 1 
(2965278)
(Important)

Microsoft Office Web Apps 2010

Bulletin Identifier

MS15-033

MS15-036

Aggregate Severity Rating

Critical

None

Microsoft Office Web Apps 2010 Service Pack 2

Microsoft Office Web Apps Server 2010 Service Pack 2 
(2965238) 
(Critical)

Not applicable

Microsoft Office Web Apps 2013

Bulletin Identifier

MS15-033

MS15-036

Aggregate Severity Rating

Important

None

Microsoft Office Web Apps 2013 Service Pack 1

Microsoft Office Web Apps Server 2013 Service Pack 1 
(2965306) 
(Important)

Not applicable

Note for MS15-033 and MS15-036

This bulletin spans more than one software category. See the other tables in this section for additional affected software.

Detection and Deployment Tools and Guidance

 

Several resources are available to help administrators deploy security updates.

Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations.

Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager help administrators distribute security updates.

The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications.

For information about these and other tools that are available, see Security Tools for IT Pros.

Acknowledgments

 

Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure. See Acknowledgments for more information.

Other Information

 

Microsoft Windows Malicious Software Removal Tool

For the bulletin release that occurs on the second Tuesday of each month, Microsoft has released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. No updated version of the Microsoft Windows Malicious Software Removal Tool is available for out-of-band security bulletin releases.

Non-Security Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft Update, please see:

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners listed in Microsoft Active Protections Program (MAPP) Partners.

Security Strategies and Community

Update Management Strategies

Security Guidance for Update Management provides additional information about Microsoft’s best-practice recommendations for applying security updates.

Obtaining Other Security Updates

Updates for other security issues are available from the following locations:

  • Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for "security update".
  • Updates for consumer platforms are available from Microsoft Update.
  • You can obtain the security updates offered this month on Windows Update, from Download Center on Security and Critical Releases ISO CD Image files. For more information, see Microsoft Knowledge Base Article 913086.

IT Pro Security Community

Learn to improve security and optimize your IT infrastructure, and participate with other IT Pros on security topics in IT Pro Security Community.

Support

The affected software listed has been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Bottom Line Is: Please leave your Windows computers and file servers turned on tonight to receive the updates, and restart your equipment Wednesday morning. Follow the directions closely.

Microsoft Patch Tuesday April 2013

Microsoft just released its advance notification for next week's security updates. It looks like we can expect nine bulletins -- two rated "critical," the rest rated "important" -- to deal with flaws in Windows, Office, Internet Explorer as well as server and security software.

Whilst only two of the announced patches are actually listed as critical, the sheer volume of patches is noteworthy.

Bulletin 1 is applicable to all Windows desktops, making it very much the bull's-eye for would-be attackers.

Bulletin 8 may also represent one of the first reported vulnerabilities for Microsoft Office Web Apps 2010, which would be significant in and of itself.





| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 3 | Important, Information Disclosure | May require restart | Microsoft Office, Microsoft Server Software |
| Bulletin 4 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 5 | Important, Denial of Service | Requires restart | Microsoft Windows |
| Bulletin 6 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 7 | Important, Elevation of Privilege | Requires restart | Microsoft Security Software |
| Bulletin 8 | Important, Elevation of Privilege | May require restart | Microsoft Office, Microsoft Server Software |
| Bulletin 9 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |

Bottom Line: Remember to restart your Windows Servers and Workstations Wednesday April 10.

Microsoft Patch Tuesday August 12 2014

The Microsoft Patch Tuesday of August 12, 2014 is set to address nine bulletins affecting a wide variety of Microsoft products, including Internet Explorer, Windows, Office, SQL Server, and SharePoint.

Two of the bulletins are rated Critical, the company's highest rated label, as they allow for Remote Code Execution. Seven of the updates are rated Important.

Researchers at Qualys suggest that the most important critical security patch is Bulletin #1, which affects all versions of Internet Explorer (IE). This means IE6 to IE11 are affected, on both Windows 8.1 and Windows RT. 

"Since browsers are the attackers' favorite targets, this patch should be top of your list. An attacker would exploit this vulnerability on your users through a malicious webpage. These pages can be on sites that are either set up specifically for this purpose, requiring him or her to attract your users to the site or are on sites that are already under control of the attacker with an established user community, such as blogs and forums," Qualys told WinBeta.

Bulletin #2 is a critical update for Windows, and it affects Windows 8 and Windows 8.1, along with the Media Center TV pack for Windows Vista. This update addresses bugs in the graphics processing pipeline allowing an attacker to trick you into opening a malicious file.

Bulletin #3 affects OneNote in Office 2007 and deals with a file format vulnerability as well as Remote Code Execution. "An attacker would have to convince your users to open a malicious file, most likely with a targeted email. Of course if you do not have OneNote installed or are on a newer version of Microsoft Office (you really should be, as 2007 lacks many of the newer security features) you are not affected," Qualys explains.

Bulletins 4-9 deal with elevation of privileges in Windows, SQL Server, and SharePoint Server. Windows 8.1 is slated to receive two critical updates, and four important updates. Microsoft recommends that customers apply Critical updates immediately, while the company recommends that customers apply Important updates at the earliest opportunity. 

Aside from security updates, Microsoft is set to roll out Windows 8.1 Update 2, now known as Windows 8.1 August Update. Originally planned to feature the returning Start Menu, Update 2 will now feature precision touchpad improvements, Miracast Receive support, and various other minor fixes.

Bulletins by the numbers:

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 3 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 4 | Important, Elevation of Privilege | May require restart | Microsoft SQL Server |
| Bulletin 5 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 6 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 7 | Important, Elevation of Privilege | May require restart | Microsoft Server Software |
| Bulletin 8 | Important, Security Feature Bypass | May require restart | Microsoft Windows, Microsoft .NET Framework |
| Bulletin 9 | Important, Security Feature Bypass | Requires restart | Microsoft Windows |

Windows Operating System and Components

Affected Software and Operating Systems

Windows Server 2003

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Moderate

None

Important

Important

None

None

Windows Server 2003 Service Pack 2

Internet Explorer 6
(Moderate)

Internet Explorer 7
(Moderate)

Internet Explorer 8
(Moderate)

Not applicable

Windows Server 2003 Service Pack 2
(Important)

Windows Server 2003 Service Pack 2
(Important)

Not applicable

Not applicable

Windows Server 2003 x64 Edition Service Pack 2

Internet Explorer 6
(Moderate)

Internet Explorer 7
(Moderate)

Internet Explorer 8 (Moderate)

Not applicable

Windows Server 2003 x64 Edition Service Pack 2 
(Important)

Windows Server 2003 x64 Edition Service Pack 2 
(Important)

Not applicable

Not applicable

Windows Server 2003 with SP2 for Itanium-based Systems

Internet Explorer 6
(Moderate)

Internet Explorer 7
(Moderate)

Not applicable

Windows Server 2003 with SP2 for Itanium-based Systems 
(Important)

Windows Server 2003 with SP2 for Itanium-based Systems 
(Important)

Not applicable

Not applicable

Windows Vista

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Critical

None

Important

Important

Important

None

Windows Vista Service Pack 2

Internet Explorer 7
(Critical)

Internet Explorer 8
(Critical)

Internet Explorer 9
(Critical)

Not applicable

Windows Vista Service Pack 2 
(Important)

Windows Vista Service Pack 2 
(Important)

Microsoft .NET Framework 2.0 Service Pack 2
(Important)

Microsoft .NET Framework 3.0 Service Pack 2
(Important)

Not applicable

Windows Vista x64 Edition Service Pack 2

Internet Explorer 7
(Critical)

Internet Explorer 8
(Critical)

Internet Explorer 9
(Critical)

Not applicable

Windows Vista x64 Edition Service Pack 2
(Important)

Windows Vista x64 Edition Service Pack 2
(Important)

Microsoft .NET Framework 2.0 Service Pack 2
(Important)

Microsoft .NET Framework 3.0 Service Pack 2
(Important)

Not applicable

Windows Server 2008

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Moderate

None

Important

Important

Important

None

Windows Server 2008 for 32-bit Systems Service Pack 2

Internet Explorer 7
(Moderate)

Internet Explorer 8
(Moderate)

Internet Explorer 9
(Moderate)

Not applicable

Windows Server 2008 for 32-bit Systems Service Pack 2 
(Important)

Windows Server 2008 for 32-bit Systems Service Pack 2 
(Important)

Microsoft .NET Framework 2.0 Service Pack 2
(Important)

Microsoft .NET Framework 3.0 Service Pack 2
(Important)

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2

Internet Explorer 7
(Moderate)

Internet Explorer 8
(Moderate)

Internet Explorer 9
(Moderate)

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2 
(Important)

Windows Server 2008 for x64-based Systems Service Pack 2 
(Important)

Microsoft .NET Framework 2.0 Service Pack 2
(Important)

Microsoft .NET Framework 3.0 Service Pack 2
(Important)

Not applicable

Windows Server 2008 for Itanium-based Systems Service Pack 2

Internet Explorer 7
(Moderate)

Not applicable

Windows Server 2008 for Itanium-based Systems Service Pack 2 
(Important)

Windows Server 2008 for Itanium-based Systems Service Pack 2 
(Important)

Microsoft .NET Framework 2.0 Service Pack 2
(Important)

Microsoft .NET Framework 3.0 Service Pack 2
(Important)

Not applicable

Windows 7

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Critical

Critical

Important

Important

Important

Important

Windows 7 for 32-bit Systems Service Pack 1

Internet Explorer 8
(Critical)

Internet Explorer 9
(Critical)

Internet Explorer 10
(Critical)

Internet Explorer 11
(Critical)

Windows 7 for 32-bit Systems Service Pack 1
(all editions except Starter and Home Basic editions) 
(Critical)

Windows 7 for 32-bit Systems Service Pack 1 
(Important)

Windows 7 for 32-bit Systems Service Pack 1 
(Important)

Microsoft .NET Framework 3.5.1
(Important)

Windows 7 for 32-bit Systems Service Pack 1 
(Important)

Windows 7 for x64-based Systems Service Pack 1

Internet Explorer 8
(Critical)

Internet Explorer 9
(Critical)

Internet Explorer 10
(Critical)

Internet Explorer 11
(Critical)

Windows 7 for x64-based Systems Service Pack 1
(all editions except Starter and Home Basic editions)
(Critical)

Windows 7 for x64-based Systems Service Pack 1 
(Important)

Windows 7 for x64-based Systems Service Pack 1 
(Important)

Microsoft .NET Framework 3.5.1
(Important)

Windows 7 for x64-based Systems Service Pack 1 
(Important)

Windows Server 2008 R2

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Moderate

None

Important

Important

Important

Important

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Internet Explorer 8
(Moderate)

Internet Explorer 9
(Moderate)

Internet Explorer 10
(Moderate)

Internet Explorer 11
(Moderate)

Not applicable

Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Important)

Microsoft .NET Framework 3.5.1
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Important)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Internet Explorer 8
(Moderate)

Not applicable

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 
(Important)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 
(Important)

Microsoft .NET Framework 3.5.1
(Important)

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 
(Important)

Windows 8 and Windows 8.1

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Critical

Critical

Important

Important

Important

Important

Windows 8 for 32-bit Systems

Internet Explorer 10
(Critical)

Windows 8 for 32-bit Systems
(Professional edition only)
(Critical)

Windows 8 for 32-bit Systems 
(Important)

Windows 8 for 32-bit Systems 
(Important)

Microsoft .NET Framework 3.5
(Important)

Windows 8 for 32-bit Systems 
(Important)

Windows 8 for x64-based Systems

Internet Explorer 10
(Critical)

Windows 8 for x64-based Systems
(Professional edition only)
(Critical)

Windows 8 for x64-based Systems 
(Important)

Windows 8 for x64-based Systems 
(Important)

Microsoft .NET Framework 3.5
(Important)

Windows 8 for x64-based Systems 
(Important)

Windows 8.1 for 32-bit Systems

Internet Explorer 11
(Critical)

Windows 8.1 for 32-bit Systems
(Professional edition only)
(Critical)

Windows 8.1 for 32-bit Systems
(Important)

Windows 8.1 for 32-bit Systems
(Important)

Microsoft .NET Framework 3.5
(Important)

Windows 8.1 for 32-bit Systems
(Important)

Windows 8.1 for x64-based Systems

Internet Explorer 11
(Critical)

Windows 8.1 for x64-based Systems
(Professional edition only)
(Critical)

Windows 8.1 for x64-based Systems
(Important)

Windows 8.1 for x64-based Systems
(Important)

Microsoft .NET Framework 3.5
(Important)

Windows 8.1 for x64-based Systems
(Important)

Windows Server 2012 and Windows Server 2012 R2

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Moderate

None

Important

Important

Important

Important

Windows Server 2012

Internet Explorer 10
(Moderate)

Not applicable

Windows Server 2012 
(Important)

Windows Server 2012 
(Important)

Microsoft .NET Framework 3.5
(Important)

Windows Server 2012 
(Important)

Windows Server 2012 R2

Internet Explorer 11
(Moderate)

Not applicable

Windows Server 2012 R2
(Important)

Windows Server 2012 R2
(Important)

Microsoft .NET Framework 3.5
(Important)

Windows Server 2012 R2
(Important)

Windows RT and Windows RT 8.1

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

Critical

None

Important

Important

None

Important

Windows RT

Internet Explorer 10
(Critical)

Not applicable

Windows RT
(Important)

Windows RT
(Important)

Not applicable

Windows RT
(Important)

Windows RT 8.1

Internet Explorer 11
(Critical)

Not applicable

Windows RT 8.1
(Important)

Windows RT 8.1
(Important)

Not applicable

Windows RT 8.1
(Important)

Server Core installation option

Bulletin Identifier

Bulletin 1

Bulletin 2

Bulletin 5

Bulletin 6

Bulletin 8

Bulletin 9

Aggregate Severity Rating

None

None

Important

Important

Important

Important

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Not applicable

Not applicable

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(Important)

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(Important)

Not applicable

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Not applicable

Not applicable

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 
(Important)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 
(Important)

Not applicable

Not applicable

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Not applicable

Not applicable

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 
(Important)

Microsoft .NET Framework 3.5.1 (Server Core installation)
(Important)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 
(Important)

Windows Server 2012 (Server Core installation)

Not applicable

Not applicable

Windows Server 2012 (Server Core installation) 
(Important)

Windows Server 2012 (Server Core installation) 
(Important)

Microsoft .NET Framework 3.5 (Server Core installation)
(Important)

Windows Server 2012 (Server Core installation) 
(Important)

Windows Server 2012 R2 (Server Core installation)

Not applicable

Not applicable

Windows Server 2012 R2 (Server Core installation) 
(Important)

Windows Server 2012 R2 (Server Core installation) 
(Important)

Microsoft .NET Framework 3.5 (Server Core installation)
(Important)

Windows Server 2012 R2 (Server Core installation) 
(Important)

 

The Bottom Line: Be sure to leave your Windows Computers and Servers turned on Tuesday Night to receive the updates, then restart them first thing Wednesday morning!

Special note for Linux and Apple Users: No updates are necessary!

Microsoft Patch Tuesday December 11, 2012

Microsoft has announced seven bulletins that will be released December 11, 2012. The bulletins affect ALL Windows operating systems beginning with Windows XP and ending with Windows 8 and RT. Windows RT (tablet) users are not used to receiving patches on tablets, and this aspect makes it very unusual. Who knows, future patches may affect SmartPhones.

Five of the bulletins are rated critical, two are important. These bulletins will affect all currently supported Operating Systems, including Windows 8 and Windows RT.

Bulletin 1, rated critical, impacts Internet Explorer 9 and 10 on all platforms that support IE 9 and IE10, starting with Windows Vista, including Windows 7 and the new Windows 8 and RT.

Bulletin 2, rated critical, affects all versions of Windows, including Windows 8 and Windows RT.

Bulletin 3, rated critical, affects Microsoft Office. The main targets appear to be Microsoft Outlook and Microsoft Word.

Bulletin 4, rated critical, fixes a number of Microsoft server software products, including Microsoft Exchange and SharePoint. It also includes an update for Microsoft Office Web Apps 2010 Service Pack 1, which contains cloud versions of Microsoft Word, Excel, ....

Bulletin 5, rated important, covers a remote code execution issue in the Windows file handling component, affecting Windows XP through Windows 7. Fortunately, Windows 8 is not affected here. Essentially, when Windows Explorer parses a file name, it hits this vulnerability.

Bulletin 6, rated important, affects a vulnerability in Direct Play, affecting all versions of Windows from XP through Windows 8. If you use Direct Play to parse content in Office documents or things embedded in Office documents, this vulnerability will come into play. The Office documents will act as a vector, but it is a Windows level vulnerability.

Finally, bulletin 7, rated important, is a vulnerability in IP HTTPS, a component in Direct Access. Direct Access is a common VPN. Essentially, this is a bug that doesn’t honor the revocation of time stamp. This vulnerability would allow someone with a revoked certificate to log in and access corporate assets.

Bottom Line: Leave your Windows computers, servers, and Tablets turned on Tuesday night, and remember to reboot them Wednesday morning.

(If you use Linux or MAC operating systems, there are no updates)


What Is Microsoft Patch Tuesday

Patch Tuesday occurs on the second Tuesday of each month, when Microsoft regularly releases security updates and patches for Microsoft products. Starting with Windows 98, Microsoft has included a "Windows Update" system that checks for Microsoft-generated patches for all Windows versions and all Microsoft products like Microsoft Office, Visual Studio and SQL Server. Patch Tuesday usually begins at 6:00pm EST.

At times there is a need for other updates, calling for "an extraordinary Patch Tuesday" that can occur 14 days after the regular Patch Tuesday. In addition, Microsoft provides updates on a daily basis to security products (that is, products like Windows Defender and Microsoft Security Essentials).

The patches are also called bulletins, because patches generally contain information along with the patch itself. Microsoft does not supply specific patch information within the advance bulletin that may allow spammers and hackers to circumvent the patch before it arrives.

Microsoft only patches its own products. Adobe Reader, Adobe Flash, and Java have their own monthly update systems.

Linux and Apple operating systems do not require as much maintenance, meaning that you might only see one or two updates a year for these systems.

Unless you are running a program that is not compatible with a particular patch, Microsoft recommends that you install each and every patch so that you are protected against the Microsoft vulnerabilities.

 

Microsoft Patch Tuesday December 2013

Microsoft has announced this month’s Patch Tuesday release.  There are 11 total patches – 5 Critical and 6 Important – expected to be released on Tuesday, December 10. Here is the breakdown for this month:

Security Bulletins:

  • Five bulletins are rated as Critical.
  • Six bulletins are rated as Important.

Vulnerability Impact:

  • Six bulletins address vulnerabilities that could allow Remote Code Execution.
  • One bulletin addresses a vulnerability that could lead to Information Disclosure.
  • Three bulletins address vulnerabilities that could allow Elevation of Privilege.
  • One bulletin addresses a vulnerability which could lead to a Security Feature Bypass.

Affected Products:

  • All supported Windows operating systems
  • All versions of Office
  • Office Web Apps 2013
  • Lync 2010 and 2013
  • SharePoint Server 2010 and 2013
  • Exchange Server 2007, 2010, and 2013
  • ASP.NET SignalR
  • Visual Studio Team Foundation Server

Affected Software.

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Microsoft Office, Microsoft Lync |
| Bulletin 2 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 3 | Critical, Remote Code Execution | Requires restart | Microsoft Windows |
| Bulletin 4 | Critical, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 5 | Critical, Remote Code Execution | Does not require restart | Microsoft Exchange |
| Bulletin 6 | Important, Remote Code Execution | May require restart | Microsoft Office, Microsoft Server Software |
| Bulletin 7 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 8 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 9 | Important, Elevation of Privilege | Does not require restart | Microsoft Developer Tools |
| Bulletin 10 | Important, Information Disclosure | May require restart | Microsoft Office |
| Bulletin 11 | Important, Security Feature Bypass | May require restart | Microsoft Office |

The Bottom Line: Please reboot your Windows Computers and Servers Wednesday Morning

PS: If you use Linux, Unix, or Mac Operating systems, please disregard this message.

Microsoft Patch Tuesday February 11, 2014

On Tuesday, February 11, 2014, Microsoft will release its monthly Patch Tuesday security bulletins. This month we will receive five bulletins: two are listed as critical and three are listed as important.

Bulletins 1 and 2 concern critical vulnerabilities affecting only the newer Windows 7 and 8 operating systems. "The first patches a remote code execution vulnerability that affects Windows 7 through to Windows 8.1, including 8.1 RT.  The second, also a remote code execution, is actually an issue in Forefront Protection for Exchange Server (2010)," explains Ross Barrett, senior manager of security engineering at Rapid7.

On bulletin 2, Ken Pickering, director of engineering at CORE Security, points out the irony that "a product (Forefront for Exchange) that is designed to protect a service actually allows a remote code execution and weakens the security posture of the target system." His colleague Tommy Chin, a technical support engineer at CORE Security, suggests that this should make bulletin 2 the priority: "It would be tragic to let the Forefront software protecting your Exchange Server be part of the attack path an attacker uses as the open door."

Barrett agrees with this interpretation. "Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month." He adds that the next priority is "not surprisingly, the critical [bulletin 1] in Windows 7 and later."

"Bulletins #3 and #4 are local vulnerabilities for all versions of Windows, and address an elevation of privilege and an information disclosure vulnerability respectively," writes Wolfgang Kandek, CTO at Qualys. "Bulletin #5 addresses a Denial of Service condition in Windows 8."

These last three can be given a slightly lower priority. "The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege," says Barrett. They're "not to be ignored, but should be of slightly less concern than remote critical vulnerabilities."

Both Pickering and Chin, however, suggest that bulletin 3 should be the next priority after bulletins 1 and 2. "An elevation of Privilege (Bulletin 3) on .NET is always interesting," warns Pickering, "since if you’re running in a Microsoft shop, you’re also likely running .NET applications. People running .NET applications on machines with reduced permissions (a great policy to have) should make this update as soon as possible." Chin points out that "it can compromise all operating systems via privilege escalation except Windows Server 2008 SP2 Server Core," and adds, "I would pay close attention to patching this one."

Ziv Mador, director of security research at Trustwave, points out that even though it's a light Patch Tuesday this month, nearly everyone will be affected somewhere. "Since the three 'Important' Windows bulletins combined affect a widespread of Windows versions, it’s likely that this security release will affect you. Only one bulletin will require a system restart. Unfortunately this is a Windows patch mitigating a denial-of-service vulnerability affecting all versions of Windows from XP to Windows 8.1.  To keep a long story short, plan on grabbing a cup of coffee sometime next Tuesday while these systems restart after the patch install."

Executive Summary

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Security Software |
| Bulletin 3 | Important, Elevation of Privilege | May require restart | Microsoft Windows, Microsoft .NET Framework |
| Bulletin 4 | Important, Information Disclosure | May require restart | Microsoft Windows |
| Bulletin 5 | Important, Denial of Service | Requires restart | Microsoft Windows |
 

Windows Operating System and Components

Windows XP

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | None | Important | Important | None |
| Windows XP Service Pack 3 | Not applicable | Important | Important | Not applicable |
| Windows XP Professional x64 Edition Service Pack 2 | Not applicable | Important | Important | Not applicable |

Windows Server 2003

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | None | Important | Low | None |
| Windows Server 2003 Service Pack 2 | Not applicable | Important | Low | Not applicable |
| Windows Server 2003 x64 Edition Service Pack 2 | Not applicable | Important | Low | Not applicable |
| Windows Server 2003 with SP2 for Itanium-based Systems | Not applicable | Important | Low | Not applicable |

Windows Vista

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | None | Important | Important | None |
| Windows Vista Service Pack 2 | Not applicable | Important | Important | Not applicable |
| Windows Vista x64 Edition Service Pack 2 | Not applicable | Important | Important | Not applicable |

Windows Server 2008

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | None | Important | Low | None |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Not applicable | Important | Low | Not applicable |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Not applicable | Important | Low | Not applicable |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Not applicable | Important | Low | Not applicable |

Windows 7

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | Important | None |
| Windows 7 for 32-bit Systems Service Pack 1 | Critical | Important | Important | Not applicable |
| Windows 7 for x64-based Systems Service Pack 1 | Critical | Important | Important | Not applicable |

Windows Server 2008 R2

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | Low | None |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Critical | Important | Low | Not applicable |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Not applicable | Important | Low | Not applicable |

Windows 8 and Windows 8.1

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | Important | Important |
| Windows 8 for 32-bit Systems | Critical | Important | Important | Important |
| Windows 8 for x64-based Systems | Critical | Important | Important | Important |
| Windows 8.1 for 32-bit Systems | Critical | Important | Important | Not applicable |
| Windows 8.1 for x64-based Systems | Critical | Important | Important | Not applicable |

Windows Server 2012 and Windows Server 2012 R2

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | Low | Important |
| Windows Server 2012 | Critical | Important | Low | Important |
| Windows Server 2012 R2 | Critical | Important | Low | Not applicable |

Windows RT and Windows RT 8.1

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | Important | Important |
| Windows RT | Critical | Important | Important | Important |
| Windows RT 8.1 | Critical | Important | Important | Not applicable |

Server Core installation option

| Bulletin Identifier | Bulletin 1 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|
| Aggregate Severity Rating | None | Important | Low | Important |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Low | Not applicable |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Low | Not applicable |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Important | Low | Not applicable |
| Windows Server 2012 (Server Core installation) | Not applicable | Important | Low | Important |
| Windows Server 2012 R2 (Server Core installation) | Not applicable | Important | Low | Not applicable |
         

Bottom Line:

If you are using Apple or Linux, this bulletin is not for you.

Everyone else, make sure you restart your Windows Computers and Servers Wednesday Morning!

Microsoft Patch Tuesday February 14 2012

Microsoft announced that it will release nine bulletins, addressing 21 vulnerabilities in Microsoft Windows, Office, Internet Explorer, .NET Framework and Silverlight. The patches are scheduled to be released February 14.

According to the Advanced Notification, four of the bulletins are listed as “critical”.  Three will affect Windows and require a restart. The critical bulletins address errors in Windows, Internet Explorer and server-side software, and they address vulnerabilities that would allow remote code execution.

The remaining five bulletins are listed as “important” and deal with both remote code execution and elevation of privileges, involving Microsoft Windows, Office and Server Software. Only one of those will require a computer or server restart.

In addition, the Microsoft Windows Malicious Software Removal Tool will be updated on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Microsoft’s Trustworthy Computing Security Response Communications Manager, Angela Gunn, said details about risk, impact analysis, deployment guidance and a video overview of the release would be available Tuesday on their blog.

Make sure that you restart your computers Wednesday Morning!

Microsoft Patch Tuesday February 2013

Microsoft published the Advanced Notification for February 12, 2013. This Patch Tuesday is considered "Very Heavy" as Microsoft issued twelve Bulletins, five rated "critical" and the remaining six rated "important", addressing a whopping 57 vulnerabilities.

Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 - 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical Operating System level bulletin for Windows XP, 2003 and Vista, whereas users of the newer versions of Windows will not be affected. Bulletin 4 is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month's Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

Bulletins 1 and 2 address vulnerabilities in all versions of Internet Explorer. They are marked critical, and could lead to malicious code exploitation without any user interaction via drive-by downloading and exploit kits. Users of IE 10 will be updated automatically, but all other users should update ASAP. As an aside, it appears that this bulletin includes a number of updates to impact the Microsoft / Java issue.

Bulletin 3, labeled critical, affects XP and Vista, and Windows Server 2003 and 2008.

“Bulletin 4 [critical],” suggests Wolfgang Kandek, CTO at Qualys, “is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month's Critical Patch Update (CPU).”

Bulletin 5 can lead to remote code execution and affects Office and Server software. The main difference between the critical and important labels is that ‘important’ requires some user interaction – such as accepting a warning pop-up – while ‘critical’ requires none. Where end-user software is concerned, such as Office, this can be an academic rather than effective distinction. Some users automatically click ‘OK’ on OS warnings without any conscious interaction. Admins may generally be advised, then, to consider important end-user bulletins with the same urgency as critical bulletins.

Bulletins 6 and 10 address vulnerabilities that can lead to denial of service against Windows Server 2008 and 2012 (both), and also Vista and Windows (Bulletin 10). The remaining bulletins all address vulnerabilities that can lead to an escalation of privilege; “Meaning,” notes Kandek, “that one already has to be on the targeted computer to be able to attack them.” The problem with the modern advanced threat is that this may have already happened – possibly via the critical vulnerabilities that are dealt with in Bulletins 1 and 2.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type of vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Indexing server for SharePoint and is also caused by Oracle's update of the Outside In libraries that are used by Microsoft for document conversion processes.

Bulletin 12 (critical) affects XP SP3 only.

Special Notice: Adobe released, out-of-band, a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on Windows, Linux, and Mac OS X. Update your Flash installations as quickly as possible. Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Bottom Line: Make sure your computers and servers run updates Tuesday night, and please reboot your equipment Wednesday morning!

 

Microsoft Patch Tuesday January 2014

Microsoft plans to release four bulletins as part of the January 14 Patch Tuesday security update.

One bulletin is rated "Critical" and three are rated "Important".

Affected Products:

  • All supported Windows operating systems
  • All versions of Office
  • Office Web Apps 2010 and 2013
  • SharePoint Server 2010 and 2013
  • Dynamics AX 4.0, 2009, 2012, and 2012 R2

Bulletin #1, rated Important, affects Microsoft Office Compatibility Pack Service Pack 3, Microsoft Word Viewer, Word Automation Services in SharePoint Server 2013 and 2010 – Service Packs 1 and 2 – as well as Microsoft Office Web Apps 2010 – Service Packs 1 and 2 – and Office Web Apps Server 2013.

Bulletin #2, rated Critical, addresses the 0-day vulnerability CVE-2013-5065 in Windows XP and 2003, which has seen limited attacks since the end of November of last year. These attacks have been coming in through PDF documents using an already fixed vulnerability in Adobe Reader, and users of updated versions, i.e., post-APSB13-15 from May of 2013, should be immune to this attack vector.

Bulletin #3, rated Important, covers an elevation of privilege vulnerability in Windows 7 and Windows Server 2008 R2.

Bulletin #4, rated Important, addresses a denial of service vulnerability in Microsoft Dynamics AX 4.0 Service Pack 2, 2009 Service Pack 1, 2012, and 2012 R2.

The biggest surprise, however, is that there is no Internet Explorer patch this month. "This must be an indication that the IE team was finally allowed to take some time off over the holidays in light of the grueling 2013 they put in," comments Ross Brewer, senior manager of security engineering at Rapid7. But he doesn't think it's because IE has become suddenly secure: "Expect them back in February," he adds.

According to Sean Michael Kerner at eWeek, "The fact that Microsoft has not identified an IE fix in its advance notification for the January Patch Tuesday update also does not absolutely mean that Microsoft won't include a fix that will impact IE either. It is possible that the security bulletins labeled as affecting Microsoft Windows will, in fact, have an impact that relates to IE. In the modern world, the browser is the key window to the connected Web that is the Internet, and IE is on the front line in the battle against attackers."

Now, the fact that I don't know about any IE zero day flaws, doesn't mean that some do in fact likely exist. The fact that Microsoft has not identified an IE fix in its advance notification for the January Patch Tuesday update also does not absolutely mean that Microsoft won't include a fix that will impact IE either.

- See more at: http://www.eweek.com/blogs/security-watch/microsofts-first-patch-tuesday...

Windows XP

Bulletin #2 is a must for Windows XP users. “If you’re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan,” as “Microsoft will end support for XP in April,” said Russ Ernst, a director of product management at Lumension.

Additional Updates

In addition to Microsoft patches, expect a fresh batch of Adobe patches (Reader and Flash).

Oracle (Java) will also release the first of its quarterly Critical Patch Updates for 2014.

Wolfgang Kandek, CTO of Qualys, said: “These quarterly releases typically address over 100 vulnerabilities in their large software line. Analysing the applicability of these flaws to one’s software infrastructure and addressing them are a major concern for any organisation that uses Oracle products.”

Mac and Linux users should apply updates from Oracle and Adobe. However, none of the Microsoft updates apply to your operating system.

Bottom Line: Restart your Microsoft Windows Computers and Servers Wednesday Morning!

Microsoft Patch Tuesday January 8 2013

Microsoft published the Advanced Notification January 8, 2013, the first Patch Tuesday of 2013. Microsoft issued seven Bulletins, two rated "critical" and the remaining five rated "important", addressing 12 vulnerabilities.

The Bulletins affect a wide variety of software, including ALL versions of Windows (Windows RT is affected by four bulletins), ALL versions of Internet Explorer, Microsoft Office, .NET, SharePoint and System Center Operations Manager.

How do the vulnerabilities impact our systems? 2 vulnerabilities can lead to Remote Code Execution, 3 vulnerabilities can lead to Elevation of Privilege, 1 vulnerability can lead to Security Feature Bypass, and 1 vulnerability can lead to Denial of Service.

Bulletin 1, rated Critical, addresses Remote Code Execution in ALL Windows Operating Systems. This Bulletin requires a restart.

Bulletin 2, rated Critical, impacts Remote Code Execution in ALL Microsoft Windows versions, Microsoft Office, Microsoft Developer Tools, and Microsoft Server Software. This Bulletin may require a restart.

Bulletin 3, rated Important, addresses Elevation of Privilege in Microsoft Server Software.

Bulletin 4, rated Important, addresses Elevation of Privilege in Microsoft Windows and .NET Framework, and may require a restart.

Bulletin 5, designated as Important, affects Elevation of Privilege in Microsoft Windows and requires a restart.

Bulletin 6, listed as Important, impacts Security Feature Bypass in Microsoft Windows and requires a restart.

Bulletin 7, rated Important, addresses Denial of Service in Microsoft Windows and .NET Framework, and may require a restart.

If you are running Apple or Linux Operating System, this notice does not apply. Linux and Apple do not require patches.

Please remember to restart your computers and servers tomorrow morning.

Microsoft Patch Tuesday July 2013

This month’s updates affect various versions of Windows, Office, Visual Studio, Lync, Internet Explorer, and Windows Defender, as well as the .NET Framework and Silverlight. All but one may require a restart of the computer after installation.

MS13-052/KB2861561 - Vulnerabilities in .NET Framework and Silverlight

(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Server 2003, 2008, 2008 R2 and 2012, including Server Core installations; Microsoft Silverlight 5 and Silverlight 5 Developer Runtime when installed on Windows clients, Windows servers and Mac systems). This update addresses seven vulnerabilities in the .NET Framework and Silverlight on all supported versions of Windows, which could allow remote code execution if a trusted application uses a particular code pattern. It is rated critical for later versions of .NET Framework and important for some earlier versions. A restart may be required after installation.

MS13-053/KB2850851 - Vulnerabilities in Windows Kernel-Mode Drivers

(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 and 2012, including Server Core installations). This update is rated critical and affects all supported versions and editions of Microsoft Windows. It addresses eight vulnerabilities, based on the way Windows handles True Type Font (TTF) files and objects in memory. An exploit could result in remote code execution if a user views shared content with embedded TTF files. A restart may be required after installation.

MS13-054/KB2848295 - Vulnerability in GDI+

(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 and 2012, including Server Core installations; Microsoft Office 2003, 2007 and 2010, Visual Studio .NET 2003 and Lync 2010 and 2013). This update addresses one vulnerability in Windows, Office, Visual Studio, and Lync, which could allow remote code execution if a user views shared content that embeds True Type Font (TTF) files. It’s rated critical for Windows and Lync, and important for Office and Visual Studio. It does not affect Office 2013/2013 RT, nor Visual Studio versions 2005 and later. It also does not affect Communicator, Live Communications Server, Speech Server, Live Meeting Console, Lync 2010, Lync Web Access, or Lync for Mac 2011. A restart may be required after installation.

MS13-055/KB2846071 - Cumulative Security Update for Internet Explorer

(Internet Explorer 6, 7, 8, 9 and 10 running on all supported versions and editions of Microsoft Windows). This update addresses seventeen vulnerabilities that impact all supported versions of IE, the most severe of which could allow remote code execution upon viewing of a specially crafted web page in IE. It needs to be applied on all machines except those running Server Core installations. Rating is critical for Windows clients and moderate for Windows servers. A restart is required after installation.

MS13-056/KB2845187 - Vulnerability in Microsoft DirectShow

(Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008, 2008 R2 SP1 and 2012). This update addresses one vulnerability in the way the DirectShow component opens GIF files, which could allow remote code execution if a specially crafted GIF image file is opened. This vulnerability does not affect Windows RT, Windows Server 2008, and 2008 R2 for Itanium-based systems, or Server Core installations. A restart may be required after installation.

MS13-057/KB2847883 - Vulnerability in Windows Media Format Runtime

(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 SP1 and 2012). This update addresses one vulnerability in the way Windows Media Player opens certain media files, which could allow remote code execution if a specially crafted media file is opened. This vulnerability does not affect Windows Server 2008 and 2008 R2 for Itanium-based systems, or Server Core installations. A restart may be required after installation.

MS13-058/KB2847927 - Vulnerabilities in Windows Defender

(Windows 7 and Windows Server 2008 R2). This update addresses one vulnerability in Windows Defender running on Windows 7 or Windows Server 2008 R2 and the way it uses pathnames, which could allow elevation of privilege by which an attacker could take control of the system. However, the attacker must obtain valid logon credentials in order to exploit the vulnerability, thus it’s rated important. No restart is required.

Other Updates/Releases

July brings us far fewer non-security updates than last month, which should come as a bit of a relief.

KB2607607 - Language packs for Windows 8 and Windows RT. New language packs are available for Windows 8/RT for the following languages: Turkmen, Maori, Kannada, Norwegian, Konkani, Irish, Maltese, Urdu, Tatar, Assamese, Bangla.

KB2829104 - Telugu characters not displayed correctly in Nirmala UI font. (Windows 7 and Windows Server 2008 R2). This update addresses a problem of incorrect character display in Word 2013 on a computer running Windows 7 or Server 2008 R2.

KB2836945 - Update for .NET Framework 2.0 SP2. (Windows Server 2008 SP2). This update resolves two issues with ASP.NET based web pages.

KB2855336 - Update Rollup. (Windows 8, Windows RT and Server 2012). This update addresses an issue that can result in SD cards no longer being detected if the system transitions between different power states, along with nineteen other issues affecting these operating systems.

KB2859541 - Update to support new camera models. (Windows 8, Windows RT). This update adds codecs to provide support for seventeen new models of cameras from Canon, Epson, Nikon, Olympus, Panasonic, Pentax and Sony.

KB890830 - Windows Malicious Software Removal Tool - July 2013 (Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008, 2008 R2, and 2012). This is the regular monthly updated version of the Malicious Software Removal Tool (MSRT).

Bottom Line: Make sure you restart your Windows Workstations and Servers This Morning.

If you use a Mac or Linux, no need!

Microsoft Patch Tuesday June 10 2014

There are 7 total patches expected to be released on Tuesday, June 10, 2014. Here is the breakdown for this month:

Security Bulletins:

  • 2 bulletins are rated as Critical.

  • 5 bulletins are rated as Important.

Vulnerability Impact:

  • 3 bulletins address vulnerabilities that could allow Remote Code Execution.

  • 2 bulletins address vulnerabilities that could allow Information Disclosure.

  • 1 bulletin addresses a vulnerability that could lead to Denial of Service.

  • 1 bulletin addresses a vulnerability that could lead to Tampering.

Affected Products:

  • All supported Windows operating systems

  • All supported Internet Explorer versions

  • Office 2007 and 2010

  • Live Meeting 2007

  • Lync 2010 and 2013

One of the patches, number seven, is a security hole of a type you don't see announced very often in Microsoft bulletins: Tampering. 

You're probably used to seeing vulnerability tags like RCE (remote code execution), EoP (elevation of privilege, where a regular user can get unauthorized administrative or system powers), DoS (denial of service, where an outsider can crash software that you rely on), and Information Disclosure (where data that should stay private can be accessed without authorization). So what is "Tampering"?

Tampering explained by Sophos Naked Security

"Tampering is another sort of security hole that may help crooks, either by allowing them to initiate their attack more easily, or by making things worse for you once they have broken in.

Very loosely, tampering means that you can make a security-related change that should raise an alarm, but doesn't.

For example, you might be able to add malware to someone else's digitally signed software and have the system still accept it as trusted.

You might be able to make your own digital certificate, for example for a fake web page, but pass it off as someone else's.

Or you might be able to tamper with a protected configuration file, thus altering the settings and behavior of software such as a web server, without being noticed.

One well-known example of a tampering exploit is last year's MasterKey malware for Android, which bypassed Google's Android Package (APK) cryptographic verifier, making the malware look legitimate.

This didn't just allow the malware to get the blessing of Google's compulsory install-time security check, but also allowed the crooks to put the blame on an innocent vendor, whose digitally signed package they started with.

Another famous tampering exploit is the announcement by security researchers in 2008 that they had succeeded in creating a fake Certification Authority web certificate by finding a collision in the MD5 hashing algorithm.

Their home-made certificate appeared to have been signed by one of the top-level "root authorities" that almost every browser trusts by default, and would have allowed them to sign apparently-trusted certificates for any website they liked.

→ Don't use MD5 in any new project. We knew it was cryptographically flawed before 2008, but the above mentioned certificate crack made it quite clear that it was dangerously unsafe in real life, not just in the lab.

We can't yet say exactly what form this latest Windows tampering vulnerability takes, but it affects Windows 7; 8 and 8.1; Server 2008 R2 (not Itanium, and not Server Core); and all supported flavors of Server 2012, including Server Core.

Watch this space: we'll tell you more after we've spoken officially to Microsoft on Patch Tuesday itself."

Bottom Line: On Wednesday morning, first thing, please restart all of your Windows Servers and Computers

Exceptions: Windows XP, Apple, Linux

 

Microsoft Patch Tuesday March 12 2013

Software giant Microsoft plans to ship seven bulletins in the March 2013 edition of Patch Tuesday. Four of the bulletins are receiving high-severity, critical ratings.

Three of the four critically rated bulletins that affect Microsoft Windows, Internet Explorer, Silverlight, Office, and Server Software could lead to remote code execution while the final critically rated bulletin could allow for privilege elevations. The less severe, important-rated bulletins affect Office, Server Software, and Windows and could lead to information disclosures and privilege escalations.

Qualys Chief Technical Officer Wolfgang Kandek told Threatpost in an email interview that he would prioritize the first bulletin on Patch Tuesday because it fixes a bug that could be exploited to perform a complete machine takeover in all versions of IE from 6-10.

Kandek also expressed concerns regarding the second bulletin, which will address critical vulnerabilities in Microsoft Silverlight on Windows and Mac OS X, because it is widely deployed on end-user machines to run media applications like Netflix.

The third bulletin will fix a vulnerability in Visio and the Microsoft Office Filter Pack. Kandek said he was puzzled by the fact that this fix received a critical rating, because exploitation would require that users open an infected file, and that he would be interested to see if this vulnerability’s attack vector ends up warranting the high-severity rating.

Lastly, Kandek noted that the fourth and final critically-rated bulletin arose from a problem in SharePoint server.

Recap:





Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software
Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer
Bulletin 2 | Critical, Remote Code Execution | Does not require restart | Microsoft Silverlight
Bulletin 3 | Critical, Remote Code Execution | May require restart | Microsoft Office
Bulletin 4 | Critical, Elevation of Privilege | May require restart | Microsoft Office, Microsoft Server Software
Bulletin 5 | Important, Information Disclosure | May require restart | Microsoft Office
Bulletin 6 | Important, Information Disclosure | Does not require restart | Microsoft Office
Bulletin 7 | Important, Elevation of Privilege | Requires restart | Microsoft Windows

Microsoft Patch Tuesday March 13, 2012

The Microsoft Security Bulletin Advanced Notification for March 2012, known as “Patch Tuesday”, covers six bulletins. One is listed as “critical”, four are listed as “important”, and one bulletin is listed as “moderate”.

Bulletin 1, critical, affects “ALL” organizations AND consumers. Specifically, it affects Windows XP Service Pack 3, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

The patch for bulletins 1-3 actually changes the Windows Kernel, meaning that a reboot is required.

Bulletin 4, labeled important, impacts Microsoft Visual Studio 2008 Service Pack 1, Microsoft Visual Studio 2010, and Microsoft Visual Studio 2010 Service Pack 1. This bulletin addresses a Visual Studio flaw which can result in a privilege escalation.

Bulletin 5, labeled important, addresses remote code execution in Microsoft Expression Design, which is a vector graphics editor that competes with Adobe Photoshop and Adobe Illustrator. This issue is probably related to malicious file formats that could result in a compromise of the system running the software.

Bulletin 6, labeled moderate, only affects Windows operating systems post Windows 2003 Server. This means Bulletin 6 addresses issues which were introduced with Windows Vista.

Bottom line: Make sure you reboot your Windows computers and servers Wednesday morning.

Greg Allen
Active Technologies, LLC
www.active-technologies.com
gallen@active-technologies.com
843-225-5648

Microsoft Patch Tuesday March 2014

This month's Patch Tuesday, which is on March 11, contains five bulletins: two are marked critical and three are marked important.

One of the critical bulletins addresses Internet Explorer, and is believed to include a fix for the zero-day vulnerability highlighted by FireEye last month. Three fixes require a computer restart.

Bulletin 1 involves Internet Explorer versions 6 through 11. Since the zero-day vulnerability highlighted by FireEye in February, which was used in the watering hole attack it dubbed Operation Snowman, affects only IE 9 and 10, other vulnerabilities are also being fixed. IE versions 10 and 11 will be fixed automatically. Any company using any other version should treat this as the priority and patch as soon as possible.

Bulletin 2 is also marked critical and should be given the second highest priority. It affects most versions of Windows from XP to 8.1, excluding only Windows RT. Like bulletin 1, the vulnerability could lead to remote code execution. "These two are where we should focus our patching efforts," comments Ross Barrett, senior manager of security engineering at Rapid7.

Bulletin 3 addresses an elevation of privilege issue. It's "probably going to be a kernel or kernel driver patch," comments Barrett; "never something to ignore but less important than a critical/remote issue."

The remaining two, he said, are "probably the same issue being patched in Windows and in Silverlight. We will have to wait and see how exploitable this turns out to be. If it turns out that some of these issues are 'in the wild' and under exploitation, then that will change the circumstances of what to prioritize."

It is bulletin 5 that specifically addresses Silverlight. Tyler Reguly, manager of security research at Tripwire suggests the best way to patch Silverlight would be for developers to stop using it. "Given the limited adoption of Silverlight and the implied support Microsoft gave Flash when they bundled it in IE 11, it's surprising that Silverlight has not been shelved yet. In a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight."

If you are a Mac user running Silverlight, shouldn't this program be patched?

But there's an unstated bulletin that we should perhaps include: any user still using XP should not just consider, but should be actively planning to upgrade to a newer version – at least 7 or 8. There are now less than 30 days until Microsoft's general support for XP will be withdrawn: there will be only one more Patch Tuesday that might include a security patch for XP. After that time, new vulnerabilities will not be addressed; and hackers will have free rein with them.

Writing on GFI Software's blog, Deb Shinder warns that it's not just the visible XPs that could be a problem: a company may not have XP on the premises, but needs to be sure that no employee is using XP at home and connecting to the corporate network. "On that basis alone," she says, "it is advisable that businesses update their policies and set up technological safeguards to prevent telecommuters and mobile workers from accessing mission critical network resources with their home computers and laptops until they’ve upgraded to an OS that is still supported."

Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software
Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer
Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Windows
Bulletin 3 | Important, Elevation of Privilege | Requires restart | Microsoft Windows
Bulletin 4 | Important, Security Feature Bypass | Requires restart | Microsoft Windows
Bulletin 5 | Important, Security Feature Bypass | Does not require restart | Microsoft Silverlight

 

Windows Operating System and Components

Windows XP
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Critical | Important | Important
Windows XP Service Pack 3 | Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical) | Windows XP Service Pack 3 (Critical) | Windows XP Service Pack 3 (Important) | Windows XP Service Pack 3 (Important)
Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical) | Windows XP Professional x64 Edition Service Pack 2 (Critical) | Windows XP Professional x64 Edition Service Pack 2 (Important) | Windows XP Professional x64 Edition Service Pack 2 (Important)

Windows Server 2003
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | Critical | Important | Important
Windows Server 2003 Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Windows Server 2003 Service Pack 2 (Critical) | Windows Server 2003 Service Pack 2 (Important) | Windows Server 2003 Service Pack 2 (Important)
Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Windows Server 2003 x64 Edition Service Pack 2 (Critical) | Windows Server 2003 x64 Edition Service Pack 2 (Important) | Windows Server 2003 x64 Edition Service Pack 2 (Important)
Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate) | Windows Server 2003 with SP2 for Itanium-based Systems (Critical) | Windows Server 2003 with SP2 for Itanium-based Systems (Important) | Windows Server 2003 with SP2 for Itanium-based Systems (Important)

Windows Vista
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Critical | Important | Important
Windows Vista Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista Service Pack 2 (Critical) | Windows Vista Service Pack 2 (Important) | Windows Vista Service Pack 2 (Important)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista x64 Edition Service Pack 2 (Critical) | Windows Vista x64 Edition Service Pack 2 (Important) | Windows Vista x64 Edition Service Pack 2 (Important)

Windows Server 2008
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | Critical | Important | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for x64-based Systems Service Pack 2 (Critical) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Not applicable | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important) | Not applicable

Windows 7
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Critical | Important | None
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical); Internet Explorer 11 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Important) | Not applicable
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical); Internet Explorer 11 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Important) | Not applicable

Windows Server 2008 R2
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | Critical | Important | Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate); Internet Explorer 10 (Moderate); Internet Explorer 11 (Moderate) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important) | Not applicable

Windows 8 and Windows 8.1
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Critical | Important | None
Windows 8 for 32-bit Systems | Internet Explorer 10 (Critical) | Windows 8 for 32-bit Systems (Critical) | Windows 8 for 32-bit Systems (Important) | Not applicable
Windows 8 for x64-based Systems | Internet Explorer 10 (Critical) | Windows 8 for x64-based Systems (Critical) | Windows 8 for x64-based Systems (Important) | Not applicable
Windows 8.1 for 32-bit Systems | Internet Explorer 11 (Critical) | Windows 8.1 for 32-bit Systems (Critical) | Windows 8.1 for 32-bit Systems (Important) | Not applicable
Windows 8.1 for x64-based Systems | Internet Explorer 11 (Critical) | Windows 8.1 for x64-based Systems (Critical) | Windows 8.1 for x64-based Systems (Important) | Not applicable

Windows Server 2012 and Windows Server 2012 R2
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | Critical | Important | Important
Windows Server 2012 | Internet Explorer 10 (Moderate) | Windows Server 2012 (Critical) | Windows Server 2012 (Important) | Windows Server 2012 (Important)
Windows Server 2012 R2 | Internet Explorer 11 (Moderate) | Windows Server 2012 R2 (Critical) | Windows Server 2012 R2 (Important) | Windows Server 2012 R2 (Important)

Windows RT and Windows RT 8.1
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | None | Important | None
Windows RT | Internet Explorer 10 (Critical) | Not applicable | Windows RT (Important) | Not applicable
Windows RT 8.1 | Internet Explorer 11 (Critical) | Not applicable | Windows RT 8.1 (Important) | Not applicable

Server Core installation option
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | None | None | Important | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important)
Windows Server 2012 (Server Core installation) | Not applicable | Not applicable | Windows Server 2012 (Server Core installation) (Important) | Windows Server 2012 (Server Core installation) (Important)
Windows Server 2012 R2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2012 R2 (Server Core installation) (Important) | Windows Server 2012 R2 (Server Core installation) (Important)

Bottom Line:

1. If you are a Mac or Linux user and use Silverlight, you may need to patch Silverlight

2. Be sure to restart your Windows Servers and Computers Wednesday morning

3. If you are still using Windows XP, Let's talk about a plan as April ends support for Windows XP

 

 

 

Microsoft Patch Tuesday March 2015 Continued

( @ ZDNET) This month's Patch Tuesday was not supposed to be one of the biggest in recent memory, but it is, with 14 separate security-related updates going out via Microsoft's update channels. All but two of the updates are for Windows. (Depending on your OS, you'll find a large number of non-security-related updates as well. More details on those when I get them.)

Five updates (four for Windows and one for Office) are rated Critical. The remaining nine are rated Important, all for Windows except for a lone Exchange Server patch.

Two of the fixes are for vulnerabilities that have already been publicly disclosed. The good news for Microsoft's Security Response team is that they've cleared all open issues from the Google Project Zero list.

Here's a rundown of the security-related updates in this month's super-sized collection.

MS15-018 is a Cumulative Security Update that addresses an even dozen vulnerabilities and affects all supported versions of Internet Explorer. It includes the fix for a cross-site scripting vulnerability that was publicly disclosed prior to February's Patch Tuesday but didn't make last month's fixes. Another fix is in response to a memory corruption vulnerability that has also been publicly disclosed, although the official CVE page hasn't yet been updated with details.

MS15-019 repairs a scripting vulnerability in some older Windows versions; it doesn't affect Windows 7 and later desktop versions or the equivalent server versions, Windows Server 2012 and 2012 R2.

 

MS15-020 fixes a flaw in the way Microsoft Text Services handles objects in memory and how Microsoft Windows handles the loading of DLL files. MS15-021 addresses an issue with the Adobe Font Driver. Both vulnerabilities could theoretically allow remote code execution, although Microsoft's summaries say that possibility is unlikely.

MS15-022 applies to all supported Microsoft Office versions (2007, 2010, and 2013), as well as the server-based Office Web Apps and SharePoint Server products. It fixes three known vulnerabilities in Office document formats as well as multiple cross-site scripting issues for SharePoint Server. The worst outcome allows remote code execution.

Eight of the remaining nine updates affect Microsoft Windows, with the exception being a fix for an issue in Microsoft Exchange Server.

One update resolves a problem with Windows Task Scheduler that could allow a local user to bypass file access controls and run privileged executables. Another fixes a possible denial of service issue that only affects systems where Remote Desktop Protocol (RDP) is enabled. (By default, RDP is off on all Windows versions.)

And then there's MS15-031, which fixes the widely publicized (and cross-platform) Schannel vulnerability, more popularly known as the FREAK technique. This update (for all Windows versions) means Microsoft and Apple platforms are secured, while vulnerable Android versions have yet to be patched.

Systems with Internet Explorer 11 (which includes all Windows 8.1 installations) are also receiving an update to the built-in Flash Player code. The security issues fixed by this update are addressed in a separate bulletin, not yet available from Adobe.

In addition to the large number of security-related updates, you'll find a large number of Recommended updates. On a Windows 8.1 installation, I counted 16 separate updates, most of them small. As is customary (and frustrating), most of the associated Knowledge Base articles that explain the reason for each fix were not available hours after the updates themselves appeared on Windows Update.

Bottom line: Make sure you restart your computers and workstations this morning.

Microsoft Patch Tuesday May 2013

The May 14, 2013 Microsoft patch will comprise 10 bulletins: 2 critical and 8 important. The two critical updates involve Internet Explorer and are thought to fix the vulnerabilities used in the recent Labor Department water-hole attack, and the successful attack employed at Pwn2Own earlier this year.

Microsoft’s habit of releasing previews without details allows system administrators to prepare their patch schedule without giving away too many pre-patch vulnerability details to potential hackers. This month, although there are ten separate bulletins, Lumension’s security and forensic analyst Paul Henry doesn’t believe the stress level will be too high since 8 of the 10 are rated important rather than critical. He notes that this latest batch of bulletins brings the total this year to 45, “or 10 more bulletins than last year at this time. This tells me,” he says, “Microsoft is continuing to dig deeper into their code base to uncover lower level vulnerabilities. This is good news and I believe the trend toward higher numbers of important bulletins will continue given Microsoft’s apparent commitment to proactively discovering and patching security issues in their code.”

It is worth noting that Microsoft issued a separate security advisory on 8 May: Vulnerability in Internet Explorer 8 could allow remote code execution, and provided a temporary Fix it. “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” warns the advisory. This is probably the vulnerability used with the Labor Department water hole attack discovered at the beginning of the month (early reports claimed the vulnerability had already been patched, but it was subsequently found to be a new zero-day flaw in Internet Explorer 8). Since it is being actively exploited, Microsoft took the responsible route and issued an emergency Fix it. If you use IE8, don’t wait for the official patch but Fix it immediately – just make sure you have already applied the April patches from last month.

Only two of the 10 bulletins are critical and both impact Microsoft Windows and Internet Explorer. One is believed to be the Labor Department flaw, which, suggests Andrew Storms, director of security operations at Tripwire, is “record time turn around speed for Microsoft and will be sweet music to everyone's ears.” That issue is being actively exploited in the wild, “and has an exploit module available from Metasploit,” warns Ross Barrett, senior manager of security engineering at Rapid7. “This should be the top patching priority for anyone or any organization using Internet Explorer 8.” 

The other critical vulnerability is thought to be the Pwn2Own vulnerability that took down IE at CanSecWest earlier this year. “Usually Microsoft releases Pwn2Own bug fixes in April, but this year other bug fixes must have been higher priority,” said Storms.

Since the two critical vulnerabilities both affect Internet Explorer, and the latest version 10 gets updated automatically, Henry suggests, “If your system is compatible with IE 10 and you’re not running it already, upgrade now.” However, IE 10 has been known to have issues with online banking systems used for bill payment and check deposit.

For the remaining bulletins he believes that admins’ patch schedule should reflect the programs most used. He notes that Bulletin 4 is a spoofing issue that affects all versions of Windows from XP onwards. Bulletin 3 is a denial of service issue affecting only the newest versions of Windows products – “inconvenient”, he says, “but likely not damaging to systems in the long-term.” Nevertheless, it bothers him when only the current code is affected by a flaw, showing that flaws can and probably always will affect all new software.

“Bulletins 5, 6, and 7 are all rated Important and all three result in remote code execution in parts of Microsoft Office – specifically Communicator and Lync, Publisher and Word in that order,” notes Ziv Mador, director of security research at Trustwave.

Bulletins 8 and 9 are information disclosure issues. “These are always a little concerning,” comments Henry, “since they might allow an attacker insight into sensitive company information or documents. However, if they’re ranked important that generally means that there’s an element of the vulnerability that makes it difficult to achieve: a physical access requirement or additional steps required to execute the vulnerability successfully.”

Bulletin 10 is a privilege elevation issue. “Elevation of privilege vulnerabilities are almost always ranked important and this one is no different,” he says. “It’s likely a kernel mode driver issue that might allow for a low-rights user to be elevated to moderate or admin-level.”

Here is the breakdown:

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 2 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 3 | Important, Denial of Service | Requires restart | Microsoft Windows |
| Bulletin 4 | Important, Spoofing | May require restart | Microsoft Windows, .NET Framework |
| Bulletin 5 | Important, Remote Code Execution | May require restart | Microsoft Lync |
| Bulletin 6 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 7 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 8 | Important, Information Disclosure | May require restart | Microsoft Office |
| Bulletin 9 | Important, Information Disclosure | May require restart | Microsoft Windows Essentials |
| Bulletin 10 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |

Bottom line is, leave your computers and servers turned on tonight and make sure you restart them in the morning.

Microsoft Patch Tuesday May 2013

This month, Patch Tuesday is May 13. Just one week after releasing an out-of-band patch for an Internet Explorer zero day, Microsoft has provided Patch Tuesday security updates that will include another critical patch for the Internet Explorer browser.

However, even though the vulnerabilities affect Windows XP, Microsoft is holding the line on WinXP updates: “Our existing policy remains in place, and as such, Microsoft no longer supports Windows XP. We continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1,” a Microsoft spokesman said.

What Microsoft failed to mention is that Windows XP users have other choices, i.e., Apple and Linux, as most users dislike Windows 8. In fact, I have heard the descriptor "Hate" many times used in conjunction with Windows 8.

Back to Patch Tuesday:

8 Bulletins - Two are rated Critical, and 6 are rated as important.

Bulletin 1, rated Critical, is aimed at Microsoft Windows (all actively supported versions) Internet Explorer. Bulletin 1 requires a reboot of the system.

Bulletin 2, rated Critical, affects all supported Microsoft Server Software, Productivity Software, including Microsoft Office, to prevent remote execution of code.

Bulletin 3, rated Important, is specifically for Microsoft Office, to prevent remote execution of code.

Bulletin 4, rated Important, impacts Microsoft Windows, to prevent remote Elevation of Privilege.

Bulletin 5, rated Important, targets Microsoft Windows and Microsoft .NET Framework, to prevent remote Elevation of Privilege.

Bulletin 6, rated Important, affects Microsoft Windows, to prevent remote Elevation of Privilege.

Bulletin 7, rated Important, targets Microsoft Windows, to prevent remote Denial of Service attacks.

Bulletin 8, rated Important, targets Microsoft Windows, to prevent remote Security Feature Bypass.

Bottom Line: If you are using Apple or Linux, you don't have to do anything - this email is not for you.

Windows Users: Be sure to restart your Windows computers and servers Wednesday morning.

Microsoft Patch Tuesday November 2013

November 12, 2013 (today) is Microsoft Patch Tuesday.  Microsoft announced that it will contain eight security bulletins covering both the Windows operating system and Microsoft Office software.

In addition, it is reported to include a high priority item with the current 0-day vulnerability in a graphics library that is used by Microsoft Office and older versions of Windows.

The 0-day vulnerability is detailed in security advisory KB2896666 as a weakness in the TIFF graphics format parser, with reports of attacks from the Middle East and South Asia. The observed attacks are through Microsoft Word documents and the vulnerability is present in Microsoft Office.

Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis. TIFF is a format used frequently when scanning documents and in the publishing industry.

Microsoft's security toolkit EMET (Enhanced Mitigation Experience Toolkit) prevents the attack from executing, as it has in all of the recent 0-days in Internet Explorer as well.

The November Patch includes ‘critical’ bulletins affecting the Internet Explorer Web Browser (IE) and Windows.

Five 'important' bulletins impact Office and Windows.

The focus is on applying the critical update for Internet Explorer, because the recent Microsoft SIR report points out on page 116 that, in 2013, the majority of attacks not delivered through email have been delivered through Internet Explorer.

All of the critical bulletins and one of the important bulletins result in a remote code execution and should be prioritized higher. The rest of the important bulletins result in the elevation of privileges or a denial of service condition.

If you are using Apple iOS or Linux, no update is necessary.

Bottom line, leave your computers and servers turned on tonight, and reboot your equipment tomorrow morning.

 

Microsoft Patch Tuesday November 2013 What was not fixed

 

What was fixed by this Patch Tuesday:
This month, Microsoft released eight bulletins, with four Critical updates and four Important updates. One of the Critical updates fixes a serious flaw in Internet Explorer that hackers have been using to take over computers.

The other updates block similar problems in Windows and other Microsoft products. That's why you need to make sure these security updates are installed properly.

If you have automatic updates turned on, your computer will install the Windows updates the next time you shut down. If the updates still need to be applied, you should see a yellow security notification on the red shut down button in your Start menu.

Click the button to turn off your computer and install the security updates. This could take a little bit of time, so make sure you don't need to use your computer in the meantime.

What was not fixed by this Patch Tuesday:
Zero Day! For this new threat, hackers have found a way to bypass Windows' security measures to take control of your computer - even if you have security software installed. The danger can come as an email attachment or from a malicious website. You need to know what to look for so you can be on your guard.

Pass this on to your friends and family so they can take steps to protect themselves.

The flaw centers around the way Windows and Office handle TIFF image files.

You might open a Word document containing a malicious TIFF image or visit a website that has a malicious TIFF image loaded. Hackers can use the image to bypass your security and take control of your computer.

Microsoft will probably release a fix in next week's Patch Tuesday, but that might not be soon enough to save your computer. Until then, here are some ways you can stay safe.

You can use Microsoft's Fix It tool to stop Windows from loading TIFF images. TIFF images aren't widely used anymore, so this shouldn't affect your life that much. Click here to visit the Fix it page. Then click the image under Enable this Fix it and follow the directions. But that isn't all.

Don't download email attachments from people you don't know, and be extra suspicious of Word files. You also don't want to click any suspicious links in email or on social media sites. Click here to learn more about avoiding phishing email and websites.

Make sure you're using a Standard Windows account instead of an Administrator account. Even if a hacker takes over your system, they won't be able to do as much with a Standard account.

Adobe:
Adobe products, PDF Reader and Flash, were not included in the Microsoft Update because they are not Microsoft. Many people have turned off Adobe updates because the impact is usually minor compared to the nuisance created by their relentless screen messages. However, this time, I recommend performing Adobe updates.

Bottom Line: Make sure you restart your Windows Computers and Servers first thing this morning.

Of course, if you are running Apple iOS or Linux, none of this is necessary.

(Credit: Most of this information came from the Kim Komando website)

 

Microsoft Patch Tuesday October 2013

Tomorrow, Tuesday October 8, 2013, Microsoft plans to issue eight bulletins, including four critical, addressing vulnerabilities in Microsoft Windows, Internet Explorer (IE), Microsoft Office and its other products.

The first four bulletins will patch critical vulnerabilities in Microsoft Windows, Internet Explorer and the Microsoft .NET Framework, according to a Microsoft Advanced Notification issued on Oct. 3.

Bulletins 1-4, deemed "critical," could allow for remote code execution. The first, second and fourth bulletins will definitely require a restart, while the third may require one.

Particular attention is being paid to the first bulletin, which may contain a permanent fix for a high-profile IE zero-day vulnerability that was discovered within the last month. Security firm FireEye, which initially uncovered the IE vulnerability, has since learned that at least three separate attack campaigns are actively exploiting the zero-day.

Though Microsoft issued a temporary "Fix it" in September for the vulnerability, pressure to provide a permanent patch increased on Monday when the popular penetration-testing tool Metasploit released a module for the zero-day. As for whether Bulletin 1 does indeed resolve the IE zero-day, Ross Barrett, senior manager of security engineering at Boston-based Rapid7, is hopeful.

"The answer is, we won't know for sure until Tuesday, but it could and it should," Barrett said. "This is definitely where I would focus my patching efforts."

Bulletins 2, 3 and 4 address vulnerabilities on a wide range of Microsoft products, including Windows XP, 7 and 8, and Windows Server 2003, 2008 and 2012.

In addition to the critical bulletins, Microsoft has marked four more bulletins as "important." Of these bulletins, three may require a restart and one does not.

Bulletins 5, 6 and 7 address vulnerabilities that could allow for remote code execution.

The bulletins will be released on Oct. 8.

Separately, Adobe Systems Inc. is currently preparing to patch critical vulnerabilities in two of its products, Reader and Acrobat. The vulnerabilities were assigned a "priority rating" of 2, which signals that the products have historically been at elevated risk, according to Adobe's rating system. The patches should go live on Oct. 8 too.

Executive Summary

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 2 | Critical, Remote Code Execution | Requires restart | Microsoft Windows |
| Bulletin 3 | Critical, Remote Code Execution | May require restart | Microsoft Windows, Microsoft .NET Framework |
| Bulletin 4 | Critical, Remote Code Execution | Requires restart | Microsoft Windows |
| Bulletin 5 | Important, Remote Code Execution | May require restart | Microsoft Office, Microsoft Server Software |
| Bulletin 6 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 7 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 8 | Important, Information Disclosure | Does not require restart | Microsoft Silverlight |

Windows Operating System and Components
Windows XP

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows XP Service Pack 3 | Internet Explorer 6, 7, 8 (Critical) | Critical | Critical | Not applicable |
| Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 6, 7, 8 (Critical) | Critical | Critical | Critical |

Windows Server 2003

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2003 Service Pack 2 | Internet Explorer 6, 7, 8 (Moderate) | Critical | Critical | No severity rating |
| Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6, 7, 8 (Moderate) | Critical | Critical | Critical |
| Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6, 7 (Moderate) | Critical | Important | Critical |

Windows Vista

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows Vista Service Pack 2 | Internet Explorer 7, 8, 9 (Critical) | Critical | Critical | No severity rating |
| Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7, 8, 9 (Critical) | Critical | Critical | Critical |

Windows Server 2008

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7, 8, 9 (Moderate) | Critical | Critical | No severity rating |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7, 8, 9 (Moderate) | Critical | Critical | Critical |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Critical | Important | Critical |

Windows 7

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8, 9, 10 (Critical) | Critical | Critical | No severity rating |
| Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8, 9, 10 (Critical) | Critical | Critical | Critical |

Windows Server 2008 R2

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8, 9, 10 (Moderate) | Critical | Critical | Critical |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) | Critical | Important | Critical |

Windows 8

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows 8 for 32-bit Systems | Internet Explorer 10 (Critical) | Critical | Critical | No severity rating |
| Windows 8 for 64-bit Systems | Internet Explorer 10 (Critical) | Critical | Critical | Critical |

Windows Server 2012

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2012 | Internet Explorer 10 (Moderate) | Critical | Critical | Critical |

Windows RT

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Important | None |
| Windows RT | Internet Explorer 10 (Critical) | Critical | Important | No severity rating |

Windows 8.1

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | None | None | None |
| Windows 8.1 for 32-bit Systems | Internet Explorer 11 (Critical) | Not applicable | Not applicable | Not applicable |
| Windows 8.1 for 64-bit Systems | Internet Explorer 11 (Critical) | Not applicable | Not applicable | Not applicable |

Windows Server 2012 R2

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | None | None | None |
| Windows Server 2012 R2 | Internet Explorer 11 (Moderate) | Not applicable | Not applicable | Not applicable |

Windows RT 8.1

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | Critical | None | None | None |
| Windows RT 8.1 | Internet Explorer 11 (Critical) | Not applicable | Not applicable | Not applicable |

Server Core installation option

| Operating system | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
|---|---|---|---|---|
| Aggregate Severity Rating | None | Critical | Critical | Critical |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Critical | Not applicable | No severity rating |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Critical | Not applicable | Critical |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Critical | Critical | Critical |
| Windows Server 2012 (Server Core installation) | Not applicable | Critical | Critical | Critical |
| Windows Server 2012 R2 (Server Core installation) | Not applicable | Not applicable | Not applicable | Not applicable |

Bottom Line: Leave your Microsoft Windows computers and servers on Tuesday night and restart them first thing Wednesday morning.

Special Note: If you are running Apple or Linux, you did not have to read this article.

If you have any questions, please give me a call or send an email.

Many Thanks

Greg Allen

 

 

Microsoft Patch Tuesday September 2013

As part of Microsoft's monthly Patch Tuesday, the devices and services giant will be rolling out fourteen patches for various vulnerabilities. Four of those patches are for Windows 8 and three are for Windows RT. These security patches are part of September 2013's Patch Tuesday, which rolls out today.

Windows 8 will see one critical update affecting Internet Explorer 10 and three important updates dealing with Remote Code Execution and Elevation of Privileges. Windows RT, on the other hand, will see the same critical update addressing Internet Explorer 10, along with two important updates.

The rest of the security patches affect Office 2007 and Office 2010, while Office 2013 is unaffected. Windows Server 2003 and Windows XP both receive updates as well, along with Windows 7 and Windows Vista.

Microsoft will be rolling out these security fixes later today, so keep an eye on Windows Update! Microsoft is also expected to roll out a firmware update for the Surface RT and/or Surface Pro later today. If you feel that you need assistance with these devices, please send us an email.

The following is a detailed breakdown of each patch:

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | May require restart | Microsoft Office, Microsoft Server Software |
| Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 3 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 4 | Critical, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 5 | Important, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 6 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 7 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 8 | Important, Remote Code Execution | May require restart | Microsoft Office |
| Bulletin 9 | Important, Elevation of Privilege | May require restart | Microsoft Office |
| Bulletin 10 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 11 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 12 | Important, Information Disclosure | May require restart | Microsoft Office |
| Bulletin 13 | Important, Denial of Service | May require restart | Microsoft Windows, Microsoft .NET Framework |
| Bulletin 14 | Important, Denial of Service | May require restart | Microsoft Windows |

Impact by Operating System

Windows XP

| Operating system | Bulletin 3 | Bulletin 4 | Bulletin 5 | Bulletin 10 | Bulletin 11 | Bulletin 13 | Bulletin 14 |
|---|---|---|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Important | Important | None | Important | None |
| Windows XP Service Pack 3 | Internet Explorer 6, 7, 8 (Critical) | Critical | Important | Important | Not applicable | Important | Not applicable |
| Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 6, 7, 8 (Critical) | Critical | Important | Important | Not applicable | Important | Not applicable |

Windows Server 2003

| Operating system | Bulletin 3 | Bulletin 4 | Bulletin 5 | Bulletin 10 | Bulletin 11 | Bulletin 13 | Bulletin 14 |
|---|---|---|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Important | Important | None | Important | None |
| Windows Server 2003 Service Pack 2 | Internet Explorer 6, 7, 8 (Moderate) | Critical | Important | Important | Not applicable | Important | Not applicable |
| Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6, 7, 8 (Moderate) | Critical | Important | Important | Not applicable | Important | Not applicable |
| Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6, 7 (Moderate) | Critical | Important | Important | Not applicable | Important | Not applicable |

Windows Vista

| Operating system | Bulletin 3 | Bulletin 4 | Bulletin 5 | Bulletin 10 | Bulletin 11 | Bulletin 13 | Bulletin 14 |
|---|---|---|---|---|---|---|---|
| Aggregate Severity Rating | Critical | None | None | Important | None | Important | Important |
| Windows Vista Service Pack 2 | Internet Explorer 7, 8, 9 (Critical) | Not applicable | No severity rating | Important | Not applicable | Important | Important |
| Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7, 8, 9 (Critical) | Not applicable | No severity rating | Important | Not applicable | Important | Important |

Windows Server 2008

| Operating system | Bulletin 3 | Bulletin 4 | Bulletin 5 | Bulletin 10 | Bulletin 11 | Bulletin 13 | Bulletin 14 |
|---|---|---|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | None | None | Important | None | Important | Important |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7, 8, 9 (Moderate) | Not applicable | No severity rating | Important | Not applicable | Important | Important |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7, 8, 9 (Moderate) | Not applicable | No severity rating | Important | Not applicable | Important | Important |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Not applicable | No severity rating | Important | Not applicable | Important | Not applicable |

Windows 7
Bulletin Identifier Bulletin 3 Bulletin 4 Bulletin 5 Bulletin 10 Bulletin 11 Bulletin 13 Bulletin 14
Aggregate Severity Rating Critical None None Important Important Important Important
Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 8
(Critical)

Internet Explorer 9 
(Critical)

Internet Explorer 10 
(Critical)

Not applicable Not applicable Windows 7 for 32-bit Systems Service Pack 1
(Important)
Windows 7 for 32-bit Systems Service Pack 1
(Important)
Windows 7 for 32-bit Systems Service Pack 1
(Important)
Windows 7 for 32-bit Systems Service Pack 1
(Important)
Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 8
(Critical)

Internet Explorer 9 
(Critical)

Internet Explorer 10 
(Critical)

Not applicable Not applicable Windows 7 for x64-based Systems Service Pack 1
(Important)
Windows 7 for x64-based Systems Service Pack 1
(Important)
Windows 7 for x64-based Systems Service Pack 1
(Important)
Windows 7 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2
Bulletin Identifier Bulletin 3 Bulletin 4 Bulletin 5 Bulletin 10 Bulletin 11 Bulletin 13 Bulletin 14
Aggregate Severity Rating Moderate None None Important Important Important Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 8
(Moderate)

Internet Explorer 9 
(Moderate)

Internet Explorer 10 
(Moderate)

Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Internet Explorer 8
(Moderate)
Not applicable Not applicable Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)
Not applicable
Windows 8
Bulletin Identifier Bulletin 3 Bulletin 4 Bulletin 5 Bulletin 10 Bulletin 11 Bulletin 13 Bulletin 14
Aggregate Severity Rating Critical None None Important None Important Important
Windows 8 for 32-bit Systems Internet Explorer 10 
(Critical)
Not applicable Not applicable Windows 8 for 32-bit Systems
(Important)
Not applicable Windows 8 for 32-bit Systems
(Important)
Windows 8 for 32-bit Systems
(Important)
Windows 8 for 64-bit Systems Internet Explorer 10 
(Critical)
Not applicable Not applicable Windows 8 for 64-bit Systems
(Important)
Not applicable Windows 8 for 64-bit Systems
(Important)
Windows 8 for 64-bit Systems
(Important)
Windows Server 2012
Bulletin Identifier Bulletin 3 Bulletin 4 Bulletin 5 Bulletin 10 Bulletin 11 Bulletin 13 Bulletin 14
Aggregate Severity Rating Moderate None None Important None Important Important
Windows Server 2012 Internet Explorer 10 
(Moderate)
Not applicable Not applicable Windows Server 2012
(Important)
Not applicable Windows Server 2012
(Important)
Windows Server 2012
(Important)
Windows RT
Bulletin Identifier Bulletin 3 Bulletin 4 Bulletin 5 Bulletin 10 Bulletin 11 Bulletin 13 Bulletin 14
Aggregate Severity Rating Critical None None Important None Important None
Windows RT Internet Explorer 10 
(Critical)
Not applicable Not applicable Windows RT
(Important)
Not applicable Windows RT
(Important)
Not applicable
Server Core installation option
Bulletin Identifier Bulletin 3 Bulletin 4 Bulletin 5 Bulletin 10 Bulletin 11 Bulletin 13 Bulletin 14
Aggregate Severity Rating None None None Important Important Important Important
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Not applicable Not applicable Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(Important)
Not applicable Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Not applicable Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(Important)
Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Not applicable Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(Important)
Windows Server 2012 (Server Core installation) Not applicable Not applicable Not applicable Windows Server 2012 (Server Core installation)
(Important)
Not applicable Windows Server 2012 (Server Core installation)
(Important)
Windows Server 2012 (Server Core installation)
(Important)

Bottom line is, if your computer or server is running a Microsoft product, please leave your computer on tonight and restart it in the morning.

If you are using Apple or Linux, no worries, you don't have to do anything

 

Microsoft Patch Tuesday September 2014

Microsoft Patch Tuesday is September 9, 2014. It will provide four updates designed to make your computers and servers more secure.

One of the bulletins, rated critical, is aimed at Internet Explorer and addresses a number of remote code execution vulnerabilities in the browser. Since the Windows operating system is dependent on Internet Explorer, it is imperative that this patch is applied. However, even after the patch, we recommend that you use Chrome as your primary browser.

The three remaining bulletins, all rated important by Microsoft, include a privilege-escalation bug in Windows 8 and 8.1 as well as Windows Server 2012 and RT. 

Another bulletin patches a .NET denial-of-service vulnerability in Windows Server 2003, 2008 and 2012, and on the client side OS back to Vista.

Another denial-of-service bug is expected to be patched in Microsoft’s Lync instant messaging and collaboration software.

In August, Microsoft shipped nine fixes in total for 37 bugs in its software. Of note, one of the two critical fixes last month remediated 26 bugs in IE, of which the most severe could allow remote code execution (RCE).

Microsoft was also forced to reissue a problematic update patch (MS14-045) to fix a release last month that caused some user systems to crash. 

Microsoft will also release a new version of the Windows Malicious Software Removal Tool and probably some as-yet undisclosed number of non-security updates to various Windows versions. It has also become popular for other companies, most prominently Adobe, to release security updates for their own products on that day.

The final update will fix a denial of service bug in Lync Server 2010 and 2013 and is rated Important.

Bulletin Details

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 2 | Important, Denial of Service | May require restart | Microsoft Windows, Microsoft .NET Framework |
| Bulletin 3 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 4 | Important, Denial of Service | Does not require restart | Microsoft Lync Server |

 

Windows Operating System and Components

Windows Server 2003

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Moderate | Important | None |
| Windows Server 2003 Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Windows Server 2003 Service Pack 2 (Important) | Not applicable |
| Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Windows Server 2003 x64 Edition Service Pack 2 (Important) | Not applicable |
| Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate) | Windows Server 2003 with SP2 for Itanium-based Systems (Important) | Not applicable |

Windows Vista

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | None |
| Windows Vista Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista Service Pack 2 (Important) | Not applicable |
| Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista x64 Edition Service Pack 2 (Important) | Not applicable |

Windows Server 2008

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Moderate | Important | None |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) | Not applicable |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important) | Not applicable |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important) | Not applicable |

Windows 7

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | None |
| Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical); Internet Explorer 11 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Important) | Not applicable |
| Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical); Internet Explorer 11 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Important) | Not applicable |

Windows Server 2008 R2

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Moderate | Important | None |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate); Internet Explorer 10 (Moderate); Internet Explorer 11 (Moderate) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important) | Not applicable |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important) | Not applicable |

Windows 8 and Windows 8.1

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | Important |
| Windows 8 for 32-bit Systems | Internet Explorer 10 (Critical) | Windows 8 for 32-bit Systems (Important) | Windows 8 for 32-bit Systems (Important) |
| Windows 8 for x64-based Systems | Internet Explorer 10 (Critical) | Windows 8 for x64-based Systems (Important) | Windows 8 for x64-based Systems (Important) |
| Windows 8.1 for 32-bit Systems | Internet Explorer 11 (Critical) | Windows 8.1 for 32-bit Systems (Important) | Windows 8.1 for 32-bit Systems (Important) |
| Windows 8.1 for x64-based Systems | Internet Explorer 11 (Critical) | Windows 8.1 for x64-based Systems (Important) | Windows 8.1 for x64-based Systems (Important) |

Windows Server 2012 and Windows Server 2012 R2

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Moderate | Important | Important |
| Windows Server 2012 | Internet Explorer 10 (Moderate) | Windows Server 2012 (Important) | Windows Server 2012 (Important) |
| Windows Server 2012 R2 | Internet Explorer 11 (Moderate) | Windows Server 2012 R2 (Important) | Windows Server 2012 R2 (Important) |

Windows RT and Windows RT 8.1

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | Critical | Important | Important |
| Windows RT | Internet Explorer 10 (Critical) | Windows RT (Important) | Windows RT (Important) |
| Windows RT 8.1 | Internet Explorer 11 (Critical) | Windows RT 8.1 (Important) | Windows RT 8.1 (Important) |

Server Core installation option

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 |
|---|---|---|---|
| Aggregate Severity Rating | None | Important | Important |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Not applicable |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Not applicable |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important) | Not applicable |
| Windows Server 2012 (Server Core installation) | Not applicable | Windows Server 2012 (Server Core installation) (Important) | Windows Server 2012 (Server Core installation) (Important) |
| Windows Server 2012 R2 (Server Core installation) | Not applicable | Windows Server 2012 R2 (Server Core installation) (Important) | Windows Server 2012 R2 (Server Core installation) (Important) |

 

Bottom Line: Please leave your computers and servers turned on Tuesday night, and be sure to reboot them Wednesday morning.

If you have any difficulty, please contact us immediately.

In addition: If you are using Linux or Apple, this notice does not apply.

Please remember to restart your Windows Servers and Computers tomorrow morning!

Note: This update takes a considerable amount of time. I started the update at about 5:00am this morning. It is now 8:48am and it is still running.

The best way I found to do Microsoft updates is to leave your computers turned on at night to automatically receive the updates, then reboot the device the next morning. That way you can greatly minimize the downtime.

http://active-technologies.com/content/microsoft-patch-tuesday-september-2014

Many thanks and have a good day,

-- 
Greg Allen
Active Technologies
active-technologies.com
gallen@active-technologies.com
Web Design - Hosting - Internet Search
843-225-5648

Microsoft Patches Critical IE Vulnerabilities February 2013

(Michael Mimoso @ Michael Mimoso) Internet Explorer continues to dominate Microsoft’s 2013 security updates. Among the 12 bulletins and 57 vulnerabilities patched in today’s release was a cumulative update for the maligned browser and another fix for a bug being exploited in the wild.

Last month, an out-of-band fix for IE 6-8 patched zero-day flaws being exploited in a series of watering hole attacks against government, telecommunications, manufacturing and human rights sites. Today, vulnerabilities in IE 6-10 were patched, including critical bugs that could allow an attacker to remotely execute code or leak information; one of which is being exploited in limited targeted attacks, Microsoft said.

The IE patches should be applied immediately, experts said.

MS13-010 is being exploited in the wild; it covers a vulnerability in Microsoft’s implementation of Vector Markup Language (VML). While most renderings of two-dimensional vector graphics are based on Scalable Vector Graphics (SVG), Microsoft long ago chose VML as its de facto standard. VML has been implemented in IE since version 5. The vulnerability addressed today is in the VML DLL ActiveX control, and occurs in the way the browser handles objects in memory, Microsoft said. Users browsing with IE who are lured to a website hosting a malicious VML graphic could be exploited. Microsoft said specially crafted data could corrupt memory allowing an attacker to remotely execute code.

“VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing,” said Qualys CTO Wolfgang Kandek.

The cumulative update (MS13-009), meanwhile, patches an information-disclosure vulnerability in Shift JIS character encoding, as well as a dozen remote code execution use-after-free vulnerabilities.

Microsoft said IE does not properly handle encoding for Shift JIS auto selection; this could allow an attacker using a drive-by download attack to access content from another domain or IE zone. Shift JIS is character encoding for Japanese.

“That type of attack is common and is easily accomplished by surreptitiously installing malware on a Web surfer's computer when he or she visits a page with malicious code on it,” Kandek said.

Twelve use-after-free flaws are also addressed; the remote code execution bugs were found in the way IE accesses objects that have been deleted in memory, the advisory said. Use-after-free vulnerabilities can be exploited in buffer overflow attacks, for example. Workstations and terminals are at a higher risk than servers, Microsoft said, because Windows Server has run in restricted mode since Windows Server 2003 and this mitigates the vulnerability.

Three other critical bulletins were released today.

Microsoft patched a remote code execution vulnerability (MS13-011) in the way Microsoft DirectShow decompresses media files such as .mpg files, or Office documents such as large PowerPoint files. Users would have to open a malicious attachment or visit a website hosting malicious content to be exploited. DirectShow is used for streaming media on Windows systems; it is located within DirectX.

Two critical remote code execution vulnerabilities in Microsoft Exchange Server (MS13-012) were also patched. The flaws are in the Exchange WebReady Document Viewing feature. The more serious vulnerability can be exploited if a user views a malicious file through Outlook Web Access in a browser, Microsoft said. Attackers would be able to run code on Exchange only as the LocalService account, which has minimum privileges. The other vulnerability could cause the server to crash.

The other critical remote code execution vulnerability (MS13-020) was reported in Windows Object Linking and Embedding (OLE) Automation; the patch fixes how OLE Automation parses files. OLE is a Windows protocol that enables applications to share data; OLE Automation is a standard used by apps to expose OLE objects to development tools and more, Microsoft said. Users would have to open a malicious RTF email message in Outlook with Word as the email viewer, or a malicious RTF attachment, to trigger an exploit. Users could also be exploited by landing on a website hosting a malicious file.

The remaining bulletins were rated important, and include a host of privilege escalation, denial of service and remote code execution vulnerabilities.

  • MS13-013 patches remote execution vulnerabilities in SharePoint’s FAST Search Server 2010.
  • MS13-014 fixes a denial of service bug in NFS on Windows servers with NFS enabled.
  • MS13-015 repairs a privilege escalation vulnerability in .NET that can allow .NET apps to bypass Code Access Security restrictions.
  • MS13-016 handles flaws in Windows Kernel-Mode Driver where an attacker with valid credentials could elevate privileges.
  • MS13-017 also patches a privilege escalation flaw in Windows Kernel with valid credentials.
  • MS13-018 addresses a denial of service vulnerability in TCP/IP that could occur if an attacker is able to send a malicious connection termination packet to a server.
  • MS13-019 patches a privilege escalation flaw in Windows Client-Server Runtime Subsystem.


Microsoft Responds to Windows 10 User Spying

(Jacob Siegal @ BGR) Ever since Windows 10 launched back in July, one topic of conversation has overshadowed everything the new operating system does right: privacy concerns. Everyone with a Windows device is (rightfully) terrified that Microsoft is monitoring everything they do, so on Monday, Microsoft decided to finally issue an official response in order to clear the air.

In a blog post on Windows.com, Microsoft executive VP Terry Myerson has taken the first step to earning back the trust of the individuals who are concerned about their privacy in regards to Windows 10.

He noted that the data Microsoft collects “is encrypted in transit to our servers, and then stored in secure facilities.” He then went on to list the three ways that Microsoft thinks about this data.

First up is data used for safety and reliability, such as anonymous device ID, device type and crash logs. No content or files from your computer are included in this data, and Myerson says that the company takes pains to ensure that none of the data could be used to identify a user.

Next is personalization data, which is how the system learns about your interests and habits in order to cater the experience specifically to you. Cortana is part of this equation, but as Microsoft notes, you have the ability to tell the OS what you are and aren’t comfortable with it collecting.

Finally, Microsoft wants users to know that “no matter what privacy options you choose, neither Windows 10 nor any other Microsoft software scans the content of your email or other communications, or your files, in order to deliver targeted advertising to you.”

It’s not everything we wanted to hear, but I’m happy to see that Microsoft is dealing with the unfortunate Family Settings that automatically sent activity reports to parents. On the other hand, the company still hasn’t explained why we aren’t able to see patch notes after major updates to the software.

It’s great to see that Microsoft has heard the complaints from its user base and is still open to suggestions through the Windows Feedback app, but I’m not sure this will be enough to convince cautious Windows 7 or Windows 8 users to upgrade to Windows 10 right away.

It’s a step in the right direction, but not nearly far enough. Hopefully this is just the first of many transmissions from Microsoft regarding privacy and the future of Windows 10.

Microsoft Says Expect exploits for critical Windows worm hole

There’s a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.

Attention Microsoft Windows administrators: Stop what you’re doing and apply the new — and very critical — MS12-020 update.

Microsoft is warning that there’s a remote, pre-authentication, network-accessible code execution vulnerability in its implementation of the RDP protocol.

From the bulletin:

A remote code execution vulnerability exists in the way that the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted. An attacker who successfully exploited this vulnerability could run arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability, which affects all versions of Windows, was privately reported to Microsoft via the ZDI vulnerability broker service and the company said it was not yet aware of any attacks in the wild.

Although RDP is disabled by default, Microsoft is urging all Windows users to treat this issue with the utmost priority.

“Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Microsoft said.


Microsoft Skype pressured to offer privacy reports

Microsoft is under fresh pressure to disclose information about how confidential its Skype user data is.

Reporters Without Borders, the Electronic Frontier Foundation and 43 other campaign groups have signed a letter asking the firm to reveal details about what information is stored and government efforts to access it.

Google, Twitter and others already provide such transparency reports.

Microsoft is to consider the request.

"We are reviewing the letter," a spokeswoman said. "Microsoft has an ongoing commitment to collaborate with advocates, industry partners and 2,112 governments worldwide to develop solutions and promote effective public policies that help protect people's online safety and privacy."

Report request

More than 600 million people use Skype to make voice and video calls and send text and audio messages. Microsoft is currently in the process of migrating users from its Windows Live Messenger product to the service.

The US firm took control of Skype in 2011. Since then, the letter alleges, it has issued "persistently unclear and confusing" details about how confidential conversations on the service were.

Among the details the campaign groups want Microsoft to provide are:

  • Details of how many requests for data each country's government has made and the percentage that the firm complies with.
  • Information about exactly what information Microsoft keeps itself.
  • The firm's own analysis about the current ability of third-parties to intercept conversations.
  • The policy its staff has for dealing with disclosure requests.

Privacy policies

Skype last commented in detail about privacy issues in a blog post last July.

It said that Skype-to-Skype calls between two participants did not flow through its data centres meaning it would not have access to the video or audio.

It also noted that calls made between two devices using its software would be encrypted - limiting the ability of anyone to make sense of the data even if they could listen in.

However, Microsoft acknowledged that group calls using more than two computers did pass through its servers which were used to "aggregate the media streams", and that text-based messages were also stored on its computers for up to 30 days in order to make sure they were synchronised across users' various devices.

[Graphic: Skype group call. Caption: Microsoft acknowledges that group calls do pass through its servers.]

"If a law enforcement entity follows the appropriate procedures and we are asked to access messages stored temporarily on our servers, we will do so," it added.

Microsoft also noted that calls which linked Skype to mobile or landline telephone networks would flow through the relevant networks' equipment, potentially offering an opportunity to tap in.

Furthermore it recognised that a China-only version of its service involved certain chats being stored and uploaded to the local authorities in compliance with the country's laws.

Surveillance efforts

Beyond China, several governments have signalled they want to have access to Skype data.

The UK's draft Communications Data Bill suggests internet service providers retain information about their subscribers' use of Skype and other internet communications tools.

The Cnet news site reported last year that the FBI had drafted an amendment to US law which would require Microsoft and other net chat tool providers to create surveillance backdoors in their products.

More recently the netzpolitik.org blog published what it said was a leaked document from Germany's government stating that its Federal Criminal Police Office was working on surveillance software to allow it to track Skype and other data communications. It said the agency hoped to have it ready by 2014.

An expenditure report by the country's Ministry of Home Affairs suggests the local authorities have already spent money to try to monitor Skype using third-party software.


Microsoft Tips to Protect Your Online Image

Microsoft encourages individuals to examine their online reputation and offers tips to start the new year with the best digital foot forward. As such, Microsoft commissioned a survey* of 5,000 people that revealed a wide variance of online behaviors and attitudes and explored the resulting impact to people's overall online profiles and reputations. With respondents from the U.S., Canada, Germany, Ireland and Spain, the research shows that although 91 percent of people have done something to manage their overall online profile at some point, a smaller percentage feel in control of their online reputation (67 percent) and fewer than half actively think about the long-term consequences of their online activities (44 percent). Further details on this survey and Microsoft's commitment to privacy and involvement in Data Privacy Day can be found at http://www.microsoft.com/privacy/dpd.

"Your online reputation is shaped by your interactions in the online world and spans the disparate and varied data about you, whether created and posted by you or others. This information can have a lasting presence online, and can affect your life in many ways — from maintaining friendships to helping you keep or land a new job," said Brendon Lynch, chief privacy officer, Microsoft. "Our research reinforces the fact that people want a range of privacy options. Microsoft is committed to offering meaningful choices and helping to ensure that people have the tools to make informed choices online to better manage their privacy and online reputations."

To help people put their best digital foot forward, Microsoft is offering the following tips to help cultivate and maintain a positive online reputation:


Microsoft To XP Users - No Internet Explorer 9 For You!

Microsoft says NO to Windows XP users – No Explorer 9!

I’m not very surprised to hear that Internet Explorer 9 (IE9) will not run on Windows XP, not now or when the IE9 code goes RTM. Redmond confirmed this last Tuesday. XP is still the largest OS on the planet in numbers.

So what is Microsoft’s excuse for IE9 not running on XP?

They say “Internet Explorer 9 requires the modern graphics and security underpinnings that have come since 2001, and is intended to be run on a modern operating system in order to build on the latest hardware and operating system innovations," a company spokeswoman said in an e-mail reply to Computerworld's questions Tuesday morning.

I don’t believe it for one moment! I think Microsoft is trying to force customers into moving to Windows 7, PERIOD!

Technically, IE9, in an attempt to compete with super-fast Chrome, taps your PC's GPU to boost text and graphics rendering speeds via the Direct2D and DirectWrite APIs. WinXP does not have those APIs (yet Chrome runs on WinXP).


This stinks. Is it meant to be the stick to get off XP? Users who choose to stay on XP will be stuck with IE8, which, from a security perspective, is becoming the new IE6. Exploits waiting to happen.


You can download the IE9 Platform Preview from Microsoft's IE site. But it only runs on Win7, Vista SP2, W2K8 or W2K8 R2.

Full Article: http://ie.microsoft.com/testdrive/

Grrr. Petition anyone?

Microsoft will not call you at home Scam Continues

(Jennifer Abel @ ConsumerAffairs) Computer owners beware: you might take time off work to celebrate the holiday, but scammers don’t. You already know to be on guard against phishing attempts sent to your e-mail, but it looks like the old dormant “phone call from Microsoft” scam has been revived, and a friend of ours almost got caught in it.

What’s that, you say? You’ve never heard of the “Microsoft phone call” scam? To be honest, neither had I (although Mark Huffman wrote about it a few months ago) until a couple days ago, when our friend “Sammy” (not his real name) posted this on his Facebook page:

I just nearly got scammed. Phishy phone call from "Microsoft Technical Support Security Team" alerting me to possible malware and viruses being spread from my computer every time I logged onto the web. Sounded scammy, but also possible... dude had me run a few simple commands to "prove" he was legit and I fell for them. I'm ashamed to admit I went so far as to download and run a remote connection application and watch as they took total control of my PC. I finally said no and pulled my LAN cable out of my router when they claimed my OS was out of warranty and they could update me remotely for a fee. I'm really hoping they didn't get anything in the minute or so they had control.

Currently changing every login and password I use from this second computer.

Beware. I consider myself savvy - but they got me.

For what it’s worth, Microsoft support page says they will never call you. They will use ISPs as intermediaries to resolve any possible issues that might come up. So if you get a call from Microsoft, hang up. (Thing is, the scammers called about six times in a row, insistent there was a problem. I finally gave in despite considerable misgivings from the get-go.)

Nothing new

General rule: anytime somebody contacts you out of the blue seeking personal information or control of your computer, and you feel any misgivings ... don't listen to them. Just hang up. (Though it's completely understandable how six phone calls in a row might have worn someone down, too.)

Yet the “Microsoft phone call” scam is nothing new. In October 2012, the scammers tried calling Ars Technica writer Nate Anderson, who noted:

When the call came yesterday morning, I assumed at first I was being trolled—it was just too perfect to be true. My phone showed only "Private Caller" and, when I answered out of curiosity, I was connected to "John," a young man with a clear Indian accent who said he was calling from "Windows Technical Support." My computer, he told me, had alerted him that it was infested with viruses. He wanted to show me the problem—then charge me to fix it.

This scam itself is a few years old now, but I had not personally received one of the calls until yesterday—the very day that the Federal Trade Commission (FTC) announced a major crackdown on such "boiler room" call center operations. The very day that six civil lawsuits were filed against the top practitioners. The very day on which I had just finished speaking with Ars IT reporter Jon Brodkin, who spent the morning on an FTC conference call about this exact issue. And here were the scammers on the other end of the line, in what could only be a cosmic coincidence.

When Sammy read Anderson’s story, he ruefully admitted: “that Ars Technica article is the exact thing that got me. Folks, read that to see what I just went through. I even got the same ‘John’ with the clean Indian accent!”

So here we are, 14 months after the FTC announced its major crackdown and Ars Technica wrote about it—and the exact same scam is still playing out.

Motels Internet - Passwords Keylogger Warning:

U.S. Secret Service gives security warning to hospitality industry

(Jennifer Abel @ ConsumerAffairs) “Never share private information on a public computer” is a standard, longtime Internet safety rule. Ideally, any password-protected activity, from checking your email to monitoring your online banking accounts, should only ever be done from your own personal device (outfitted with all proper security software, of course).

If you need another reminder of why you should follow this rule, the latest post from security blogger Brian Krebs provides one: “Beware keyloggers at hotel business centers.”

As the name suggests, keylogging software is a form of malware that literally logs your keyboard activity – in other words, it keeps track of every key you press. If you check your email, use a credit card, manage your bank account or do anything else on a computer outfitted with keylogging software, whoever installed it now has a record of your passwords, credit card numbers and everything else you typed.

And apparently, there's a big problem with thieves secretly installing keylogging software on hotel computers, big enough that the U.S. Secret Service is, according to Krebs, “advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.”

Secret Service advisory

The Secret Service issued a non-public notice about it on July 10, including tips for various ways hotels can try to keep their public computers safe.

Unfortunately, as Krebs pointed out, an ordinary hotel guest has no way of knowing which hotel computers are safe, and which are not, which is why public computers should never be used for anything more than casual web browsing. If you need to do more than that, here's what Krebs advises:

If you’re on the road and need to print something from your email account, create a free, throwaway email address at yopmail.com or 10minutemail.com and use your mobile device to forward the email or file to that throwaway address, and then access the throwaway address from the public computer.

NSA Spying on Offline Computers

(bbcnews) The US National Security Agency (NSA) used secret technology to spy on computers that were not even connected to the internet, it has been reported.

Citing documents from whistleblower Edward Snowden, the New York Times said 100,000 machines were fitted with small devices that emitted radio waves.

Targets included the Chinese and Russian military as well as drug cartels, the newspaper claimed.

On Friday, the US President is expected to address concerns over NSA activity.

Quoting sources "briefed" on Barack Obama's plans, the Times reported that restrictions on the scope of collecting bulk telephone data will feature, and that a person will be appointed to represent the views of the public in secret intelligence meetings.

Furthermore, tighter controls on foreign surveillance will be implemented - an attempt, the paper suggests, to dampen the political fall-out from revelations the US had obtained data from the communication tools of world leaders without their knowledge.

Offline access

This latest leak details how the NSA accessed targets by inserting tiny circuit boards or USB cards into computers and using radio waves to transmit data without the need for the machine to be connected to a wider network.

It is a significant revelation in that it undermines what was seen to be one of the simplest but most effective methods of making a system secure: isolating it from the internet.

While the technology involved is not new, its apparent implementation by US security services was previously unknown.

In a statement made to the New York Times, an NSA spokeswoman said none of the targets were in the US, adding: "NSA's activities are focused and specifically deployed against - and only against - valid foreign intelligence targets in response to intelligence requirements."

"We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of - or give intelligence we collect to - US companies to enhance their international competitiveness or increase their bottom line."

Neatness Counts in the Server Room

Many times when companies grow, change, and add equipment, the tendency is to get it running and worry about how it looks later… only later never comes. When something breaks or needs to be reconfigured, well, good luck. It may take hours just to figure out where each wire goes and which breaker affects what device. In the meantime your users are sitting and waiting for something to do. Sounds pretty expensive to me.

That was exactly the situation with this anonymous company. Hey, if my server room looked like this, I wouldn’t want anyone to know it was mine either. This room was so bad that Bell South refused to add service until the mess was cleaned up and safe for human occupancy, and it only took a few hours to complete.

The plan had four phases:
       1. Move equipment to logical locations
       2. Re-run wires in a neat and orderly fashion
       3. Color-label equipment and wires so that they can be tracked from source to destination, by battery backup and circuit breaker
       4. Map wires from end-user workstations to computer room patch panel

Now when trouble strikes, the service tech can know in seconds what equipment is connected together and how it is connected. The large color labels allow the Tech to visually see the connectivity from a distance. And when the Tech hits a circuit breaker, the Tech knows what to shut down and who will be affected.

[Before and after photos of the server room]

Proposal:
Simple plan for redecorating the computer room at Park Shore for minimal cost that will make the work area safe, efficient, and add a measure of eye appeal.

Rack:
       1. Use the 2 Tripp Lite 2200 rack mount Battery Backups. They have 8 AC outlets each and will minimize the need for power strips.
            a. Make certain UPS batteries are current – replace if necessary
            b. Wire installation for Battery Backups
            c. Color-code AC wires to match each backup, receptacle, circuit breaker
            d. Reroute and zip-tie all power and data cables
       2. Move Voice Mail Computer under the workbench
            a. Need cables for KV Switch Box – Eliminate Monitor
            b. Use surplus battery backup from Rack for Voice Mail

Space Under Workbench:
       1. Place Rubberized Flooring under servers for protection
       2. Color-code AC wires to match each backup, device, receptacle, circuit breaker
       3. Reroute and zip-tie all power and data cable
       4. Make certain UPS is sufficient to power the connected devices
       5. Make certain UPS batteries are current – replace if necessary
       6. Label Servers – Name – Purpose – IP….

Workbench:
       1. Use Workbench only as a prep area for current projects
       2. Install wider shelf and move monitors to the shelf to maximize work area.
       3. Workbench is used only as a prep area for current projects

Storage Area:
       1. Establish policy dealing with old/obsolete equipment
       2. Establish system for storing spare computers and parts
       3. Label Storage Areas

Materials:
       1. Zip Ties
       2. Color Tape
       3. 3 KV Cables and a few extension cords
       4. Replacement Batteries (as necessary)
       5. Wiring for Tripp Lite 2200 UPS
       6. Rubber Flooring

Never open an unsolicited file or download an unsolicited attachment

Photo: A legitimate USPS shipping message

(Jennifer Abel @ ConsumerAffairs) “Never open an unsolicited file or download an unsolicited attachment.”

In the world of online security, that statement is the equivalent of “Look both ways before going out into traffic” — sounds self-evident, yet it needs to be repeated because rarely a day goes by without someone ignoring (or forgetting) that advice and coming to a bad end as a result.

Consider the latest scam alert issued by the Better Business Bureau: somebody is sending out emails made to look like “shipping notifications” from the U.S. Postal Service.

Supposedly, they were unable to deliver a package to you, so you should download the attached “confirmation form” and take it to your nearest post office.

Of course, if you click on the link to download the form, you'll actually infect your computer with a nasty virus. The BBB ended its scam alert with five pieces of advice, all of which we've discussed during previous anti-scam pieces:

Don't believe what you see. Scammers make emails appear to come from a reputable source. Just because it looks like an "@usps.com" address does not mean it's safe.

Be wary of unexpected emails that contain links or attachments. As always, do not click on links or open the files in unfamiliar emails.

Beware of pop-ups. Some pop-ups are designed to look like they've originated from your computer. If you see a pop-up that looks like an anti-virus software but warns of a problem that needs to be fixed with an extreme level of urgency, it may be a scam.

Watch for poor grammar and spelling. Scam emails often are riddled with typos.

Immediate action is necessary. Scam emails try to get you to act before you think by creating a sense of urgency. Don't fall for it.  

Be original

Another important rule to remember is this: seek out your own contact information. When you get such an email, even if you clearly recognize typos and other indications of possible scamminess, you might not be able to blithely dismiss it as a fraud.

After all (the nagging worrywart part of your mind might argue), the post office's losing a package or not delivering it to a clearly labeled address happens all the time. As for the no-typos rule — well, it's always possible that someone with poor writing skills nonetheless got stuck with email duty today, right?

So if you can't bring yourself to ignore that potentially scammy warning message, you don't have to. Go ahead and ask the post office if they have a package for you — but do this independently, after having done your own research to find a phone number or email address or some other legitimate USPS contact information.

The seek-your-own-information rule applies to every other threatening email, phone call or other message you might get: this letter, allegedly from the IRS, says you owe extra taxes? Then ignore the “contact information” in that letter, and find the IRS' phone number yourself.

That email, allegedly from Netflix, warns of massive problems with your Netflix account? Ignore the phone number and email address it offers you, and look for the Netflix customer-service information yourself.

And never trust anyone who deliberately tries pushing your panic button or otherwise demands “immediate action” as the BBB warned about — legitimate authorities collecting legitimate debts have no need to do that.

Neverquest banking malware more dangerous than Zeus trojan

( @ IT Security) New Neverquest malware steals bank account logins and lets attackers access accounts through victims' computers.

For over five years, Zeus has been the undisputed king of banking malware. Once this trojan was loaded onto a victim's machine, it could:

  • Detect when the owner entered banking information into a web browser.
  • Steal passwords and other pertinent login information.
  • Encrypt the stolen information and send it to the attacker's specified servers.

Zeus was also one of the first pieces of malicious software to be sold under a license. For the right price, anyone could use it.

Zeus remains active today, but its source code was published online in 2011 and this cyberscourge has about run its course. Unfortunately, security experts are already sounding the alarm about a new piece of malware that makes Zeus look like a simpleton. Neverquest significantly raises the bar for online banking malware.

How Neverquest works

Like Zeus, Neverquest is a Trojan. Bad guys introduce Neverquest to the victim’s computer via social media, email, or file transfer. According to the security blog Threat Post, Neverquest replicates in a manner similar to the Bredolab botnet client:

"Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet."

Before it was shuttered, the Bredolab botnet consisted of 30 million computers. Why not use something that works?

If the victim’s computer is vulnerable to an exploit targeted by Neverquest’s trojan loader, the malware is installed. Then Neverquest starts paying attention to what the user is typing into their web browser. If a predetermined financial term is recognized, Neverquest checks the website domain name. Since Neverquest has hundreds of banking and financial institutions in its database, there’s a better than average chance Neverquest will be familiar with the banking website.

Once Neverquest recognizes a banking site, it will relay the login information back to the attackers’ command and control server. Once the victim's credentials are in the hands of the attackers, they will remotely control the victim's computer using VNC, log into the victim's banking website, and do one of the following:

  • Transfer money to different accounts
  • Change login credentials, locking out account owner
  • Write checks to money mules

And to make matters worse, banking sites are unable to distinguish the victim's login from that of the attacker using Neverquest.

One capability Neverquest has that Zeus doesn’t is the ability to cultivate new banking sites for its database. If the malcode recognizes certain financial terms, but not the domain, Neverquest will send the information back to the command and control server, which then creates a new identity and updates every compromised computer under its control.

Neverquest in the wild

One sobering reality is that Neverquest is already for sale. Zeus, being “first of its kind” malware, required skilled controllers. Not so with Neverquest: script kiddies and malware non-experts are able to make use of the potent malware as soon as they buy it.

Next reality: standard antivirus software is not effective. Kaspersky mentions in this blog:

“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.”

Kaspersky also reported that:

"Neverquest is also designed to start harvesting data when an infected user visits any number of sites not related to finance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more."

It appears that Neverquest developers are looking to diversify.

Protecting yourself

Despite Neverquest's formidable capabilities, there are several things we can do to protect ourselves. First, there is the security expert’s mantra, “Make sure the computer operating system and all applications are up-to-date.” Doing so will at least prevent malware from exploiting known weaknesses.

Second, even though I wrote the article, Online banking: How safe is it in 2009, using a LiveCD to access banking websites is still a valid method to prevent malware such as Neverquest from stealing your financial information and eventually your money.

New Computer Scam Gets You Twice

A completely new scam is usually as rare as a solar eclipse. Once they find a scheme that works, scammers usually stick with it.

However, scammers constantly tweak how they approach their victims to maximize the payoff, and we try to keep an eye out for those subtle changes.

In Southwest Virginia, the Southwest Times reports police in the region are dealing with a variation of the tech support scam. In that scam, someone contacts victims and tells them their computer is infected with a virus, then sells them an expensive and unnecessary security program.

In Virginia, consumers are reporting the message comes in the form of a pop-up, and appears to come from Microsoft. The message instructs the consumer to call a phone number. If they do, an operator tries to sell them "lifetime" virus protection for $500.

Suspicious forms of payment

In this particular scam, the scammer will only take payment with a Walgreens Steam card, which is used in the purchase of online gaming services. Here's where it gets interesting.

If the victim purchases a Walgreens Steam card and calls the number again, the scammer takes down the numbers on the card, then tells the victim the card is invalid -- even though it works just fine.

The victim is told they can get a refund, if they make the same amount of purchase on an iTunes card. So the scammer ends up with $500 on a Walgreens Steam card and $500 on an iTunes card. The numbers are then sold on the black market.

FTC warning

The Federal Trade Commission (FTC) advises that it's a dead giveaway that you're dealing with a scam if payment is required to be made with some kind of money card and not a credit card.

The FTC is constantly on the prowl for these tech support scams. This month the agency obtained a default judgment and permanent injunction against a Florida man it says peddled a phony tech support service using email.

The FTC was particularly incensed because it says the man was using fake FTC press releases and the real names of FTC officials in his scheme.

The agency said the scammer also employed scare tactics -- as scammers often do -- claiming that victims' computers were sending out signals to hackers, informing them of system vulnerabilities.

New IRS Scam Making The Rounds

The Internal Revenue Service (IRS) commands attention. When you get something in the mail from the tax agency, you can bet you'll open it right away.

That's why the agency is a favorite of scammers who try to trick victims into disclosing personal information. A new scheme is packaged in a spam email with the heading “Report of Foreign Bank and Financial Accounts (FBAR).”

The first line of the email is designed to get your attention and, perhaps, make you drop your guard:

“This is in reference to your 2010 U.S. Individual Income Tax Return we seem to have some discrepancies with your filing.”

Then the email tries to scare recipients into revealing bank information...

Be careful about following the “advice” you get about filing for tax credits or rebates.

The Internal Revenue Service is encouraging taxpayers to guard against being misled by unscrupulous individuals trying to persuade them to file false claims for tax credits or rebates. 

The Internal Revenue Service (IRS) notes there’s been an increase in tax-return-related scams -- frequently involving unsuspecting taxpayers who normally do not have a filing requirement in the first place. 

These taxpayers are led to believe they should file a return with the IRS for tax credits, refunds or rebates to which they are not really entitled. Many of these recent scams have been targeted in the South and Midwest.

New Malware Hides in Windows Registry

After you clean your computer of the viruses and malware, it reinstalls itself and continues to wreak havoc with your system...

(Jill Scharr @ Toms Guides) A new piece of malware called Poweliks can seize control of a Windows computer — and it can't be detected by antivirus programs. That's because it doesn't download any files to the infected computer; instead, it resides as encrypted text in the computer's registry. From there it can seize control of the computer's processes to do things such as download more malware onto the computer.

Poweliks is all but invisible to traditional antivirus programs, which work by searching for recognized malware files — a potentially very dangerous situation, said malware researcher Paul Rascagnères.

"As the malware is very powerful and can download any payload, the amount of possible damage is not really measurable," Rascagnères, a threat researcher with Bochum, Germany-based antivirus company G Data, wrote in a company blog post. 


Poweliks, which has also been documented by Tokyo-based antivirus firm Trend Micro, has been spotted infecting computers via a corrupted Microsoft Word file attached to an email, but the file could spread in other ways as well. This is the best place that an antivirus program might be able to catch Poweliks, if the program scans for malicious email attachments, Rascagnères said. 

If the malicious file is opened, it will create an encoded autostart registry key and hide it within the Windows registry, where the computer's configuration settings are stored. Every time the computer is booted, the key implements code that eventually reaches out to an external IP address controlled by the malware's creators. Through this connection, the creators can then issue further commands.
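A defender's triage for the behaviour described above, as an added example that is not from the article or the researchers it quotes: it reads a regedit-style export of the Run keys and flags autostart values that carry encoded text instead of pointing at a program on disk. The sample export, the 40-character threshold and the reason labels are constructed assumptions; they are general heuristics, not Poweliks signatures.

```python
import re
from dataclasses import dataclass

# Constructed filler blob standing in for "encoded text" (not real malware data).
BLOB = "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1SRUFMLURBVEEtRk9SLVRFU1RJTkctT05MWQ=="

# Constructed sample in the layout of a regedit export (.reg) of two Run keys.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"',
    r'"Sync"="C:\\Users\\alice\\AppData\\Local\\Sync\\sync.exe"',
    '"\x01"="' + BLOB + '"',          # value name is a control character
    "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"AudioTray"="C:\\Windows\\System32\\audiotray.exe"',
    r'"Helper"="C:\\Tools\\host.exe ' + BLOB + '"',
    '"Flags"=dword:00000001',
])

AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
SECTION = re.compile(r"^\[(.+)\]$")
# "name"="value" or @="value"; inside the quotes, \\ and \" are escapes.
STRING_VALUE = re.compile(
    r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<value>(?:[^"\\]|\\.)*)"$')
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")     # long base64-alphabet run
PROGRAM_FILE = re.compile(r"\.(exe|dll|com|bat|cmd|scr)\b", re.IGNORECASE)


@dataclass
class Entry:
    key: str
    name: str
    value: str


@dataclass
class Finding:
    key: str
    name: str
    reasons: list


def _unescape(text):
    """Undo .reg string escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_autostart(export_text):
    """Return the string values found under Run/RunOnce keys.

    Limitation: only plain string values are read; hex(2) (expandable
    string) and other typed values are skipped rather than decoded.
    """
    entries, key = [], None
    for raw in export_text.split("\n"):
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if value and key and key.lower().endswith(AUTOSTART_SUFFIXES):
            name = value.group("name")
            entries.append(Entry(
                key,
                "(Default)" if name is None else _unescape(name),
                _unescape(value.group("value"))))
    return entries


def scan_export(export_text):
    """Flag autostart entries that look like stored code rather than a launcher."""
    findings = []
    for entry in parse_autostart(export_text):
        reasons = []
        if not (entry.name.isascii() and entry.name.isprintable()):
            reasons.append("unprintable-name")   # hard to see or open in tools
        if ENCODED_RUN.search(entry.value):
            reasons.append("encoded-blob")       # payload kept in the value
        if not PROGRAM_FILE.search(entry.value):
            reasons.append("no-file-target")     # nothing on disk to scan
        if reasons:
            findings.append(Finding(entry.key, entry.name, reasons))
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding.key, repr(finding.name), ", ".join(finding.reasons))
```

A hit is a reason to look at the entry by hand, not a verdict: legitimate software occasionally stores long arguments in a Run value.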

Rascagnères compared the attack's structure to Russian matryoshka nesting dolls: Poweliks targets the innermost "doll" of the computer, and uses that vantage point to compromise the entire device. 

Poweliks appears to be a fairly recent creation, and it's not yet clear what the malware was created to do.

"It might install spyware on the infected computer to harvest personal information or business documents," Rascagnères wrote. "It might also install banking Trojans to steal money, or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud." 

New Tech Support Scam Beware

(Mark Huffman @ ConsumerAffairs) You get a call at home from someone who claims to be from Microsoft tech support. In an urgent, breathless tone, he warns your computer has been compromised with a dangerous virus. You need to follow his instructions, to the letter, immediately.

Relax, your computer is fine. It's just the latest scam that's making the rounds – one known as the “tech support scam.”

In many ways it's very clever and effective. Most of us, after all, aren't computer geeks. We might not know much about computers but we do know that having a dangerous computer virus is not a good thing.

Also, we've heard of Microsoft. It's a huge company and chances are, some of its products are running on our machine. If they say we've got a computer virus, who are we to question them? They're Microsoft.

Out to pick your pocket

Only they aren't. Chances are the caller is offshore, in India or Russia. Their objective, ultimately, is to pick your pocket.

Scammers preying on computer users is nothing new. According to the Federal Trade Commission (FTC), the previous computer scams involved setting up fake websites and offering free security scans. Once the alleged scan had run, you would receive an alarming message that your computer was infected. The scammer would then sell you security software that, at best, was worthless and, at worst, would be loaded with malware.

The new version of the scam is “old school,” in that it involves a telephone call. If the scammer gains the victim's trust, he instructs the victim to perform a series of complex tasks. Sometimes, they target legitimate computer files and claim that they are viruses. Their tactics are designed to scare you into believing they can help fix your “problem.”

Bad things can happen

They may ask you to run a bit of code, or download a file from a website. If you do, a lot of bad things can happen.

You could give them remote access to your computer so that they can then make changes to your computer, leaving it vulnerable. They may have you download malware that could steal sensitive data, like user names, bank account numbers and passwords.

That allows them to come back later and either steal money from your bank account or use your computer to send out hundreds of thousands of spam messages. But they may also go for money up front.

Asking for a credit card

Some victims have reported that the scammers assure them they can fix the non-existent problems remotely but that it will cost a small fee, like $19.95. If the victim agrees, the scammer hits the card for thousands of dollars in purchases. Regardless of the tactics they use, they have one purpose, and that is to take your money.

If you receive one of these phone calls, the FTC suggests hanging up and calling the company back on a number you look up yourself. However, that's really just a waste of time. Microsoft says it does not call customers to warn them of computer viruses. It is safe to say, no other legitimate companies do either.

If you get a call from someone who claims to be a tech support person, just hang up. A caller who creates a sense of urgency or uses high-pressure tactics is almost certainly a scam artist.

The FTC also warns that searching online might not be the best way to find technical support or get a company’s contact information. Scammers sometimes place online ads to convince you to call them. They pay to boost their ranking in search results so their websites and phone numbers appear above those of legitimate companies. If you want tech support, look for a company’s contact information on their software package or on your receipt.

New Vulnerability Discovered in OpenSSL That Gave Us Heartbleed

(Jim Finkle @ Reuters) Security researchers have uncovered new bugs in the Web encryption software that caused the pernicious “Heartbleed” Internet threat that surfaced in April.

Experts said the newly discovered vulnerabilities in OpenSSL, which could allow hackers to spy on communications, do not appear to be as serious a threat as Heartbleed.

The new bugs were disclosed on Thursday as the group responsible for developing that software released an OpenSSL update that contains seven security fixes.

Experts said that websites and technology firms that use OpenSSL technology should install the update on their systems as quickly as possible. Still, they said that could take several days or weeks because companies need to first test systems to make sure they are compatible with the update.

"They are going to have to patch. This will take some time," said Lee Weiner, senior vice president with cybersecurity software maker Rapid7.

OpenSSL technology is used on about two-thirds of all websites, including ones run by Amazon.com, Facebook, Google, and Yahoo. It is also incorporated into thousands of technology products from companies, including Cisco Systems, Hewlett-Packard, IBM, Intel, and Oracle.

The widespread Heartbleed bug surfaced in April when it was disclosed that the flaw potentially exposed users of those websites and technologies to attack by hackers who could steal large quantities of data without leaving a trace. That prompted fear that attackers may have compromised large numbers of networks without their knowledge.

Security experts said Thursday that the newly discovered bugs are more difficult to exploit than Heartbleed, making those vulnerabilities less of a threat.

Still, until users of the technology update their systems, “there is a window of opportunity” for sophisticated hackers to launch attacks and exploit the newly uncovered vulnerabilities, said Tal Klein, vice president of strategy with cloud security firm Adallom.

No Password Gets You 25,000 co-opted Linux servers drop malware and stolen credentials

( @ IT Security) A new report details how 25,000 servers were compromised. The attacks would have failed if more than single-factor login (username/password) had been required. Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This report was a joint research effort by ESET, CERT-Bund, SNIC and CERN. The key phrase in the report title is “server-side.”

Over the past two years, ESET has chronicled 25,000 malware-infected servers that have been instrumental in:

  • Spam operations (averaging 35 million spam messages per day)
  • Infecting site visitors’ computers via drive-by exploits
  • Redirecting visitors to malicious websites

The report talks about two well-known organizations that became victims of Windigo: "This operation has been ongoing since 2011 and has affected high-profile servers and companies, including cPanel and Linux Foundation’s kernel.org."

Single-factor logins make it easy

The Linux servers had a common thread — all were infected with Linux/Ebury, malware known to provide a root backdoor shell along with the ability to steal SSH credentials. The report also said, “No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.”

In a sense that helps explain the compromise, as Linux servers are for the most part bulletproof. 

[Photo: Pierre-Marc Bureau. Image: ESET]

So, how did attackers get root-access credentials, log in, and ultimately install the malware?

For those answers, I enlisted the help of Pierre-Marc Bureau, security intelligence program manager for ESET. Bureau said all it takes is to compromise one server in a network, then it becomes easy. Once root is obtained, attackers install Linux/Ebury on the compromised server, and start harvesting SSH-login credentials.

With the additional login credentials, attackers explore to see what other servers can be compromised in that particular network.
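The single-factor condition the report points to can be checked in a server's own SSH configuration. The Python audit below is an added example, not code from ESET's report or from the article: it reads the global section of an `sshd_config`, applies OpenSSH's first-value-wins rule, and lists every way one stolen secret is enough to log in. Both sample configs are constructed, and `Match` blocks and `Include` files are assumed absent.

```python
"""Flag single-factor SSH logins in an sshd_config (added example)."""

# OpenSSH defaults for the keywords this check reads (recent releases).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "any",
    "permitrootlogin": "prohibit-password",
}
# Deprecated spelling of the keyboard-interactive switch in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: the password-only setup the article describes.
WEAK_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed sample: every login needs a key AND a keyboard-interactive step.
HARDENED_CONFIG = """\
# constructed sample
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_global(text):
    """Return the effective global settings; sshd keeps the FIRST value it sees."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # per-user/host overrides are out of scope here
            break
        key = ALIASES.get(key, key)
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return {**DEFAULTS, **seen}


def single_factor_paths(cfg):
    """List the methods that complete a login on their own."""
    enabled = []
    if cfg["passwordauthentication"].lower() == "yes":
        enabled.append("password")
    if cfg["kbdinteractiveauthentication"].lower() == "yes":
        enabled.append("keyboard-interactive")
    if cfg["pubkeyauthentication"].lower() == "yes":
        enabled.append("publickey")

    methods = cfg["authenticationmethods"]
    if methods.lower() == "any":
        return enabled  # any one enabled method is sufficient
    # Otherwise: space-separated alternatives, each a comma-separated chain
    # of methods that must ALL succeed. A one-step chain is single-factor.
    # Caveat: a lone keyboard-interactive step may still ask for two things
    # if PAM is set up that way, which this file-level check cannot see.
    return [alt for alt in methods.split() if len(alt.split(",")) == 1]


def audit(text):
    """Return human-readable findings; an empty list means none were found."""
    cfg = parse_global(text)
    paths = single_factor_paths(cfg)
    findings = [f"single-factor login possible via {p}" for p in paths]
    secret_only = any(p.startswith(("password", "keyboard-interactive")) for p in paths)
    if cfg["permitrootlogin"].lower() == "yes" and secret_only:
        findings.append("root can log in with a password alone")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(sample) or "no single-factor path found")
```

A lone `publickey` path is reported as well, because a stolen private key is also a single stolen secret.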

This slide depicts the infection process:

[Figure: Infection process. Image: ESET]

Additional malware

As mentioned earlier, the infected servers are part of spam campaigns, redirect visitors to malicious websites, or download malware to the victim’s computer if it is vulnerable. In order to accomplish this, the attackers install additional malware on the servers, consisting of:

  • Linux/Cdorked: Provides a backdoor shell and distributes Windows malware to end users via drive-by downloads
  • Linux/Onimiki: Resolves domain names with a particular pattern to any IP address, without the need to change any server-side configuration
  • Perl/Calfbot: A lightweight spam bot written in Perl

The victims

The report mentions there are two types of victims: the Linux/Unix server operators, and end users who receive spam and/or visit a website hosted by a compromised server. In that regard, ESET has determined that compromised servers try to download the following Windows malware:

  • Win32/Boaxxe.G: A click fraud malware
  • Win32/Glupteba.M: A generic proxy targeting Windows computers

Snort and Yara rules

ESET has worked up Snort and Yara rules that can be found at GitHub.

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.

No iOS Zone: attackers remotely crash iPhones within wi-fi range

Photo (c) dolphfyn - Fotolia

(Jennifer Abel @ ConsumerAffairs) Another day brings another way hackers can wreak havoc on your life, this time for owners of Apple devices: security researchers from Skycure have discovered a vulnerability they call the “No iOS Zone,” which effectively lets attackers crash any mobile iOS device connected to a wi-fi hotspot.

Actually, it's even worse than that: You don't have to actively connect your device to a hotspot in order to be at risk. No iOS Zone lets attackers crash your device if you are so much as in range of a hotspot, unless you've completely turned off the device (or at least its wi-fi).

Yet in a way this is not entirely surprising — and Apple devices aren't the only ones at risk from public wi-fi.

Last summer, for example, Ars Technica tried a little experiment and discovered that millions of customers of both Comcast and AT&T were at risk of letting hackers surreptitiously get into their devices' Internet traffic and steal all sorts of personal data, because those two companies' hotspots proved particularly easy for hackers to “spoof” (which is hackerspeak for “impersonate”).

Simple explanation

Here's a very oversimplified explanation of why: Unless you specifically turn off that feature, or your device itself, your smartphone, tablet or other connectable device is always looking to connect with a familiar network.

Let's say you visited Starbucks to take advantage of their free wi-fi. Now, every time you go there your phone automatically sends out a signal, basically saying “Hey, Starbucks wi-fi, where are you?” and waiting for the electronic response “Here I am! Starbucks wi-fi, now connecting with you.”

But it's very easy for anyone to set up a wireless hotspot to respond under a false name: “Here I am, Starbucks wi-fi! Actually I'm a hacker up to no good, but I said my name is 'Starbucks wi-fi' so I can connect with you.”

To guard against that particular danger, you must shut off the wi-fi connections on your mobile devices when you're not using them, and set each device so that it must ask before joining a mobile network.

Endless reboot

The “No iOS Zone” vulnerability is similar, except instead of letting hackers use wi-fi hotspots to spy on various iDevices, it “only” gives hackers the ability to make those devices crash and go into an endless reboot loop. And once that happens, you can't turn off your wi-fi connection and regain control since, of course, your device has to be booted up before you can change its wi-fi settings or do anything else with it.

The Skycure researchers presented their findings (available here in .pdf form) at today's RSA Conference (an annual cryptography and information-security conference held in San Francisco).

The researchers named this vulnerability the “No iOS Zone” because once attackers set up a malicious wi-fi network, any iOS mobile device within range of it would connect, get stuck in an endless reboot loop and thus be rendered useless, resulting in a literal no-iOS zone.

Skycure's presentation also offered a list of “potential areas that may be attractive for attackers,” which includes “political events, economical & business events, Wall Street [and] governmental and military facilities.”

Apple is currently working with Skycure to develop a fix for this problem. Meanwhile, iOwners should keep their wi-fi turned off unless and until they actually plan to use it, and be extra-wary of any public wi-fi hotspot – which, come to think of it, is good advice regarding any mobile device, regardless of who manufactured it.

November 13 2012 Patch Tuesday

This month's Microsoft Patch Tuesday contains six bulletins, four rated critical, according to Microsoft's advance notification.

Many of the bulletin issues addressed affect new software, including the first fixes for Windows 8, which we find very concerning!
"Nothing is ever 100% secure and albeit mistakes are made in software. But it's still ugly to see," blasts Paul Henry, security and forensic analyst at Lumension Security Inc, a Scottsdale, Ariz.-based security firm.
The four critical bulletins address 13 vulnerabilities in Microsoft Windows, Internet Explorer and the .NET Framework involving remediation for remote code-execution vulnerabilities.

Bulletin 1 addresses issues in Internet Explorer 9, requiring a restart to apply the patch.

Bulletins 2, 4 and 5 address issues in various Windows XP Service Packs, Windows Server 2003, Windows Vista Service Pack, Windows Server 2008, Windows 7, Windows Server 2008, Windows 8, Windows Server 2012 and Windows RT, and will require a restart.

Marcus Carey, security researcher at Boston-based security vendor Rapid7 Inc, says, "Most organizations will be affected by these critical bulletins as they relate to legacy codebase that is present even in Microsoft's most recent releases"… "This may come as a surprise to many who expected Windows 8 and Windows Server 2012 to be much more secure than legacy versions. The truth is that Microsoft and other vendors have significant technical debt in their code base which results in security issues."

Bulletin 6, listed as important, addresses a remote code-execution vulnerability and will require a restart to apply updates. This bulletin affects multiple versions of Microsoft Excel Service Pack, Microsoft Office for Mac, Microsoft Office Compatibility Pack Service Pack and Microsoft Excel Viewer.

Bulletin 3, rated moderate, addresses an information disclosure vulnerability and requires a restart. It affects several versions of Windows Vista Service Pack, Windows 7 and Windows Server 2008.

Bottom line: leave your computers and servers on Tuesday night and restart them first thing Wednesday morning!
 

Obama's Blackberry Mods AND Why The Concern

Much has been revealed about the modifications made to Obama's BlackBerry. However, we can get a clearer picture by piecing the various reports together with what we know about the BlackBerry. Let's start by taking a look at the facts.

Excerpt from the Chicago Tribune:

Obama's new BlackBerry will come with software approved by U.S. intelligence officials, allowing him to communicate with friends, family and close associates without fear of hackers reading his private e-mail.

Mentioned in various news reports were a number of “compromises” that President Obama had to adhere to before he got his way.

The Seattle Times newspaper lists the compromises:

  • First, only a select circle of people will have his address, creating a true hierarchy for who makes the cut and who does not.
  • Second, anyone placed on the A list to receive his e-mail address must first receive a briefing from the White House counsel's office.
  • Third, messages from the president will be designed so they cannot be forwarded.

The security concerns

From the above facts, it is possible to figure out the security concerns that a smartphone-toting President will bring about. Foremost would be the risk of interception and decryption of data to and from his smartphone, as well as those with whom he is corresponding.

Detractors might also point out that the various encryption schemes employed by cellular networks are known to be breakable. In addition, the wireless nature of cell phone technology means that it is also theoretically possible to triangulate the President's location. However, I would submit that these problems are inherent to any mobile devices — and not just to smartphones in general. As such, I will not be exploring this angle.

How does a standard BlackBerry work?

It is clear from the comments to Michael's earlier post that there is some confusion about how a BlackBerry works. Let me try to summarize it here.

In a typical enterprise implementation, e-mails and messages are sent via encrypted UDP data packets generated from RIM's BlackBerry Enterprise Server (BES). The BES sits behind the firewall, and its primary task is sending the messages via a RIM-run NOC. The NOC is then in charge of forwarding the encrypted data packets to the correct BlackBerry smartphone. The data packets are useless to any other smartphone because they will not have the correct AES-128 key required to decrypt the data packets.

On a side note, you might be interested to know that the use of UDP packets means that the BlackBerry smartphone is much more data efficient than competing push mail strategies such as the HTTP-based Direct Push implemented by Microsoft.

In conclusion

It is possible to draw a number of conclusions from the above-mentioned facts. First of all, the modified BlackBerry OS on Obama's BlackBerry probably bumps up the encryption from AES-128 to AES-256. This has been noted on some news sites, though in no way officially confirmed. If true, it must be noted that such a move represents an exponential increase — and not just doubling — in the strength of the encryption.

It is hard to say if RIM allowed the creation of a custom NOC specifically for Obama's BlackBerry "network". However, being able to tap into the data packets destined for his device would only be as useful as sniffing the encrypted data streams out from the cellular network.

As pointed out by some TR members, it is also likely that features such as Bluetooth, wireless LAN, and the built-in GPS are stripped out from Obama's BlackBerry. Similarly, the ability to send text messages is likely to be disabled as well.

As for the mandatory briefings, they are likely to have been related to steps to take should they lose their BlackBerry smartphones. I would imagine a security officer would move quickly to invoke a remote device wipe.

Obama's Secret Directive To Fight Cyber Attacks

(Steve Huff Beta Beat) Cyber security is national security! At some point in October this year, President Obama signed the slightly creepy-sounding and secret Presidential Policy Directive 20, a source tells The Washington Post. According to the Post, the directive gives the military license to “act more aggressively” when combating cyber-attacks directed at major U.S. networks.

In essence, anyone waging war on the country via the internet is on notice:

The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.

Policy Directive 20 is a refresh of a presidential directive signed during the Bush administration and falls in line with the Obama administration’s concerns regarding internet-based threats to the nation’s infrastructure.

Given the reported mid-October signing of Directive 20, it’s worth noting the timing of Secretary of Defense Leon Panetta’s October 11 speech about cyber threats. In his address, Secretary Panetta outlined a nightmare scenario combining real and cyber attacks, resulting in what he termed a “cyber Pearl Harbor.” Mr. Panetta said such devastating actions would result in “physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability.”


 

Online Privacy Protection Tips

© ra2 studio - Fotolia.com
(Mark Huffman @ ConsumerAffairs) If you're feeling a bit creeped out by the Internet these days, you aren't alone. A survey of U.S. Internet users found that nearly 75% admit to being worried about the quantity of personal information about them available online. What's more, they say they don't trust social media sites to keep their contact information, buying habits and political beliefs confidential.

When you break down the data compiled by Rad Campaign, Lincoln Park Strategies, and Craig Newmark of craigconnects, you find this mistrust and concern about privacy rises as Americans get older.

People 65 and older expressed their concern at roughly twice the rate of poll respondents under 35. They are also the consumers who feel most strongly that privacy laws need to be strengthened.

"The data shows very clearly that Americans feel manipulated and exposed by the websites they frequent," said Allyson Kapin, co-Founder of Rad Campaign, an organization pushing political advocacy and social change. "That may not stop them from using Facebook and Twitter, or other websites, but they are clearly calling for more safeguards so their personal data does not get sold or used for targeted marketing purposes so easily."

Cookies
The survey shows consumers tend to be most concerned about tracking cookies. These bits of data are responsible for the fact that, once you search for something on Amazon, for example, Amazon ads for that item tend to pop up on web sites you subsequently visit.

In fact, most cookies are fairly benign, compared to other threats, and simply a way for a web site to remember you when you return to the site – not requiring you to sign in again, for example. There are plenty of more serious privacy issues to be concerned about.

When you unknowingly download a program that gathers information – or even takes control of some of your device's functions – that's a big problem. The Department of Homeland Security breaks these intruders down to four similar, yet different threats – viruses, worms, Trojan horses and spyware.

A virus is activated when you click on something you shouldn't. Worms are more insidious, exploiting vulnerabilities on your computer without you doing anything.

A Trojan horse claims to be one thing but is really another. For example, it might present itself as software to protect your privacy, but then collect information about you and distribute it. Spyware shows up when you download a “free” application. It sends information about your activities to a third party.

What to do
To protect yourself from these threats, keep your anti-virus software up to date and don't visit websites you don't trust. Avoid downloading “free” apps unless they are from trusted sources and don't click on links in email, especially email from a spammer.

A major no-no is doing your online banking or checking email in an airport or coffee shop, using public Wi-Fi. An unsecured connection allows others in the public place, with the help of simple software tools, to monitor your activity.

If you have to check email or other sensitive data in a public place, connect to the Internet through a secure line, such as the “hot spot” feature on your smartphone.

Tools
There are also a number of tools that can protect your anonymity on the Internet, such as “Tails,” a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity.

The Electronic Privacy Information Center (EPIC) has compiled this list of other technology tools to protect your privacy.

But the biggest thing consumers can do, sponsors of the privacy poll suggest, is to be much more careful about what they sign up for – starting with actually reading the terms of service (TOS).

"On one hand, Americans are quite concerned about their online privacy, but on the other hand the majority of Americans are using websites and social media platforms without reading very much of the TOS," said Stefan Hankin, Founder of polling firm Lincoln Park Strategies. "That's a problem."

And it goes without saying that, if you are concerned about your privacy, be circumspect about the information and photographs you post on social media sites. It's easy to get caught up in the moment but remember, the Internet is forever. Once it's out there, it's out there.

Online Threats Get More Serious - What To Do

 

(Mark Huffman @ ConsumerAffairs) While the world economy mostly just marked time in the first quarter of 2013, the “hacker economy,” populated by operators who use a large number of threats to compromise corporate and consumer computers, did quite well.

Security software maker McAfee reports hackers continued to make inroads in their increasingly sophisticated efforts to gain access to everything from your online banking account to the space on your hard drive. It all makes today's computing environment very different from the late 1990s, when most of the threats were of a more benign nature.

“Ten years ago we were still at that transitional point, transitioning from geeks trying to prove a geeky point to a Mafia-dominated black market trying to infect people in order to get their information,” said Adam Wosotowsky, Messaging Data Architect at McAfee.

While it is true that today's protections are better and more robust, the threat is even more dangerous. The stakes are higher. After all, ten years ago almost no one used online banking.

“The targeting level, the amount of information and their willingness to try financial fraud to get money out of you is much more aggressive and dangerous today,” Wosotowsky said.

Koobface

In the first quarter of 2013 McAfee found a big spike in the presence of a social networking worm called Koobface. In fact, it found almost three times as many samples of Koobface as it found in the previous quarter. Almost anyone who has spent much time on social networking sites like Facebook or Twitter has seen examples of Koobface.

“It's something that works very well in a social networking environment,” Wosotowsky said. “They put up a message that says something like 'hey, I found naked pictures of you on the Internet, click here.' Someone clicks on that and they try to do a drive-by download or some sort of Javascript that either infects their machine or tries to do something with their account in order to send the same message to more of their friends and then more of their friends.”

If you haven't come across a message like that, it's because the social networking companies monitor what's in their system. When they see something like that, they remove it. But they can't be everywhere at once and many of these bogus messages manage to stay up for a while.

“As a way to distribute malware, it's a pretty good one,” Wosotowsky said.

When you see messages that make you feel even slightly nervous or uncomfortable, Wosotowsky said the best course of action is to simply ignore them. If they are malware the social networking site will at some point remove them.

Low profile


With organized crime more heavily involved in today's malware, the hackers' footprints are harder to detect. In the past many viruses and malware might “brick” a machine. In other words, it might make your machine run slower or grind to a halt altogether. It was a dead giveaway that your computer had been infected. But times have changed.

“Operators in the Mafia-dominated malware area don't want to brick a machine,” Wosotowsky said. “They want to make money off those machines, whether it's sending spam, doing denial-of-service attacks or engaging in financial fraud. If you've been infected with a really professionally-made virus, your computer might even run better afterward.”

In spite of early predictions that 2013 would be the year of mobile malware, McAfee reports the evidence has yet to emerge. In fact, growth of mobile malware declined slightly during the period. However, there was an alarming 40% increase in Android malware.

“What we've started to see are attempts to do drive-by downloads on the Android operating system itself,” Wosotowsky said.

That means the threat isn't just from downloading a suspect app, as it was in the past. It all points to the need to be more careful online, whether you are at your desk or on the go, and taking advantage of every security measure available.

“Having up-to-date anti-virus on your system is important but people should understand that it is your last line of defense,” Wosotowsky said. “Once hackers get past your anti-virus, they're going to have their way with your machine.”

 

Online fraud - How easy is it to be conned

(Ann Brown @ BBCnews) Online fraud can be very convincing, even to the wary

Fraud is aimed at everyone and every part of society, Government at every level, businesses large and small, charities and individuals.

A Fraud Action report in 2012 put the cost to the UK economy at £73bn, and of that £6.1bn a year is the cost to individuals.

I was a victim of a very plausible fraudster in the run up to Christmas, and that is the basis of The Investigation on BBC Radio Scotland.

A phone call at home asked if I was Mrs Brown. Being used to calls trying to sell me everything from PPI inquiries to home improvements, I am always on my guard and ask who wants to know.

This caller introduced himself as Michael Scott from the Visa Verification Fraud Team.

Did I, he asked, know there had been some unusual activity on my account that morning, and had I set up a payment of £5,000 to a George Sim. I'd been at a meeting all morning, hadn't been into my online banking, and had never heard of anyone of that name.

But, being the wary soul I am, I told the caller I wouldn't speak to him but would call the bank back. He immediately agreed that that was exactly what I should always do.

Nothing roused my suspicions about the call to the number shown on the back of my card; there was a normal dialling tone, then ringing tone, and the phone was answered in precisely the way I expected of the bank.

This time I was talking to John Turner. He confirmed the activity there had been on my account, and we spent some considerable time going through everything.

He told me not to use my card again, and said the bank would send me out a new card and pin within 48 hours. I was happy that any illegal use of my account had been averted.

But it was all a fraud, which I discovered when I spoke to the real bank the next day. My accounts had been wiped out, a loan set up for £10,000 and my phone number changed.

The bank refunded all my money - which they will do providing it's a genuine fraud and the customer hasn't taken any action themselves.

Primary Head Teacher Jennie Tracy experienced much the same type of scam, and at the fraudster's instructions, set up a new - supposedly secure - account to transfer all her money into.

She lost a total of £13,000 which her bank won't refund because she took the action herself, even though she believed she was talking to the bank.

The bank's advice is clear: don't ever call straight back on the same phone, the fraudster may be still on the line, so wait 10 minutes - or use another phone.

The bank says they would never ask someone to use a card-reader over the phone - the fraudster had done this, and I did use it.

This gave him access to everything. And of course, don't ever give your PIN number, passwords or the security number on the back of your card to anyone.

As technology advances, fraudsters have become increasingly sophisticated, and online fraud comes in many forms.

Scammers use fake letters, emails and phone calls, with the intention of getting hold of as much information as possible, particularly bank details, so they can get into accounts and strip them.

These are generally known as phishing. They might con people into spending money to claim a lottery win or a prize, or to take advantage of a fantastic special offer; they clone retail or even Government websites which look like replicas of the real thing, but if you look hard enough there are very small differences that should make shoppers beware.

Neil Coltart, Group Manager for Trading Standards with Glasgow City Council advises potential shoppers to make sure the web address starts with https - with the s meaning security, and there should be a padlock icon there as well.

Cloned Government websites include the Passport Office, where renewal is offered on line, and payment taken on the site.

Thousands are being duped by this one, including heads of government departments, senior journalists and business owners, all getting their new passports as they book their holidays.

One was even threatened with legal action if he tried to get his money back. The genuine Passport Office, while providing renewal forms online, does not take payment that way.

Other cloned Government websites include HMRC, the DVLA, and the European Health Insurance Card - which is charged for by the fake site, but is actually free in the UK.

The message from police, banks, Citizens Advice and Fraud Action organisations, is never give your personal details to anyone unless you are 100% sure of who they are.

Online messages might not be secure

Many people who use popular messaging services like Facebook Messenger, WhatsApp and Viber take for granted that their conversations are private because they are encrypted.

But a recent study from Brigham Young University shows that these messages are still vulnerable to hacking attempts because users don’t take advantage of other important security options. The researchers say that although these three messaging services encrypt messages by default, they also require an “authentication ceremony” to ensure that conversations stay private.

Ph.D. student Elham Vaziripour says that unfortunately many consumers aren’t aware of these ceremonies, which means that “a malicious party or man-in-the-middle attacker can eavesdrop on their conversations.”

Guaranteeing privacy

In basic terms, an authentication ceremony allows users to confirm the identity of the person they’re communicating with on one of these messaging services. Those who take advantage of this security option guarantee that no other party – not even the company providing the messaging application – can intercept the messages.
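What the ceremony checks, shown as an added Python example that is not taken from the study or from any of the apps named: each device derives a numeric code from both identity keys as it received them, and the two users compare the codes over a channel the service does not control. The key values, the code format and the names `honest_server` and `substituting_server` are constructed for illustration.

```python
"""Authentication ceremony: compare key-derived codes out of band (added example)."""
import hashlib
import hmac


def identity_key(label):
    """Constructed 32-byte stand-in for a user's long-term public key."""
    return hashlib.sha256(b"constructed identity key: " + label.encode()).digest()


def fingerprint(user_id, public_key, rounds=5200):
    """Bind a key to an account id and render it as 30 decimal digits.

    Hypothetical format: repeated SHA-512, then six 5-digit groups.
    """
    digest = b"\x00\x00" + public_key + user_id.encode()
    for _ in range(rounds):
        digest = hashlib.sha512(digest + public_key).digest()
    chunks = [digest[i:i + 5] for i in range(0, 30, 5)]
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def safety_code(my_id, my_key, peer_id, peer_key_as_received):
    """Code one device displays for a conversation.

    Both fingerprints are sorted before joining, so two honest devices
    show the same 60 digits no matter which side computes them.
    """
    parts = sorted([
        fingerprint(my_id, my_key),
        fingerprint(peer_id, peer_key_as_received),
    ])
    digits = "".join(parts)
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


def ceremony(code_on_device_a, code_on_device_b):
    """The ceremony itself: the users compare what their screens show,
    in person or on a call, and proceed only if the codes are identical."""
    return hmac.compare_digest(code_on_device_a.encode(), code_on_device_b.encode())


def honest_server(user_id):
    """Key directory that returns each user's real key."""
    return identity_key(user_id)


def substituting_server(user_id):
    """Key directory that answers every lookup with an intermediary's key,
    the situation the quoted man-in-the-middle warning refers to."""
    return identity_key("intermediary")


def run_session(key_server):
    """Alice and Bob each fetch the other's key from the directory,
    then perform the ceremony. Returns True when the codes match."""
    alice_key, bob_key = identity_key("alice"), identity_key("bob")
    alice_view = safety_code("alice", alice_key, "bob", key_server("bob"))
    bob_view = safety_code("bob", bob_key, "alice", key_server("alice"))
    return ceremony(alice_view, bob_view)


if __name__ == "__main__":
    print("honest directory, codes match:", run_session(honest_server))
    print("substituted keys, codes match:", run_session(substituting_server))
```

Encryption alone succeeds in both runs; only the comparison of codes tells the two cases apart.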

To see which steps typical users took to protect their privacy, the researchers asked a group of people to participate in a multi-phase experiment. In the first phase, the participants were asked to share a credit card number with another person in the study while keeping in mind that information should be kept confidential.

The results showed that only 14% of users successfully authenticated the recipient of the messages, with most resorting to ad-hoc security measures like asking the recipient to reiterate details of a shared experience.

In the second phase, participants were once again asked to share a credit card number, but this time the researchers accentuated how important authentication ceremonies were for maintaining privacy. The results showed that this extra direction led to 79% of participants authenticating their partner. However, the researchers found that completing this extra security step tended to take some time – around 11 minutes on average.

Automatic authentication

While the study shows that many users are able to conduct authentication ceremonies to maintain privacy, it is not necessarily at the forefront of their mind when using these messaging apps. The researchers hope that these services will adapt to make authentication ceremonies more automatic so that consumers don’t leave themselves exposed.

 "If we can perform the authentication ceremony behind the scenes for users automatically or effortlessly, we can address these problems without necessitating user education," said Vaziripour.

"Security researchers often build systems without finding out what people need and want," added researcher and professor Kent Seamons. "The goal in our labs is to design technology that's simple and usable enough for anyone to use."

Overcoming the uncanny valley to catch a pedophile

(Jennifer Abel @ ConsumerAffairs) [Photo: "Sweetie"]

Technology is all too often used by pedophiles and those who cater to them. Now a Dutch non-profit has turned the tables and is putting technology to work stopping pedophilia.

Computer animation experts working for the Terre des Hommes International Foundation (“For children, their rights and equitable development,” according to its website) have managed to overcome the “uncanny valley” and create a CGI avatar good enough to fool webcam-watching pedophiles.

The avatar, named Sweetie, looks like many young Filipinas recruited to the sex trade. Appearing to be just 10 years old, she spends her days online fielding offers to perform sex acts online. 

“Sweetie” had 20,000 visitors during the eight weeks she spent online last year. Luckily, she wasn't a real little girl forced to perform on camera for paying pedophiles, but a computer-generated avatar created by Terre des Hommes, and controlled by researchers in an Amsterdam warehouse.

During the initial interactions, the researchers gathered information about the predators through social media to uncover their identities. Online contact was cut off before any simulated sexual acts were performed.

Worldwide campaign

Sweetie is part of Terre Des Hommes' campaign to stop webcam child sex tourism, which it calls a “quickly spreading new form of child exploitation that has got tens of thousands victims involved in the Philippines alone.”

TdHIF's website also includes an eight-minute video discussing the child webcam sex industry and Sweetie's part in fighting it (the video contains no sexually explicit content but you might want to avoid watching it at work anyway, as certain parts of it could sound incriminating if overheard out of context).

Of course, Terre des Hommes is hardly the only group working to combat child pornography on the Internet; so is every reputable tech company out there.

Last November, for example, Google launched an anti-child porn initiative involving changes to its search algorithms (to make child pornography harder to find or share online), image-recognition technology to automatically identify potentially problematic pictures, and individual human oversight to, for example, distinguish between exploitative images and harmless photos of kids in the bathtub.

Past Time To Upgrade Your WiFi Router For Security Sake

Chances are you set up a wireless network in your home for a single task, such as enabling a laptop to access the Internet without having to use a cable.

Over the years, numerous other devices have entered the scene that can use your home’s Wi-Fi network -- HDTVs for streaming movies and accessing the Internet, printers, tablets, video game systems, ebook readers, media players and more.

Can your network handle this increased demand?

If it’s been a few years since you installed a wireless router, the answer is probably no. The latest routers feature 802.11n technology (compared to the older 802.11g/b), which offers faster speeds -- especially ideal for streaming video and playing multiplayer games.

Some models also have multiple antennae, sometimes referred to as dual-band (2.4GHz and 5GHz speeds), to better handle a number of wireless devices at the same time.

These new 802.11n routers offer a broader range, easier setup and better security. Speaking of security, remember to password-protect your wireless network (see below).

The good news is you don’t need to break the bank to pick up a new wireless router, as prices start at about $15 for an 802.11n model capable of streaming up to 150 megabits per second. Wireless routers that can handle up to 300 Mbps speeds start at about $35 and routers with speeds up to 450 Mbps typically start at $70 and go up to $150.

To recap, there are five good reasons to consider the upgrade:

1. Faster speeds: Newer routers can handle streaming high-def video, multiplayer games.
2. Broader distance: Access the Internet anywhere in your home or on a porch or backyard deck.
3. Support for more wireless devices: Connect a couple dozen devices without fear of noticeable slowdown.
4. Better security: Newer routers offer more secure ways to safeguard your network and information.
5. Simpler setup: The latest routers are easier to set up, offering interview-like questions for users to click through.

Stop your neighbors from stealing your Wi-Fi

On a related note, while routers are getting easier to set up than ever before, you should still ensure you're taking precautions to prevent other people from using your wireless network without your consent.

Not only does this slow down your connection, but if uninvited guests download illegal content you’re liable unless proven otherwise, plus it also puts your own data at an increased risk. And if you have a monthly data cap, your neighbors might be prematurely pushing you towards your limit.

What to do?

When setting up your wireless network, you’ll typically get a choice to secure your connection with WEP, WPA or WPA2.

WEP (Wired Equivalent Privacy) is the oldest wireless security protocol out of the three, and it has the most known security flaws. Using WEP is better than no protection at all, of course, but inferior to WPA and WPA2.

WPA (Wi-Fi Protected Access) was introduced after WEP and combines two different security protocols to create a more resilient alternative to WEP. But it didn’t take long for hackers to find and exploit weaknesses inherent with WPA.

WPA2 (Wi-Fi Protected Access version 2) adds another layer of technology called Advanced Encryption Standard (AES) to secure the connection against unwanted outsiders. Couple this with creating a strong password and this is the most secure wireless protocol to go with.


Patch Tuesday April 10, 2012

Microsoft has released their Advance Notification for the upcoming April Patch Tuesday, that is, today.  A total of six bulletins will address 11 vulnerabilities.  This marks Microsoft’s heavy patch month this year for desktops and servers alike. 

Security Bulletin Breakdown:

  • 4 bulletins are rated as Critical
  • 2 bulletins are rated as Important
  • 5 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 1 bulletin addressing a vulnerability that could lead to Elevation of Privilege

 Affected Products:

  • All supported Microsoft operating systems
  • All supported Internet Explorer browsers
  • Microsoft Office 2003, 2007, 2010
  • Microsoft Office 2003 Web Components
  • Microsoft SQL Server 2000, 2005, 2008, 2008 R2
  • Microsoft BizTalk Server 2002
  • Microsoft Commerce Server 2002, 2008, 2009, 2009 R2
  • Microsoft Visual FoxPro 8, 9
  • Microsoft Visual Basic 6.0 Runtime
  • Microsoft Forefront Unified Access Gateway

Bottom line: remember to restart your computers and servers Wednesday morning.

Patch Tuesday June 2013

Microsoft has published its June Advance Notification, giving us insight into what to expect Tuesday June 11. This release is relatively small with only one critical and four important security bulletins, making it the smallest of 2013 yet. However, it does patch some of the more widely used and important Windows components.

Bulletin 1 is rated critical and affects all versions of Internet Explorer on all Windows platforms. If left unpatched, this vulnerability can cause RCE (remote code execution), which implies that an attacker can take control of the victim computer if the victim browses to a malformed website using Internet Explorer (IE). Since the browser is a window to the internet, IE users should apply this RCE patch as soon as it is released.

Bulletin 2 fixes an information disclosure vulnerability in the server and desktop versions of Windows 32-bit systems. Windows 7, 8, Vista, XP as well as Server 2003 and 2008 are affected. Systems that are not affected include Windows Server 2008 R2, 2012 and Windows RT.

Bulletin 3 is only a denial-of-service vulnerability, but since it affects server operating systems, including Windows 2008, R2 and 2012, we need to watch if it can be exploited remotely by sending malicious packets of data on listening services. We will update you more on this next Tuesday when more information is available. Bulletin 4 is an elevation of privilege vulnerability, which implies that an attacker would need valid credentials to exploit this issue and gain higher privileges.

Bulletin 5 impacts Microsoft Office 2003 SP3 as well as Office for Mac 2011. Microsoft Office has a widely deployed customer base and usually the attack is carried out by sending malicious files via e-mail or hosting them on a compromised website. This vulnerability also allows an attacker to take full control of the victim machine and is classified as an RCE.

Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software
Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer
Bulletin 2 | Important, Information Disclosure | Requires restart | Microsoft Windows
Bulletin 3 | Important, Denial of Service | Requires restart | Microsoft Windows
Bulletin 4 | Important, Elevation of Privilege | Requires restart | Microsoft Windows
Bulletin 5 | Important, Remote Code Execution | May require restart | Microsoft Office

Windows Operating System and Components






Windows XP
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Important | None | None
Windows XP Service Pack 3 | Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical) | Windows XP Service Pack 3 (Important) | Not applicable | Not applicable
Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical) | Not applicable | Not applicable | Not applicable

Windows Server 2003
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | Important | None | None
Windows Server 2003 Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Windows Server 2003 Service Pack 2 (Important) | Not applicable | Not applicable
Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate) | Not applicable | Not applicable | Not applicable
Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate) | Not applicable | Not applicable | Not applicable

Windows Vista
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Important | Moderate | Important
Windows Vista Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Windows Vista Service Pack 2 (Important) | Windows Vista Service Pack 2 (Moderate) | Windows Vista Service Pack 2 (Important)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 (Critical); Internet Explorer 8 (Critical); Internet Explorer 9 (Critical) | Not applicable | Windows Vista x64 Edition Service Pack 2 (Moderate) | Windows Vista x64 Edition Service Pack 2 (Important)

Windows Server 2008
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | Important | Moderate | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate) | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Moderate) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Not applicable | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Moderate) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important)

Windows 7
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Important | Moderate | Important
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Important) | Windows 7 for 32-bit Systems Service Pack 1 (Moderate) | Windows 7 for 32-bit Systems Service Pack 1 (Important)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Critical); Internet Explorer 9 (Critical); Internet Explorer 10 (Critical) | Not applicable | Windows 7 for x64-based Systems Service Pack 1 (Moderate) | Windows 7 for x64-based Systems Service Pack 1 (Important)

Windows Server 2008 R2
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | None | Moderate | Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Moderate); Internet Explorer 9 (Moderate); Internet Explorer 10 (Moderate) | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Moderate) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Moderate) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important)

Windows 8
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | Important | Important | Important
Windows 8 for 32-bit Systems | Internet Explorer 10 (Critical) | Windows 8 for 32-bit Systems (Important) | Windows 8 for 32-bit Systems (Important) | Windows 8 for 32-bit Systems (Important)
Windows 8 for 64-bit Systems | Internet Explorer 10 (Critical) | Not applicable | Windows 8 for 64-bit Systems (Important) | Windows 8 for 64-bit Systems (Important)

Windows Server 2012
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Moderate | None | Important | Important
Windows Server 2012 | Internet Explorer 10 (Moderate) | Not applicable | Windows Server 2012 (Important) | Windows Server 2012 (Important)

Windows RT
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | Critical | None | Important | Important
Windows RT | Internet Explorer 10 (Critical) | Not applicable | Windows RT (Important) | Windows RT (Important)

Server Core installation option
Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4
Aggregate Severity Rating | None | Important | Important | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Moderate) | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Moderate) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important)
Windows Server 2012 (Server Core installation) | Not applicable | Not applicable | Windows Server 2012 (Server Core installation) (Important) | Windows Server 2012 (Server Core installation) (Important)

Microsoft Office Suites and Software



Microsoft Office Software
Bulletin Identifier | Bulletin 5
Aggregate Severity Rating | Important
Microsoft Office 2003 Service Pack 3 | Microsoft Office 2003 Service Pack 3 (Important)
Microsoft Office for Mac 2011 | Microsoft Office for Mac 2011 (Important)

Pay attention to ALL malware warnings

 


(Jennifer Abel @ ConsumerAffairs) Here's a useful tip if you want to avoid getting your computer hacked: whenever you see one of those “this website is not safe” or “this website will harm your computer” warnings, stay away from that website.

Such advice sounds almost too obvious to mention, yet psychology researchers at Brigham Young University recently determined that it is worth mentioning — more specifically, that even presumably computer-savvy people who “ought to know better” will nonetheless ignore those security warnings.

BYU researchers Bonnie Anderson, Brock Kirwan and Anthony Vance tried a little experiment wherein it appeared that they'd hacked into study participants' personal laptops and caused major damage. That didn't really happen, of course; what happened was, study participants were surveyed about their own attitudes toward computer security.

Then, in an apparently unrelated task, they were asked to use their own computers to log on to a website filled with pictures of Batman, and divide the pictures into two categories: photography or animation.

Damage warnings

The researchers loaded the website with links, many of which had damage-warnings attached to them. Students who ignored too many “warnings” and clicked on links anyway eventually saw a terrifying (though completely fake) message on their screen: a laughing skull and crossbones, a 10-second countdown timer and the words “Say goodbye to your computer,” all courtesy of an alleged “Algerian hacker.” And even those students whose survey answers suggested they took computer security very seriously would often click on those “dangerous” links.

Brock Kirwan, an assistant professor of Psychology and Neuroscience, said that “A lot of people don’t realize that they are the weakest link in their computer security …. The operating systems we use have a lot of built-in security and the way for a hacker to get control of your computer is to get you to do something.”

Or to not do something: consider, for example, how many people don't even bother changing the default passwords on their IP cameras, leaving everything from their baby monitors to their home-security camera feeds accessible to anyone who knows the default code.

Some personal-security matters are beyond your control: if you have and use a credit card, you're at risk if that credit card or any of the stores where you used it get hacked. But as the recent Brigham Young study and the IP camera-password fiasco conclude, many of the worst hackings result from things you can control, yet don't.

In real life, if you visit a compromised website, you won't see a skull-and-crossbones logo or anything else letting you know you made a mistake.

Petraeus Affair Teaches Five Gmail Lessons

(MICHELLE QUINN and ALEX BYERS - Politico) It’s become the email equivalent of separating church and state: work email is for official communications while private accounts are for personal — and sometimes inappropriate — messaging.

But as the scandal that has enveloped former CIA director David Petraeus and Gen. John Allen has shown, Gmail and other Web-based email services are not completely safe zones.

The FBI probe into Petraeus — which led to his resignation last Friday — serves as a reminder that even the most private emails sent on commercial online services among people using pseudonyms can be discovered and thrown into the harsh light of scrutiny.

Here are Gmail lessons to be learned from the Petraeus affair:

1. It’s not anonymous.

Petraeus and his biographer Paula Broadwell apparently took steps to protect their communication, such as using pseudonyms to set up an online service account and in communicating with each other. But FBI investigators were able to figure out some information about the account from looking at emails sent from the account to another party. Reportedly this is what led authorities investigating threatening emails to Tampa socialite Jill Kelley from Broadwell.

“Who you are saying it to and where you are saying it from has the least protection under the law,” said Chris Soghoian, principal technologist at the ACLU. “A warrant is needed to find out what you are saying.”

Internet service providers and most websites keep complete records of the Internet Protocol addresses of those who use their services for 18 months, and then slightly blurred records of IP addresses after 18 months. Investigators can obtain that information under the Electronic Communications Privacy Act as long as they have reasonable grounds to believe that it is relevant to an ongoing criminal investigation — less than the probable cause needed to secure a warrant. In the Petraeus case, the FBI reportedly got the necessary court clearances.

The only way that people can use pseudonymous webmail accounts safely is via an anonymizing service like Tor, said Peter Eckersley, technology projects director for the Electronic Frontier Foundation. Tor is installed on a computer and reroutes website visits, instant messages and other communications to other Tor users so it is not possible to identify a single computer, sort of like hiding in a crowd.

2. Government requests for access are increasing and Google and other services play ball.

Google reported Tuesday that law enforcement and courts in the United States made nearly 8,000 requests for user information in the first half of 2012 from all of Google’s products — including Gmail, search, Google Docs, etc. The number of requests from the American law enforcement alone jumped 26 percent from the previous six months, when 6,321 requests were made.

Government officials wanted information on 16,281 accounts, Google said, and Google complied roughly 90 percent of the time.

The report shows governments around the world not only wanted more data for law enforcement purposes but also increased requests to Google to remove content. “Government surveillance is on the rise,” Dorothy Chou, a senior policy analyst at Google, wrote in a blog post announcing the report.

3. You’re not in cyberspace.

A person’s physical location when sending an email can often be pinpointed from the email they send. Email metadata contains IP addresses of the computers and servers they come in contact with, as well as the unique number associated with the device that sent the emails. Sometimes, the traceable IP of the sender’s device is visible in a sent email — email services such as Yahoo and others reveal information about the sending computer, while messages sent from Gmail’s Web interface do not reveal the information about the sending computer, privacy experts say. Even if it isn’t visible, investigators can obtain it with the use of a subpoena or court order, and determine other accounts accessed from the same location. In the Petraeus case, authorities reportedly used location data in the headers of emails to trace them to Broadwell. Once they pinpointed her as a suspect, FBI investigators were able to obtain a warrant to look at her other email accounts, including the Gmail account she reportedly shared with Petraeus.

4. A draft email folder does not offer magical protection.

The Associated Press reported Monday that Petraeus and Broadwell sometimes communicated by writing messages and storing them in the draft folder of a jointly accessed email account, rather than sending them. The idea is to avoid creating a digital trail of email transmissions, a technique reportedly used by Al Qaeda operatives to hide traffic but dismissed by one privacy expert as “security folklore.”

The technique doesn’t work because emails kept in the draft folder are sent to service providers’ servers. In fact, they may be more vulnerable. Government may have easier access to the unsent emails, because draft communications might not meet the technical definition of “electronic storage” in ECPA. That would allow access to the communications without a full-blown warrant.

5. Off-record chats can linger — somewhere.

When using instant messaging in Google Talk or Gmail, many users choose to chat “off record,” meaning that nothing said is saved in either person’s Gmail account. But if using a third-party service to access chat, the history may be saved to the users’ computers, Google says. “We can only guarantee that when you go off the record, the chat history is not being automatically saved or made searchable in either person's Gmail account,” the company reports.

But Soghoian said that “Google's off the record isn't bulletproof.”

“If the government sends Google a preservation order” — a stipulation requiring a company to preserve data, even if it’s not yet signed by a judge — “then Google can be forced to retain future records for that account,” he said.
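Lesson 3 above says that email headers can carry the IP address of the sending computer with some services and not with others. The following added example (not part of the original article) uses Python's standard email module to walk the Received chain of two constructed messages and report what each one exposes; every host name and address in it is constructed, taken from documentation and private address ranges.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message in which the first server recorded the client's
# addresses and the provider added an X-Originating-IP header.
MAIL_EXPOSING_CLIENT = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby inbox.example.org with ESMTPS id abc123;
\tMon, 12 Nov 2012 10:15:02 -0500
Received: from webmail.example.com (webmail.example.com [203.0.113.7])
\tby mx.example.net with ESMTP id def456;
\tMon, 12 Nov 2012 10:15:01 -0500
Received: from [192.168.1.23] (unknown [192.0.2.44])
\tby webmail.example.com with HTTP;
\tMon, 12 Nov 2012 10:15:00 -0500
X-Originating-IP: [192.0.2.44]
From: pseudonym@example.com
To: someone@example.org
Subject: constructed test message

body
"""

# Constructed message from a web interface that records no client address.
MAIL_FROM_WEB_UI = """\
Received: from mail-out.example.com (mail-out.example.com [203.0.113.9])
\tby inbox.example.org with ESMTPS id ghi789;
\tMon, 12 Nov 2012 11:00:02 -0500
Received: by mail-out.example.com with HTTP;
\tMon, 12 Nov 2012 11:00:00 -0500
From: pseudonym@example.com
To: someone@example.org
Subject: constructed test message

body
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _bracketed_ips(text):
    """Return valid IPv4 addresses written as [a.b.c.d] (IPv4 only here)."""
    ips = []
    for candidate in BRACKETED_IPV4.findall(text):
        try:
            ips.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # e.g. [999.1.1.1] looks like an address but is not one
    return ips


def is_lan(ip):
    """True for home/office LAN ranges, which say little about location."""
    return any(ip in net for net in RFC1918)


def received_chain(raw):
    """Addresses named in each hop's 'from' clause, sender side first.

    Each server prepends its Received header, so the list is reversed.
    """
    msg = message_from_string(raw)
    chain = []
    for value in reversed(msg.get_all("Received") or []):
        value = value.strip()
        if value.lower().startswith("from"):
            from_part = re.split(r"\s+by\s+", value, maxsplit=1)[0]
        else:
            from_part = ""  # a 'by ...' only header names no peer
        chain.append([str(ip) for ip in _bracketed_ips(from_part)])
    return chain


def sender_exposure(raw):
    """Summarise what the headers reveal about the sending computer."""
    msg = message_from_string(raw)
    chain = received_chain(raw)
    # The first hop is the client only if the provider chose to record it.
    first_hop = [ipaddress.ip_address(ip) for ip in chain[0]] if chain else []
    declared = msg.get("X-Originating-IP", "").strip(" []")
    try:
        declared = str(ipaddress.ip_address(declared))
    except ValueError:
        declared = None
    return {
        "x_originating_ip": declared,
        "first_hop_lan_ips": [str(ip) for ip in first_hop if is_lan(ip)],
        "first_hop_public_ips": [str(ip) for ip in first_hop if not is_lan(ip)],
        "hops": len(chain),
    }
```
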

Phony WiFi Signal Scam

(Daryl Nelson @ConsumerAffairs) Okay, so you're grabbing a bite and a cup of coffee at Panera and you pull out your laptop and look for Panera's Wi-Fi signal. You see it, log in and start using your computer. But one question: How do you know the signal that you're using is really Panera's?

Or this: You're out of town on business and you log into your hotel's Wi-Fi, but when you get home, you find out your personal information has been compromised. A few days after that, you learn the Wi-Fi signal you were using at the hotel was fake.

According to Adam Levin, chairman of Identity Theft 911, phony Wi-Fi signals are used all the time.

"The most common locations for Wi-Fi scams are hotels, coffee shops and airports," he said in an interview with ConsumerAffairs. And how do scammers do it? Levin says they set up signals that look exactly like the real thing.

"When you are looking for a free network at, for example, a hotel, conference, restaurant or airport and see "free Wi-Fi," or something which looks very much like the free network where you are staying, you may be staring at a hot spot scam."

And once you see a certain logo or symbol associated with the Wi-Fi, like a Panera logo for example, you automatically let your guard down, says Levin.

"You connect to it because it sounds right and/or it shows up as being the strongest signal," he explains. "Basically, according to Computerworld, you may have just encountered a 'man in the middle' scam and are connecting to the Internet through the hacker's computer."

"This means--since your cyber gateway is the connection through his computer--he is monitoring your online activity."

Extremely easy

Security expert Apolonio Garcia, of the company Health Guard IT Security, says it's extremely easy for scammers to set up phony Wi-Fi signals, especially in places that are usually considered secure.

"If you're in an airport, you can make it an airport hotspot," said Garcia in a published interview. "If you're in a coffee shop, you can make it the name of the coffee shop."

Steve J. Bernas, president and CEO of the Better Business Bureau in Chicago, said hotels are especially vulnerable, because scammers know that people often let their guard down when they're staying in a comfy place away from home.

And many times, folks have more time to browse the Internet and do things like check their social media page when they're staying in hotels.

"Checking personal and work email as well as updating social media posts while on vacation are common," said Bernas.

"Scammers know that because many hotels charge for Wi-Fi, a free connection looks appealing. However, by connecting to an unknown and unsecure Wi-Fi connection, you are letting the owner of the connection see all your Internet activity."

"This could include your personal information, banking information and other Internet browsing activity."

Seeing double

And if you see two of the same Wi-Fi signals in the same location, Levin says to stay away from both.


"The best defense against an attack is not to be there," he said. "Therefore, only connect to a network that you know for sure is the real deal. Keep in mind that a clever hacker can name a network virtually the same name as the authentic network. If they don't, make sure you know the exact name of the network you want to log onto."

"If you only see one network with the precise name given to you by a knowledgeable representative at the location, it is far less dangerous than if you see two networks with the exact same name. If so, do not use either one," Levin advises.
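The "seeing double" advice above, together with the WEP/WPA/WPA2 ranking from the router article earlier on this page, can be turned into a check over a list of visible networks. This is an added example, not part of the original articles; the scan records, network names and MAC addresses are constructed, and `review_scan` and `safe_to_join` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, security, signal %).
# Not captured from a real network; names and MAC addresses are made up.
SCAN = [
    ("CafeGuest",   "02:00:00:aa:00:01", "WPA2", 62),
    ("CafeGuest",   "02:00:00:bb:00:02", "OPEN", 91),
    ("Cafe Guest",  "02:00:00:cc:00:03", "OPEN", 88),
    ("HomeNet-Old", "02:00:00:dd:00:04", "WEP",  40),
    ("Neighbor",    "02:00:00:ee:00:05", "WPA2", 35),
]

# Ranking of the options the article describes, weakest first.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def normalize(ssid):
    """Fold case and drop spaces/punctuation so near-identical names match."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def review_scan(records, expected_ssid):
    """Map each suspicious SSID to a list of flags.

    expected_ssid is the exact name given by staff at the location.
    Flags: duplicate-name (one name, several transmitters),
    mixed-security (same name offered with different protection),
    weak:<proto> (anything below WPA2), unrated:<label> (unknown label),
    lookalike (different spelling that normalizes to the expected name).
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, security, _signal in records:
        by_ssid[ssid].append((bssid.lower(), security.upper()))

    wanted = normalize(expected_ssid)
    findings = {}
    for ssid, aps in by_ssid.items():
        flags = []
        protocols = {sec for _, sec in aps}
        # Large venues do run several access points under one name, so
        # this flag is a reason to ask staff rather than proof of a scam.
        if len({bssid for bssid, _ in aps}) > 1:
            flags.append("duplicate-name")
        # One name offered both protected and unprotected is the
        # stronger signal: a real deployment uses one setting throughout.
        if len(protocols) > 1:
            flags.append("mixed-security")
        for proto in sorted(protocols):
            if proto not in STRENGTH:
                flags.append("unrated:" + proto)
            elif STRENGTH[proto] < STRENGTH["WPA2"]:
                flags.append("weak:" + proto)
        if ssid != expected_ssid and normalize(ssid) == wanted:
            flags.append("lookalike")
        if flags:
            findings[ssid] = flags
    return findings


def safe_to_join(records, expected_ssid):
    """True only if the expected network is visible, unflagged, and
    nothing nearby imitates its name."""
    findings = review_scan(records, expected_ssid)
    seen = any(rec[0] == expected_ssid for rec in records)
    lookalike = any("lookalike" in flags for flags in findings.values())
    return seen and expected_ssid not in findings and not lookalike
```
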

In addition, he says don't even use free Wi-Fi if you can help it, because there are much better ways to go. 

"Frankly, it's best not to use free Wi-Fi but use a virtual private network that you can get through various outside companies (security software firms), service providers such as AT&T or Verizon, or through your work. These are effectively encrypted conduits."

Chances are you can also connect through your smartphone. Major carriers offer wireless broadband via your phone. It works quite well but will cost you a few bucks per month. 

What else?

Here are Levin's other tips to avoid being scammed: 

  • Turn off ad hoc mode (generally not turned on, but might be)
  • Turn off file sharing (many people have this turned on in order to share files, folders, resources with others on their network).
  • Turn off visible network. This makes your network invisible to others. If you get to a public hot spot, designate it "public" on your computer. This makes it invisible to others who might try to connect to you for various reasons, most not good for you.
  • Encrypt your email (check your email programs, many allow you to encrypt both incoming and outgoing email).
  • Carry an encrypted thumb drive and keep private data on it and not your computer.
  • Disable your wireless adapter. Oftentimes it's best to avoid all wireless exposure.
  • Be alert and keep an eye out for those who might be peering over your shoulder.
  • Always keep your firewall on.

And if you ever fall victim to a Wi-Fi scam, Levin says you should do the following:

  • Run a full security scan of your computer and determine if there is malware, or a virus.
  • Buy programs to remove malware, viruses, etc., from your computer. Better yet, use a professional to inspect and clear your computer of viruses and/or malware.
  • If you don't already have it, buy the most sophisticated firewall and/or security software programs available for your computer and make sure they are either automatically updated or you update them frequently.
  • Change all of your passwords on all email, social networking, financial service sites and retail sites.
  • Consider putting a freeze on your credit files.
  • Get a free copy of your credit report from each of the three national credit reporting agencies at www.AnnualCreditReport.com

Places to Never Use a Debit or Credit Card to Make a Payment

(Ellen Chang @ TheStreet) NEW YORK (MainStreet) -- While carrying around your debit and credit cards to make your daily purchases from coffee to lunch to parking is efficient, the convenience could spell trouble.

Using your credit or debit card to pay for your purchases puts consumers at greater risk of identity theft and losing key personal information.

Here are seven places you should think twice before swiping your debit or credit card to prevent a hacker from intruding into your finances and potentially affecting your credit score.

Online Shopping

With the proliferation of discount shopping websites, make sure the online retailer you are purchasing from has a safe website, because many are not secure. Before you enter your credit or bank card information, look for the green lock icon without any overlays, said Shaun Murphy, CEO of Private Giant, an Orlando, Fla.-based company that plans to launch a security app for smartphones.

"Some sites, including Amazon, will not show you a lock icon until you log-in into your account or begin the check-out process," he said. "This means anyone can see what you are shopping for while you are browsing."

Hidden/Out Of View Terminals

Be wary of the hidden terminals when you are shopping. It could be the gas pump that is furthest away or an unattended station for automatic checkouts at the grocery store, Murphy said.

"These are sweet targets for credit card skimming devices that can sit there for months without anyone noticing," he said.

Nowadays, skimmers are small enough to fit inside pockets or even hidden within the credit card slots in payment terminals. This means you may unwittingly hand over data when swiping your card at a gas pump, so go inside to pay, said Geoff Sanders, CEO of LaunchKey, a Las Vegas-based decentralized mobile authentication and authorization platform.

"Criminals merely need to pull a car up in front of a pump to surreptitiously install or retrieve a skimmer within a matter of minutes," he said.

Temporary Stores

It's tempting to use your credit card to pay for a T-shirt at a concert or a vendor at temporary open-air markets, swap meets or craft fairs, "thanks to the ubiquity of mobile Internet connections," Parker said.

"These scenarios provide an excellent venue for the grifting of card information," he said. "The consumer is left trusting a vendor that doesn't have an actual retail location."

Outdoor Pay Terminals

Another place where consumers should be wary of using their cards is at outdoor pay terminals, including drive-through locations at fast food restaurants. Being outdoors makes a terminal another prime location for a hidden skimmer device.

Skimmers have even been found on the door readers that require users to scan their card before entering the ATM lobby, Parker said.

Cell Phone Charging Stations

As consumers spend more time on their smartphones, charging your phone becomes more of a necessity than a preference. Even though it seems like a no-brainer to swipe your card to charge your phone for free when the battery is nearly dead, the convenience could cost you.

"These devices can also dump the information from your cell phone while charging," Murphy said. "This attack method even has a cool name: juice jacking!"

Apps

Not all apps are the same or designed with the same goal in mind. If any of the apps on your laptop, tablet or mobile device ask you for your credit card information outside of the normal app store, check to be sure the program is legit. There is a good possibility that it is a fake, especially the ones that demand your immediate attention and claim that your computer has a virus or that all of your files are encrypted and need to be unlocked for a price.

Free Services or Trial Period

There is a multitude of free services and trial periods that allow you to watch a movie or try some software for a period of time. The catch is that you still need to enter your credit card information before you can start using it. It sounds too good to be true, because it is "almost guaranteed that the service is either going to scam you or sign you up for some paid service that will be impossible to cancel," Murphy said.

What to Use Instead of Your Bank or Credit Card

Re-loadable pre-paid cards and cash are two good options since they are not linked to any personal financial information. Using cash is the best way to avoid overspending, because it makes you more aware of the financial impact that the purchase has on your budget, said Bruce McClary, spokesperson for the National Foundation for Credit Counseling, a Washington, D.C.-based non-profit organization.

You should not use your debit card anywhere other than in an ATM machine, said Steve Weisman, a Boston lawyer and a lecturer of law, taxation and financial planning at Bentley University in Waltham, Mass. You are exposed to more liability when you are using a debit card. Although laws limit your debit card liability to $50 if you report the fraudulent use to the bank within two days, that changes as you wait longer. If you don't notice the fraud and report it to your bank after three days, your liability jumps to $500, he said.

"Your bank account will be frozen while the bank investigates the matter, thereby limiting your own access to the account," Weisman said.

If you don't have cash or a pre-paid card handy, a credit card is still a good choice because it may take banks many days to refund fraudulent charges or withdrawals, said Sanders.

"If an attacker successfully drained your checking account through your debit card, you could be without cash for quite some time," he said.

Since nearly all debit cards can be used as a credit card, consumers should always use the credit card feature, Parker said. When the card is used as a debit card with the PIN being entered, you are at risk of having both the card and PIN compromised.

"This could allow cyber criminals to directly withdraw cash," he said.

With major retailers and banks such as Target, Sony, AOL, eBay, JP Morgan Chase, Home Depot, Anthem, TJ Maxx and Apple being attacked by cyber criminals and having millions of data records leaked and exposed, consumers should be more concerned about large companies, said Dave Bennett, CTO of IONU, a data security company based in Longmont, Colo.

"Hackers are going to go after the big targets, not the small fry," he said.

Police departments offer places to complete online transactions

The popularity of online peer-to-peer platforms for buying and selling things is unmistakable.

Websites that allow consumers to interact to sell household items, vehicles, furniture, and just about any other item to people in their community are highly popular.

There's just one problem. Assuming you aren't shipping the item to the buyer, the buyer and seller have to meet somewhere to execute the deal. Since the two parties have probably never met before, there could be some concerns about safety.

For example, some of these online transactions have been linked to violent crimes, which might make some consumers leery of meeting a potential buyer who is a perfect stranger. So at least one of these online platforms, Offer Up, has staked out safety as a key part of its mission.

Find a public place

"Whenever possible, meet at a public location such as a cafe or shopping mall," the company advises. "Take extra caution when meeting for a high-value item, and consider meeting at your local police station."

But finding a safe, highly visible place in a rural area is more challenging than in the suburbs. There aren't that many cafes or shopping malls.

So the company has produced signs, designating the area around the sign as a safe transaction place, and sent them to small town police stations. One arrived at the Northumberland County, Virginia Sheriff's Department.

"It's actually something that we had been talking about for a while," Northumberland County Sheriff James "Doc" Lyons told ConsumerAffairs. "We haven't really had many problems with this but it just seemed like a prudent step."

In front of the sheriff's department

Lyons had the sign installed in front of the sheriff's department building, which is located in a central part of the sparsely populated county in eastern Virginia. The sign identifies the area around it as a safe place in which to carry out a transaction with a stranger.

"Not only are there always law enforcement officers nearby, the location is well lit and is videotaped around the clock," Lyons said.

For its part, Offer Up says it has sent out around 5,000 "meet-up transaction site" signs to local police departments.

Other peer-to-peer transaction sites are also pushing safety. Craigslist, one of the oldest and most widely used, urges users to exercise "common sense" precautions.

Among its advice -- always meet in a public place, avoid inviting strangers into your home, and always tell someone where you are going when you meet a buyer or seller to complete a transaction.

Pressure to post first creates major online missteps

As the tune says: "baby you can do it take your time do it right". Being first is one thing; being embarrassed or sued is another. Of course, the desire to be first, even at the risk of being wrong, is nothing new. But social networks and real-time Internet portability have combined to spawn errors and reactions at an increasingly breakneck pace, particularly on Twitter, which -- with its brevity and scope -- makes it easy to disseminate clickbacks and comebacks in 140 characters or fewer.

Many errors are minor. Actor LeVar Burton, mistaking Twitter's private and public spheres, accidentally released his phone number to the entire Twitterverse, then backtracked with a joke. Celebrity rumors roar through all the time, causing quick kerfuffles as they're checked and then dismissed.

Others, however, are more dramatic. Last month controversial hip-hop singer Chris Brown posted a defiant message after the Grammys -- a tweet that didn't go over well. Soon afterward, Brown (or his handlers) deleted all evidence of his Twitter tantrum, but not before bloggers had grabbed screen shots of the offending missives.

Ashton Kutcher posted a hasty tweet about the firing of Penn State's Joe Paterno, then apologized.

Several news services initially tweeted that Arizona Rep. Gabrielle Giffords had died in the Tucson shootings last year. When Giffords was confirmed to be alive, some deleted their early posts.

Actor Ashton Kutcher, who has close to 10 million Twitter followers, tweeted a protest of Penn State coach Joe Paterno's firing -- before realizing why Paterno was being let go. Kutcher later apologized, deleted his earlier messages and finally put his Twitter account under the control of his publicists.


Prevent Employee WiFi Security Leaks With Open Source Kismet

It’s a real challenge. While businesses try to keep their networks secure, some employees sneak WiFi hubs into the building and connect them to the network so that they can use wireless devices from home, cell phones, tablets, and so on. We don’t question their motives. Employees are simply trying to be as productive as possible with devices they are familiar with. What they don’t appreciate is that unprotected WiFi, known as 802.11 networks, can open gaping holes in network security. We are actually seeing networks that can be easily accessed from the company parking lot. What to do…

Kismet is an open source tool for discovering wireless networks. It can be used to troubleshoot a wireless network and detect network intrusions. It is a similar tool to netstumbler (which is used in the Windows world) but it does have some differences. One area in which kismet is superior is the ability to detect hidden 802.11 wireless networks.

The significant area of difference between kismet and netstumbler is how kismet detects an 802.11 network. Kismet listens for a beacon transmission from a wireless access point; this is in contrast to netstumbler, which sends a broadcast for any Service Set Identifier (SSID). The advantage of listening rather than broadcasting is that kismet is able to detect networks that do not advertise an SSID.

Kismet uses channel hopping to enable detection of wireless networks. This means that it will listen on one channel, then hop to another channel and listen, then to another and so on. Channel hopping is a simple algorithm that hops from channel to channel in a pre-determined pattern. Kismet can detect a client’s response to a beacon frame and uses this to associate the client with a wireless access point.

By simply monitoring WiFi with a product like Kismet, a business will know immediately when new WiFi networks appear, before they give away the corporate secrets.
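To make the monitoring step concrete, the following added example (not Kismet code or Kismet output, and not from the original article) compares passively observed beacons with a list of sanctioned access points. The CSV record layout, the sample rows, the `APPROVED` allowlist and all function names are assumptions constructed for illustration.

```python
"""Flag access points that are not on the approved list (added example)."""
import csv
from dataclasses import dataclass

# Constructed sample observations: one row per beacon heard while listening
# (BSSID, SSID, channel, signal in dBm). An empty SSID models a network that
# does not advertise its name, which a passive listener still sees.
SAMPLE_BEACONS = """\
02:00:00:aa:00:01,CorpNet,1,-48
02:00:00:aa:00:02,CorpNet,6,-52
02:00:00:bb:00:09,,11,-40
02:00:00:cc:00:07,CorpNet,6,-60
02:00:00:aa:00:01,CorpNet,1,-50
02:00:00:cc:00:07,CorpNet,6,-35
"""

# Hypothetical allowlist of sanctioned access points: BSSID -> (SSID, channel).
APPROVED = {
    "02:00:00:aa:00:01": ("CorpNet", 1),
    "02:00:00:aa:00:02": ("CorpNet", 6),
}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str        # empty when the SSID is not advertised
    channel: int
    signal_dbm: int


def parse_beacons(text):
    """Parse the constructed CSV layout into Beacon records."""
    beacons = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        bssid, ssid, channel, signal = (field.strip() for field in row)
        beacons.append(Beacon(bssid.lower(), ssid, int(channel), int(signal)))
    return beacons


def find_unapproved(beacons, approved):
    """Return {bssid: (strongest Beacon seen, [reasons])} for APs to review."""
    approved_ssids = {ssid for ssid, _channel in approved.values()}
    findings = {}
    for beacon in beacons:
        reasons = []
        if beacon.bssid not in approved:
            reasons.append("unknown BSSID")
            if not beacon.ssid:
                reasons.append("hidden SSID")
            elif beacon.ssid in approved_ssids:
                # An unsanctioned radio reusing the corporate network name.
                reasons.append("uses an approved SSID")
        elif approved[beacon.bssid] != (beacon.ssid, beacon.channel):
            reasons.append("approved BSSID with unexpected SSID or channel")
        if not reasons:
            continue
        # Keep the strongest sighting: it is the most useful one for
        # walking the floor and locating the device.
        best = findings.get(beacon.bssid)
        if best is None or beacon.signal_dbm > best[0].signal_dbm:
            findings[beacon.bssid] = (beacon, reasons)
    return findings


if __name__ == "__main__":
    for bssid, (beacon, reasons) in find_unapproved(
        parse_beacons(SAMPLE_BEACONS), APPROVED
    ).items():
        name = beacon.ssid or "<hidden>"
        print(f"{bssid} {name} ch{beacon.channel} {beacon.signal_dbm} dBm: "
              + ", ".join(reasons))
```
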

Protect Your 4 Digit Pin Number

The safest 4-digit PIN is '8068' — or at least it was, until researchers at Data Genetics told everyone this week. The researchers there went through a set of 3.4 million four-digit personal identification numbers and found "8068" came up only 25 times.

But now that this news is out, that's probably a PIN to stay away from. As Softpedia pointed out, would-be thieves may start trying that combination right after they hit "1234" ― the most common PIN, with nearly 11 percent frequency.

While not as common as 1234, there are several numbers that people seem drawn toward. For instance, PINs starting in "19" are common because people like to link their identification numbers with a significant year. In fact, all PINs that start in 19 fall into the top fifth of the dataset.

The top 20 includes all the series in which the first number is repeated throughout (such as 3333) plus 4321, 1212 and 2001. The study also found that many PINs are based on visual clues. Coming in at No. 22 is 2580 ― the numbers that run down the middle of a phone or ATM keypad.

Based on this report, more than 10 percent of all bank accounts can be hacked with one guess. Beyond that, one-third of all PINs are made up of just 61 variations.

Even when PINs get longer, security doesn't seem to improve. Regardless of length, the most popular personal identification numbers appear in sequential order. As for the second-most common combinations, among seven-digit PINs it's 7777777. Six digits? 123123. What about nine? 987654321.

It's also important to note that PIN users are fans of 1980s band Tommy Tutone. "Jenny's" number, 8675309, is the fourth most-popular seven-digit PIN.

So what is the most secure PIN now that 8068 has been outed as the least popular? It's the one you make up, don't write down and don't share with anyone. As long as you don't use your birthday (or your spouse's or child's), or 1234, your PIN should be just as secure as the gentleman's at the ATM in front of you.

Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed


Cracking Your PIN Code: Easy as 1-2-3-4

If you lost your ATM card on the street, how easy would it be for someone to correctly guess your PIN and proceed to clean out your savings account? Not long, according to data scientist Nick Berry, founder of Data Genetics, a Seattle technology consultancy.

Berry analyzed passwords from previously released and exposed password tables and security breaches and filtered the results to just those that were exactly four digits long [0-9]. There are 10,000 possible combinations that the digits 0-9 can be arranged to form a four-digit code. Berry analyzed those to find which are the least and most predictable. He speculates that if users select a four-digit password for an online account or other web site, it's not a stretch to use the same number for their four-digit bank PIN codes.

What he found, he says, was a "staggering lack of imagination" when it comes to selecting passwords. Nearly 11% of the 3.4 million four-digit passwords he analyzed are 1234. The second most popular PIN is 1111 (6% of passwords), followed by 0000 (2%). (Last year SplashData compiled a list of the most common numerical and word-based passwords and found that "password" and "123456" topped the list.)


Berry says that a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

We don't like hard-to-remember numbers and "no one thinks their wallet will get stolen," Berry says.

Days, months, years
Many of the commonly used passwords are, of course, dates: birthdays, anniversaries, the year you were born, etc. Indeed, using a year, starting with 19__ helps people remember their code, but it also increases its predictability, Berry says. His analysis shows that every single 19__ combination can be found in the top 20% of the dataset.

"People use years, date of birth — it's a monumentally stupid thing to do because if you lose your wallet, your driver's license is in there. If someone finds it, they've got the date of birth on there. At least use a parent's date of birth [as a password]," says Berry.

Keyboard patterns

Somewhat intriguing was #22 on the most common password list: 2580. It seems random, but if you look at a telephone keypad (or ATM keypad) you'll see those numbers are straight down the middle — yet another sign we're uncreative and lazy password makers.

The least predictable password
The least-used PIN is 8068, Berry found, with just 25 occurrences in the 3.4 million set, which equates to 0.000744%. (See the second table for the least popular passwords.) Why this set of numbers? Berry guesses, "It's not a repeating pattern, it's not a birthday, it's not the year Columbus discovered America, it's not 1776." At a certain point, these numbers at the bottom of the list are all kind of "the lowest of the low, they're all noise," he says.

A few other interesting tidbits from Berry:

- The most popular PIN code (1234) is more popular than the lowest 4,200 codes combined.
- People have even less imagination in choosing five-digit passwords — 28% use 12345.
- The fourth most popular seven-digit password is 8675309, the Tommy Tutone song.
- People love using couplets for their PINs: 4545, 1313, etc. And for some reason, they don't like using pairs of numbers that have larger numerical gaps between them. Combinations like 45 and 67 occur much more frequently than 29 and 37.
- The 17th-most common 10-digit password is 3141592654 (for you non-math nerds, those are the first digits of Pi).
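The patterns described in this article and in the PIN article before it (repeated digits, sequential runs, 19__ years, dates, the 2580 keypad column, couplets, and a few numbers named in the text) can be turned into a check that a service runs when a user chooses a PIN. This is an added example, not code from Data Genetics or from either article; the function names and reason labels are assumptions, and treating a wrap-around run such as 7890 as sequential is a generalization beyond the cases the text lists.

```python
"""Reject PINs that match the predictable patterns the articles describe."""
import re

# Numbers the articles single out by name (list assembled from the text).
PUBLICISED = {"8675309", "3141592654", "8068"}


def _is_sequential(pin):
    """True for runs such as 1234, 4321 or 7890 (step +1 or -1, wrapping at 0)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def _repeated_block(pin):
    """Length of the shortest block that repeats to form the PIN, or 0."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return size
    return 0


def _looks_like_date(pin):
    """Four digits that read as MMDD or DDMM."""
    if len(pin) != 4:
        return False
    first, second = int(pin[:2]), int(pin[2:])
    return (1 <= first <= 12 and 1 <= second <= 31) or (
        1 <= first <= 31 and 1 <= second <= 12
    )


def weak_pin_reasons(pin):
    """Return the list of reasons a PIN is predictable; empty means no finding."""
    if not re.fullmatch(r"\d{4,}", pin):
        raise ValueError("PIN must be at least four digits")
    reasons = []
    block = _repeated_block(pin)
    if block == 1:
        reasons.append("repeated digit")        # 1111, 0000, 7777777
    elif block:
        reasons.append("repeated block")        # 4545, 1313, 123123
    if _is_sequential(pin):
        reasons.append("sequential run")        # 1234, 4321, 987654321
    if len(pin) == 4 and pin.startswith("19"):
        reasons.append("year")                  # every 19__ is in the top 20%
    if _looks_like_date(pin):
        reasons.append("date")                  # birthdays, anniversaries
    if pin == "2580":
        reasons.append("keypad column")         # straight down the keypad
    if pin in PUBLICISED:
        reasons.append("publicised number")
    return reasons


def audit(pins):
    """Map each rejected PIN to its reasons; PINs with no finding are omitted."""
    return {pin: found for pin in pins if (found := weak_pin_reasons(pin))}


if __name__ == "__main__":
    # Constructed candidates: the values quoted in the articles plus one
    # arbitrary PIN that matches none of the patterns.
    for pin, found in audit(["1234", "1111", "1984", "2580", "4545",
                             "123123", "8675309", "8068", "7295"]).items():
        print(pin, "->", ", ".join(found))
```

An empty result only means the PIN matches none of these patterns; it says nothing about whether the number is tied to the user's own birthday or other personal data.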


Protect Yourself From Social Engineering

Not all computer security problems are technological problems. Some are people problems. Just as talented hackers can use their programming skills to exploit applications, operating systems, and protocols to get inside your company’s network, talented social engineers can breach your network by using their “people skills” and powers of observation to exploit your company’s employees, partners, and others who have legitimate network access. They are adept at psychologically manipulating people into giving them access or the information necessary to get access using a variety of schemes. Here's a look at some of the tactics and techniques commonly used by these intruders and what you can do to thwart them.

1. Impersonating IT staff

A favorite ploy of social engineers is to pretend to be someone from inside the company—often a member of the IT department. Many users who would never give their passwords to a “stranger” don’t think twice before supplying whatever information is requested by a phone call from a member of the IT staff. This is especially true if the caller implies that their account may be disabled and that they might not be able to get important e-mail or access needed network shares if they don’t cooperate. It’s not enough to warn users to be careful; good social engineers will do their homework and find out the names of real members of the IT department. They'll even find a way to place the call from inside the company or have a plausible excuse for why it’s coming from outside (for example, saying that they're troubleshooting the problem from the company’s headquarters or its special “central IT center”).

So how are employees to know whether the person asking for their passwords is legit? In fact, there’s rarely any reason a real IT administrator would need to know a user’s password. If administrators need to get into a user’s account, they can simply use their administrative privileges to change the password to whatever they want and access the account that way. Asking users for their passwords usually indicates either an administrator who doesn’t know the job or a social engineering attempt.

2. Playing on users’ sympathy

Another favorite tactic of social engineers is to elicit sympathy from a user to get him or her to reveal password information or allow physical access to sensitive servers. For example, the social engineer may pretend to be a worker from outside, perhaps from the phone company or the company’s Internet service provider. He tells the secretary who has the key to the server room that he’s new on the job and supposed to be back to the office in an hour, and he just needs to check out some wiring very quickly. Or he pretends to be with the ISP and tells the user he calls that he has messed up her account and if he doesn’t get it fixed right away, he’ll lose his job—and of course, he needs her password to do it. Whatever the story, the social engineer appears to be upset, worried, and afraid of some dire consequence that will befall him if the target victim doesn’t help. This exploits the natural inclination of most people to want to help a person who’s in trouble.

3. Wooing them with words

Some social engineers will go to great lengths to pry information out of a user, especially if the stakes are high (e.g., in cases of corporate espionage where the social engineer stands to gain a big financial reward for getting into the network). They’ll engage in elaborate, long-term schemes that include slowly becoming close friends with their target victims or even initiating and developing a romantic relationship to get to the point where the victim trusts the social engineer enough to reveal confidential information, including network passwords and other information needed to break in. This may also make it possible for the social engineer to gain access to keys, smart cards, etc., that can be used to defeat security mechanisms.

Another example of wooing involves gradually persuading the victim that he or she has been wronged by the company or that the company is doing something illegal or unethical and thus deserves to be “taken down” by the social engineer—who just needs the victim’s help in the form of passwords or other access to bring about justice.

4. Intimidation tactics

Some victims don’t respond well to the sympathy tactic or romantic overtures. In that case, social engineers may need to turn to stronger stuff: intimidation. In this case, the social engineer pretends to be someone important—a big boss from headquarters, a top client of the company, an inspector from the government, or someone else who can strike fear into the heart of regular employees. He or she comes storming in, or calls the victim up, already yelling and angry. They may threaten to fire the employee if they don't get the information they want—even if the employee protests that company policy says not to divulge that information to anyone. It takes a very strong person to say “no” to the (supposed) boss or risk losing the company a big contract or getting the company in trouble with the government.

5. The greed factor

Many con games rely on people’s greed, and social engineers take advantage of it, too. Sometimes they just come out and offer money or goods in exchange for passwords or access, but they’re usually more subtle than that. Regardless of the approach, the bottom line is that the social engineer promises the employee some benefit (for example, a better paying job with a competing company) if he or she divulges the requested information.

6. Creating confusion

Another ploy involves first creating a problem and then taking advantage of it. It can be as simple as setting off a fire alarm so that everyone will vacate the area quickly, without locking down their computers. Social engineers can then use a logged-on session to do their dirty work.

7. Shoulder surfing

Shoulder surfing is a form of “passive” social engineering in which social engineers put themselves in a position to observe when the victim is typing in passwords or other confidential information. They may do this without the victim’s knowledge that they're there or they may use their people skills to win the victim's trust so they don't mind their being there.

8. Dumpster diving

Dumpster diving is a form of social engineering that predates computers. The social engineer goes through the victim’s trash can or the company’s dumpster, in this case looking for hard copies of information that can be used to break into the network. The social engineer may pose as a janitor to get access to discarded papers, diskettes, discs, etc., that are supposed to be taken to a central shredding or incineration facility.

9. Gone phishing

The well-publicized Internet scam called “phishing” is a type of social engineering, often done via e-mail rather than in person. (However, phishing scams can also be conducted by snail mail or telephone.) Traditional phishers pretend to represent a company with which the victim does business, often requesting that the victim go to a Web site that looks like the site of the company they claim to represent. (In reality, the site belongs to the phisher.) The victim enters password and other information on the site, and it goes directly to the phisher, who then uses it for nefarious purposes. A clever social engineer who wants to break into your network might create a site that purports to be set up by the IT department for the purpose of confirming or changing the user’s network password. The information is redirected to the phisher, providing a “free pass” to log onto your network.

10. Reverse (social) engineering

An even sneakier method of social engineering occurs when a social engineer gets others to ask him or her questions instead of questioning them. These social engineers usually have to do a lot of planning to pull it off, placing themselves in a position of seeming authority or expertise. This often involves creating a problem with the network hardware or software (or the appearance of a problem) and then showing up as the expert who can fix it (and who gets full access to the systems to make the repairs).

Protecting against social engineering

Although all of these methods differ, some solutions are common to all of them. User education is the number one line of defense against social engineering, backed up by strong, clear (written) policies that define when and to whom (if ever) users are permitted to give their passwords, open up the server room, etc. Strict procedures should be laid down. For example, if you want to enable users to give their password information to the IT department in some cases when administrators call and ask for it, you should direct that they first hang up and call the department back (using the number in the company directory, not one left by the caller) and that administrators supply a prearranged verbal password to verify their identity.

Social engineering itself is not a technological problem, but it does have a technological solution. In most cases, social engineering is aimed at getting a user to reveal network logon passwords. By implementing multifactor authentication (smart cards/tokens or, even better, biometrics), you can thwart a high percentage of social engineering attempts. Even if the social engineer manages to learn the password, it will be useless without the second authentication factor.

RansomWare: Extortion via the Internet by Michael Kassner

I received so much email on this article I decided to run it one more time.

One of my neighbors recently experienced ransomware first hand. Up until then, he had no idea it existed. Because of that, it seems important to revisit extortion malware, explain exactly what it is, and how to avoid it.

Ransomware made its debut with a trojan called PC Cyborg, the brainchild of Dr. Joseph Popp. The extortion begins with a vulnerable computer becoming infected. Once settled in, the malware hides all folders and encrypts file names on the C: drive. Next, a dialog box opens, proclaiming the victim needs to send PC Cyborg Corporation $189 US, because the license had expired.

Until ransom money is received and the malware’s activities are reversed, the victim has a non-working computer. Thankfully, the doctor’s trojan had a weakness. It encrypted the file names using symmetric cryptography. Once experts had a chance to analyze the malcode and encrypted tables, it became simple to reverse and determine who created the ransomware.

It seems the doctor felt he was doing something worthwhile (he was eventually declared mentally unfit). At his trial, he mentioned that the ransom money was to be used for AIDS research.

Public key and Cryptovirology

In 1996, two researchers, Adam Young and Moti Yung, fixed Dr. Popp's oversight, explaining how in the paper Cryptovirology: Extortion-Based Security Threats and Countermeasures (PDF). I believe it’s also where the term Cryptovirology was coined.

Young and Yung figured out how to use public-key cryptography in ransomware, making reverse-engineering virtually impossible. The crypto-virus encrypts the victim’s files using the malware writer’s public key. The extortion comes into play when the victim is asked to pay ransom in order to obtain the private key for decrypting the files.

How it works

Young and Yung call this type of ransomware crypto-viral extortion, giving the following definition:

“Crypto-viral extortion, which uses public key cryptography, is a denial of resources attack. It is a three-round protocol that is carried out by an attacker against a victim. The attack is carried out via a crypto-virus that uses a hybrid cryptosystem to encrypt host data while deleting or overwriting the original data in the process.”

The three-round protocol is interesting. It consists of the following:

  • Crypto-virus is installed: Using any number of techniques, usually drive-by dropper platforms, the crypto-virus gets installed on vulnerable computers. When the virus activates, it creates a symmetric key and initialization vector (IV). The crypto-virus proceeds to encrypt data files using the symmetric key and IV, after which it concatenates the IV with the symmetric key. Finally, the concatenated string is encrypted using the malware author’s public key. With everything now in place, the crypto-virus pops open a window explaining the ransom demands to the victim.
  • Victim’s response: If the victim decides to pay the ransom, there are several ways that can happen. We will look at those in a bit. The victim also has to send the encrypted concatenated string to the cybercriminal.
  • Attacker’s response: The extortionist then decrypts the string using the private key, which discloses the symmetric key and IV, and finally sends both back to the victim, who will use them to decrypt the data files.

Covering their tracks

On their Web site, Young and Yung talk about the effort cybercriminals go through to protect themselves. They store the public and private keys on a smart card and do not personally know the bit representation of the private key:

“Ideally, the smart card will implement two-factor security: something the virus author knows (a PIN number) and something the virus writer has (the smart card that contains the private key). Also, the card will ideally be immune to differential power analysis, timing attacks, etc. to prevent the virus author from ever learning the bits of the private key.”

The Web site goes on to explain why the extortionists do this:

“In the U.S. the virus author cannot be forced to bear witness against himself or herself (Fifth Amendment) and so the PIN can remain confidential. The purpose of this setup phase is to limit the effectiveness of seizing and analyzing the smart card under subpoena or warrant (competent evidence).”

Payment techniques

In the past, ransomware has not been the malware of choice. That’s because cybercriminals are concerned about the money trail sending ransom funds creates. I mentioned earlier that many approaches have been tried. Here are some of them:

  • Trojan.Ransom-A declares that it will destroy one data file every 30 minutes unless $10.99 US is sent to a specified account via Western Union.
  • Trojan.Archiveus is a bit more creative. The ransom note declares the decryption password will be sent if the victim purchases something from a specified Web site, typically in Russia.
  • Win32.Ransom uses a novel way to obtain ransom money. The crypto-virus blocks Internet access until the victim sends a premium SMS message. This approach is becoming the favored payment method.

Example

To help understand the entire process, let’s look at what many consider cutting-edge ransomware. F-Secure just released information about Trojan:W32/DatCrypt. Here’s how it works.

The trojan makes its way onto the victim’s computer, after which it gives the illusion that data files such as Office documents, music, audio, and video are corrupt, as shown in the following slide (courtesy of F-Secure):

In reality, the files have been encrypted by the trojan. The next message opened by DatCrypt informs the victim to download specified file repair software. Notice how the window created by the malware appears to be a message from the Security Center (courtesy of F-Secure):

What is actually downloaded is Rogue:W32/DatDoc, malware that gives the appearance of fixing the problem. But only one file can be fixed with the free version (courtesy of F-Secure):

The attackers are trying to lull the victim into thinking the software actually works. They hope the victim will spend $89.95 US for the registered version. In reality, victims are paying ransom to get their own files back.

Solution

There is no magic formula to avoid crypto-viral extortion. It’s just malware looking for vulnerable computers to exploit. Keeping operating system and application software up-to-date, along with a decent anti-virus application will offer protection. Also, having current backups of all important data is a good idea, just in case.

Final thoughts

Ransomware is making a resurgence. Hard-to-trace Internet payment methods are emboldening cybercriminals.

Fact is, this type of Virus changes so often, there is no way your AntiVirus provider can keep up. The Viral Terrorists are so slick that even though you think you have removed the program, it might really be lying dormant, ready to strike again. Then too, we have reformatted drives and reloaded OS and programs and then have a system get re-infected after only a day or so on the internet.

Two thoughts immediately come to mind. Once the extortionist has the money, why send back the decryption information? Also, what proof does the victim have that the whole process won’t start over again? What will they do with the credit card information???

Ransomware Targets Your Car and Your Home

( @ ZDNET) Ransomware is perhaps the biggest cybersecurity scourge of 2016, becoming increasingly problematic both for individuals and businesses of all sizes.

The concept is simple: the cybercriminal will trick a victim into opening a malicious file or clicking on a link which causes their computer, tablet, or smartphone to be infected with malware that encrypts the data stored on the device. The cybercriminal then demands the victim pay a ransom -- often in Bitcoin -- in order to get their systems unlocked. (Now it's not just your data that's at risk from ransomware. - Image: iStock)

While the ransomware installs data-stealing malware on your system, getting infected with ransomware is more an annoyance than anything. Yes, a business will lose money while its networks are locked down, but in most cases it doesn't have any further 'real world' consequences, as the theft of personal data or banking information might.

However, with more and more connected objects joining the Internet of Things, there's the potential that cybercriminals could also seek to install ransomware on these additional devices, with consequences ranging from the annoying to the potentially dangerous.

Researchers at Intel Security recently discovered a vulnerability in the infotainment system of a connected car from one manufacturer, which could allow criminals to install malware on the vehicles' systems by putting it on an SD card and loading that into the infotainment system, said Raj Samani, CTO EMEA at Intel Security.

Researchers demonstrated that the device had been infected by having the sound system play a single song over and over. But what if instead of just being annoying, cybercriminals could go on to disable a vehicle with ransomware too?

It's possible, especially as vehicles' systems become more interconnected on the inside -- something like a sound system vulnerability could potentially be used to access other in-car systems if vehicle manufacturers don't take security seriously enough.

Unless there is clear separation between the engine control units and other systems, hackers could block out the entire car "so you're not even going to get out of your driveway unless you pay," says Samani. This could be a lucrative option for cybercriminals because, while people might be OK with losing some files if they don't pay the ransom, when it comes to a car, they're going to give in, he added.

"Quite frankly, if you're sitting in your driveway in 2021 in a self-driving car, if you have to pay two Bitcoins to get to work, what are you going to do? Are you going to pay? Of course you will. If you've got a $60,000 connected car to drive you to work and you're being charged $200 to move? You'll pay," he says.

Ransomware in a connected car would render the vehicle useless until a ransom is paid in this scenario mocked up by Intel.

Image: Intel Security

Researchers have also demonstrated how it can be relatively simple for malicious hackers to infect a home router with ransomware -- the one used during the research is available to buy from Amazon and over 100,000 have been sold.

The devices are shipped with some rather basic default login credentials, making it easy for cybercriminals to hack the system, simply by entering the default login and password. Anyone who wanted to try to infect this particular router could do so by searching for it on Shodan, the search engine for connected IoT devices.

"A search finds tens of thousands of home routers which basically have fundamental security issues," he said. If a hacker were able to exploit the flaw, the victim would need to pay the ransom in order to regain control of every internet-connected device in their home -- and it's likely they'd pay up in order to regain control of their systems from the hackers.

Security researchers managed to infect a router with ransomware.

Image: Intel Security

So how do organisations feel when outside researchers inform them that there are potentially huge holes in their devices that could be taken advantage of by criminals?

"We get a very mixed bag of responses from companies," says Samani. "In some cases they say 'great, let's fix it,' but in other cases we just get complete silence."

Given the sheer number of devices being connected to the internet, it's somewhat worrying to hear that there are device manufacturers out there who are taking a blasé attitude to cybersecurity of their products.

"The concept of today's ransomware is to lock your data to ransom. But what we're showing here is that the data is almost irrelevant -- it's the device we're locking up: connected medical devices, home routers, cars; it's the device," Samani says.

Ransomware Spreads Like A Virus In The Cloud

(Stu Sjouwerman @ CyberHeist) An obscure 2-year-old ransomware strain called Virlock has a nasty feature: it is capable of stealthily spreading itself via cloud storage and collaboration apps. That way just one infected user can unknowingly spread the infection further across your network, Netskope researchers discovered. Virlock is borrowing from a wide range of threat techniques.

How does it work? 

Ransomware normally spreads through email phishing attacks, exploit kits, removable drives or external network shares. However, Virlock is a weird family of ransomware that not only encrypts files but also converts them into a polymorphic file infector just like a virus. Apart from infecting the usual documents and image related files, it also infects binary files. Yikes. 

Virlock has effectively weaponized every data file it encrypts, converting each one into a propagation vehicle for the malware itself

Read the whole story at the KnowBe4 Blog with links, a bunch of screenshots, schematics and how to mitigate if you get hit with this, because there is one silver lining that you need to know about:
https://blog.knowbe4.com/new-virlock-ransomware-strain-spreads-stealthil...

Ransomware's Greatest Adversary: Employee Cyber Awareness

October is National Cyber Security Awareness Month, a great opportunity to strengthen your human firewall in the war against this ransomware epidemic. 

Here are two great bits of ammo if you need to get budget for IT security. First is an article that explains how ransomware causes downtime for sometimes a whole organization and how to boost cyber security awareness. I suggest you send this to the powers that be and cc HR while you are at it. This was written by a large insurance / reinsurance company:
http://xlcatlin.com/fast-fast-forward/articles/ransomwares-greatest-adve...

Next, the DHS site has lots of tools, hints and themes you can use. In their words: 

"October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about cybersecurity. We live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. 

National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident:
https://www.dhs.gov/national-cyber-security-awareness-month

Are Employees Still A Huge Security Risk

 

(CyberHeist) Is security awareness training doing the job of protecting organizations from employee negligence? Michael Bruemmer of Experian Data Breach Resolution tells us where awareness is falling short, and what companies can do to improve. He helps companies with data breaches and knows what he is talking about - they handle more than 3,500 of these per year. 

Despite an increase in security awareness training, and concern about awareness by top-level management at companies, data breaches continue to happen through employee negligence, whether malicious or not. 

In the latest episode of Security Sessions, Joan Goodchild spoke with Bruemmer about a recent survey that said companies are unprepared to stop employee-caused data breaches. Worth 8 minutes of your time, watch this on a break:
http://www.csoonline.com/article/3125093/security/why-your-employees-are...

85% Of State CIOs Have Now Developed Security Awareness Training

"As cyberattacks grow in frequency and intensity, state governments have responded by adopting cyber security disruption plans, and the vast majority of states have now adopted a cyber security framework based on national standards and guidelines. 

According to the recent report “The 2016 State CIO Survey” from the National Association of State Chief Information Officers (NASCIO), 94 percent of state CIOs have now adopted such a cyber security framework. That is up from 80 percent in 2015.

Further, 85 percent of state CIOs have now developed security awareness training for workers and contractors, and 77 percent have created a culture of information security in state government." More:
http://www.information-management.com/news/security/cyber-threats-forcin...

Ransomware prevents Windows from starting Until you Pay Up

Ransomware asks users to pay up before letting them start Windows

A new ransomware variant prevents infected computers from loading Windows by replacing their master boot record (MBR) and displays a message asking users for money, according to security researchers from Trend Micro.

"Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code," said Cris Pantanilla, a threat response engineer at Trend Micro, in a blog post on Thursday. "Right after performing this routine, it automatically restarts the system for the infection to take effect."

The MBR is a piece of code that resides in the first sectors of the hard drive and starts the boot loader. The boot loader then loads the OS.

Instead of starting the Windows boot loader, the rogue MBR installed by the new ransomware displays a message that asks users to deposit a sum of money into a particular account via an online payment service called QIWI, in order to receive an unlock code for their computers.
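A defender-side check for the MBR overwrite described above, as an added example that is not from Trend Micro or the original article: it parses a 512-byte boot sector and compares its boot-code hash and partition table with a baseline recorded while the machine was clean. The sample sectors are constructed in the code, and the function names and the 440-byte boot-code span (the layout that places a disk signature at offset 440) are assumptions of this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439 hold the bootstrap code (assumed layout)
PART_TABLE_OFFSET = 446        # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def read_first_sector(image_path: str) -> bytes:
    """Read sector 0 from a disk image, opened read-only."""
    with open(image_path, "rb") as handle:
        return handle.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Return the fields of an MBR sector that matter for integrity checks."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + 16 * index
        status, ptype = sector[offset], sector[offset + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, offset + 8)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({
                "index": index,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """List the differences between a sector and a known-good parse_mbr() result."""
    current = parse_mbr(sector)
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_sector(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte sector with one bootable NTFS-type partition."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    disk_signature = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3,
                        2048, 204800)
    table = entry + b"\x00" * 48
    return code + disk_signature + table + BOOT_SIGNATURE


# Constructed sample data: placeholder bytes, not real boot code.
CLEAN = build_sample_sector(b"constructed-known-good-loader")
TAMPERED = build_sample_sector(b"constructed-replacement-code")

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN)
    print("clean   :", compare_to_baseline(CLEAN, baseline))
    print("tampered:", compare_to_baseline(TAMPERED, baseline))
```

Only the boot-code region is hashed because the disk signature and partition table can change legitimately; those are compared separately so a finding says which part moved.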

"This code will supposedly resume operating system to load and remove the infection," Pantanilla said. "When the unlock code is used, the MBR routine is removed."

Recent Facebook Flaw Bypasses Password Protection

(BBC News) Facebook has moved quickly to shut down a loophole which made some accounts accessible without a password.

The bug was exposed in a message posted to the Hacker News website.

The message contained a search string that, when used on Google, returned a list of links to 1.32 million Facebook accounts.

In some cases clicking on a link logged in to that account without the need for a password. All the links exposed the email addresses of Facebook users.

Throwaway account

The message posted to Hacker News used a search syntax that exposed a system used by Facebook that lets users quickly log back in to their account.

Email alerts about status updates and notifications often contain a link that lets a user of the social network respond quickly by clicking it to log in to their account.

In a comment added to the Hacker News message, Facebook security engineer Matt Jones said the links were typically only sent to the email addresses of account holders. Links sent in this way can only be clicked once.

"For a search engine to come across these links, the content of the emails would need to have been posted online," he wrote. Mr Jones suspected this is what happened as many of the email addresses exposed were for throwaway mail sites or for services that did a bad job of protecting archived messages.

Most of the million or so links exposed would already have expired, said Mr Jones.

"Regardless, due to some of these links being disclosed, we've turned the feature off until we can better ensure its security for users whose email contents are publicly visible," he said.

Mr Jones added that Facebook had taken steps to secure the accounts of people who had been exposed by the flaw. Many of the exposed accounts were in Russia and China.

In an official statement, Facebook said the links were sent "directly to private email addresses to help people easily access their accounts, and we never made them publicly available or crawlable."

However, it said, the links were then posted elsewhere online which led to them being indexed on search engines.

It said: "While we have always had protections on these private links to provide an additional layer of security, we have since disabled their functionality completely and are remediating the accounts of anyone who recently used this feature."

 

Red October Cyber Attack Found By Russian Researchers

A major cyber-attack that may have been stealing confidential documents since 2007 has been discovered by Russian researchers.

 

Kaspersky Labs told the BBC the malware targeted government institutions such as embassies, nuclear research centres and oil and gas institutes.

It was designed to steal encrypted files - and was even able to recover files that had been deleted.

One expert described the attack find as "very significant".

"It appears to be trying to suck up all the usual things - word documents, PDFs, all the things you'd expect," said Prof Alan Woodward, from the University of Surrey.

"But a couple of the file extensions it's going after are very specific encrypted files."

In a statement, Kaspersky Labs said: "The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.

"The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment."

'Carefully selected'

In an interview with the BBC, the company's chief malware researcher Vitaly Kamluk said victims had been carefully selected.

"It was discovered in October last year," Mr Kamluk said.

"We initiated our checks and quite quickly understood that this is a massive cyber-attack campaign.

"There were a quite limited set of targets that were affected - they were carefully selected. They seem to be related to some high-profile organisations."

Red October - which is named after a Russian submarine featured in the Tom Clancy novel The Hunt For Red October - bears many similarities with Flame, a cyber-attack discovered last year.

Like Flame, Red October is made up of several distinct modules, each with a set objective or function.

Explainer

Red October is said to be one of the most significant attacks ever to be discovered. Key facts include:

  • It has been operating since 2007
  • Attackers created more than 60 domain names to run the attack, based mostly in Germany and Russia
  • Specifically targeted "Cryptofiler" files - an encryption technique used by organisations like Nato and the EU
  • Most infection connections were found coming from Switzerland, followed by Kazakhstan and Greece
  • Intended targets received personalised correspondence based on gathered intelligence on individual people
  • Unlike Stuxnet, another major cyber-attack, Red October is not believed to have caused any physical damage to infrastructure, concentrating solely on stealing information

Source: Kaspersky Labs

"There is a special module for recovering deleted files from USB sticks," Mr Kamluk said.

"It monitors when a USB stick is plugged in, and it will try to undelete files. We haven't seen anything like that in a malware before."

Also unique to Red October was its ability to hide on a machine as if deleted, said Prof Woodward.

"If it's discovered, it hides.

"When everyone thinks the coast is clear, you just send an email and 'boof' it's back and active again."

Cracked encryption

Other modules were designed to target files encrypted using a system known as Cryptofiler - an encryption standard that used to be in widespread use by intelligence agencies but is now less common.

Prof Woodward explained that while Cryptofiler is no longer used for extremely sensitive documents, it is still used by the likes of Nato for protecting privacy and other information that could be valuable to hackers.

Red October's targeting of Cryptofiler files could suggest its encryption methods had been "cracked" by the attackers.

Like most malware attacks, there are clues as to its origin - however security experts warn that any calling cards found within the attack's code could in fact be an attempt to throw investigators off the real scent.

Kaspersky's Mr Kamluk said the code was littered with broken, Russian-influenced English.

"We've seen use of the word 'proga' - a slang word common among Russians which means program or application. It's not used in any other language as far as we know."

But Prof Woodward added: "In the sneaky old world of espionage, it could be a false flag exercise. You can't take those things at face value."

Kaspersky's research indicated there were 55,000 connection targets within 250 different IP addresses. In simpler terms, this means that large numbers of computers were infected in single locations - possibly government buildings or facilities.

A 100-page report into the malware is to be published later this week, the company said.

Robocall strike force seeks solution to pesky calls and texts

(Jim Hood @ ConsumerAffairs) Considering all of its blather about customer service, the telecommunications industry has been rather reluctant to do anything about robocalls, perhaps the most hated of modern annoyances.

But after prodding from the Federal Communications Commission (FCC), AT&T has agreed to lead an effort to limit the calls using technology that will use a "Do Not Originate" list identifying suspicious calls originated outside the United States.

AT&T had been arguing that it didn't have the legal authority to block robocalls, even though the FCC last year had clearly said the industry had its permission to do just that.

Last week, FCC Chairman Tom Wheeler decided to try again, writing to AT&T and other major carriers urging them to "offer call-blocking services to their customers now -- at no cost."

Task force

A few days later, AT&T said in a blog post that AT&T CEO Randall Stephenson would head up an industry task force to "accelerate the development and adoption of new tools and solutions to abate the proliferation of robocalls and to make recommendations to the FCC on the role government can play in this battle."

In other words, don't look for anything to happen right away. Wheeler, however, took it as a sign that things may at last be starting to move.

“I applaud AT&T for committing to make robocall-blocking technology available to its customers, as I requested in a letter to the company last week," Wheeler said in a statement and said he hoped to see recommendations in 60 days.

"Since giving consumers meaningful control over the calls and texts they receive will require collective action by the industry, I am gratified that AT&T will lead an industry strike force to develop an action plan for providing consumers with robust robocall-blocking solutions. ... I strongly urge industry participants to join the effort and to produce conclusions within 60 days.”

Wheeler also wrote to "intermediary carriers," the companies that connect robocallers to the consumer's phone company, reminding them of their responsibility to help facilitate the offering of blocking technologies.

Last summer, the FCC made clear that there are no legal obstacles to carriers offering consumers robocall-blocking services, the agency noted, adding that some IP and mobile phone networks are already doing just that. 

"The Commission is committed to doing everything it can to further empower consumers to control unwanted calls and texts," the FCC said.

SEC reveals details of 2016 data breach

The Securities and Exchange Commission (SEC) has announced details of a 2016 hack of its computer system that may have led to “illicit gains” from stock trades.

SEC officials learned in August that hackers had breached the agency’s EDGAR online database, which contains many companies’ securities filings and other highly sensitive information. SEC Chairman Jay Clayton issued a statement Wednesday evening explaining that the intrusion was the result of a software vulnerability that was “patched promptly after discovery.”

“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” Clayton said. “Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”

Must step up efforts

Thus far, the SEC has investigated and filed cases against individuals who it alleges placed fake SEC filings connected to the breach. However, the agency’s announcement did not sit well with Senator Mark Warner (D-Virginia).

The lawmaker compared the breach with the recent hacking of credit reporting agency Equifax, which compromised sensitive personal details of 143 million people. Warner indicated that he would be questioning Clayton about the breach in an upcoming Senate Banking Committee meeting, according to the Los Angeles Times.

“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and business entities need to step up their efforts to protect our most sensitive personal and commercial information,” Warner said.

Cybersecurity lapses

This isn’t the first time that the SEC has had to deal with cybersecurity issues. In 2014, an internal review by the agency’s Office of the Inspector General (OIG) found that laptops containing sensitive, private information could not be located.

In another instance, the OIG found that SEC employees had shared nonpublic information through non-secure personal email accounts.

Interactions with outside vendors have been troublesome as well. In his statement, Clayton confirmed that certain vendor systems and software products have provided the means for threat actors to access SEC systems.

Largely due to these incidents, the SEC has adopted an extensive cybersecurity detection, protection, and prevention program. However, Clayton says that the agency’s own limitations will require “additional expertise in this area.”

STRONG PASSWORDS

If you are not using strong passwords, a hacker can crack them in less than 20 seconds. And just because your computer is behind a locked office door doesn't mean it's safe. A hacker can use your computer and login password over the internet to get into your office network, and that is why a strong password policy is so important.

History Lesson:
Since passwords were introduced in the 1960s, the notion of a "good" password has evolved in response to attacks against them. At first, there were no rules about passwords except that they should be remembered and kept secret. As attacks increased in sophistication, so did the rules for choosing good passwords. Each new rule had its justification and, when seen in context, each one made sense. People rarely had trouble with any particular rule: the problem was with their combined effect.

An early and important source of password rules was the Department of Defense (DOD) Password Management Guideline. Published in 1985, the Guideline codified the state of the practice for passwords at that time. In addition to various technical recommendations for password implementation and management, the Guideline provided recommendations for how individuals should select and handle passwords. In particular, these recommendations yielded the following password rules:

1. Each password you choose must be new and different.

2. Passwords must be memorized. If a password is written down, it must be locked up.

3. Passwords must be at least six characters long, and probably longer, depending on the size of the password's character set.

4. Passwords must be replaced periodically.

5. Passwords must contain a mixture of letters (both upper- and lowercase), digits, and punctuation characters.

Problem:
Bottom line is: The password must be impossible to remember and never written down. How's that for security! Even the computer user can't get into their own computer. OR they write it on a sticky note and stick it on the monitor for all to see.

Solution:
However, there is a system for creating and remembering strong passwords. Start off with your favorite saying, such as:

Gladly Pay You Tuesday For A Hamburger Today.

To create a strong password from your favorite saying, take the first letter of each word and alternate between upper and lower case, i.e. GpYtFaHt. Now you have something you can remember. To really spice it up, change the first "t" to a 2, change the "F" to a 4, the "a" to an @, and the last "t" to a !, i.e. GpY24@H!. That's the easy way to create and remember a strong password with 8 characters, upper and lower case with numbers and symbols.

1. Peter Piper Picked a Peck of Pickled Peppers just won't get it!
2. Don't use GpYtFaHt ! That's my password! :-)
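The recipe above, carried through in code and checked against rules 3 and 5 of the Guideline list, as an added example that is not part of the original page. The function names are hypothetical, the swap positions are the ones from the page's worked example, and the search-space figure assumes an attacker who tries every string over the character classes the password uses.

```python
import string

# The character classes named in rule 5, with their ASCII sizes:
# 26 lowercase, 26 uppercase, 10 digits, 32 punctuation marks.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}


def acronym(phrase: str) -> str:
    """First letter of each word, alternating upper and lower case."""
    letters = [word[0] for word in phrase.split() if word[0].isalpha()]
    return "".join(
        c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(letters)
    )


def substitute(password: str, swaps: dict) -> str:
    """Replace the character at each listed 0-based position."""
    return "".join(swaps.get(i, c) for i, c in enumerate(password))


def check(password: str) -> dict:
    """Evaluate rules 3 and 5 and size the brute-force search space."""
    used = {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}
    charset = sum(len(CLASSES[name]) for name in used)
    return {
        "rule3_length_ok": len(password) >= 6,
        "rule5_mixture_ok": used == set(CLASSES),
        "missing_classes": sorted(set(CLASSES) - used),
        "search_space": charset ** len(password),
    }


PHRASE = "Gladly Pay You Tuesday For A Hamburger Today."
# Positions from the page's example: first "t", "F", "a", last "t".
PAGE_SWAPS = {3: "2", 4: "4", 5: "@", 7: "!"}

if __name__ == "__main__":
    plain = acronym(PHRASE)
    spiced = substitute(plain, PAGE_SWAPS)
    for candidate in (plain, spiced):
        print(candidate, check(candidate))
```

The letters-only form fails rule 5, and adding digits and punctuation widens the per-character alphabet from 52 to 94 symbols.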

Scam Warning Signs

(Jennifer Abel @ ConsumerAffairs) The world is full of untrustworthy people, both on and off the Internet, so you need to protect yourself and your finances from them. For that goal, this website (like many other consumer-journalist sources) frequently publishes warning articles on the themes “Here's a new scam you must be wary of,” “Here's another new scam you ought to watch out for,” or even “This latest phishing scam is the worst one yet.”

But it's not possible to create a single omnibus list of “every potential scam on the Internet,” any more than it's possible to produce a single comprehensive list of “every thief and dishonest person in the world today”; even if you could, new additions would spring up all the time.

You can't protect yourself from email scams by simply maintaining a list of suspicious senders; instead, you need to learn a few general rules that apply to all emails, text messages and other communiques you get (even those allegedly sent from people you know and trust).

A few examples

To demonstrate, let's look at a random sampling of actual come-on emails, most of which our various readers received and forwarded to us.

It's worth remembering that, while some scams are illegal, not all of them are. Phishing and other forms of identity theft are definitely against the law — if the thieves are successful, you part with your money without your consent, or even knowledge.

But other scam artists operate by convincing you to voluntarily hand your money over to them. The legality there depends on what they promise in exchange for your money — if some random stranger emails you an offer to sell you an astrology reading or pray to God on your behalf (in exchange for a hefty amount of cash, of course), chances are your only recourse is to not send money in the first place.

Rule one: Where your money or personal information are concerned, remember “Don't call me; I'll call you.”

This should protect you from most phishing scams. The way phishing works is, you get an email (or some other message), allegedly from a legitimate business, or government or financial institution. The message usually says there's a problem with your account, and if you don't tend to it right away something bad will happen, so you need to either click on the link or call the phone number included in the message.

The Netflix phishing scam from earlier this month is a typical example – would-be identity thieves somewhere in India sent out spammy emails allegedly from Netflix, warning customers of problems with their accounts. Anyone foolish enough to respond and cooperate with the alleged “Netflix” employees would soon have important financial information stolen from their computers.

So remember “Don't call me; I'll call you.” If you're worried about a problem with your Netflix account (or bank account, or anything else), it's okay if you contact the company, but be wary when the company allegedly contacts you. And if you do receive such a message and want to respond anyway, do your own independent online search for the company's contact information, rather than trust any links, phone numbers, or other contact options in the email itself.

Rule two: Never give money to someone you've never met.

This might sound too obvious to mention, yet the romantic scammers who haunt various dating websites in search of new victims are successful primarily because so many people forget this rule.

Last January, for example, an elderly divorcee in California was bilked out of half a million dollars, after a would-be suitor she'd “met” on Christian Mingle (but never actually met in person) convinced her to send him the money. Remember: if you've never so much as been in the same room with a person, you do not know them well enough to lend them money.

Rule three: Flattery will get you in trouble.

Earlier this week, we reported the story of a man who lost hundreds of dollars after falling for a bizarre scam which basically boiled down to “Hey, you know those conspiracy stories you hear about a small shadowy group of super-powerful people who secretly run the world? They're real, I belong to said secret conspiracy group, and you're invited to join us.”

Granted, most companies and marketing campaigns – even legitimate, non-scammy ones – will flatter their intended customers to some extent (e.g. “Are you a busy, modern mom who loves her kids? Then use our credit card, not the other bank's!” or “Are you a fashionable, attractive, successful person? Then wear our clothes, not the other company's!”).

Scam flattery goes far beyond that; it usually says you've been specifically selected, often for a unique offer denied to the common rabble. (That conspiracy letter had “For your eyes only!” right in its letterhead.)

Or check out this excerpt from an email one of our readers received and forwarded to us this week, from someone trying to sell him an astrological reading (ellipses taken from the original):

Last night as I was going through and sending back the reading requests that had come in throughout the day, nothing was out of the ordinary. I was calmly reviewing the information provided for each request that I had printed out beside me, doing some quick interpretations, deciphering the meanings and writing them out…

… and then yours came to the top of the pile.

It did not take me long before I had to stop and sit up straight.

[Name], to put it bluntly, you are about to enter a BIG period of change in your life - whether you're prepared for it or not does not matter, but that's where I can help you.

How very flattering indeed — you might think you're just an ordinary everyday person, but in reality you are so important, people you never even heard of before you got this email can't concentrate on their work because they spend their nights distracted by thoughts of you and your amazing awesomeness.

Don't trust anyone who tells you this.

Rule four: People with magic powers don't need money.

Of course, excessive flattery isn't the only red flag waving within that astrologer's email. Even if you want to assume astrology is not only real, but powerful enough that total strangers thousands of miles away can use it to predict your personal future — forgive the channeling of Captain Obvious here, but anyone with such powers doesn't need your money to stay financially healthy.

Here's another email forwarded from another reader; the message is from a self-described “Master Prophet” presumably with a direct hotline to God, offering to make personalized prophecies if the recipient will only send money first:

Act now! Watch your future come alive now! God is transforming you completely. This will make you confident, full of belief and satisfied about the outcome to your situation.

1.   A prophet will call you and speak with you one-on-one.

2.   A prophetic word for your relief will be in their mouth for you.

3.   This word of prophecy will be recorded for you to hear again.

4.   I will email this important prophetic word to you.

5.   I will prophesy on an MP3 or CD all about your life.

6.   I will ask another prophet to join me, and together we will prophesy about you

Here's a prophecy about you: if you send this “Master Prophet” any of your money, you'll wind up much poorer than if you'd kept that money for yourself. Real prophets and psychics don't need your money; they can make a fortune more easily than Warren Buffett.

For example: in summer of 2013, a Minnesota man bought an old house for $10,000, planning to renovate and resell it. During the renovations, he discovered that a previous homeowner had used old magazines and other papers as insulation—including a great-condition copy of Action Comics #1 (first-ever appearance of Superman, and something of a Holy Grail among comic book collectors). That comic book eventually sold at auction for $175,000.

Why was this discovery only made accidentally, by a super-lucky house-flipper? Why didn't some fortuneteller or psychic princess or Master Prophet know to buy that house and its secret-treasure insulation?

Theory: because such people do not have psychic powers or the power of prophecy; at best, they have the power to convince gullible people to part with their money. Don't let yourself be one of them.

 

Scam: Customer Satisfaction Survey by Stu Sjouwerman

If the bad guys would use their energy and inventiveness in a more productive way, the world economy would be a lot healthier. So this week, there is a popular social engineering attack doing the rounds where people get promised a $50 or EUR50 voucher/gift certificate if they answer a quick 5-question customer satisfaction survey. Major brands are used, in Europe it's Tesco and Woolworth. The attack is launched via Facebook.

Two other scams are also worth mentioning. To start with, an email disguised as a voicemail notification from Microsoft Exchange Server tries to get users to double click a link to listen to the voicemail. The second one is an email that appears to come from the FDIC and tries to get users to follow a link to download “a new security version.”
https://s3.amazonaws.com/knowbe4.cdn/SocialEngineeringRedFlags.pdf

1-Minute-Internet-Security-Survey

Could you do me a big favor? Spend one minute! Kevin and I are working on internet security awareness training for families. First we asked people which things they thought were important for Internet Security at the house. In other words, what they thought was needed to protect their family online. Please indicate how important you think the following items are for families to stay safe online. We added one short bonus question. If these topics would be covered in a course that all family members could take, what would be a good name (title) for that course? Here is the link to the survey and thanks so much in advance!
https://www.surveymonkey.com/s/9RL7VPM

My Top 3 Security Sites

A customer asked me what my three top security websites are. I had to think for a bit, and then had to conclude that these three were my faves. You might like these too, so here they are, not necessarily in order of importance, however I have been reading InfoWorld since 1981. My Top 3 fave security sites are:
1) http://www.infoworld.com/d/security
2) http://www.virusbtn.com/vb100/index
3) http://www.csoonline.com/

Scams And How To Report Them (text & video)

The following are some of the most common scams that the FBI investigates and tips to help prevent you from being victimized. Visit our White-Collar Crime and Cyber webpages for more fraud schemes. To report cases of fraud, use our online tips form or contact your nearest FBI office or overseas office.

The FBI is warning you about a new scam out there to steal your money.

It's a scheme that uses spam e-mails that appear to be from government agencies like the Federal Reserve or the FDIC.

When you open the e-mail, you're told there's a problem with your bank account and to fix it, you must click on a link.

The link then sends you to a phony website that steals your banking information. Feds say they will never ask for sensitive information like that through e-mail.


Scareware attacks increase around holidays

Scam artists hawking “scareware” products -- which make you think you have a virus when you don't -- are increasingly using what are called Search Engine Optimization (SEO) poisoning attacks.

They do it by manipulating search engine results to make their links appear higher on the search page than legitimate results.

You see it a lot around holidays like Easter, when scammers know that there will be a lot of computer users searching using terms like “Easter egg,” “chocolate,” and “bunny.” When an unsuspecting user clicks on one of these “poison” links, they get a phony message like those below warning them of a virus and encouraging them to purchase and download supposed security software.

Those who fall for it not only throw away money on a product they don't need and that may not even work.  They also give criminals access to their credit card and download malware onto their computer.


Fraser Howard, an anti-virus specialist at Sophos Security, reports an increasing number of the SEO attacks in recent weeks, as Easter approaches. He notes that most people fall for this scam.


Scrap Microsoft Patch Tuesday - One Opinion

(Dennis Fisher @ ComputerWeekly) Patch Tuesday is perhaps the most anticipated and feared day of the month for network administrators and security managers. They wait eagerly for the next batch of patches from Redmond, glad to have some protection against attacks on the vulnerabilities that have popped up since the previous month's release. But they dread it too, and with good reason, given the massive amount of work involved in rolling out a dozen or more patches to thousands of systems.

Known in some circles as Black Tuesday, the second Tuesday of each month in the last few years has become a kind of national day of mourning in the IT industry, as admins call all hands on deck and load up on pizza and Red Bull for the long night ahead. Microsoft moved to a monthly patch schedule after some pointed requests by large customers who were having a hard time dealing with the steady and unpredictable flow of patches. And many IT managers still say they like knowing exactly what's coming down the pike and when. Indeed, the monthly bulk patch release has served to increase awareness of available security fixes in both the enterprise and the consumer market.

But given all of that, I submit that it may be time to rethink the concept of Patch Tuesday.

The main thing that both Microsoft executives and IT folks cite in their support of the monthly patch cycle is its regular schedule. IT staffs know days ahead of the patch release how many patches are coming, what products are affected and how severe the vulnerabilities are that they correct. This allows for planned downtime for patching critical systems, schedule adjustments for personnel to help with the patching and time to digest the magnitude of the fixes and decide whether any of them can wait.

But even with all of that advance notice and the knowledge of exactly when the patches will be available, many enterprises still don't deploy them right away. Admins are loath to deploy any patch without first testing it, and rightly so. Even with Microsoft's improved QA process, some patches still cause regression errors or problems with other applications. The problem here is that while IT departments are testing the patches, attackers are busy reverse engineering the fixes and building exploits to throw at the vulnerabilities. (That is, those attackers who haven't already bought an exploit somewhere else.) There is anecdotal evidence that attacks against publicly known vulnerabilities spike in the hours and days after patches are released, meaning that those organizations that don't deploy the fixes immediately are at an increased risk of attack once the patches are available.

A hacker only needs one unpatched system, one little crack in the fence in order to launch a major attack on a given network. The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time. Patch management systems can help, but they have their limitations as well. 

Another key flaw in the monthly cycle is the very nature of the schedule itself. Even Microsoft has resource limitations and its Security Response Center staff can only build and test so many fixes in a given month. That means that some vulnerabilities remain unpatched for months at a time, even when there is exploit code publicly available and confirmed attacks going on. The DNS RPC flaw that Microsoft patched this week is a perfect example. The first reports of the vulnerability surfaced just two days after the company released its patches for April, and despite widespread reports of attacks against vulnerable machines, including a worm, Microsoft did not publish an out-of-cycle patch. So attackers have had nearly an entire month to hammer on the vulnerability, which Microsoft itself rated as critical.

Microsoft officials have made it clear that they're committed to the monthly patch cycle and have said that when events warrant, they will release out-of-cycle patches. When the company began the monthly schedule several years ago, those incidents that might have called for an unscheduled patch were rare, but that is no longer the case. Now, it's rare for a month to pass without the disclosure of a zero day in some Microsoft product. And those are just the ones that we hear about. Who knows how many other vulnerabilities the hackers are using at any given time?

So where do we go from here? Back to the future. The value of the predictability of the monthly schedule simply doesn't outweigh the danger to customers posed by the flaws that go unpatched for three or four weeks between cycles. If a new vulnerability in Windows is disclosed today, Microsoft has shown in the past that it can bring enough resources to bear on the problem to produce a high-quality patch within a week. It's time to return to that approach. Release patches when they're needed, not when the calendar dictates.

I strongly disagree and this is why: Running a large enterprise system OR technical support for lots of small companies, Patch Tuesday allows IT and users to plan for potential hiccups during a finite period of time, rather than getting blindsided several times a month. It's nerve-racking and costly for users to sit on their hands whilst Update Manager takes control and repeatedly says "Please Wait!" Web browser doesn't work, ERP system bounces you out, Excel won't save, then it takes forever for a mandatory shutdown, and the restart lasts a lifetime. Then you have desperate users that restart or shut down and restart their computers whilst just trying to do their jobs. Sometimes you even lose the OS and have to reinstall Windows. Patch Tuesday is much more time- and cost-effective. In addition, when Microsoft has an emergency update, they push them to users anyway, rather than waiting (and that doesn't happen very often). So, my opinion, let's keep Patch Tuesday and stave off total insanity OR move to Mac or Linux!

Seattle police drone helicopters

(Steve Gorman and Jackie Frank @ Reuters) - One of the latest crime-fighting gadgets to emerge on the wish lists of U.S. law enforcement agencies - drone aircraft - has run into heavy turbulence in Seattle over a plan by police to send miniature robot helicopters buzzing over the city.

A recent push for unmanned police aircraft in several cities is being driven largely by grants from the U.S. Department of Homeland Security, including more than $80,000 the city of Seattle used to buy a pair of drone choppers in 2010.

But getting aerial drones off the ground has run into stiff opposition from civil libertarians and others who say the use of stealth airborne cameras by domestic law enforcement raises questions about privacy rights and the limits of police search powers.

The aircraft would never carry weapons, but the use of drones for even mundane tasks raises ire among some because of the association of pilotless crafts with covert U.S. missile strikes in places such as Pakistan and Yemen.

In Seattle last month, a community meeting where police officials presented plans to deploy their two remote-controlled helicopters erupted into yelling and angry chants of "No drones!"

"My question is simple: What's the return policy for the drones?" said Steve Widmayer, 57, one of numerous citizens who spoke out against the unmanned aircraft. He predicted the City Council would commit "political suicide" if it backed the plan.

Seattle City Councilman Bruce Harrell said he hoped the council would set strict drone policies by January.

Police in Seattle, along with Florida's Miami-Dade County and Houston, are among a handful of big-city law enforcement departments known to have acquired aerial drones. But those cities have not started operating the robot aircraft.

FEAR OF FLYING ROBOTS

In Oakland, California, this month, an Alameda County sheriff's application for a federal grant to buy an aerial drone to help monitor unruly crowds and locate illegal marijuana farms drew opposition at a Board of Supervisors meeting.

"I do not want flying spy robots looking into my private property with infrared cameras," Oakland resident Mary Madden said. "It's an invasion of my privacy."

County Board President Nate Miley said the issue would be taken up by the supervisors' Public Protection Committee.

The two Draganflyer X6 remote-controlled miniature helicopters purchased by Seattle have so far been mostly grounded, restricted to training and demonstration flights.

Equipped to carry video, still and night-vision cameras, they can remain aloft for only 15 minutes at a time before their batteries run out, police said.

Assistant Police Chief Paul McDonagh said the aircraft would not be used in Seattle for surveillance or for monitoring street protests. Instead, his department plans to deploy drones to search for missing persons, pursue fleeing suspects, assist in criminal investigations and for unspecified "specific situations" subject to McDonagh's approval.

Months ago in Texas, Chief Deputy Randy McDaniel of the Montgomery County Sheriff's Office raised eyebrows by saying he hoped to equip his department's drones with rubber bullets and tear gas, though he told Reuters his thinking on armed aircraft has since evolved.

"From a law enforcement standpoint, that's never going to happen," he said. McDaniel said his office received Federal Aviation Administration clearance earlier this month to begin operational drone flights but has not yet had occasion to do so.

Actual U.S. domestic use of law-enforcement drone aircraft remains extremely limited.

The Mesa County Sheriff's Department in Colorado has been operating two small drones, also bought with Homeland Security funds, since 2010.

It uses them largely to create three-dimensional images of crime scenes, said Benjamin Miller, director of the department's drone program. They are not used for surveillance, he said.

In North Dakota, the Grand Forks police department last year called in a high-flying Predator drone operated by the U.S. Department of Homeland Security to monitor a tense standoff with a rancher over alleged stolen cattle.

The rancher, Rodney Brossart, and five family members are believed to be the first Americans nabbed by police with drone assistance - with the possible exception of operations along the southwest border with Mexico.

The use of drones there by the Customs and Border Protection agency - a part of Homeland Security - led to 7,500 arrests and the seizure of thousands of pounds of drugs up to the end of last year.

The nationality of those arrested in drone-assisted operations in the borderlands is not clear, nor is it clear whether Customs and Border Protection partnered with local forces in any of those arrests.

 

Secure Search Alternatives

(Kim Komando) Just recently, Google updated its terms of use and privacy policy. The goal was to allow Google to use your name and public photo in "Shared Endorsements." In plain English, it wants to use you in ads.

So, if you like or "+1" something on Google+, for example, Google can show your friends that you recommend it if it pops up in their searches. I'm sure Google can expand that in the future to the channels you subscribe to on YouTube or music and apps you buy in Google Play.

To Google's credit, you can opt out - if you know where to look. Head over to the Shared Endorsements page, sign in with your Google account and make sure the option at the bottom is not checked.

Still, it's a reminder where Google's focus is. It's keeping track of what you do so it can use that information in advertising. And don't forget that your information is one subpoena away from ending up in a government database.

But it's not like there's a better alternative for search, right? Bing and Yahoo! probably do the same thing.

That's true, but those aren't the only alternative search sites around. Here are some that do the job and take your privacy seriously.

duckduckgo.com: If you want most of what Google has to offer in a safer package, take a look at DuckDuckGo. Though it's similar to Google, it doesn't collect any information about you when you search.

It matches Google Search in features and performance with a similar simple layout. Its "Goodies" features offer geographic search, calculators and more. You could literally spend hours checking out DuckDuckGo's cool features.

Maybe there's just one feature about Google's search you really can't live without, though. In most cases, you can find search sites tailored to that feature.

wolframalpha.com: runs circles around Google when it comes to research and calculations. Just type in a question and it can usually figure out what you mean. You can even upload images to get more information about them.

blekko.com: For quick answers, Blekko is usually easier to use than Google. Instead of returning advertisers and other iffy results first, it sends you links that actually answer your question.

The links are even broken down into categories, such as Top results, Shopping and Latest. You can expand a category to see more of just what you want.

Blekko is more private than Google in normal mode. However, I recommend you use its "SuperPrivacy" mode for maximum privacy. This blocks ads and takes you to secure, encrypted sites by default. You can turn it on by clicking "Prefs" in the right corner of the site.

ixquick.com: If you like how quickly Blekko gives results, you can try IxQuick, too. It encrypts your search for privacy while giving you pre-approved results from other top search sites for a faster answer. You can rate results to help other searchers find what they're looking for faster, too.

yippy.com: Are you concerned about search results showing up with inappropriate content? It happens quite a bit, and - thanks to Murphy's Law - usually when a child is present. Yippy detects adult content and blocks it automatically. That makes it great for the family computer.

mazoom.com: Google is a popular search provider on tablets and smartphones, but it isn't the only option. Instead, try Mazoom on smartphones and Izik on tablets. Both give you mobile-friendly results first. This helps you save on your data plan and makes pages load faster.

Of course, search isn't the only thing Google does. Between YouTube, Gmail, Maps, Google+, Google Play, Google Drive and its many other services, it could run your whole life.

Finding alternatives for these services means some serious work and often inconvenience. Plus, most of the alternatives are run by other major companies that aren't big on privacy either.

Instead, find alternatives for one or two services. Try using some Google services without logging in to your Google account. While Google, and other companies, will still record your information, no one company will have all of it.

Security: 4 Spear-Phishing Hooks designed for the Holidays

Expect some of the typical phishing lures to be cast this year, but more targeted 'spear-phishing' twists raise the potential for damage. The CSO website warns: "Cybercriminals are increasingly abandoning the technique of casting a wide net by blasting thousands of email accounts with a phishing scam. That's not nearly as lucrative as a spear-phishing attack, which might take more work, but has the potential for a much bigger payoff, according to Rohyt Belani, CEO of phishing-awareness-training company PhishMe."

"The kind of phishing attacks that are working now involve targeting specific employees at an organization," said Belani. "Every major breach we have heard about this year has been initiated by a targeted phishing attack—be it RSA, Epsilon, numerous defense contractors, Oak Ridge National Laboratory and on and on."
   
Here are the headlines, the details are in their story:
1) "Kick off your holiday shopping with this 10% off coupon for any store at [your local mall]"

2) "[Your company] thanks for your hard work this year and invites you to enter our holiday raffle"

3) "A year-end inspection has turned up mold in offices in our building at [your work address]"

4) "[Your company] is migrating its payroll system before the end of the year. Please enter your updated information to avoid interruption of your direct deposit."

 

Security warning - Update your Adobe Flash Immediately

(Jennifer Abel @ ConsumerAffairs) Adobe has released a security update which you need to apply at once, especially if you ever visit Tumblr, eBay, Instagram or pretty much any website using Adobe Flash.

The security patch is in response to “Rosetta Flash,” a software exploit which security blogger and Google engineer Michele Spagnuolo discovered. Spagnuolo said Rosetta Flash is “a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and infiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. This is a CSRF bypassing Same Origin Policy.”

Translation, courtesy of Gizmodo: “Basically, the flaw … made it possible for hackers to steal the cookies that authenticate returning users on sites like eBay, Twitter, Tumblr, and thousands more.”

Adobe quickly responded by releasing an updated version of Flash to patch the vulnerability.

Even so, some Adobe users might not be protected unless they take active steps to ensure it. As security blogger Brian Krebs noted:

Flash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

If you haven't updated your Adobe Flash yet, stop reading and go do it, right now.
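The Flash update protects visitors; site operators who run JSONP endpoints can also stop reflecting the callback parameter at the very start of the response, which is what the Rosetta Flash technique described above relies on. The following is an added example, not code from the article, Adobe or any site it names: the function names, the 64-character limit and the sample callback are assumptions, and the sample is a constructed string that only carries an SWF signature, not a real Flash file.

```javascript
// Added example: a JSONP response builder in a reflecting form and a hardened form.
// All names and limits here are hypothetical, chosen for illustration.

const MAX_CALLBACK_LENGTH = 64; // assumed limit; legitimate callback names are short
// Dotted JavaScript identifier path, e.g. "app.handlers.onData".
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Reflecting form: the caller-supplied callback becomes the first bytes of the body.
function reflectingJsonp(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Hardened form: validate the callback, then make sure the body never starts
// with caller-controlled bytes and is never content-sniffed or rendered inline.
function hardenedJsonp(callback, data) {
  const valid =
    typeof callback === 'string' &&
    callback.length > 0 &&
    callback.length <= MAX_CALLBACK_LENGTH &&
    CALLBACK_RE.test(callback);
  if (!valid) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Content-Disposition': 'attachment; filename="f.txt"',
    },
    // An empty comment is harmless to a <script> consumer, but it means the
    // response can no longer begin with a file signature chosen by the caller.
    body: `/**/${callback}(${JSON.stringify(data)});`,
  };
}

// SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
function startsWithSwfSignature(body) {
  return /^(FWS|CWS|ZWS)/.test(body);
}

// Constructed sample: purely alphanumeric, so a character allow-list alone accepts it.
const SAMPLE_CALLBACK = 'CWS' + 'A'.repeat(40);

console.log(startsWithSwfSignature(reflectingJsonp(SAMPLE_CALLBACK, { ok: true }).body));
console.log(startsWithSwfSignature(hardenedJsonp(SAMPLE_CALLBACK, { ok: true }).body));
```

An alphanumeric allow-list alone does not help here, because the converted file is alphanumeric by design; the leading comment and the length cap are what change the outcome.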

 

Security updates available for Adobe Flash Player

Vulnerability identifier: APSB14-17

Priority: See table below

CVE number: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 14.0.0.145.

  • Users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.394.

  • Adobe Flash Player 14.0.0.125 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.145 for Windows, Macintosh and Linux.

  • Adobe Flash Player 14.0.0.125 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.0.

  • Adobe Flash Player 14.0.0.125 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.1.

  • Users of the Adobe AIR 14.0.0.110 SDK and earlier versions should update to the Adobe AIR 14.0.0.137 SDK.

  • Users of the Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions should update to the Adobe AIR 14.0.0.137 SDK & Compiler.

  • Users of Adobe AIR 14.0.0.110 and earlier versions for Android should update to Adobe AIR 14.0.0.137.

Affected software versions

  • Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh

  • Adobe Flash Player 11.2.202.378 and earlier versions for Linux

  • Adobe AIR 14.0.0.110 SDK and earlier versions

  • Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions

  • Adobe AIR 14.0.0.110 and earlier versions for Android

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.

Solution

Adobe recommends users update their software installations by following the instructions below:

  • Adobe recommends users of Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh update to the newest version 14.0.0.145 by downloading it from the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted.

  • Adobe recommends users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux update to Adobe Flash Player 11.2.202.394 by downloading it from the Adobe Flash Player Download Center.

  • Adobe Flash Player 14.0.0.125 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.145 for Windows, Macintosh and Linux.

  • For users of Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh, who cannot update to Flash Player 14.0.0.145, Adobe has made available Flash Player 13.0.0.231, which can be downloaded from http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.

  • Adobe Flash Player 14.0.0.125 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.0.

  • Adobe Flash Player 14.0.0.125 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.1.

  • Users of the Adobe AIR 14.0.0.110 SDK should update to the Adobe AIR 14.0.0.137 SDK.

  • Users of the Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions should update to the Adobe AIR 14.0.0.137 SDK & Compiler.

  • Users of Adobe AIR 14.0.0.110 and earlier versions for Android should update to Adobe AIR 14.0.0.137.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

 
Product | Updated version | Platform | Priority rating
Adobe Flash Player | 14.0.0.145 | Windows and Macintosh | 1
Adobe Flash Player | 14.0.0.145 | Internet Explorer 10 for Windows 8.0 | 1
Adobe Flash Player | 14.0.0.145 | Internet Explorer 11 for Windows 8.1 | 1
Adobe Flash Player | 14.0.0.145 | Chrome for Windows, Macintosh and Linux | 1
Adobe Flash Player | 11.2.202.394 | Linux | 3
Adobe AIR | 14.0.0.137 | Android | 3
Adobe AIR SDK and Compiler | 14.0.0.137 | Windows, Macintosh, Android and iOS | 3
Adobe AIR SDK | 14.0.0.137 | Windows, Macintosh, Android and iOS | 3

These updates address critical vulnerabilities in the software.
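Checking a fleet against this bulletin takes more than one "older than 14.0.0.145" test, because the Linux and 13.x fixed releases have lower numbers than the Windows and Macintosh one. The following is an added example, not Adobe's tooling: the inventory format, host names and function names are hypothetical, the inventory lines are constructed, and it assumes that any version below the fixed release on its branch needs the update and that 13.x installs count as fixed from 13.0.0.231.

```javascript
// Added example: audit an inventory against the fixed versions listed in APSB14-17.
// Fixed versions come from the bulletin text; everything else is hypothetical.

const FIXED = {
  'flash:windows': ['14.0.0.145', '13.0.0.231'],
  'flash:macintosh': ['14.0.0.145', '13.0.0.231'],
  'flash:linux': ['11.2.202.394'],
  'air:android': ['14.0.0.137'],
};

// Parse "a.b.c.d" into four integers; anything else is reported, not guessed.
function parseVersion(text) {
  const parts = String(text).trim().split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) return null;
  return parts.map(Number);
}

// Numeric comparison field by field. Comparing the raw strings would rank
// "14.0.0.99" above "14.0.0.145" and report an unpatched host as patched.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function assess(product, platform, version) {
  const fixedList = FIXED[`${product}:${platform}`];
  if (!fixedList) return 'unknown-product';
  const installed = parseVersion(version);
  if (!installed) return 'unparseable-version';
  const fixed = fixedList.map(parseVersion);
  // Use the fixed release on the same major branch when the bulletin names one;
  // otherwise compare against the first (newest) fixed release for the platform.
  const target = fixed.find((f) => f[0] === installed[0]) || fixed[0];
  return compareVersions(installed, target) >= 0 ? 'patched' : 'update-required';
}

// Constructed inventory lines: host,product,platform,version
const SAMPLE_INVENTORY = [
  'ws-001,flash,windows,14.0.0.125',
  'ws-002,flash,windows,14.0.0.145',
  'ws-003,flash,windows,13.0.0.231',
  'ws-004,flash,windows,14.0.0.99',
  'mac-01,flash,macintosh,13.0.0.223',
  'lnx-01,flash,linux,11.2.202.394',
  'lnx-02,flash,linux,11.2.202.378',
  'tab-01,air,android,14.0.0.110',
  'ws-005,flash,windows,unknown',
];

// Return every host that is not confirmed patched, with the reason.
function auditInventory(lines) {
  const findings = [];
  for (const line of lines) {
    const [host, product, platform, version] = line.split(',').map((s) => s.trim());
    const status = assess(product, platform, version);
    if (status !== 'patched') findings.push({ host, status });
  }
  return findings;
}

for (const f of auditInventory(SAMPLE_INVENTORY)) {
  console.log(`${f.host}: ${f.status}`);
}
```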

Details

Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 14.0.0.145.
  • Users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.394.
  • Adobe Flash Player 14.0.0.125 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.145 for Windows, Macintosh and Linux.
  • Adobe Flash Player 14.0.0.125 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.0.
  • Adobe Flash Player 14.0.0.125 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.1.
  • Users of the Adobe AIR 14.0.0.110 SDK and earlier versions should update to the Adobe AIR 14.0.0.137 SDK.
  • Users of the Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions should update to the Adobe AIR 14.0.0.137 SDK & Compiler.
  • Users of Adobe AIR 14.0.0.110 and earlier versions for Android should update to Adobe AIR 14.0.0.137.

These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

These updates resolve security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539).

 

 
| Affected Software | Recommended Player Update | Availability |
|---|---|---|
| Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh | 14.0.0.145 | Flash Player Download Center |
| Flash Player 14.0.0.125 and earlier versions (network distribution) | 14.0.0.145 | Flash Player Licensing |
| Flash Player 11.2.202.378 and earlier for Linux | 11.2.202.394 | Flash Player Download Center |
| Flash Player 14.0.0.125 and earlier for Chrome (Windows, Macintosh and Linux) | 14.0.0.145 | Google Chrome Releases |
| Flash Player 14.0.0.125 and earlier in Internet Explorer 10 for Windows 8.0 | 14.0.0.145 | Microsoft Security Advisory |
| Flash Player 14.0.0.125 and earlier in Internet Explorer 11 for Windows 8.1 | 14.0.0.145 | Microsoft Security Advisory |
| AIR 14.0.0.110 SDK & Compiler and earlier versions | 14.0.0.137 | AIR SDK Download |
| AIR 14.0.0.110 SDK and earlier versions | 14.0.0.137 | AIR SDK Download |
| AIR 14.0.0.110 and earlier versions for Android | 14.0.0.137 | Google Play |

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Michele Spagnuolo (CVE-2014-4671)
  • Masato Kinugawa (CVE-2014-0537, CVE-2014-0539)

Security-Conscious Products and Apps

(Mark Huffman @ ConsumerAffairs) The Internet has connected the world, which for the most part is a good thing. But a definite downside to the explosive growth in connective technology is a consumer's vulnerability to snooping and a loss of privacy.

Hackers seem to break into corporate databases with ease and, as recent revelations have shown, interested government agencies have increased their ability to track movements and phone calls. This trend may have created a new niche market – the security-oriented consumer.

There is no shortage of companies rushing to provide products and services. Geneva-based SGP Technologies has begun shipping its new Blackphone, which the company touts as among the most secure mobile devices available.

Focus on privacy

SGP says the Blackphone was built with a primary focus on user privacy, with integrated features for private communication, browsing and cloud storage.

"We are excited to achieve this key milestone on schedule and ship a remarkable device to customers that is the result of an unprecedented combination of privacy and mobile innovations and visionaries," said Toby Weir-Jones, CEO of SGP Technologies. "In a world where devices and apps increasingly offer features only in return for users' personal or sensitive information, the pent-up demand for Blackphone shows there is strong, international demand for our brand's devices and services that stand apart by placing privacy before all else."

How important is a privacy feature? To a political dissident, maybe a lot. In its review of the top breakthrough technologies of 2014, MIT Technology Review begins with a chilling example.

Chilling example

When anti-government demonstrators in Ukraine gathered earlier this year, protesting the government's soon-to-be ousted president, everyone with a smartphone received the same message.

“Dear subscriber, you are registered as a participant in a mass disturbance.”

The government, apparently, was able to home in on all the mobile devices in the narrow geographical region of the demonstration and identify their owners.

The MIT Review notes Blackphone appears to be capable of standing up to garden-variety hacking threats and overly aggressive marketers but isn't “NSA proof.”

Features

Photo © CIAmedia

But according to SGP, the Blackphone features plenty of security for the security-conscious user. For example, it provides private encrypted voice and video calls and text messaging with attachments via Silent Circle's Silent Phone and Silent Text. Users can communicate securely over either cellular or Wi-Fi connections.

Something called Disconnect Search is the default search provider for Blackphone, offering private browsing protection from invasive Web monitoring by hiding users' IP address, browser cookies and personal information. Blackphone also features Disconnect's Secure Wireless app, which is a smart VPN designed to prevent eavesdropping over Wi-Fi and cellular networks.

Also this week CIA Media has released a range of new features in its Android version of “CIA,” a souped-up caller ID app. The app reportedly detects incoming calls and searches 1.3 billion personal and business listings as the phone rings to display the caller identity.

But the updated app has been renamed “Reputation Check” and in sort of a privacy twist, now allows the user to observe how they are listed in the contacts lists of family and friends who call them.

Security: And You Trust The Internet?

I just finished reading a book last weekend called: 'Fatal System Error', by Joseph Menn. He's a journalist who covers cyber security for the Financial Times after a decade on the same beat at the Los Angeles Times. The tag-line of the book is: 'The hunt for the new crime lords who are bringing down the Internet'. Definitely interesting reading, and these few highlights from the book are eye-opening indeed...

The book goes into the M.O. of the gangs in Eastern Europe and also the fact that those governments are not really interested in doing something about it. On the contrary, they are now and then -using- these gangs for DDoS attacks, e.g. Georgia recently. Three interesting points he made in the book were:

1) More education is required. People who won't let their lawns go uncut out of respect for the neighbors need to realize that turning on a PC without a strong firewall and without an OS and antivirus that each update automatically is like leaving a loaded shotgun on the front porch for passersby. It almost guarantees their computers will be compromised and used for nefarious activities.

2) One expert mentions: "It's incredibly disturbing, the engine of the world economy is based on this really cool experiment that is not designed for security, it's designed for fault-tolerance. You can reduce your risks, but the naughty truth is that the Net is just not a secure place for business or society".

3) And then the thing that really got my interest, Vinton Cerf, who was the co-author of the core Internet protocols, said: "My thought at the time, thirty-five years ago, was not to build an ultra-secure system, because I could not tell if even the basic ideas would work." And here comes the kicker: "We never got to do the production engineering". By that he means the version ready for prime time. So there you have it; Internet Protocol is really still in Beta. And most experts agree it's broken. You -really- need to take all measures necessary to make sure your organization is safe on the Internet.

Cybercriminals have found a new, rich hunting ground: small businesses' bank accounts. The average monetary loss for a cybercrime attack is $395,000, CSO Magazine reported (link below). The Wall Street Journal on Feb 8, 2010 had a major story on this. There was a sidebar that showed some interesting numbers about the causes of security breaches at small and midsize companies:


- System breakdown/hardware failure:    47%

- Lost/stolen laptop, SmartPhone or PDA:    44%

- Human error:    39%

- Loss/Theft of backup tapes or devices with sensitive data:    35%

- Improper / out-of-date security:    32%

- Natural/on-site disaster:    26%

- Employee sabotage:    25%

- Improper security procedures or education:    19%

- Unsure:    4%

Ronald Reagan said “Trust but Verify”. Firewall, AntiVirus, Regular System Maintenance, Common Sense, and Vigilance are required to keep your business networks safe whilst exposed to the internet.

CSO and Deloitte have published some recent figures. Check it out at:

http://mkting.csoonline.com/pdf/2010_CyberSecurityWatch.pdf

Security: BotNets - Is Your Computer Working For Organized Crime?

    BotNet is a jargon term for a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to a network of computers using distributed computing software. Distributed computing means that part of the program runs on thousands of computers, and most folks don't even know they are part of the BotNet network. While BotNets are often named after their malicious software name, there are typically multiple BotNets in operation using the same malicious software families, but operated by different criminal entities. Fact is, BotNets have become a billion dollar industry, and most of it is run by organized crime. Is your computer working for organized crime? Let's find out more!

    While the term "BotNet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

    A BotNet's originator (aka "Bot herder" or "Bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced BotNet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program, client program for operation, and the program that embeds itself on the victim's machine (Bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the BotNet network.

    A Bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Facebook, Twitter or IM) to communicate with its C&C server. Generally, the perpetrator of the BotNet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a Bot can scan and propagate through, the more valuable it becomes to a BotNet controller community. The process of stealing computing resources as a result of a system being joined to a "BotNet" is sometimes referred to as "scrumping."

    BotNets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted BotNets, BotNet controllers have found other servers in small colleges, businesses, and home computer networks.

    A 2009 Cisco Systems report lists the geographical origin of BotNets by country as follows:

    (trillions of spam messages per year)

    Brazil: 7.7

    USA: 6.6

    India: 3.6

    South Korea: 3.1

    Turkey: 2.6

    Vietnam: 2.5

    How to tell if you are part of a BotNet? The first thing you will notice is that your computer will slow down. BotNets tend to propagate like rabbits, meaning that an infected computer may soon have hundreds of BotNets, each one taking away a little computer (CPU) power, occupying a little RAM, each one taking away a little internet bandwidth. Multiply each BotNet by 100 and your computer may simply stop working, and the internet may become unavailable. Keep in mind, now, that your computer is controlled by other people, and it may be used to spew out spam advertising for legitimate products, gambling, porn, or even fraudulent scams. Even worse, your little computer may be used to attack a company like Microsoft, or even a country (like your own)!

    BotNets used in 2010:

    1: Grum (Tedroo): Grum is the future for spam BotNets. It's a kernel-mode RootKit and thus hard to detect. It's also sneaky, infecting files used by Autorun registries. That guarantees it will be activated. This BotNet is of special interest to researchers. It's relatively small, only 600,000 members. Yet it accounts for almost 25 percent, or 40 billion spam-emails a day.

    Grum focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam BotNets are involved with it to some degree.

    2: Bobax (Kraken/Oderoor/Hacktool.spammer) confuses BotNet hunters, being somewhat related to the Kraken BotNet. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace.

    Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That's 15 percent. Or more impressively, 1,400 spam email messages per Bot per minute. Bobax appears to be a BotNet for hire, as the type of spam varies.

    3: Pushdo (Cutwail/Pandex) started at the same time as Storm, in 2007. Storm is all but gone. But Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is the downloader, which gains access to the victim computer. It then downloads Cutwail, the spamming software.

    The Pushdo/Cutwail BotNet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.

    4: Rustock (Costrat) is another survivor. It was almost destroyed when McColo was shuttered in 2008. But it's back and currently the largest BotNet, with almost two million bots. Before McColo, Rustock's trademark was to generate huge amounts of spam, then go dormant for several months. Today, Rustock's signature is to deliver spam only from 3 a.m. to 7 a.m. EST (GMT-5) daily.

    Rustock is also known for forging legitimate email newsletters using image files. Image spam is undetectable by most filtering software. In addition, Rustock does the usual pharmaceutical and Twitter-based spam to the tune of 17 billion spam messages a day.

    5: Bagle (Beagle/Mitglieder/Lodeight) is an interesting BotNet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases.

    Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.

    6: Mega-D (Ozdok) is famous — or infamous, depending on your point of view. In November 2009, researchers at FireEye were able to shut the BotNet down by registering its command and control domains ahead of the BotMaster. But the malware is programmed to constantly generate new domains, allowing the BotMaster to eventually regain control.

    Of the top 10 BotNets, Mega-D is the smallest, consisting of 50,000 members. That's not very many, considering it pushes out 11 billion pieces of spam daily. It's second only to Bobax, when considering spam per Bot per minute. Mega-D's spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.

    7: Maazben has been around only since June 2009. Yet it's of special interest to researchers. Maazben is the first BotNet that can use either proxy-based or template-based bots. Spammers prefer proxy-based bots because the spam source remains hidden. But proxy-based bots don't work if the infected computer is behind a NAT device.

    The new technique must be working. Maazben is the fastest-growing BotNet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.

    8: Xarvester (Rlsloup/Pixoliz) came into the picture after the McColo shutdown. Researchers feel the Xarvester BotNet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi BotNet, one of the BotNets affected by the closing of the McColo data center.

    Currently, the Xarvester BotNet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.

    9: Donbot (Buzus) BotNet is unique. It is one of the first BotNets to use URL shortening, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually run networks, each one pushing different types of spam.

    Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump to debt settlement offers.

    10: Gheg (Tofsee/Mondera): Three things stand out about the number 10 BotNet.

    First, almost 85 percent of the spam from it originates in South Korea.

    Second, Gheg is one of the few BotNets that encrypt traffic from the command and control servers using a nonstandard SSL connection on port 443.

    Third, Gheg has options in how it sends spam email. It can act as a conventional proxy SpamBot. Or it can route spam messages through the victim's Internet provider's mail server. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.

    80 percent of all spam is sent by these 10 BotNets.

    These 10 BotNets send 135 billion spam messages a day.

    Five million computers belong to the 10 BotNets.

    MessageLabs, the research arm of Symantec, just released the February 2010 Intelligence Report, and it's full of valuable information. I thought it would be a good idea to share the link and mention some of the highlights. The paper pointed out that Grum and Rustock are the current heavyweights, accounting for 32 percent of all spam delivered. The following figure (courtesy of MessageLabs) shows the output from the 10 most active spam-sending BotNets. That's a lot of green (Rustock) and purple (Grum).


    Two additional notable statistics:

  • The number of spam email messages containing attachments has dropped to less than one percent.

  • The size of spam email messages has also dropped considerably. Spammers are taking advantage of image spam with hidden links.

    MessageLabs mentions that both changes reduce the file size of the spam email, allowing the BotNets to send more spam messages per minute.

    To protect itself from BotNets, a small business must have a technology, internet, and email policy, and enforce it. In addition, strong passwords are “a must”.

Security: Conficker Worm Is Back Despite The Patch (10/5/2010)

The Conficker worm (also called Downadup by some anti-virus vendors) is spreading quickly despite the fact that Microsoft released a patch for the vulnerability back in October. Partly that's because many systems have remained unpatched, but it's also because the latest versions have ways of infecting systems that have already been patched. Estimates are that up to almost 9 million computers were infected over a four day period.

Microsoft has added the worm to its Malicious Software Removal Tool (MSRT), and there are other ways you can reduce your exposure.

According to the Washington Post article "Tricky Windows Worm Wallops Millions": "A sneaky computer worm that uses a virtual Swiss Army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn.

Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites -- there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software.

The worm, called "Downadup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone.

If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed.

One reason for this is because businesses will generally test patches before deploying them on internal networks to ensure the updates don't break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network.

But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if an infected system has a USB stick inserted into it, that USB stick will carry the infection over to the next Windows machine that reads it. That's an old trick, but one that is apparently still very effective.

Security experts say the worm instructs infected hosts each day to visit one or more of about 250 potential control servers -- basically, pseudo-random domain names -- in order to download instructions or malicious software updates from the worm's authors. With such a system, security experts would have to register all 250 domains each day in order to kill off the worm, a costly and untenable solution. In contrast, the worm authors need only register one of those 250 domains to update all infected systems with new instructions and software.

F-Secure arrived at its infection estimates by registering a number of those domains, and then watching to see how many infected systems would try to contact the control servers. In addition to counting the number of bots reporting in for duty, researchers found another way to count victim PCs: Turns out, each infected host reporting to the control server is configured to report the number of Windows systems it has succeeded in infecting.

Some experts say F-Secure's estimates are grossly inflated. Paul Royal, chief scientist for Damballa, an Atlanta-based security firm that has conducted similar tests by registering some of the domains Downadup hosts are seeking, estimates the total number of infected systems to be between 500,000 and one million.

"It's not as though their extrapolation methodology sounds unreasonable, it's not consistent with what we're seeing in terms of volume of hosts hitting" the control servers, Royal said.

But Roel Schouwenberg, senior antivirus researcher with Kaspersky Lab Americas, said F-Secure's estimates were probably lower than the actual number of infected systems. He said that's in part because infected systems reporting the number of machines they have in turn infected only count those that have been infested using the Microsoft flaw.

"The model they are using is, as they say, conservative. The actual number of machines that have been infected should have been higher," Schouwenberg said. "As I believe that the importance of the other replication methods is currently undervalued we could be looking at 10 million compromised machines easily."

Regardless, even if the worm authors of Downadup only control a half million PCs, that would far eclipse the size of the largest known collection of hacked PCs on the planet (see Meet the New Bots: Will We Get Fooled Again, for a look at this year's most massive and sophisticated botnets.)

So what diabolical plans does this worm have in store for host systems? Such a network certainly would make a very effective spamming machine for junk e-mail artists, but Damballa's Royal said there are no signs that the infected systems are being used for spam. Rather, he said, it appears the worm and its subsequent variants may have been created for no other purpose than to generate income for people who get paid to install rogue anti-virus software, so-called "scareware" products like "AntivirusXP2009," and "VirusRemover2009."

Royal said the original control server for Downadup used a Web service that also was used by a large number of sites that pushed rogue anti-virus products.

"Plus, the original downloader file installed [by the worm] looked suspiciously like the names of the rogue anti-virus installers we've seen," Royal said. "That strongly indicates that at the top of this pyramid is someone trying to make a lot of money from rogue anti-virus software sales."

It is likely that Microsoft itself will play a major part in cleaning up after this worm. As part of its regular Patch Tuesday cycle this week, Microsoft added Downadup to its "malicious software removal tool" (MSRT), an optional component that can scan for and remove some of the most prevalent threats in circulation today.

Windows users also can reduce their exposure to this worm and other malware that piggybacks on USB drives and other removable media by turning off the Autoplay feature in Windows. I included instructions for doing this in a recent blog post. Microsoft also has instructions for doing this here and here."
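The daily list of pseudo-random control domains described in the quoted article (and the domain generation attributed to Mega-D earlier on this page) leaves a recognizable trace on the defender's own resolver: one client failing many distinct random-looking lookups in a day, with perhaps one that resolves. The following is an added example, not code from the article or from any vendor; the log format, thresholds and every name in the sample are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): "date client qname rcode".
# Every name uses the reserved .example TLD.
SAMPLE_LOG = """\
2009-01-16 10.0.0.5 www.intranet.example NOERROR
2009-01-16 10.0.0.5 mail.corp.example NOERROR
2009-01-16 10.0.0.5 intrnaet.example NXDOMAIN
2009-01-16 10.0.0.5 cdn.cloudfront.example NOERROR
2009-01-16 10.0.0.9 hbwyncfdjg.example NXDOMAIN
2009-01-16 10.0.0.9 ugczthwpaq.example NXDOMAIN
2009-01-16 10.0.0.23 qzvkrtplmx.example NXDOMAIN
2009-01-16 10.0.0.23 xkqpwzrmvt.example NXDOMAIN
2009-01-16 10.0.0.23 jfmzolqbnd.example NOERROR
2009-01-16 10.0.0.23 wtgcyxhkar.example NXDOMAIN
2009-01-16 10.0.0.23 pnvdsejquz.example NXDOMAIN
2009-01-16 10.0.0.23 lrbxmokfte.example NXDOMAIN
2009-01-16 10.0.0.23 qzvkrtplmx.example NXDOMAIN
"""


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def looks_generated(qname, min_len=8, min_entropy=3.0):
    """Heuristic: a long, high-entropy label directly under the TLD.

    Assumes a single-label TLD; a real deployment would use a public
    suffix list to find the registered domain.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def suspect_clients(log_text, min_distinct=5):
    """Flag (date, client) pairs with many distinct failed random-looking lookups.

    A single high-entropy name is not evidence (CDN names look random too);
    the signal is the volume of distinct failures from one client in one day.
    For flagged clients, the random-looking names that DID resolve are the
    candidates for the one domain the operators actually registered.
    """
    failed = defaultdict(set)
    resolved = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        date, client, qname, rcode = fields
        if not looks_generated(qname):
            continue
        name = qname.lower().rstrip(".")
        if rcode == "NXDOMAIN":
            failed[(date, client)].add(name)
        elif rcode == "NOERROR":
            resolved[(date, client)].add(name)
    return {
        key: {"failed": len(names), "resolved": sorted(resolved[key])}
        for key, names in failed.items()
        if len(names) >= min_distinct
    }


if __name__ == "__main__":
    for (date, client), hit in suspect_clients(SAMPLE_LOG).items():
        print(date, client, hit)
```

The names returned under `resolved` are the ones to review for blocking or sinkholing, and the flagged client is the machine to pull for cleaning.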

Security: Flame cyber weapon found in Iran

BOSTON (Reuters) - Security experts said on Monday a highly sophisticated computer virus is infecting computers in Iran and other Middle East countries and may have been deployed at least five years ago to engage in state-sponsored cyber espionage.

Evidence suggests that the virus, dubbed Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010, according to Kaspersky Lab, the Russian cyber security software maker that took credit for discovering the infections.

Kaspersky researchers said they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.

Iran has accused the United States and Israel of deploying Stuxnet.

Cyber security experts said the discovery publicly demonstrates what experts privy to classified information have long known: that nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.

"This is one of many, many campaigns that happen all the time and never make it into the public domain," said Alexander Klimburg, a cyber security expert at the Austrian Institute for International Affairs.

A cyber security agency in Iran said on its English website that Flame bore a "close relation" to Stuxnet, the notorious computer worm that attacked that country's nuclear program in 2010 and is the first publicly known example of a cyber weapon.

Iran's National Computer Emergency Response Team also said Flame might be linked to recent cyber attacks that officials in Tehran have said were responsible for massive data losses on some Iranian computer systems.

Kaspersky Lab said it discovered Flame after a U.N. telecommunications agency asked it to analyze data on malicious software across the Middle East in search of the data-wiping virus reported by Iran.


Security: Get That Data Off Your Floppies Before It's Too Late!!!

Do you still have old but important data stored on floppy disks or other magnetic media sitting around in a closet somewhere? Think it will still be there just in case you ever need it? Think again!

Even if you have a computer with a floppy drive, you can't count on those old disks still working. You should transfer them to a hard disk, optical disc (CD or DVD) or solid state storage (flash memory) while you still can. That applies not only to your computer data, but to other things stored on magnetic media, such as all those old VHS tapes, too. Read more about why it's time to take action:

http://blogs.zdnet.com/perlow/?p=9364

Security: How antivirus software works: Is it worth it? by Michael Kassner

We are told, in order to survive on the Internet, our computers need protection afforded by antivirus applications. If that's true:

  • Why do computers still get infected?
  • Would it be a lot worse if we didn't use antivirus programs?

Pondering those questions, I realized I may not have all the facts. So I began researching antivirus methodology. Here's what I found out.

What we are up against

Take note, the bad guys are motivated. Leveraging malware-infected computers to make money is easier and safer than any other illegal endeavor. That said, I'd like to think we (victims) are motivated as well, especially since it's our money they're after. So why do cybercriminals have the upper hand? For starters, they benefit from:

  • Vulnerable software: It's a given; software, especially complex code, will have exploitable bugs.
  • Element of surprise: Normal users do not look for vulnerabilities in software. The bad guys do, affording themselves opportunities to exploit weaknesses long before the rest of us know about them.
  • Playing catch up: It's difficult to determine what malware will look like, forcing antivirus developers into a reactionary mode.

Example

I couldn't ask for a better example than what recently happened to Google. Attackers leveraged unknown (zero-day) vulnerabilities in Internet Explorer to gain a foothold in Google's supposedly-secure network. Check how closely the exploit follows the three steps I outlined above:

  • Vulnerable software: Internet Explorer has an exploitable vulnerability.
  • Element of surprise: Only the attackers knew about it.
  • Playing catch up: AV companies are trying to develop a detection method and Microsoft is scrambling to create a fix for Internet Explorer.

Still not understanding why antivirus applications are failing to protect our computers, I pursued the matter with an experienced software engineer. He pointed out that it's hard to remove something you can't find. Talk about an understatement. I get it though; detecting malware is not as easy as we're led to believe. My next step: find out why.

Malware detection

Malware detection can be divided into two methods: signature-based malware detection and behavior-based malware detection. Antivirus applications can employ one or both of the methods, depending on the sophistication of the program. Signature-based malware detection has been around for many years, so let's look at that first.

Signature-based malware detection

Signature-based malware detection depends on pattern recognition. Here's how it works. The AV application scans the file in question, comparing specific bytes of code against information in its malware-signature database. If the scanned file has a pattern duplicating one in the database, the file is considered malware. The antivirus application will then either quarantine or delete the file, depending upon the program configuration.

Shortcomings

Presently, signature-based malware detection is included in almost every antivirus program. That said, AV companies are trying to move away from signature-based malware detection due to the following:

  • Signature-based malware detection is not effective against new or unknown malware.
  • New malware is being created daily, requiring the signature database to be updated ever more frequently.

These are valid concerns, and they are why AV companies are investing a great deal of time and effort in transitioning to behavior-based malware detection.
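The scan-and-compare step and its first shortcoming can be seen in a small scanner. This is an added example, not code from the article or from any antivirus product; the signature names, byte patterns and sample buffers are constructed, harmless placeholders.

```python
import re
from typing import List, NamedTuple, Tuple


class Signature(NamedTuple):
    name: str
    pattern: str  # space-separated hex bytes; "??" matches any single byte


def compile_signature(sig: Signature) -> "re.Pattern[bytes]":
    """Translate a hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for token in sig.pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so a wildcard also matches the newline byte 0x0a
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed signature database (names and patterns are made up).
SIGNATURE_DB = [
    Signature("Example.Dropper.A", "de ad be ef ?? ?? 13 37 c0 de"),
    Signature("Example.Macro.B", "4d 41 43 52 4f 2d 42"),
]


def scan(data: bytes, db: List[Signature] = SIGNATURE_DB) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature found in data."""
    hits = []
    for sig in db:
        match = compile_signature(sig).search(data)
        if match:
            hits.append((sig.name, match.start()))
    return hits


def handle(data: bytes, on_match: str = "quarantine") -> str:
    """Apply the configured action when any signature matches."""
    return on_match if scan(data) else "allow"


# Constructed sample buffers.
PADDING = b"\x00" * 16
KNOWN_SAMPLE = PADDING + bytes.fromhex("deadbeef01021337c0de") + b"\x90" * 8
# Differs from the known sample only in the two wildcard bytes: still matches.
REPACKED = PADDING + bytes.fromhex("deadbeefaabb1337c0de") + b"\x90" * 8
# One fixed byte differs (ef -> ee): the database has no entry, so it is missed.
NEW_VARIANT = PADDING + bytes.fromhex("deadbeee01021337c0de") + b"\x90" * 8
CLEAN = b"quarterly report, nothing to see"

if __name__ == "__main__":
    for label, blob in [("known", KNOWN_SAMPLE), ("repacked", REPACKED),
                        ("new variant", NEW_VARIANT), ("clean", CLEAN)]:
        print(f"{label:12} hits={scan(blob)} action={handle(blob)}")
```

The new variant is allowed until a signature for it is added to the database, which is why the database has to be updated ever more frequently.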

Behavior-based malware detection

Behavior-based malware detection makes sense because it monitors how programs act, not the software build. To explain, if abnormal behavior is detected, the program is flagged, regardless of whether the software seems correct. Behavior-based malware detection is broken up into two types: anomaly-based and specification-based malware detection.

Anomaly-based malware detection

The key ingredient to anomaly-based malware detection is determining what is considered normal behavior. Thus, any variation from the normal profile would be considered suspicious (anomalous). For example, normally a program, when executed, does not create any files. Then, all of a sudden, the program moves a file into one of the operating system's folders. That action would immediately be flagged by this type of antivirus software.

Anomaly-based malware detection can be further divided into:

  • Passive detection: Uses scanning to detect deviations from the program's normal profile.
  • Active detection: Involves executing a questionable program within a controlled environment such as a sandbox or virtual machine, then observing the behavior of the program. If the program meets certain negative criteria, it will be flagged as suspicious.

As good as this sounds, anomaly-based malware detection has shortcomings. False positives are more common with this type of detection, simply because of the complexity of modern-day programs. Second, if an attacker makes sure his malcode behaves like a good program, it will not be detected. Threatfire Zero-Day Malware Protection is an example of anomaly-based malware detection software.

Specification-based malware detection

Right now, specification-based malware detection (Point IV-B) is our best hope for reducing malware problems. That's because all actions taken by any program (operating system and applications alike) are mediated by a predetermined policy. For example, if so configured, the policy would disallow execution of files downloaded from a Web site specified by the person in charge of the computer.

The advantage of specification-based malware detection is its flexibility and minimal false positives when compared to anomaly-based malware detection. One example of specification-based malware detection is NovaShield AntiMalware.
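The two behavior-based approaches can be compared on the same events. This is an added example, not code from the article or from the products it names; the event fields, program names, paths and site names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

OS_FOLDER = "c:\\windows\\"  # assumed location of the operating system's folders


@dataclass(frozen=True)
class Event:
    program: str
    action: str                   # "read", "create", "move" or "execute"
    path: str                     # file the action touches
    origin: Optional[str] = None  # site the file was downloaded from, if known


def behavior(event: Event) -> Tuple[str, str]:
    """Reduce an event to the (action, location class) pair that is profiled."""
    where = "os_folder" if event.path.lower().startswith(OS_FOLDER) else "other"
    return (event.action, where)


class AnomalyDetector:
    """Flags any behavior a program never showed while the profile was learned."""

    def __init__(self) -> None:
        self.profile: Dict[str, Set[Tuple[str, str]]] = {}

    def learn(self, events: Iterable[Event]) -> None:
        for e in events:
            self.profile.setdefault(e.program, set()).add(behavior(e))

    def is_anomalous(self, e: Event) -> bool:
        return behavior(e) not in self.profile.get(e.program, set())


class SpecificationPolicy:
    """Mediates actions against rules set by the person in charge of the computer."""

    def __init__(self, blocked_sites: Iterable[str]) -> None:
        self.blocked_sites = {s.lower() for s in blocked_sites}

    def decide(self, e: Event) -> str:
        if e.action == "execute" and (e.origin or "").lower() in self.blocked_sites:
            return "deny"
        return "allow"


# Constructed baseline of normal behavior.
BASELINE = [
    Event("viewer.exe", "read", r"C:\Users\ann\Documents\a.pdf"),
    Event("explorer.exe", "execute", r"C:\Program Files\Viewer\viewer.exe"),
]
# The article's anomaly: a program that never wrote files moves one into an OS folder.
MOVE_TO_OS = Event("viewer.exe", "move", r"C:\Windows\System32\helper.dll")
# A legitimate new feature after an update: unseen behavior, so a false positive.
NEW_FEATURE = Event("viewer.exe", "create", r"C:\Users\ann\Documents\export.txt")
# The article's policy case: running a file downloaded from a specified site.
BLOCKED_DOWNLOAD = Event("explorer.exe", "execute",
                         r"C:\Users\ann\Downloads\setup.exe",
                         origin="downloads.example.test")
OTHER_DOWNLOAD = Event("explorer.exe", "execute",
                       r"C:\Users\ann\Downloads\tool.exe",
                       origin="vendor.example.test")

DETECTOR = AnomalyDetector()
DETECTOR.learn(BASELINE)
POLICY = SpecificationPolicy(["downloads.example.test"])


def assess(e: Event) -> Tuple[bool, str]:
    """Return (flagged by the anomaly detector, decision of the policy)."""
    return (DETECTOR.is_anomalous(e), POLICY.decide(e))


if __name__ == "__main__":
    for name in ("MOVE_TO_OS", "NEW_FEATURE", "BLOCKED_DOWNLOAD", "OTHER_DOWNLOAD"):
        print(name, assess(globals()[name]))
```

The anomaly detector flags both the suspicious move and the harmless new feature, while the policy denies only what it was configured to deny and leaves everything else alone.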

My findings

I seldom find quarantined malware on computers. I've noticed something else. Most infected computers protected with typical antivirus programs require specialized scanners to remove any offending malware. After writing this article, I know why that is.

Final thoughts

Being one of those “rather be safe than sorry” types, I will continue to suggest using an antivirus program. What I will change is the type of antivirus program I recommend. They definitely will include anomaly- and specification-based malware detection methods.

Security: Instant Messaging Benefits VS Risk

Most of you know that I have never been a fan of IM (instant messaging) in small business. Instant messaging's rapid evolution from personal entertainment to workplace tool, combined with ignorance of how IM works, means that most IM users are unaware of the risks that IM poses to the organization...

Public IM systems operate in the open where other people may be able to eavesdrop. Additionally, IM systems, both public and proprietary, often operate beyond the range of corporate firewalls and other security systems. In addition, most small businesses lack the resources to properly and securely manage IM.

IM Benefits: For very large business, Better All-around Business Performance

The primary reason that IM has been such a success in the large business environment (when permitted) is "Presence Awareness" which allows users to see who's available without picking up the phone or walking to another part of the building. The real-time nature of the medium makes it a faster and more efficient means of getting answers and transferring documents or information than e-mail or telephone.

IM provides a direct mode of communication with co-workers, customers, and vendors that enables far closer and more personal relationship.

IM Risks:

  • Information leaks – Confidential materials, intellectual property, or proprietary information can be revealed, either intentionally or accidentally, through IM sessions or file transfers.
  • Virus, Worms, etc. – Numerous malware programs target public IM systems and allow them to bypass standard firewalls and mail server anti-virus systems.
  • Network hacks and intrusions – Hackers use IM operating ports to bypass other security barriers and enter the corporate network unimpeded.
  • Compliance, regulatory, or legal violations – Organizations subject to government oversight and compliance mandates may find themselves creating legal issues by failing to properly monitor, log, and regulate IM sessions and content.
  • Productivity loss – Idle chat can disrupt employee productivity.

And we're not just talking about big businesses that do secret government work.

Your small Doctor's office, Dentist Office, any business that stores Credit Card or Social Security numbers... all have heightened security risks by using IM with legal and civil ramifications. I know, IM is fun and allows you to keep close in touch with Aunt Sue and Mary Lou, but 4 of the last virus infections in my customer base came from IM. And the last one just called yesterday to say he had been reinfected. Think about it!

Security: Is Hotel Public Internet Access Secure?

Whilst using a hotel internet service, did you ever wonder about security? According to Roger Grimes' InfoWorld article "A Constant State of Insecurity" you have good reason to ask this question about public networks.

Grimes reports that “an acquaintance traveled around the world sniffing wireless and internet service access for passwords and was shocked at her findings. While I could think of better ways to spend my travel time, she used a program named Cain & Abel and her laptop to sniff the packets that passed through her NIC (network interface card). On an average day she could pick up 118 different unsecured passwords. How is this possible?

For one thing, most hotels use a hub for connecting everyone to the internet. A hub connects all devices as equals, meaning that every packet is passed to every device, including laptops. It is kind of like having all of the laptops on the same wire. So if you were entering a password or sending an email message, the packets with the password or message would pass through each and every laptop (device) in the hotel network and then to the internet, and therefore are sniffable by any laptop running programs like Cain & Abel. In addition, most public networks do not use encryption, and, evidently, neither do laptop users.

According to Grimes, 41% of the passwords came from HTTP or webpage-type password entry. Nearly 40% of the passwords were entered for POP3, SMTP, or IMAP which are email protocols. The rest were stuff like FTP (File Transfer Protocol), ICQ (Chat), TelNet (interface for legacy accounting programs)….

Now this part is interesting: “My friend” found passwords to people’s TiVos, online poker games, and online chatting communities. What disturbed her was that often these personal passwords were identical to the user’s corporate passwords.

Now how scientific can this test be? An unidentified “acquaintance” travels the world for an unspecified period of time and sniffs however many connections at unidentified hotels and comes up with blaaa! Well, confession time, I had to try it myself. Saturday I went to lunch at a large Charleston hotel armed with my WiFi laptop loaded with Cain & Abel. I sat down at the table, started the program and ordered my meal. In just one hour I picked up 31 different user names and passwords, 18 were email protocols and 7 were web-based protocols. My experiment was not very scientific either, but it did highlight the danger of using public networks to access private information without encryption.

Security: Is Your WebCam Spying On You?

Can your Webcam be Used to Spy on You? A big story making the headlines this past week involves a school district in Pennsylvania that spies on its students, at home, by using the webcams in their school-issued laptop computers. A student has filed a lawsuit over it and according to reports, the FBI is investigating to determine whether federal laws against wiretapping or unauthorized computer access were broken. But there is more.

http://news.yahoo.com/s/ap/us_laptops_spying_on_students

This story brings up quite a few issues. The school district representatives say they only activated the webcams in an attempt to find missing laptops. That makes me wonder whether, privacy issues aside for the moment, issuing laptops to students is a good idea or a silly one. Kids are kids, and kids lose and abuse "things." When a kid loses a $40 textbook, that's not good. When a kid loses a $400 laptop, that's much worse. The school claims that all 42 times it activated the remote software during the past 14 months, it was only to search for missing computers. 42 times $400 equals $16,800. If each of those incidences pertained to a different laptop, that's a significant chunk of change gone missing. Presumably those were tax dollars, unless someone donated the laptops to the district.

(Note: I used $400 as an example because you can get a decent medium-powered laptop for that amount. However, the computers in this case were Macs, so the retail value of the computers was much higher than that. The least expensive Macbook in the Apple Store is $999. At that price, we're talking almost $42,000).

Now, I understand the sentiments behind issuing the laptops. Certainly, in today's world, students need access to the Internet; any who don't have it will be at a major disadvantage in doing research for papers, etc. In a tough economic climate, some families may be unable to afford to buy their children computers. Giving all of the kids computers is intended to ensure "equal opportunity," to make sure they all have the means to do their work, regardless of how much money their families have or don't have. I get that (and I'll even restrain myself and not rant about how part of the reason families can't afford to buy the computers themselves is because they're paying outrageous school taxes).

But might it be both more economical and more all-round practical to issue each student a desktop computer instead of a laptop? I'm guessing the school already has computer labs that students can use when they're there. The laptops are to use at home. Desktop systems generally cost less for equal computing power, but more important, they aren't as fragile and portable so they're less likely to be broken or lost. It's also easier, with a desktop system that's in a fixed location in the home, for parents (those few who care to) to provide oversight when their kids are using the computer, thus helping to discourage bad online behavior.

Okay, so maybe there are advantages to a laptop. It's certainly easier for the kids to take them home in the first place; they're self-contained so you don't have to worry about parts and pieces - monitors, mice, keyboards, etc. - and you can get pretty cheap notebooks/netbooks these days. But do students really need systems that are decked out with webcams? Sure, they come built into most retail models, but I would guess it would be easy for a school district, buying hundreds of the things, to have the manufacturer supply systems that don't have that feature, or at least to disable the software/drivers that make it work. Because really, what do you think those adolescent and pre-adolescent kids are going to do with a webcam?

In fact, there have been numerous cases of teens sending webcam photos of themselves in inappropriate dress or sexually provocative poses to their friends. And even worse, webcams are a favorite tool of online pedophiles and child pornographers. They usually gain access to the child's webcam through social engineering tactics (persuasion, or even offering the child money to engage in webcam sessions).

http://www.nytimes.com/2005/12/19/national/19kids.ready.html

The bad guys can also use technological means to view the child's webcam, sending email or an IM with a link that downloads malware called RATs (Remote Access Trojans) to the child's computer, which activates the camera. Of course, if someone has physical access to the computer (like the IT person at the school district that issued the computers to students), that person can install software that will let him/her remotely control the webcam at will. In the Pennsylvania case, students reported that the lights on their webcams would turn on frequently.

http://gizmodo.com/5474975/update-students-knew-macbook-cameras-turned-on-randomly-as-school-adminstrators-gave-technical-excuses

It's bad enough that a school district, an entity that's entrusted with the care of children, might stoop to possibly illegal means to spy on them, but at least they are ostensibly doing it to keep the kids out of trouble. But the broader point is that it's not just students with school-issued laptops who are vulnerable to this type of spying. Anyone who owns a computer with a webcam attached could have photos or videos of him/herself in the hands of strangers without even knowing it ever happened.

Do you sit at the computer unclothed? Make funny faces while you're typing? Pick your nose? Having a bad hair day? Think it doesn't matter because you're all alone in the privacy of your own home? If you have a webcam, your home might not be as private as you think. Some people routinely turn their webcams toward a wall or ceiling when they aren't using them, or cover them with something (some even have lens caps). If you're a little more paranoid, you might want to unplug it altogether.

Another point that often isn't mentioned is that many webcams have built-in microphones, or you may have a separate microphone that's turned on. So even if you can't be seen, it's possible for an outsider to listen in on any sounds that occur in the vicinity of your computer. Answer the phone and have a conversation while sitting in front of the system? Talk with someone else who comes into the room? Play your favorite heavy metal music while you're working? Well, at least that last one might discourage eavesdroppers. Seriously, though, it's important to remember that if you're able to access the outside world, the outside world may be able to access you.

RATs have been around for many years. One of the first to become well known was Back Orifice. RATs can capture screen content, sound and video, log keystrokes, even ferret out your passwords. Early RATs used ICQ, IRC and other Internet communications technologies that were popular at the time, to communicate with the malware author or distributor.

Some RATs may even come with your hardware. Earlier this month, IT World reported that some "gifts" distributed by the Chinese to British businesspeople at trade fairs and exhibitions, including memory sticks and cameras, contained Trojans that provided the Chinese with remote access to users' computers when those devices were hooked up to the system.

http://www.itworld.com/security/95398/can-you-trust-chinese-computer-equipment

So what do you think? If your child's school issued a laptop with a webcam, would you tape over it or otherwise attempt to disable it? Would you send the computer back and say "no, thanks?" Is it okay for schools to spy on students as long as they notify parents and get their permission? Or are you afraid that those doing the "watching" might not be entirely trustworthy? Do you have a webcam? Do you cover it or unplug it when you're not using it? Do you think the dangers of webcams have been blown out of proportion? Or should they be banned from computers used by kids? Should they at least carry a warning label?

Security: Is Your Computer Breaking The Law?

For many years, the Internet was the “final frontier,” operating largely unregulated — in part because of the jurisdictional nightmare involved in trying to enforce laws when communications crossed not just state lines but also national boundaries. That was then; this is now. Legislation that affects the use of Internet-connected computers is springing up everywhere at the local, state and federal levels. You might be violating one of them without even knowing.

This article looks at some of the existing laws and some of the pending legislation that can influence how we use our computers and the Internet. Nothing in this article should be construed as legal advice; this is merely an overview of some of the legislation that's out there, how it has been interpreted by the courts (if applicable), and possible implications for computer users.

1: Digital Millennium Copyright Act (DMCA) Most computer users have heard of this law, signed in 1998 by President Clinton, implementing two World Intellectual Property Organization (WIPO) treaties. The DMCA makes it a criminal offense to circumvent any kind of technological copy protection — even if you don't violate anyone's copyright in doing so. In other words, simply disabling the copy protection is a federal crime.

There are some exemptions, such as circumventing copy protection of programs that are in an obsolete format for the purpose of archiving or preservation. But in most cases, using any sort of anti-DRM program is illegal. This applies to all sorts of copy-protected files, including music, movies, and software. You can read a summary of the DMCA here.

If you're a techie who likes the challenge of trying to “crack” DRM, be aware that doing so — even if you don't make or distribute illegal copies of the copyrighted material – is against the law.

2: No Electronic Theft (NET) Act This is another U.S. federal law that was passed during the Clinton administration. Prior to this act, copyright violations were generally treated as civil matters and could not be prosecuted criminally unless it was done for commercial purposes. The NET Act made copyright infringement itself a federal criminal offense, regardless of whether you circumvent copy-protection technology and whether you derive any commercial benefit or monetary gain. Thus, just making a copy of a copyrighted work for a friend now makes you subject to up to five years in prison and/or up to $250,000 in fines. This is the law referred to in the familiar “FBI Warning” that appears at the beginning of most DVD movies. You can read more about the NET Act here.

Many people who consider themselves upstanding citizens and who would never post music and movies to a P2P site think nothing of burning a copy of a song or TV show for a friend. Unfortunately, by the letter of the law, the latter is just as illegal as the former.

3: Anti-Counterfeiting Trade Agreement (ACTA) This treaty is still in negotiation between the United States, European Commission, Switzerland, Japan, Australia, Canada, Jordan, Mexico, Morocco, New Zealand, the Republic of Korea, Singapore, and the United Arab Emirates. The most recent round of negotiations took place in Mexico in January 2010, and the next is scheduled for April 2010 in New Zealand.

As with the DMCA, many regard the ACTA as a workaround for governments to impose regulations and penalties through international treaties that they would not be able to pass into law through their regular legislative processes. ACTA covers a number of areas, including counterfeit products and generic medicines, but the part that affects computer users is the chapter titled “Enforcement of Intellectual Property Rights.”
Although the treaty negotiations are conducted in secret, a leaked document indicated that one provision in the treaty would force ISPs to give information about customers suspected of copyright infringement without requiring a warrant. According to reports, another provision would allow customs agents to conduct random searches of laptops, MP3 players, and cell phones for illegally downloaded or ripped music and movies. Not surprisingly, the Recording Industry Association of America (RIAA) is a supporter of the treaty. The Electronic Frontier Foundation (EFF) opposes it, as does the Free Software Foundation. You can read the EFF's stance on ACTA here: http://www.eff.org/issues/acta

4: Court rulings regarding border searches Most Americans are aware of the protections afforded by the U.S. Constitution's fourth amendment against unreasonable searches and seizures. In general, this means that the government cannot search your person, home, vehicle, or computer without probable cause to believe that you've engaged in some criminal act.

What many don't know is that there are quite a few circumstances that the Courts, over the years, have deemed to be exempt from this requirement. One of those occurs when you enter the United States at the border. In April 2008, the Ninth Circuit Court of Appeals upheld the right of Customs officers to search laptops and other digital devices at the border (the definition of which extends to any international airport when you are coming into the country) without probable cause or even the lesser standard of reasonable suspicion. The Electronic Frontier Foundation (EFF) and other groups strongly disagree with the ruling. You can read more on the EFF Web site:
http://www.eff.org/deeplinks/2008/04/no-cause-needed-search-laptops-border

Meanwhile, be aware that even though you've done nothing illegal and are not even suspected of such, the entire contents of your portable computer, PDA, or smart phone can be accessed by government agents when you enter the United States. So if you have anything on your hard drive that could be embarrassing, you might want to delete it before crossing the border.

5: State and federal laws regarding access to networks Many states have criminal laws that prohibit accessing any computer or network without the owner's permission. For example, in Texas, the statute is Penal Code section 33.02, Breach of Computer Security. It says, “A person commits an offense if the person knowingly accesses a computer, computer network or computer system without the effective consent of the owner.” The penalty grade ranges from misdemeanor to first degree felony (which is the same grade as murder), depending on whether the person obtains benefit, harms or defrauds someone, or alters, damages, or deletes files.

The wording of most such laws encompasses connecting to a wireless network without explicit permission, even if the Wi-Fi network is unsecured. The inclusion of the culpable mental state of “knowing” as an element of the offense means that if your computer automatically connects to your neighbor's wireless network instead of your own and you aren't aware of it, you haven't committed a crime. But if you decide to hop onto the nearest unencrypted Wi-Fi network to surf the Internet, knowing full well that it doesn't belong to you and no one has given you permission, you could be prosecuted under these laws.

A Michigan man was arrested for using a café's Wi-Fi network (which was reserved for customers) from his car in 2007. Similar arrests have been made in Florida, Illinois, Washington, and Alaska.
http://arstechnica.com/tech-policy/news/2007/05/michigan-man-arrested-for-using-cafes-free-wifi-from-his-car.ars

The federal law that covers unauthorized access is Title 18 U.S.C. Section 1030, which prohibits intentionally accessing a computer without authorization or exceeding authorized access. But it applies to “protected computers,” which are defined as those used by the U.S. government, by a financial institution, or used in or affecting interstate or foreign commerce. In addition to fines and imprisonment, penalties include forfeiture of any personal property used to commit the crime or derived from proceeds traceable to any violation. You can read the text of that section here.

In a recent case regarding unauthorized access, a high profile lawsuit was filed against a school district in Pennsylvania by students who alleged that district personnel activated their school-issued laptops in their homes and spied on them with the laptops' webcams. The FBI is investigating to determine whether any criminal laws were broken. Because the school district owned the computers, there is controversy over whether they had the right to remotely access them without the permission of the users.
http://news.cnet.com/8301-17852_3-10457126-71.html?tag=leftCol;post-1400

6: "Tools of a crime" laws Some states have laws that make it a crime to possess a "criminal instrument" or the "tool of a crime." Depending on the wording of the law, this can be construed to mean any device that is designed or adapted for use in the commission of an offense. This means you could be arrested and prosecuted, for example, for constructing a high gain wireless antenna for the purpose of tapping into someone else's Wi-Fi network, even if you never did in fact access a network. Several years ago, a California sheriff's deputy made the news when he declared Pringles can antennas illegal under such a statute. http://www.engadget.com/2005/07/25/wifi-cantennas-now-illegal/

7: Cyberstalking and Cyberbullying laws Stalking is a serious crime and certainly all of us are in favor of laws that punish stalkers. As Internet connectivity has become ubiquitous, legislatures have recognized that it's possible to stalk someone from afar using modern technology. Some of the "cyberstalking" laws enacted by the states, however, contain some pretty broad language.

For example, the Arkansas law contains a section titled "Unlawful computerized communications" that makes it a crime to send a message via email or other computerized communication system (Instant Messenger, Web chat, IRC, etc.) that uses obscene, lewd, or profane language, with the intent to frighten, intimidate, threaten, abuse, or harass another person. Some of the lively discussions on mailing lists and Web boards that deteriorate into flame wars could easily fall under that definition. Or how about the furious email letter you sent to the company that refused to refund your money for the shoddy product you bought?

Closely related are the laws against cyberbullying. Such laws have been passed by some states and local governments. In April 2009, the Megan Meier Cyberbullying Prevention Act (H.R. 1966) was introduced in the U.S. Congress. The act would make it a federal crime to “intimidate, harass, or cause substantial emotional distress to another person, using electronic means to support severe, repeated and hostile behavior.” Subcommittee hearings have been held and the bill is continuing through the legislative process.

Opponents of the proposed law point out that the language is open to interpretation, and could be construed to apply to someone who merely gets into heated discussions on a web board or email list. The best policy is to watch your language when sending any type of electronic communications. Not only can a loss of temper when you're online come back to embarrass you, it could even get you thrown in jail.
http://www.cio-today.com/news/Teen-Suicide-Spurs-Cyberbullying-Law/story.xhtml?story_id=12000B111K60&full_skip=1

8: Internet gambling laws Like to play poker online or bet on the horse races from the comfort of your home? The federal Unlawful Internet Gambling Enforcement Act of 2006 criminalizes acceptance of funds from bettors — but what about the bettors themselves? Are they committing a crime?

Under this federal law, the answer is no, but some state laws do apply to the person placing the bet. For example, a Washington law passed in 2006 makes gambling on the Internet a felony. The King County Superior Court just recently upheld that law, although challengers have vowed to take it to the Supreme Court. Be sure to check out the state and local laws before you make that friendly online bet.
http://www.gambling-law-us.com/Federal-Laws/internet-gambling-ban.htm
http://seattletimes.nwsource.com/html/localnews/2004418390_gambling16m.html

9: Child pornography laws We all want to protect children and keep pedophiles away from them, but could you be arrested for possession of child pornography or for exposing children to pornography even though you would never voluntarily indulge in such a thing? Unfortunately, as the laws are written and enforced, the answer is "yes." In January 2007, a substitute teacher in Norwich, CT, was convicted of four felony pornography charges, although she claimed the offending pictures were the result of pop-ups and that she did not knowingly access the Web sites in question. The conviction was set aside after forensics and security experts examined her hard drive and found the school's antivirus software was out of date and the computer had no anti-spyware, firewall, or pop-up blocking technology. The teacher ended up pleading guilty to a misdemeanor charge. http://www.wired.com/threatlevel/2008/11/proof-porn-pop/

Pornographic images of children are illegal to possess. This includes not just photographs of actual children, but also computer-generated pictures and drawings in which no real people are involved and photos of models who are of adult age but look like children. There are many ways such images can get on a computer. Viruses can infect your system and allow another person to remotely access your hard drive. Your computer can be taken over to become a bot, controlled by someone else without your knowledge. Someone can email you an illegal image. You can click a link on a non-pornographic Web site that takes you to a site where the illegal images are displayed, and they're then downloaded into your Web cache on your hard drive.

In another 2007 case, a 16-year-old was charged with possession of child pornography and got 18 months probation and over a quarter of a million dollars in legal fees, even though he passed polygraph tests in which he denied knowledge of the images and an examination of the hard drive found more than 200 infected files and no firewall.
http://www.foxnews.com/story/0,2933,244009,00.html

10: Pro IP Act Returning to the copyright front, the Prioritizing Resources and Organization for Intellectual Property Act (Pro IP Act), which was signed into law in 2008, imposes stricter penalties for copyright infringement. It created a new position of "copyright enforcement czar" (formally called the Intellectual Property Enforcement Coordinator) in the federal bureaucracy and gives law enforcement agents the right to seize property from copyright infringers.
http://arstechnica.com/tech-policy/news/2008/05/piracy-now-public-nuisance-in-los-angeles-county.ars
http://arstechnica.com/tech-policy/news/2008/05/house-overwhelmingly-passes-controversial-pro-ip-act.ars

This may all sound fine in theory, but when you look at the way other seizure and forfeiture laws have been applied (for instance, the ability of drug enforcement officers to seize houses, computers, cars, cash, and just about everything else that belongs to someone tagged as a suspected drug dealer — and in some cases, not returning the property even when the person is acquitted or not prosecuted), it makes many people wary. Read more about the bill here.

Some local jurisdictions have also established seizure authority for piracy. In September 2009, Victoria Espinel was appointed as the first copyright czar. She has asked for public input by March 24, 2010.

Security: Microsoft Patch Tuesday 10/9/2012

Microsoft has finally moved to deal with a zero-day exploit used on the internet to attack Internet Explorer. The company responded with an out-of-band patch reflecting the urgent nature of the threat.

According to the Microsoft Security Bulletin Advance Notification for October 2012, Microsoft has a total of seven new security bulletins slated for release.

Patch Seven is rated critical and addresses a flaw affecting ALL supported versions of Microsoft Word and Microsoft SQL Server (Escalation of Privilege vulnerability).

The first six bulletins are all rated important.

Three of them affect components of the Office family.

Bulletin two affects a Remote Code Execution vulnerability in Microsoft Works 9.

Bulletin three addresses InfoPath and SharePoint.

Bulletin four is an update patch affecting SharePoint Fast Search.

Bulletins five and six correct local Elevation of Privilege vulnerabilities that might allow outsiders to gain administrative privileges whilst already present on the computer.

This Patch Tuesday highlights a particularly alarming fact: some of these vulnerabilities have been lurking in Windows and Office code since the year 2000, indicating that these flaws in Microsoft code have been around for decades. According to Alex Horan, senior product manager, CORE Security, "When you look at the number of versions that are affected you quickly come to the determination that these vulnerabilities have existed for quite a long period of time and have potentially been abused without user knowledge throughout several generations of the software."

Bottom line - leave your Microsoft computers and servers turned on Tuesday night to receive the patch. Then restart your computer.
 

Security: Nobody knows you're a dog - on the internet

(Ben Brumfield CNN) A dog tapping away at a computer keyboard turns to another dog and says, "On the Internet, nobody knows you're a dog."

The cartoon by Peter Steiner, which first appeared in The New Yorker in July 1993, perfectly encapsulates the world we live in today.

How do you trust someone to be who they say they are on the Internet?

The question has bubbled up again after news broke that Notre Dame linebacker Manti Te'o fell for a "catfish," someone who fakes an identity online to finagle his or her way into a fraudulent romantic relationship.

 


 

We do our best to avoid being duped. But it's not always easy.

"This is so sad, this has happened to me a couple of times in the past when I first started dealing with internet dating," posted Ronnie Williams in a CNN story on the hoax. "I got my heart broken just like this, so trust me, this is a creepy, deceptive low life way of either playing with someone's emotions or getting money or information out of them."

Twitter offers verified accounts to help us discern public figures from their imitators. Even President Barack Obama in a Reddit chat posted a picture of himself to verify his identity.

At CNN, we Skype with eyewitnesses on the scene of breaking news or have them stream live video of themselves and landmarks to verify that they really are where they say they are. At iReport, we call people on the phone to confirm their submissions.


Still, people fall for tricks by the droves and some of them have become iconic, if not old and dusty.

The classic e-mail scam known as the "Nigerian Letter" or "419" asks for money and your bank data to help out someone who claims to be in a pinch. The person promises to repay your kindness bountifully. Right.

Help! A Facebook friend is stuck in a foreign country and needs you to wire him money right away.

Or you sell something on Craigslist, and the buyer asks if she can overpay by money order and have you refund the difference in cash. Then the money order turns out to be fake.

Online identity scams have multiplied in form and name. Phishing via e-mail spread to text messages, prompting the term "SMShing."

Vishing is the low-tech version, when someone simply lies to you over the phone ("V" stands for voice) to dupe you into handing over your identity.


Te'o, for instance, says he was scammed digitally and over the phone.

As naive as someone who falls for a fake online girlfriend may seem, it's not hard to do, even for a sports superstar, said Nev Schulman, who hosts the MTV reality show "Catfish."

"When you make a connection with someone online, oftentimes it feels a little limited, but also safe," Schulman told MTV News. "Then people open up and get very close without scrutinizing the other person."

Still, we take steps. Step one: We Google. Relentlessly.

Before a blind date. Before picking up a concert ticket we bought off someone. Before hiring someone to rake our yard.

Because on the Internet, we the dog catchers have our work cut out for us.


What steps do you take? What are the signs you look for to verify someone's real? Were you still duped? Let us know in the comments section below.


Security: Sinowal has infected hundreds of thousands of PCs worldwide (1/1/2011)

A sophisticated cybercrime group that has maintained an especially devious Trojan horse for nearly three years has stolen login credentials of close to 500,000 online bank accounts and almost as many credit cards during that time, according to reports released today by RSA FraudAction Research Lab. The spyware is called Sinowal Trojan, also known as Torpig and Mebroot.

Sinowal has infected hundreds of thousands of PCs worldwide during its run, and it continues to attack machines. Once on a system, the malware waits for the user to enter the address to an online bank, credit card company site or another financial URL, then substitutes a fake in place of the real thing. It's triggered by more than 2,700 specific Web addresses, a massive number compared with other Trojan horses. The fake sites collect log-on usernames and passwords to banks and other financial institutions and dupe users into disclosing information those organizations never collect online, such as Social Security numbers. The Trojan then transmits the stolen credentials and data to the drop server. "This is one of the more sophisticated pieces of MalWare out there," said Brady. One reason Sinowal has been so successful is that it is rarely detected by antivirus software.

"They struggle to find this one," Brady said. That's not surprising. The Trojan horse includes rootkit elements that infect the PC's master boot record (MBR), the first sector of a hard drive. Because the hardware looks to that sector before loading anything else, Windows included, Sinowal is nearly invisible to security software. Security vendors have complained for months about how tough the malware is to spot. RSA Security suspects that the group responsible for Sinowal is based in Russia. "The distribution was truly global, but the one statistical anomaly that we noticed was [that] Russia was the one region that had no infections." Cybercrooks will often forgo infecting machines in their own country in the hope that local law enforcement authorities will not come calling or that if they do find out about the attacks, they'll put any action low on their priority list.

How the Sinowal loader works

Trojan-PSW:W32/Sinowal.CP drops and loads a password stealing component on the infected system and tries to steal account information from it. It also tries to steal information that is required to access certain online banks' and online payment systems' websites. Sinowal uses the normal methods to gain access to the computer being attacked. Initially most infections were via e-mail links, but it now appears that drive-by droppers, such as NeoSploit on malicious Web sites, are the attack vector of choice. Interestingly, Sinowal is selective about geographical location and incorporates an IP versus location application to focus on specific areas, and guess what, Germany is one such area. It’s starting to make sense now. The way Sinowal gains a foothold on the computer is nothing short of ingenious and most likely why it’s been able to survive for so long. After the initial infection, the loader remains dormant for a certain length of time. I’ve heard that it’s around six minutes, and the sole purpose of this is to fake out malware scanners. The scanners typically try the executable in a sandbox and see what happens. Since Sinowal doesn’t do anything, the scanner is fooled. Sinowal is also considered a Bootkit, meaning it overwrites the master boot record (MBR), allowing it to bypass Windows system functions.

The following installation steps are the results of researchers reverse engineering one variant of Sinowal:

1. Sinowal reads the MBR and copies the partition table.
2. Sinowal has its own MBR and incorporates the copied partition table into it.
3. Now the sneaky part: Sinowal appends the original MBR into the last sector of the new MBR it created.
4. Sinowal then writes the newly created MBR to disk.
5. Sinowal waits. Like all MBR rootkits, the loader was able to alter only the MBR, and a reboot is required to start Sinowal’s payload boot sequence.

The payload boot sequence is an intense process. If you’re interested, the details are expertly explained by Peter Kleissner in his white paper “Analysis of Sinowal.” The reason for the complexity is that ultimately Sinowal will have full control over Windows' boot sequence on the infected computer.
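Seen from the defender's side, the steps above leave a recognisable trace: the boot code in sector 0 changes while the partition table stays byte-for-byte the same, and a copy of the original MBR sits somewhere else on the disk. The check below is an added example, not code from the article or from the researchers it cites; the function names are hypothetical, the sample sectors are constructed, and it assumes you saved a copy of the MBR while the machine was known to be clean.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440            # bytes 0-439 hold the bootstrap code
TABLE = slice(446, 510)        # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"         # bytes 510-511


def parse_mbr(sector):
    """Split one MBR sector into boot code and partition table and hash both."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        entry = sector[446 + 16 * slot: 462 + 16 * slot]
        if entry[4] == 0:                      # type 0 means unused slot
            continue
        lba_start, count = struct.unpack_from("<II", entry, 8)
        partitions.append({"slot": slot, "bootable": entry[0] == 0x80,
                           "type": entry[4], "lba_start": lba_start,
                           "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[TABLE]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """Compare the current sector 0 against a known-clean baseline copy."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    code_changed = old["boot_code_sha256"] != new["boot_code_sha256"]
    table_changed = old["table_sha256"] != new["table_sha256"]
    if code_changed and not table_changed:
        # The pattern the steps describe: new loader, copied partition table.
        return ["boot code replaced, partition table preserved"]
    if code_changed:
        return ["boot code and partition table both changed"]
    if table_changed:
        return ["partition table changed, boot code intact"]
    return []


def find_stashed_copies(baseline, image):
    """Return indexes of sectors after sector 0 that hold the baseline boot code."""
    known = baseline[:BOOT_CODE_END]
    hits = []
    for index in range(1, len(image) // SECTOR):
        sector = image[index * SECTOR:(index + 1) * SECTOR]
        if sector[:BOOT_CODE_END] == known:
            hits.append(index)
    return hits


def sample_mbr(boot_code):
    """Build a constructed 512-byte MBR with one bootable NTFS-type partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1000000)
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    disk_signature = b"\x12\x34\x56\x78\x00\x00"      # bytes 440-445
    return code + disk_signature + entry + bytes(48) + BOOT_SIG


# Constructed sample data: placeholder bytes, not real loader code.
CLEAN_MBR = sample_mbr(b"\xfa\x33\xc0" + b"KNOWN-GOOD-LOADER")
TAMPERED_MBR = sample_mbr(b"\x90\x90" + b"UNRECOGNISED-LOADER")
# Sector 0 is the tampered MBR; the clean MBR is parked in sector 61.
SAMPLE_IMAGE = TAMPERED_MBR + bytes(SECTOR) * 60 + CLEAN_MBR

if __name__ == "__main__":
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))
    print(find_stashed_copies(CLEAN_MBR, SAMPLE_IMAGE))
```

Read the sectors from offline media or a forensic image rather than from the running system, since a bootkit that controls the boot sequence can return the clean copy to anything that asks for sector 0.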

How To Remove The Virus (don't try this at home boys & girls): The following instructions pertain to all current and recent antivirus products. Disable System Restore (Windows Me/XP). Update the virus definitions. Run a full system scan. Delete any values added to the registry. For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me System Restore" or "How to turn off or turn on Windows XP System Restore."

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents. For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions: Obtain the latest virus definitions from your antivirus vendor.

3. To run a full system scan

Start your Symantec antivirus program and make sure that it is configured to scan all the files. For Norton AntiVirus consumer products, read the document: How to configure Norton AntiVirus to scan all files. For Symantec AntiVirus Enterprise products, read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files. Run a full system scan. If any files are detected, follow the instructions displayed by your antivirus program.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode.

4. Once you have restarted in Safe mode, run the scan again. After the files are deleted, restart the computer in Normal mode and proceed with the next section. Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

5. To delete the value from the registry (really dangerous stuff)

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run. Type regedit. Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

Navigate to and delete the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\"UID" = "[COMPUTER NAME]_[UNIQUE ID]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"WinCode" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"Win32" = "[MAIL FLAG VALUE]"

Restore the following registry entry to its previous value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\ntos.exe"

Exit the Registry Editor.

 

Security: System Restore Is No Safe-Haven From Viruses

Think you can get rid of that malicious software by restoring your computer to an earlier point? Now cyber criminals have rootkits at their disposal that allow their malware to survive even after System Restore is used to revert to its previous clean state. They're using it, along with other exploits, in Internet cafes to steal online gaming credentials that can be worth big bucks. Find out more here:

http://blogs.zdnet.com/security/?p=4423&tag=nl.e550

Serious Internet Explorer Flaw Goes Unpatched

Serious Internet Explorer Flaw Affects XP, Goes Unpatched

Tech Media Network (Tom's Guide) 
By Tom's Guide / Jill Scharr

Internet Explorer 8 allegedly has a serious security flaw that would allow an attacker to remotely take control of a user's computer. And since Windows XP users can't upgrade to a more modern version of the popular browser and won't be receiving any more official security updates, it's XP users who are most at risk.

 

What's more, Microsoft allegedly knew about this flaw back in October, and did nothing, according to the Zero Day Initiative, an HP-sponsored program that rewards security experts for finding software flaws. Since that time, Microsoft has stopped issuing security updates for Windows XP and all programs for that operating system, effectively leaving XP users stuck with a flaw it allegedly had time to fix.

Discovered by Belgian security researcher Peter Van Eeckhoutte of ZDI, this IE 8 bug reportedly has to do with remote code execution, which is when criminals seize control of an affected computer, allowing them to download malware without the user's knowledge. 

To do so, the criminals would have to trick users into using IE 8 to visit a webpage infected with specially crafted malware designed to seek out and exploit this specific flaw. 

IE 8 is the only version affected by this flaw. Microsoft might still patch IE 8 on its more recent operating systems such as Vista, but it's unlikely that the XP version of IE 8 will ever get another security update, and XP is where IE 8 is most widely used.

On April 8 Microsoft issued its final security patches for Windows XP, including patches for other IE flaws. Even after that, Microsoft released one more emergency patch for Internet Explorer 6 through 11, including Internet Explorer 8 on Windows XP, which addressed a different zero-day flaw.

ZDI says that on May 8 it told Microsoft that it would go public with the Internet Explorer 8 flaw it found. Today it did so, posting an advisory on its website.

The Internet Explorer 8 issue is a "use-after-free" flaw, which has to do with memory allocation. In IE 8, it pertains to the way the browser handles CMarkup objects.

Despite being no longer supported, an estimated 20 to 30 percent of users worldwide still use Windows XP. That means a good number of them use Internet Explorer 8, the default browser on that system.

If you're still using Windows XP and you can't update for whatever reason, you should stop using Internet Explorer. Instead, use a browser such as Chrome, Firefox or Aviator, all of which continue to support their XP versions.

You should also be hyper-vigilant about any kind of suspicious emails, hyperlinks or popup advertisements. Do not click on anything unless you trust its source.

Seven Secrets Scammers Don't Want You To Know

(Jim Hood @ ConsumerAffairs) The other day, we got a phone call from a woman who had just discovered the "free government grant money" scam, which has been around since about the time of the Revolutionary War. She claimed to have found the people behind it and wanted to know why we hadn't done something about it.

Well, of course, we have. We've written about it endlessly for the past 15 years or so, which is about all they allow us to do. We're not allowed to send drones out on search-and-destroy missions. 

But the harsher truth is that while there are lots of scams, there are even more scammers. The same old scams are being pulled over and over and over by people who have a lot of nerve even if they aren't necessarily too bright. 

There aren't just two people behind the government grant money scam. And there isn't just one phony Nigerian prince. Shut down one or two and 15 more spring up to take their place.

In fact, the world is full of people who are not your friends. Not only that, many of them are dishonest -- out to make a quick buck any way they can. Sticking up banks isn’t as easy as it used to be and fleecing the government isn’t nearly as easy as it looks, so that makes you the target.

Scams are nothing new. They’ve been around almost as long as the human race. A scam, very simply, is a business proposition that is not what it seems.

A work-at-home “opportunity” is really a way for a scammer to move money from your house to his. A book that tells you the “secrets” of staying healthy is really a secret attempt to get a hand firmly into your pocket and bank account.

So, with all those scammers out there, how can you avoid falling victim? It’s actually pretty simple. Just remember these seven simple secrets scammers don’t want you to know.

1. There are no secrets.

Scammers love to tell you they have the secret to staying healthy, getting rich, finding true love and avoiding bad hair days. But you know what? There are very few secrets in the world. The government may have a few. Coca-Cola keeps its flavor formula secret. That’s about it.

Just think for a minute what’s in the news everyday -- secrets that somebody leaked. Nothing stays secret for long. Besides, ask yourself: if there really was a foolproof cure for cancer, wouldn’t the big drug companies jump on it so they could charge a fortune for it?

2. If it sounds too good to be true …

You’ve heard this a million times: if it sounds too good to be true, it probably is. If someone offers you an “opportunity” to start your own business, working at home for two hours a day in your pajamas while making $10,000 a week, ask yourself: does this sound too good to be true?

If it was that easy to make tons of money stuffing envelopes, don’t you think Bill Gates, Warren Buffett and Hillary Clinton would be doing it instead of chasing all over the world, putting up with shareholders and reporters and answering dumb questions all day?

3. Nothing is free, including “free offers.”

A free 30-day trial? No obligation? Uh-huh. That guaranteed weight-loss and hair-regrowth program may be just the thing all right but do you really think the first month is free? It might be, but you can bet the next 23 months won’t be.

Most “free trials” are nothing more than a way to get your credit card information. Read the fine print and you’ll find out you’re signing up for a two-year subscription. Or you’re agreeing to pay $234.00 “shipping and handling.” Or you’re agreeing to get 24 magazine subscriptions for $45 each.

If you want to try a little dab of something to see if you like it, go to the store and buy a small package. If you like it, you can buy more. Otherwise, you can just throw it away.

4. Buy stuff in stores. Or from Amazon or Walmart.com.

See that fruit smasher that’s advertised on TV for just $24.95? It will smash just about any kind of fruit you can think of into smithereens. And it’s not sold in stores!

Now, why would that be, do you think? If you had invented the best-ever fruit smasher, wouldn’t you want to sell it anywhere and everywhere? Things that aren’t sold in stores or on well-known name-brand sites like Amazon are nearly always rip-offs.

Plus, you can walk into a store, buy something and walk out. You don’t have to give anybody your name or credit/debit card number. That way, you’re not hounded by offers for similar products and your personal information doesn’t fall into the wrong hands.

5. Don’t be too polite.

Your mother taught you to be polite. Even to strangers. But you know what? It’s not a good policy. If a stranger calls you on the phone or emails you and claims to be from the government, the bank, the hospital or just about anywhere else, hang up or delete the email.

Anyone who says they are trying to “update” your account is really trying to update their list of bank account and credit card numbers. Never give out any personal information on the phone or in an email -- no Social Security numbers, no bank account numbers, no credit card numbers.

Your mother also taught you not to talk to strangers. As usual, she was right.

6. You can’t win if you didn’t enter.

One of the oldest and most successful scams out there is the bogus sweepstakes scam. Someone calls or emails you with great news! You’ve just won $757,000 in the Eritrean National Sweepstakes. All you have to do is send $2,300 by money order or Western Union to pay the tax and “processing charge.”

But unless you’ve been to Eritrea and entered a sweepstakes, guess what? It’s a scam. You can’t win a contest you didn’t enter. Which leads us to our seventh and final secret for today:

7. Hang onto your money. Don’t sign anything.

Yes, of course you should pay your bills. On time if possible. But don’t pay anyone else unless you’re absolutely certain you know who you’re paying and you already have at least one hand on the merchandise, whatever it may be. Never, never, never send money to someone you don’t know. You will not get it back. Simple as that.

And when it comes to signing something, like a contract, don’t sign it until you have read it thoroughly. Don’t listen to what anyone tells you -- it’s only what is in writing that counts. The company will hold you to the contract. So be sure to keep a copy and read it every now and then. Sure, it will be boring but it’s better to be bored than broke.

These are just the top seven simple secrets to avoiding scams. There are all kinds of specific scams that we cover daily at ConsumerAffairs. See our Scam Alerts section to research specific scams and stay up to date on new ones.


Shanghai Government Hacking Base Exposed

Pedestrians walk past the headquarters for the secretive PLA Unit 61398 (centre) on the outskirts of Shanghai. Photo: CARLOS BARRIA/REUTERS

A key military base used by the Chinese to hack into the computer networks of foreign governments and companies has allegedly been uncovered in Shanghai. It may look like any other Shanghai office building, but experts believe this 12-floor tower is actually the nerve centre of one of the world’s most dangerous military cyber-hacking operations.

For the first time, American computer analysts have traced over a hundred attacks on government departments, companies and journalists to this one site around 40 minutes outside Shanghai’s city centre, reportedly the headquarters of People’s Liberation Army Unit 61398.

In a 60-page report, Mandiant, a computer security company, said it believed that a hacking network named the “Comment Crew” or the “Shanghai Group” operated from the compound.

It said there were “hundreds, and perhaps thousands of people” working inside to breach the security not only of global corporations, but also of foreign power grids, gas lines and waterworks.

While the inner-sanctums of the Shanghai PLA base are off-limits to outsiders, the existence of the military compound is no secret in what is a bustling residential neighbourhood.

There is no sign identifying the PLA base by name but clear orders have been placed outside – in Chinese and English. “Restricted military area. No photographing or filming.” Men in PLA uniform guarded the entrance.

Large propaganda posters are pinned to walls around the base between Shanghai’s Datong and Tonggang roads. “Everyone has the duty to defend our country and our home!” reads one poster, featuring a group of young soldiers crawling through mud.

Another poster shows a line of PLA tanks and four fighter jets and is emblazoned with the slogan: “Security and peace protects hundreds of thousands of households!”

Opposite the building identified by Mandiant is a street of hardware shops and a salon carrying a bright pink sign with the name: “Slender Beauty.”

Next door, a residential compound for military families greets visitors with a plaque reading: “Be faithful and loyal to the Party. Love the people. Dedicate yourself to the cause.”

On Tuesday afternoon, a woman who identified herself as a member of ‘Unit 61398’ but refused to produce any identification reprimanded the Daily Telegraph for taking notes on a nearby street corner.

Men who appeared to be undercover security agents photographed reporters outside the base’s main entrance and people carriers with blacked-out windows patrolled nearby streets.

While Mandiant could not trace the hacking attacks to inside the building, the company’s chief executive, Kevin Mandia, told the New York Times: “Either they are coming from inside Unit 61398 or the people who run the most controlled, most monitored internet networks in the world are clueless about thousands of people generating attacks from this one neighbourhood.”

Recent months have seen a succession of media groups, including the New York Times, the Washington Post and the Wall Street Journal report that hackers, with alleged ties to the PLA, had invaded or attempted to compromise their systems.

The Mandiant report claimed that hackers who appeared to be working out of the Shanghai PLA unit had launched over 140 attacks since 2006, stealing “hundreds of terabytes of data”. Most of the targets were in the United States although some were in the UK.

The report is the most concrete confirmation yet that the wave of cyber-attacks emanating from China is sponsored, at least in part, by the Chinese government.

However, a spokesman for the Chinese Foreign ministry dismissed the allegations as “groundless” in a regular press briefing. In the past, the People’s Daily, the mouthpiece of the Communist party, has accused the US of sensationalising China’s cyber threat as an excuse to expand its own “internet army”.

In his recent State of the Union address, US president Barack Obama warned of the threat to the United States from foreign hackers.

“We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”


Sharing Too Much Information on Social Media

(Mark Huffman @ ConsumerAffairs) We all could use a filter when it comes to posting things online. Just ask New York mayoral candidate Anthony Weiner. Or actor Alec Baldwin. Or journalist Geraldo Rivera.

All have Tweeted, or Facebooked, or shared pictures, thoughts and opinions that they lived to regret. A case of “too much information,” which seems to happen quite a bit in the digital age.

“Sharing itself is not new, but consumers now have unlimited opportunities to share their thoughts, opinions, and photos, or otherwise promote themselves and their self-image online,” said Russell Belk, a York University professor and author of a new study published in the Journal of Consumer Research. “Digital devices help us share more, and more broadly, than ever before.”

The good and the bad

And that's not always a good thing. Blogging encourages us to share everything. What is YouTube's slogan? “Broadcast yourself.” Sometimes sharing is good, sometimes it's not so good.

An example of a good kind of sharing is when consumers share their experience with a product or service, on sites like ConsumerAffairs. These reviews can help other consumers make better, more informed decisions.

But on social media sites like Twitter and Facebook, posters sometimes disable their filters. For example, Dianne, of Sunderland, UK, is an artist who says she focuses on “sensual art,” similar to what you see on Khajuraho temples in India – except that the subjects in her art are “elves and extraterrestrials.” She didn't get a good reception when she posted some of her erotic art on Facebook.

“It had started about a year ago, where they would remove my artwork and then block me over a 30-day period,” she shared in a ConsumerAffairs post.

Eye of the beholder

To Dianne, her work is art, erotic though it might be. To others viewing her page, however, it might appear to be something else entirely. In Dianne's case, she might do well to consider a different venue for her work, one where her intent and purpose would not be misconstrued.

Alice, of Branchville, N.J., likes to share her politics. She says she's a retired teacher who strongly supports 2nd Amendment rights. She shares those views freely on Facebook, sometimes triggering a sharp reaction from people reading her posts.

“I do not use foul language,” she writes. “I am a Christian. I do not threaten. I do not post pornography. I do urge all to use their legal rights to redress by contacting their representatives through peaceful protesting and boycotting. All of these are legal and it is our right as free Americans. My views may upset the liberals and Socialists; however, I have a right to free speech.”

Facebook, of course, has rights too – including the right to set terms and conditions for the use of its site. After all, consumers aren't paying anything to use it and Facebook has to try and keep 800 million people happy. The bigger issue, however, may be how much and what kind of information should be shared in the first place.

Brave new world

In the normal world, if you climb up on a soap box and deliver a rousing, opinionated speech, only those within earshot are exposed. If you tell a raunchy joke or recount your exploits during a serious night on the town, only a small circle of people know your secret. When you post on the Internet, it can go viral.

"Due to an online disinhibition effect and a tendency to confess to far more shortcomings and errors than they would divulge face-to-face, consumers seem to disclose more and may wind up 'oversharing' through digital media to their eventual regret," Belk said.

Don't press send

Over-sharing happens a lot in the sports world, where egos are large and emotions often run high. Former NFL player and coach Herman Edwards delivered memorable advice to rookies in a seminar at the start of the 2011 season. He warned the young athletes, most of whom had just become millionaires, that expressing themselves in anger on Twitter would lead to unwanted, and perhaps career-damaging publicity.

“You know the little 'send' button on your phone?” he asked. “Instead of 'send' on the phone there should be a button that says 'don't press send.' So when you Tweet all that stuff out and you get ready, you'll stop and think. 'Don't press send.'”

Finally, sharing too much information on Twitter or Facebook could damage your reputation in real and tangible ways. A 2012 study of employers from six different industries revealed that many employers are using the Facebook profiles of job candidates to filter out weaker applicants based on perception of lifestyle, attitudes and personal appearance.

In other words, it could keep you from making the final cut. You can argue the fairness of it, but it's becoming a fact of life.

So when you are tempted to let it all hang out, perhaps it would be wise to remember Herman Edwards' advice: “Don't press send.”

Sharing too much information about your child

(Mark Huffman @ ConsumerAffairs) Some parents – and even grandparents – can't resist the urge to post any and all kinds of photos and information about their kids on Facebook.

You know who you are. But pediatricians as well as privacy advocates have some real concerns about this.

“By the time children are old enough to use social media themselves many already have a digital identity created for them by their parents,” said Sarah J. Clark, associate director of the University of Michigan C.S. Mott Children’s Hospital National Poll on Children’s Health and associate research scientist in the U-M Department of Pediatrics.

There's a term for it – “Sharenting,” and Clark says her survey shows it isn't going away anytime soon. More than half of mothers in the survey and one-third of fathers say they discuss child health and parenting on social media and nearly three quarters of parents say social media makes them feel less alone.

Safety and privacy risks

“Sharing the joys and challenges of parenthood and documenting children’s lives publicly has become a social norm so we wanted to better understand the benefits and cons of these experiences,” Clark said. “On one hand, social media offers today’s parents an outlet they find incredibly useful. On the other hand, some are concerned that oversharing may pose safety and privacy risks for their children.”

It turns out parents have some of these concerns too. Nearly two-thirds said they were concerned someone would pick up private information about their child or share photos. More than half also conceded that what they were posting about their children online could embarrass them when they were older.

Still, parents do it. When asked why, they most often said it was to gain advice. Some of the common questions are how to get kids to go to sleep, how to get them to eat their vegetables and how to handle discipline problems.

“These networks bring parents together in ways that weren’t possible before, allowing them to commiserate, trade tips and advice, share pride for milestones and reassure one another that they’re not alone,” Clark said.

Blurred lines

But it's clearly a double-edged sword. Clark says there is potential for blurring the line between sharing and over-sharing.

“Parents may share information that their child finds embarrassing or too personal when they’re older but once it’s out there, it’s hard to undo,” Clark said. “The child won’t have much control over where it ends up or who sees it.”

While parents don't always see “sharenting” tendencies in themselves, the survey showed they are quick to pick up on it when they see it in others. Three-quarters of the parents in the poll had at least one story about extreme “sharenting,” when another parent posted embarrassing stories, posted photos that could be construed as inappropriate and even gave information that could be used to pinpoint the child's location.

It turns out that parents don't stop embarrassing their children online, even after they become teens and young adults. BuzzFeed collected numerous examples that should provide a sobering wake-up call for any parent tempted to go overboard on social media.

Spoiler alert – it's really funny.

Should Businesses Fear SmartPhones & iPads?

A lot of businesses have secrets that they don’t want getting out, whether that be plans, competitive strategy, private conversations, or any number of things. Now consider all of the things you can do with a smartphone or a tablet. There are apps for all kinds of things that have possibly never even crossed your mind, but the obvious features are cameras and microphones, coupled with the fact that it’s just become so common for people to carry these things around.

Should your web browsing be private

(Jim Hood @ ConsumerAffairs) What happens in your browser stays in your browser, right? Wrong. Your browsing history is tracked by broadband providers like AT&T, T-Mobile, and Comcast and used to serve "behavioral" ads that reflect your recent browsing history.

Besides using the information themselves, internet providers can and do sell it to market research firms that combine the information with other scraps gathered from here and there, forming the so-called Big Data that drives a lot of today's marketing and advertising strategies.

Federal Communications Commission Chairman Tom Wheeler has proposed a rule that would require broadband providers to get your consent before using information about your app usage and web-browsing history to target ads.

It seems a modest enough proposal and would apply only to internet service providers like AT&T, Verizon, and Comcast, not to website operators, which are beyond the FCC's jurisdiction. And that distinction is being used by the ISPs to argue against the proposal.

Unfair to ISPs

The argument is that by regulating the entities it is authorized to regulate -- namely, ISPs -- the FCC would be unfairly singling them out for tougher rules than those applied to Google, Facebook, and other website operators, which it is not authorized to regulate. Most websites allow their users to opt out of targeted ads, but they may still draw on the data they collect in one way or another.

In a filing with the FCC, T-Mobile dragged out the "level playing field" argument that is heard whenever one industry segment is jockeying for advantage over another.

T-Mobile said it shouldn't have to obtain consumers' permission before rummaging around in their "non-sensitive" browsing history if unregulated websites are allowed to do so. AT&T and Comcast made similar arguments.

Supporters of the rule, however, say that ISPs have access to more data about consumers than any single search engine or other website and should be expected to abide by stricter rules.

Advertisers object

Wheeler's plan isn't making any friends in adland either. Major advertising trade groups swarmed the FCC last week, saying the plan was a threat to consumers because it would "undermine the internet economy."

Protecting consumers' online privacy would "limit consumer choice, and ultimately harm consumers by interrupting the well-functioning Internet economy that provides consumers with free and low cost products and services," the ad group spokesmen told FCC officials, according to Broadcasting & Cable magazine.

The Federal Trade Commission (FTC) previously regulated consumer privacy issues involving telecommunications carriers, but when the FCC declared the internet to be a public utility in 2015, it assumed that role. Wheeler's proposal is similar to rules the FTC previously had in place.

Technically, the question is what constitutes "sensitive" information. Wheeler's proposal would include web-browsing and app usage in the sensitive categories. Broadband providers say that's unnecessary and puts them at a competitive disadvantage, since they would have less personal information about their customers that they could sell to third parties.

Consumer and privacy advocates generally argue that the rule is not only reasonable but necessary to protect individuals' privacy rights.

“These rules will extend crucial protections to broadband customers, who have no choice but to disclose many of their digital activities and communications to broadband providers,” said Chris Calabrese, vice president for policy at the Center for Democracy and Technology.

“Our web browsing and app usage history represents some of our most personal data, making strong privacy protections for it essential. Today’s proposal from the FCC represents real progress in empowering consumers to take control of their data,” Calabrese said.

A vote by the full FCC is expected before the end of the year.

Shred or Keep by Cena Block Sane

The most difficult part of cleaning out your files is determining what to keep and what to shred. To help in your decision making, we suggest you ask yourself the following questions:

Does this document contain information I will need some day?

Will I ever need the document to defend a tax deduction, contract or warranty claim?

As you tackle this year’s file cleaning, we have provided some general guidance for how long you should retain certain documents. If you have specific questions about a document, we recommend you check with your accountant and/or attorney first.

Toss Now

As a general rule, documents which do not have a tax impact or represent important assets do not have to be maintained and can be shredded once they have been verified and reconciled.

Examples include:

    Credit card statements and receipts
    Investment confirmations once they have been verified with investment statement
    Deposit and ATM receipts
    Cancelled checks and bank statements (be sure to keep those for major purchases and tax deductions)
    Medical Bills/Insurance Payments
    Utility bills – recommend keeping one, to provide easy access to account number and contact information
    Pay stubs

As Long As You Need It

Documents relating to purchases, improvements and tax returns for important assets, like real estate, should be kept until the asset is sold plus three years.

Records relating to investments, IRAs and retirement plans should be kept until the transaction has been fully completed and/or all funds have been withdrawn (if your annual brokerage statements list the year’s transactions, there is no need to keep monthly or quarterly statements).

Insurance contracts and beneficiary designations should be maintained as long as they are still in effect

Warranties for appliances and vehicles should be kept as long as an item is still owned

Keep Forever

    Adoption and child custody records
    Certificates: birth, marriage, death
    Citizenship or Naturalization documents
    Family health and immunization records
    Legal documents, wills, powers of attorney
    Passport
    Receipts for major purchases
    Real Estate deeds and titles
    Separation and/or divorce records
    Social Security cards

Skype Hackers Hijack Passwords

(Mathew Schwartz InformationWeek) Months after being notified of a vulnerability described as "child's play" to exploit, Skype has temporarily addressed the issue by disabling password resets. Despite Microsoft having been warned of the issue, for more than two months Skype has been vulnerable to a bug that enabled attackers to easily hijack any user's Skype account.

Details of the vulnerability were first published in August on an online Russian-language hacking forum. Tuesday, the same Russian hacking forum user posted an update, reporting that the flaw still hadn't been fixed.

That finally led Skype Wednesday to acknowledge the security vulnerability and begin working on a fix. "Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address," wrote Skype Web quality assurance engineer Leonas Sendrauskas in a blog post. "We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience."

Before Skype made that fix, using the vulnerability to hack into a Skype account was "child's play," according to Rik Ferguson, director of security research and communication at Trend Micro, writing in a blog post.

"The procedure is so simple it could be carried out by even the most inexperienced of computer users. All that was necessary was to create a new Skype ID, and associate it with the email address of your victim," he said. "Once this procedure is complete, a flaw in the password reset procedure allowed the attacker to assume control over the victim account by using the online password reset form. This would lock the victim out of their Skype account and allow the hacker to receive and respond to all messages destined for that victim until further notice. I tested the vulnerability and the entire process took only a matter of minutes."

Before Skype disabled password resets, Mikko Hypponen, chief research officer at F-Secure, noted that the only way to mitigate the vulnerability was to not use a known email address. "If you think somebody would be interested in hijacking your Skype account, change your email address to something the attacker can't guess," he said via Twitter.

But that fix would also have been only temporary. "This is not only security by obscurity, it could theoretically leave you more open to attacks as you are less likely to investigate regularly the inbox of such little-used addresses," said Trend Micro's Ferguson.

The time Microsoft took before issuing a Skype fix has drawn criticism, especially given Microsoft's very vocal campaigning for better sharing of vulnerability information. "I can't believe that it took Microsoft 2-3 months to figure out how to 'solve' the problem by temporarily disabling the reset functionality," tweeted The Grugq, who acts as a broker between vulnerability buyers and sellers.

This isn't the first Skype bug to come to light thanks to the attentions of Russian hackers. In April 2012, a Pastebin post revealed that with a few tweaks to the Skype application's registry keys, an attacker could use the Skype client to reveal the real name and IP address associated with any Skype username. While Skype quickly said that it would be preparing a patch, it had reportedly first been alerted to the bug in November 2010.

Smart Phone with XRAY Vision Can See Through Walls

(Allison Barrie FoxNews) A new low-cost imager chip could give your average smartphone the ability to see through walls and objects, Superman style.

The chip would not only allow you to see through a wall, but to see what is hidden inside an object and create images of what is inside. Suspicious package left on a bus? You could pull out your smartphone, scan it over the package and reveal whether it is hiding a bomb.

The scanner can detect guns, explosives and razor blades hidden within a range of materials. It can even determine the fat content of chicken tissue -- making you wonder if you could use your smartphone to scan your date, and not just your meal.

This month’s IEEE Journal of Solid-State Circuits details the work of California Institute of Technology electrical engineers Ali Hajimiri and Kaushik Sengupta, who have developed this tiny technology.

The tech uses chips that radiate high-frequency electromagnetic terahertz waves, from 0.3 to 3 THz -- between microwaves and far-infrared radiation on the electromagnetic spectrum.

Terahertz waves can penetrate a whole range of objects and packaging materials and produce high-resolution images of what they find. They can also detect biological weapons, illegal and pharmaceutical drugs or explosives.

It achieves this detection without the ionizing damage that comes with X-rays.

Part of the breakthrough is miniaturizing a terahertz imager cheaply. Current systems are both expensive and giant, and unlikely to fit in your smartphone.

Silicon chips are not designed to operate at terahertz frequencies, and the team had to harness the collective strength of many transistors operating in unison to boost the strength of the signal.

Their approach means operating at very high frequencies without a large power source, with large elements producing the power. At such frequencies, traditional tiny wire antennas wouldn’t work, so another challenge was figuring out how to transmit the terahertz signal.

Their solution: make the whole silicon chip into an antenna by integrating small metal segments that can work together simultaneously to achieve the right signal strength.

The terahertz signals can be dynamically programmed to point in a specified direction.

The publication asserts their new chips make signals a thousand times stronger than current approaches, 300 times faster than today’s cell phone chips and that they achieved operating transistors at approximately forty to fifty percent above the cut-off frequencies.

Beyond security applications and putting the ability to scan for hidden dangers with your smartphone, the chip has potential for wireless communications, health care, and touchless gaming.

CalTech hopes the technology will enable a new generation of sensors and may even lead to noninvasive cancer diagnosis.

Ballet dancer turned defense specialist Allison Barrie has traveled around the world covering the military, terrorism, weapons advancements and life on the front line. You can reach her at wargames@foxnews.com or follow her on Twitter @Allison_Barrie.


Smart home devices used as weapons in website attack

Hackers used internet-connected home devices, such as CCTV cameras and printers, to attack popular websites on Friday, security analysts say.

Twitter, Spotify, and Reddit were among the sites taken offline on Friday.

Each uses a company called Dyn, which was the target of the attack, to direct users to its website.

Security analysts now believe the attack used the "internet of things" - web-connected home devices - to launch the assault.

Dyn is a DNS service - an internet "phone book" which directs users to the internet address where the website is stored. Such services are a crucial part of web infrastructure.

On Friday, it came under attack - a distributed denial of service (DDoS) - which relies on thousands of machines sending co-ordinated messages to overwhelm the service.

The "global event" involved "tens of millions" of internet addresses.

Security firm Flashpoint said it had confirmed that the attack used "botnets" infected with the "Mirai" malware.

Many of the devices involved come from Chinese manufacturers, with easy-to-guess usernames and passwords that cannot be changed by the user - a vulnerability which the malware exploits.

"Mirai scours the Web for IoT (Internet of Things) devices protected by little more than factory-default usernames and passwords," explained cybersecurity expert Brian Krebs, "and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users."

The owner of the device would generally have no way of knowing that it had been compromised to use in an attack, he wrote.

Mr Krebs is intimately familiar with this type of incident, after his website was targeted by a similar assault in September, in one of the biggest web attacks ever seen.

Vulnerable to toasters

The incidents mark a change in tactics for online attackers.

DDoS attacks are typically aimed at a single website. Friday's attack on Dyn, which acts as a directory service for huge numbers of firms, affected several of the world's most popular websites at once.

The use of internet-connected home devices to send the attacking messages is also a relatively new phenomenon, but may become more common.

The Mirai software used in these attacks was released publicly in September - which means anyone with the skill could build their own attacking botnet.

On social media, many researchers and analysts expressed frustration with the security gap being exploited by attackers.

"Today we answered the question 'what would happen if we connected a vast number of cheap, crummy embedded devices to broadband networks?'" wrote Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute.

Jeff Jarmoc, head of security for global business service Salesforce, pointed out that internet infrastructure is supposed to be more robust.

"In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters," he tweeted.

Smartphone Creates 3D Model Of Your Home For Thieves

(mit) The power of modern smartphones is one of the technological wonders of our age. These devices carry a suite of sensors capable of monitoring the environment in detail, powerful data processors and the ability to transmit and receive information at high rates. 

So it's no surprise that smartphones are increasingly targeted by malware designed to exploit this newfound power. Examples include software that listens for spoken credit card numbers or uses the on-board accelerometers to monitor credit card details entered as keystrokes.

Today Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information.

Templeman and co call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system.

Their idea is that the malware would be embedded in a camera app that the user would download and run, a process that would give the malware the permissions it needs to take photos and send them.

PlaceRaider then runs in the background taking photos at random while recording the time, location and orientation of the phone. (The malware mutes the phone as the photos are taken to hide the shutter sound, which would otherwise alert the user.) 

The malware then performs some simple image filtering to get rid of blurred or dark images taken inside a pocket for example, and sends the rest to a central server. Here they are reconstructed into a 3D model of the user's space, using additional details such as the orientation and location of the camera.

A malicious user can then browse this space looking for objects worth stealing and sensitive data such as credit card details, identity data or calendar details that reveal when the user might be away.

Templeman and co have carried out detailed tests of the app to see how well it works in realistic situations. They gave their infected phone to 20 individuals who were unaware of the malware and asked them to use it for various ordinary purposes in an office environment. 

They then evaluated the resulting photos by asking a group of other users to see how much information they could glean from them. Some of these users studied the raw images while the others studied the 3D models, both groups looking for basic information such as the number of walls in the room as well as more detailed info such as QR codes and personal checks lying around.

Templeman and co say the tests went well. They were able to build detailed models of the room from all the data sets. What's more, the 3D models made it vastly easier for malicious users to steal information from the personal office space than from the raw photos alone.

That's an impressive piece of work that reveals some of the vulnerabilities of these powerful devices. And although the current version of the malware runs only on the Android platform, there is no reason why it couldn't be adapted for other systems. "We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone," say Templeman and co.

They go on to point out various ways that the operating systems could be made more secure. Perhaps the simplest would be to ensure that the shutter sound cannot be muted, so that the user is always aware when the camera is taking a picture.

However that wouldn't prevent the use of video to record data in silence. Templeman and co avoid this because of the huge amount of data it would produce but it's not hard to imagine that this would be less of a problem in the near future.

Another option would be a kind of antivirus app for smartphones which actively looks for potential malware and alerts the user.  

The message is clear--this kind of malware is a clear and present danger. It's only a matter of time before this game of cat and mouse becomes more serious.

Smartphone PIN revealed by camera and microphone

(bbcnews) The PIN for a smartphone can be revealed by its camera and microphone, researchers have warned.

Using a programme called PIN Skimmer, a team from the University of Cambridge found that codes entered on a number-only soft keypad could be identified.

The software watches your face via the camera and listens to clicks through the microphone as you type.

The tests were carried out on the Google Nexus-S and the Galaxy S3 smartphones.

"We demonstrated that the camera, usually used for conferencing or face recognition, can be used maliciously," say the report's authors Prof Ross Anderson and Laurent Simon.

According to the research, the microphone is used to detect "touch-events" as a user enters their PIN. In effect, it can "hear" the clicks that the phone makes as a user presses the virtual number keys.

The camera then estimates the orientation of the phone as the user is doing this and "correlates it to the position of the digit tapped by the user".

"We watch how your face appears to move as you jiggle your phone by typing," said Ross Anderson, professor of security engineering at Cambridge University.

"It did surprise us how well it worked," he told the BBC.

When trying to work out four-digit PINs the programme was successful more than 50% of the time after five attempts. With eight-digit PINs the success rate was 60% after 10 attempts.

Many smartphone users have a PIN code to lock their phone, but PINs are increasingly used to access other types of applications on a smartphone, including banking apps.

This raises the question of which resources should remain accessible on a phone when someone is entering a sensitive PIN, say the report's authors.

Randomise keys

"For instance when a call comes in, the user needs to hear the ring tone while unlocking his phone; otherwise he may assume the caller has hung up."

One suggestion to prevent a PIN being identified is to use a longer number but the researchers warn this affects "memorability and usability".

"Randomising" the position of numbers on the keypad is also suggested but the researchers believe this would "cripple usability on phones".

Getting rid of passwords altogether and using fingerprints or face recognition are offered as more drastic solutions.

"If you're developing payment apps, you'd better be aware that these risks exist," warns Prof Anderson.

Smartphone and Tablet data at risk from Hacker Drones

(Jennifer Abel @ ConsumerAffairs) Free wi-fi has become almost a standard feature in coffee shops, fast-food outlets and similar businesses, because a hangout whose customers can't use their smartphones or tablets is a hangout likely to lose customers after a while.

Of course hackers have figured out ways to use this to their advantage. The latest, which CNN Money reported this week, involves using drones capable of stealing everything on your smartphone — passwords, photographs and more.

More specifically, the technology to strip the data from your smartphone already existed, just not in super-mobile hard-to-avoid drone form.

Fortunately, the hackers who created the drone (named “Snoopy”) are actually security researchers with Sensepost Research Labs who intend to present Snoopy at a cybersecurity conference next month. As CNN Money explained:

Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they've accessed in the past.

"Their phone will very noisily be shouting out the name of every network it's ever connected to," Sensepost security researcher Glenn Wilkinson said. "They'll be shouting out, 'Starbucks, are you there?...McDonald's Free Wi-Fi, are you there?'"

So Snoopy basically poses as Starbucks or McDonald's wifi and shouts back “Here I am.” Your phone or tablet makes the connection, and Snoopy (and the hackers controlling him) can read everything you do. CNN opened new accounts with Amazon, PayPal and Yahoo, specifically to see if Snoopy could steal the usernames and passwords. It could, easily.

Fortunately, protecting yourself is almost as easy: shut off the wi-fi connections on your mobile devices when you're not using them, and set them so that they must ask before joining a mobile network.
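The same auto-join behaviour applies to laptops. The script below is an added example, not part of the original article: it audits saved Wi-Fi profiles for the two settings that matter here, assuming a Linux machine whose NetworkManager profiles are in keyfile format. The sample profiles, SSIDs and function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format; SSIDs are made up.
SAMPLE_PROFILES = {
    "cafe.nmconnection": """
[connection]
id=Cafe Free WiFi
type=wifi

[wifi]
ssid=Cafe Free WiFi
""",
    "home.nmconnection": """
[connection]
id=HomeNet
type=wifi

[wifi]
ssid=HomeNet
hidden=true

[wifi-security]
key-mgmt=wpa-psk
""",
    "airport.nmconnection": """
[connection]
id=Airport Guest
type=wifi
autoconnect=false

[wifi]
ssid=Airport Guest
""",
    "wired.nmconnection": """
[connection]
id=Wired
type=ethernet
""",
}


def audit_profile(text):
    """Return a finding dict for one Wi-Fi profile, or None for non-Wi-Fi profiles."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    # An open network has no [wifi-security] section, so nothing proves that an
    # access point answering to this name is the one that was joined before.
    is_open = not cp.has_section("wifi-security")
    # NetworkManager treats a missing autoconnect key as true.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    # hidden=true makes the client probe for the SSID by name while scanning.
    hidden = cp.getboolean("wifi", "hidden", fallback=False)
    issues = []
    if is_open and autoconnect:
        issues.append("open-autoconnect")
    if hidden:
        issues.append("hidden-probe")
    return {
        "ssid": cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?")),
        "open": is_open,
        "autoconnect": autoconnect,
        "issues": issues,
    }


def audit(profiles):
    """Map SSID -> list of issue codes for every profile that needs attention."""
    report = {}
    for text in profiles.values():
        finding = audit_profile(text)
        if finding and finding["issues"]:
            report[finding["ssid"]] = finding["issues"]
    return report


if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_PROFILES).items():
        print(f"{ssid}: {', '.join(issues)}")
```

A profile flagged `open-autoconnect` is the laptop equivalent of the phone setting the article recommends changing: turn off automatic connection for it, or delete the saved network.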

Smartphone picture uploads can reveal the location of your children's home, school, and play areas

From KHSB Action News 41: Pictures you’ve e-mailed or uploaded from your smartphone could be leaking location information threatening your safety or that of your children.

“Perfect, just like that,” cooed NBC Action News staffer Susanne McDonald to her four-year-old daughter Laine as she took a series of smartphone pictures. “Ready? One, two, three! Good Girl.”

We loaned McDonald and Laine a smartphone to see just how threatening a seemingly innocent snapshot could be once loaded online.

Police are concerned

“It's frightening,” said Leawood School Resource Police Officer Mark Chudik when we showed him what we had uncovered.

We combed Twitter and sites like Facebook, Craig's List, and Photobucket.

We searched by entering the names of area cities.  We easily identified the home addresses and play areas of children whose pictures were posted by their parents.

“That is legitimately terrifying,” said McDonald when we showed her information we obtained from pictures she posted of daughter Laine.

It's a new and frightening threat to parents. 

The full risk is unknown even to many internet crime experts, like Chudik, who said he’d never seen private information shared so quickly in such an unknown manner.

He calls the hidden smartphone data today's biggest risk online.

“It's probably going to be number one for a while,” Chudik said.

Technique involves free, easily available software

Chudik used a free browser add-on to click on pictures of four-year-old Laine.

He not only found her home when he clicked on a picture of her bedroom, but located her day care, favorite fast food shop, and the specific part of the park where she plays.

“The fact that they found the bedroom is terrifying,” McDonald said. “Scary, like terrifying. Especially as a parent because of the fact that you can see the exact place of it.” 

We searched online servers by local cities creating a menu of nearby children and their locations.

With one online bedroom picture, we were able to find the home of two Olathe brothers.

When we went to their home to warn their parents, they declined to comment, but did change the settings on their Photobucket account to private.

How it works

At UMKC, computer science Professor Deep Medhi says smartphones leave a high-tech invisible trail using the same geotracking technology that enables the social website Foursquare and handheld map apps.

“Exactly like in your GPS device in your car,” Medhi said. “When you do it, it can tell you exactly where it is.”

Medhi showed how the easily-obtained software can translate geotagged photos, uploaded or linked from popular websites, into maps.

“Exactly that spot where that picture was taken,” Medhi said.

How to deactivate your geotagging

The site icanstalku.com reposts pictures from unwitting Twitter users in real time, translating their photos into actual addresses and maps.

The site also lists how to deactivate geotagging on the iPhone, Blackberry with GPS, Google Android, and Palm WebOS.

The site recommends restricting which applications can access GPS marking, or turning off location services altogether, in your smartphone settings.

“You want to be able to do it almost on a picture basis,” Medhi said.

“I don't think you can think of anything worse than a stranger knowing all that information,” said Officer Chudik.

Experts say you can still be perfectly safe by turning off GPS settings before taking pictures you plan to post online and by keeping your online photo servers restricted to private.

Snail Mail Scam (This Happened To Me)

The other day I received a Snail Mail letter from a real company that looked real official. It said that I won $250,000.00 in a contest and they even sent a $6,000.00 check to cover some of the taxes. WOW - I WON - I WON!!! Hey, I didn’t enter no contest, IS THIS FOR REAL???

First thing I did was check out the company. I went online and searched for the company name and guess what? The company is real and so was the address. The company even had a good B&D rating. MMMMMMMMMM What’s Up? Next, I took the check to the bank and you wouldn’t believe it, THE CHECK for $6,000.00 was a real check drawn on a real bank account with sufficient funds to cover the check. Could this be the real deal? I could really use $250,000.00 or $6,000.00 or whatever I could get! Times are tough you know!

Alright! Calm down Greg, let’s go back to the letter, follow the instructions, and get the money. The instruction says to call a Mr. BlaBlaBla at a certain number. Mr. BlaBlaBla will verify your winnings, collect some information, and get you your money ASAP. What information did Mr. BlaBlaBla want! Full Legal Name, Date of Birth, Social Security Number for tax purposes of course (I’m beginning to smell a fish).

Next Mr. BlaBlaBla informed me that there is a block on the check that he sent to me. He said that the purpose of the check was to reimburse me for Federal and State Taxes on the prize winnings and that I would need to direct-draft to him $6,000.00 from my account first. He said that he would release the lock on the check as soon as the funds were received and that he would send the remainder of the $250,000.00 at that time.

Ok, now we can see the scam for what it is. Mr. BlaBlaBla wants my legal name, date of birth, and social security number for identity theft. He can use it himself and/or sell the name to others so they can use it too. Can you hear that sucking noise? That’s the sound of my life wafting away.

Then, Mr. BlaBlaBla will take my banking information and use it to clean out the bank account, as well as any saving and overdraft accounts that may be attached to it. In addition, he could sell the banking information.

What I failed to mention earlier is that when I checked out the company, I knew that I did not enter any contest and that something was up. I contacted the FTC (Federal Trade Commission) and they told me that there had been a lot of scams lately that looked real good but were totally fraudulent, international fraud. So when I talked to Mr. BlaBlaBla I recorded that conversation, then sent copies of all materials and the recording to the FTC and the South Carolina State Attorney General Office. And of course I didn’t give Mr. BlaBlaBla real information about myself. About a week later the phone number from the letter was disconnected or no longer in service and their bank account was closed.

Bottom line: If it’s too good to be true, it is. You can’t win a contest you didn’t enter.

NEVER NEVER NEVER give your vital information, bank information, social security numbers

Report scams and fraud to the proper authorities.

Starbucks Mobile App Opts for Convenience Over Security With Unencrypted Passwords

Starbucks Mobile App Stores Unencrypted Passwords; Coffee Chain Opts for Convenience Over Security

Starbucks smartphone application stores customers' information including passwords in plain text format that can be accessed by anyone in possession of a customer's smartphone.

(Sam Lehman @ HNGN) Starbucks has a popular mobile application that lets customers place orders and pay using smartphones. The convenience of simply placing an order without entering the password comes at a great cost. Daniel Wood, a Starbucks customer, exposed the vulnerability and shared it with the coffee chain in December. Since the technical team did not respond, Wood decided to go public by posting his findings online, and ComputerWorld reported on his post Tuesday.

Wood, who is a security researcher, found that Starbucks mobile app stores customers' usernames, passwords, and other personal information in plain text format. This puts customers in a dangerous situation where a hacker with basic hacking skills can easily recover the private information by connecting the phone to a laptop.

"The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary," Computer World reported. "And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone."

Executives at the well-known coffee chain also confirmed to the tech magazine that the vulnerability exists, but no case of customers being exploited has been reported yet.

The mobile app allows customers to make in-store payments without typing their passwords repeatedly. Once the password is entered during the activation and the first log-in, users only need the password again if they need to add more money to the account.

In December, Wood also found that the iOS app for Subway California by ZippyYum puts customers' information at an even greater risk. The app stores the complete street address, email address, geolocation and, more importantly, the credit card info in plain text, which, if it falls into the wrong hands, can do a significant amount of damage to the owner. The news was made public through SecLists.org.

Stop Phishing Attacks Using Common Sense

( @ IT Security) Despite the warning, phishing attacks are still the favored attack vector of bad guys. It's time to forget technology and rely on good old common sense.

Phishing attacks tap into human eccentricities that bad guys have exploited for thousands of years, which makes them extremely difficult to counter. Case in point: for this article I asked a few friends if it’s alright to click on active links in an email. They all said no. But I know for a fact that an email with a video link about cats is circulating among that same group.

Therein lies the problem. Bad guys understand this. Bad guys also know which psychological buttons to push, to improve the odds of getting a victim to click on a malicious link.

A good example of pushing buttons is how phishers are leveraging the FUD created by the Target data breach, sending out thousands of phishing emails offering financial protection. Target is aware of the deception, mentioning the following on their FAQ webpage:

“Be wary of scams that may appear to offer protection but are really trying to get personal information from you. If you have any suspicions about the authenticity of an email or text, do not click the links in it. Please go directly to the sites you need to access.”

The fact that phishers are using the Target data breach to their advantage illustrates a fault even I’m guilty of--stressing out about a situation and making a hasty decision I usually end up regretting. The solution is to step back, take a deep breath, and realize that the amazing offer or panic-inducing security alert is likely a phishing email.

Phishers exploiting attachments

Like most con artists, phishers must keep their deceptions fresh. As people learn to avoid active links in unsolicited emails, phishers are switching to a new lure--email attachments. In a Naked Security post, Paul Duklin urges people to be leery of attachments:

“We urge you to be cautious of email attachments (Duklin's emphasis), especially if you weren't expecting them. That's to protect you from booby-traps, where cybercriminals feed you a crafty file such as a document or image that is deliberately rigged up to crash your browser (or PDF reader, or multimedia player, or whatever) and sneakily infect you with malware.”

Duklin is concerned because warnings about phishing emails often refer to links embedded in the email body, not attachments.

Technology will always be a step behind

A question people have been asking me lately: “Besides stepping back and taking a deep breath, what else can we do?” That is a great question, and I’m afraid my usual answer seems hollow now. I, like many others who write about information security, have preached, “do this and don’t do that.” But, to be honest, it all boils down to being aware.

I say that because there is precious little that antimalware and IT professionals can do with technology to protect us. Sure, once they get wind of a new phishing attack, they get the word out, and update their software to recognize the latest deception. But what about those unlucky enough to receive a targeted phishing email before the word gets out?

That question is the very reason experts I have talked to are becoming convinced that the only proactive deterrent is user awareness. Trust your instincts: if it seems bad, it most likely is. Additional advice: “More often than not, there are ways to check if the email is for real or not. And if there isn’t a phone number or alternative way to authenticate the sender, delete the email.”

Stop Using Microsoft Internet Explorer Until Bug Is Fixed

Stop using Microsoft's IE browser until bug is fixed, US and UK warn

In a rare move that highlights the severity of the security hole in one of the Web's most popular browsers, the US Computer Emergency Readiness Team and its British counterpart tell people to stop using Internet Explorer until Microsoft can fix it.

( @ CNET) It's not often that the US or UK governments weigh in on the browser wars, but a new Internet Explorer vulnerability that affects all major versions of the browser from the past decade has forced them to raise an alarm: Stop using IE.

The zero-day exploit, the term given to a previously unknown, unpatched flaw, allows attackers to install malware on your computer without your permission. That malware could be used to steal personal data, track online behavior, or gain control of the computer. Security firm FireEye, which discovered the bug, said that the flaw is being used with a known Flash-based exploit technique to attack financial and defense organizations in the US via Internet Explorer 9, 10, and 11. Those versions of the browser run on Microsoft's Windows Vista, Windows 7, and Windows 8, although the exploit is present in Internet Explorer 6 and above.

While the Computer Emergency Readiness Teams in England and the US regularly issue browser advisories, this is one of the few times that the CERT teams have recommended that people avoid using a specific browser.

FireEye recommends that if you can't switch browsers, then you disable Internet Explorer's Flash plug-in. You also can use IE with Microsoft's Enhanced Mitigation Experience Toolkit security app, but that will not be as secure as simply switching browsers.

Microsoft and the Department of Homeland Security did not immediately respond to requests for comment.

Statistics vary as to how many people actually use Internet Explorer. NetMarketShare puts the total around 55 percent of the desktop browser market, while competitor StatCounter says that 22.58 percent of people use IE. While the disparity is large, in either case the flaw affects a huge number of browsers being actively used.

There will be no fix for Windows XP users (according to Microsoft).

TLS Keeps Your Email Safe

Explained: How ‘TLS’ Keeps Your Email Secure

(Rob Pegoraro @ Yahoo Tech) From its start in 1971, Internet-based email has not been known for its high security. As security researcher Bruce Schneier wrote in a 1995 essay for Macworld on the privacy perils of email: “It’s like a postcard that anyone can read along the way.”

That unfortunate fact is finally fracturing. Email is getting safer for you — provided that your mail service and your correspondent’s both use a standard called “TLS,” short for Transport Layer Security. Finally, Google and other providers are starting to turn on TLS for the public.

TLS, then and now

The move to the use of TLS could have happened more than five years ago: A 1.0 version of the TLS specification emerged only four years after Schneier’s essay, and the current 1.2 version dates to 2008. But even as mail services secured people’s log-ins, they did not take the extra step of scrambling their messages while in transit.

Those who knew this would commonly comfort themselves with the lost-in-the-crowd theory of security: With some 183 billion messages a day sent back and forth, who would possibly have the time to look for one in particular? 

Then one year ago, Edward Snowden began giving a crash course in National Security Agency surveillance, which had the policy and, for the first time in history, the technology to collect everything first and index it later. 

After a few weeks of Snowden’s revelations, CNET’s Declan McCullagh made a simple observation: Gmail supported TLS, but other major email services did not, meaning that a huge chunk of the world’s email could be inspected by the NSA and its ilk, because for TLS to work, both sides of an email conversation have to support it.

To make it more difficult for the NSA to simply absorb the world’s email, more tech companies took an active interest in TLS, including Yahoo Tech’s publisher, Yahoo, which had lagged in its support for encryption, according to the Washington Post.

Progress and confusion

With the growing use of TLS, the odds are now lower that your email is going out on a postcard. In mid-May, a study by Facebook found that 58 percent of the social network’s email notifications to members were going out encrypted. And last week, Google posted similar numbers: 71 percent of messages from Gmail to elsewhere went out encrypted, while 50 percent of those received by Gmail also arrived locked.

There’s your good news: We’ve fixed a core defect in email and reduced the capability of well-meaning friends, family, and business partners to inadvertently risk your privacy by sending sensitive data about you in their own email. And with TLS, you don’t have to install any software or change any settings to get its advantage.

The bad news: It’s hard to figure out if your own provider has done its part. 

Google’s regularly updated transparency report now includes a section on “encryption in transit” that lets you check to see if other large mail services do TLS. But it can yield confusing results, and smaller systems (say, your employer’s) don’t show up. 

You can also check for TLS use on any site at STARTTLS.info.
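Another way to see whether a particular message travelled encrypted is to read the Received headers of a message you have received. The following is an added example, not from the original article: it assumes the mail servers involved record the RFC 3848 protocol keywords (ESMTPS and ESMTPSA mean the hop used TLS), and it runs on a constructed message whose host names and addresses are placeholders.

```python
import re
from email import message_from_string

# "with" keywords from RFC 3848 that indicate the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed message: three hops, only the server-to-server hop used TLS.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby mailstore.recipient.example with LMTP id abc123;
\tTue, 10 Jun 2014 10:00:03 -0400
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tTue, 10 Jun 2014 10:00:02 -0400
Received: from webmail.sender.example (localhost [127.0.0.1])
\tby out.sender.example with ESMTP id ghi789;
\tTue, 10 Jun 2014 10:00:01 -0400
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

hello
"""


def _first(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None


def hop_report(raw_message):
    """Return the hops in the order the message travelled.

    Each server prepends its own Received header, so the list in the message
    is newest-first and is reversed here.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        protocol = (_first(r"\bwith\s+([A-Za-z0-9]+)", flat) or "").upper()
        hops.append({
            "from": _first(r"\bfrom\s+(\S+)", flat),
            "by": _first(r"\bby\s+(\S+)", flat),
            "protocol": protocol or None,
            "encrypted": protocol in TLS_PROTOCOLS,
        })
    return hops


def unencrypted_hops(hops):
    """Hops whose header does not claim TLS (or names no protocol at all)."""
    return [hop for hop in hops if not hop["encrypted"]]


if __name__ == "__main__":
    for hop in hop_report(SAMPLE_MESSAGE):
        state = "TLS" if hop["encrypted"] else "no TLS recorded"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["protocol"]} ({state})')
```

The hop that matters for the article's point is the one between the two providers; hops inside a single provider (localhost, LMTP delivery) often show no TLS. A header is only as trustworthy as the server that wrote it.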

Should you switch?

If you spend any time experimenting with STARTTLS.info, you’ll quickly see how badly many consumer Internet providers’ mail services lag behind webmail. Comcast is turning on TLS one provider at a time, and CenturyLink already supports it. But Time Warner Cable, Verizon, and Cox have not announced plans to enable TLS.

Among webmail companies, Yahoo followed Gmail by turning on TLS in the first quarter of this year, AOL has done the same, and Microsoft is “currently rolling out TLS,” a spokesperson said. 

Checks of Apple’s services show patchy support, and the company did not answer a request for clarification.

There are good reasons to separate your email from your ISP — starting with not having to worry about running out of online storage or having to send hundreds of change-of-address notices if you switch providers. But webmail has its own privacy issue: Most of these services are paid for by ads that target the words in your messages. 

In the future, we will discuss email security choices...

Tech Support Claims Your Hard Disk Will Be Deleted

Symantec warns that tech support scams are getting more sophisticated by the month: "These scams remain one of the major and evolving forces in the computer security landscape. Between January 1 and April 30 this year, the Internet Crime Complaint Center (IC3) received 3,668 complaints related to tech support scams, which amounted to adjusted losses of almost US 2.27m dollars."

Recently, Symantec has observed a new feature in the tech support scams it is detecting – the use of code obfuscators. Early tech support scams had their entire malicious code clearly visible. Now code obfuscation, which was mostly seen with exploit kits, has made its way to tech support scams.

So, what is this new scam?

A warning that a victim's hard drive will be wiped of all data... unless, of course, they call the fake customer support number. This scam kicks off when a user visits a compromised website. Immediately, it tries to scare the victim with an unusual tactic, Symantec explains:

"The web page displays a fake 'hard drive delete timer' that warns the user that their hard drive will be deleted within five minutes. A warning audio tone is also played in the background, which again warns the user that their system is infected."

The scam also displays a pop-up alert in the browser that the user's computer has been infected by a virus and that they must call a support number to resolve the issue.

I suggest you send this to your employees, friends and family:

"Bad guys are coming up with new ways to scam you out of your money all the time. Their latest trick is a Tech Support scam that puts a big warning screen on your computer, claiming that if you do not call the support number, your whole hard disk will be deleted in 5 minutes.

There are variations of this scam that claim they are your Internet Service Provider, or claim to be Microsoft and you need an urgent update you need to call in for, or they show you a blue screen that claims your computer needs to be repaired. There is always a number to call, and these scammers will try to put hundreds of dollars on your credit card.

Don't fall for it! If you see error messages on the screen, follow policy and contact the person in your organization responsible for IT problems. If you see this on a computer at the house, ignore these messages and do not call the fake tech support number!"

From January 1 2016 through October, Symantec’s IPS blocked more than 157 million tech support scams. Their figures also showed that the countries targeted the most by tech support scams were the US, UK and Canada.

PS: For KnowBe4 Customers, did you know we have a new campaign that takes the most recent Scam Of The Week, and sends this automatically to your users? Set-it-and-forget-it! And there is also another new campaign; we take the Top 10 real phishing attacks of the last week, de-fang them, and send random ones to your users to inoculate them.

Tech Support Fraud

(KnowBe4) We spotted an unusual phishing email which revealed a new scam your users will soon find in their inbox. Time to inoculate them before it becomes a problem! 

Many online service providers like Microsoft, Google, Facebook, Twitter, and PayPal have adopted a policy to warn users via email when there is a possible security-related event like "unusual sign-in activity". 

Copies of these emails have been used for credential phishing for a few years, but the problem is these security notifications are now being used by bad guys as a new attack vector for a tech support scam. 

These new "phish" point victims to a 1-800 number where either a scammer picks up, or the victim gets sent to voice mail hell for a while and their number is queued for a fraudulent follow-up call like the one below, which was sent to us by one of our customers -- who were well trained -- and did not fall for the scam. 

So, I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit: 

"There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer. 

Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately. 

If you do, two things may happen: 

1) You get to talk right away with a real internet criminal, usually with a foreign accent, that tries to scam you. They claim there is a problem with your computer, "fix" it, and ask for your credit card. 

2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you and try the same scam. 

Remember, if you get any emails that either promise something too good to be true, OR look like you need to prevent a negative consequence, Think Before You Click and in this case before you pick up the phone. 

If you decide to call any vendor, go to their website and call the number listed there. Never use a phone number from any email you may have received. Here is a real example of such a call. Don't fall for it!"

Tech support scam new wrinkle

The tech support scam is nothing new, but it continues to take different forms as scammers figure out new ways to panic computer users into handing over their credit card information.

Security site Malwarebytes reports an increase in these tech support scams attacking Chrome users with fake virus warnings. In a new twist, these scams sometimes successfully lock up users’ browsers.

As the browser freezes, a message appears warning the computer user to call Microsoft tech support for help immediately. The message also provides a toll free number -- but instead of connecting the frightened consumer to Microsoft, a scammer is waiting on the other end who requires a credit card payment before providing assistance.

The screen grab below, provided by Malwarebytes, shows what the computer user sees when the scammer strikes and how their computer's performance is affected.

Photo via Malwarebytes

Dubious websites and ads

A consumer encounters this frightening scam when they visit a website that has embedded the malicious code, or when they come across an advertisement that launches the warning.

Consumers can avoid this scam -- and most tech support scams in general -- by avoiding unfamiliar websites. If users do get an onscreen warning, they should never call the number on the screen.

Microsoft, meanwhile, would like to know about any tech support scams consumers encounter that mention the company’s name. You can report it here.

Law enforcement stepping up

Law enforcement has successfully cracked down on tech support scammers in recent months. In January, a federal court seized the assets of an alleged tech support scam operation and ordered them distributed to the scam's victims.

The Federal Trade Commission (FTC) had accused the defendants of using internet ads and popups that claimed to be from major tech companies like Microsoft and Apple to trick consumers into calling the defendants and buying tech support services.

States have also been active in pursuing tech support scammers. In 2016, Florida Attorney General Pam Bondi joined with the FTC in securing a $27 million settlement with two companies accused of selling bogus software for $30 to fix non-existent computer problems.

Tell if a Link Is Safe Without Clicking on It

Even the best security software can’t protect you from the headaches you’ll encounter if you click an unsafe link. Unsafe links appear to be shortcuts to funny videos, shocking news stories, awesome deals, or “Like” buttons, but are really designed to steal your personal information or hijack your computer. Your friends can unknowingly pass on unsafe links in emails, Facebook posts, and instant messages. You’ll also encounter unsafe links in website ads and search results. Use these link-scanning tips to check suspicious links. All of these solutions are free, fast, and don’t require you to download anything.

Ten Dangerous Search Terms

Can you really get in trouble just by conducting an Internet search? If you click on the links in those results, you can, especially when you use certain search terms or look for certain products...

It probably doesn't come as a big surprise that “free music downloads” carries a big risk that you'll find sites containing malware, but did you know that “iPhone” is another of the most dangerous search terms? AV vendor McAfee recently conducted a study to determine the top ten riskiest search terms and categories, and this is what they found:

http://www.telegraph.co.uk/comment/5406066/The-top-10-most-dangerous-internet-search-terms.html

These Hackers Make 6 Figures

Who’s paying these prices? Western governments, and specifically the U.S., says the Grugq, who himself is a native of South Africa. He limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more. “Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money,” he says, explaining that he has no contacts in the Russian government. “Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily.”

As for China, he says that the country has too many hackers who sell only to the Chinese government, pushing down prices. “The market is very depressed,” he says. Other regions like the Middle East and the rest of Asia can’t match Western prices either.

As a result, the Grugq earns 80% of his revenue from the U.S., though occasionally the developers who work with him have asked that he sell only to Europeans. Over more than a decade in the hacker scene, he’s met enough federal agents to have contacts at multiple U.S. agencies, and he knows how to package his developer’s exploits for sale to those buyers, with professional marketing and support. “You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation,” he says. “The only difference is that you only sell one license, ever, and everyone calls you evil.”

They Say You have no privacy or security so get over it

( @ Tech Republic) Adultery has always been a precarious act, but it became even more so this past week as pro-infidelity site Ashley Madison was hacked. Ironically, the hackers, who have threatened to release all personal information on users of the site, weren't so much incensed by the infidelity as Ashley Madison's privacy policies.

Welcome to the wonderful world of (in)security. Or, to paraphrase former Sun Microsystems CEO Scott McNealy, "You have zero security. Get over it."

Unfortunately, enterprises are overestimating their ability to secure their data, even as they paper over years of buggy code. No amount of security software can overcome poorly architected code.

Overestimating security

At least, that's what we think about other organizations. Security professionals, as highlighted in a recent The Aspen Institute and Intel Security survey, are bullish on their own ability to secure their enterprises, despite apparently contradictory evidence.

For example, security professionals look back on the bad old days of security breaches and 50% acknowledge their organizations were "very or extremely" vulnerable three years ago, but only 27% believe that their organizations are currently "very or extremely" vulnerable.

And yet, over 70% believe the security threat level is rising against their enterprise, while a third had an incident upset availability. Meanwhile, 89% of respondents had at least one attack on a (secure) system within the past three years, with a median of close to 20 attacks per year. Of these, 59% said at least one of these attacks resulted in physical damage.

This isn't to suggest that security professionals are clueless—rather, that security is hard.

Because it's hard, often we fail to do the things necessary to deliver security. As ITS Partners data security architect Jonathan Jesse told me, "There are a lot of things that can be done to deliver strong enterprise security. It is just a lot of work and most people don't [do it]."

Of these things enterprises can do to improve security, Black Hat review board member Chris Rohlf cites two:

Figure A

(Two-factor authentication (also known as 2FA) provides identification of users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user.)

Everything else, from imposing password complexity to filtering mail attachments, largely fails, as WiKID Systems CEO Nick Owen confirms.

Unfortunately, things only look worse as we move to the devices used to access enterprise data. As John Leyden highlights, "The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws."

But let's be clear: this isn't really about Android vs. iOS fragmentation or underlying security credentials. It's about people and how we use our devices.

Or how we code.

Bad code all the way down

This might ultimately be the biggest problem with security: our software sucks, to quote Professor Zeynep Tufekci.

It's not that anyone sets out to write bad software, filled with security holes. We simply fall into this mess due to "Software engineers do[ing] what they can, as fast as they can," because that's what the market (and managers) expects of them.

As developers code, they build on others' code, often poorly documented, which results in "a lot of equivalent of 'duct-tape' in the code, holding things together." Or, as Tufekci colorfully describes:

"Think of it as needing more space in your house, so you decide you want to build a second story. But the house was never built right to begin with, with no proper architectural planning, and you don't really know which are the weight-bearing walls. You make your best guess, go up a floor and... cross your fingers. And then you do it again. That is how a lot of our older software systems that control crucial parts of infrastructure are run. This works for a while, but every new layer adds more vulnerability. We are building skyscraper favelas in code—in earthquake zones."

The right thing to do is likely to rewrite the software, but who has time? As she concludes, there's "not much interest in spending real money in fixing the boring but important problems with the software infrastructure." We want new features, not removal of technical debt.

And this may be one big reason that our enterprises remain non-secured. There are ways to improve security, as stated, but ultimately, we may be building on a porous foundation. Nor does it help that plenty of security problems are an inside job, as the Ashley Madison breach seems to be.

In sum, security problems are ultimately people problems: those we hire, those who code, those who refuse to protect their passwords, etc. If our systems aren't secure, it's because they're built and enforced by people.

Think MACs are Safe from Viruses - One in Five

One in five Mac computers is carrying malware that could spread to PCs, according to new research from security vendor Sophos.

The security team ran its Mac antivirus software on 100,000 Mac computers. It found that most of the malware found is directed at Windows PCs, so Macs harboring the infections don't show any symptoms, unless perhaps the Mac is also running Windows. However, those computers can also spread malware to Windows PCs.

Sophos also found that one in 36 Macs, or 2.7 percent, were carrying Mac OS X malware. Of those, 75 percent harbored the Flashback malware. Numbers vary on Flashback's spread, but some estimates pegged the number at 650,000 Macs infected over the past few months. It's installed when it tricks users into downloading a fake version of Adobe (Nasdaq: ADBE) Flash Player. Apple (Nasdaq: AAPL) issued a Java update for Mac OS X to help remove the infection.

Another 18 percent of the Mac computers analyzed by Sophos were found with MacDefender scareware. The remaining threats included fake antivirus attacks, which can obtain credit card information from users.


Tired of being spied on? Spy back with a dashboard camera

(James R. Hood @ ConsumerAffairs) Do you feel like everybody's spying on you? Don't worry, you're not paranoid, you're right. Everybody is spying on you -- the government, retailers and those elusive Internet sleuths who track your every move, among others.

 

 

Even our very own beloved local cops are spying on us, using fender-mounted cameras to go clickety-click each time another license plate goes by. Most police cars also have forward-pointing cameras to record what goes on when they pull you over.

Well, guess what, it's about time we returned the favor and started spying on everybody else. One way to do that is to take a page from the cops and mount a dashboard camera in your car -- something that will just sit there quietly recording your every move behind the wheel and, of course, the actions of every car, bike, pedestrian, traffic light and stray deer you run across, or into.

Get the right camera and you'll have a built-in defense against traffic tickets, assuming of course that you really didn't do whatever it is you're accused of. Many cameras come with time and GPS stamps and many also record your speed. Not only can you prove you didn't run that red light at Spruce and Main, you can also prove that you were on the Jersey Turnpike at the very moment someone ransacked your ex-spouse's home in Massachusetts. 

Also, in the event of an accident, a good dashboard camera will show exactly what happened -- whether that speeding Porsche ran the light as you say it did or whether that delivery truck really backed into you in the parking lot (the truck driver, of course, says you slammed into him).

Always awake

Most cameras will even protect your car while it's parked. The good ones automatically come to life at any sign of an impact. So that dodo who backs into your cream-colored Lexus and speeds off won't get away with it.

Oh, and let's not forget others who drive your car -- your spouse and children, perhaps. These cameras quickly fade into the woodwork so your family members' true driving habits will soon be visible. It's a dead-certain way to make sure your 17-year-old isn't doing anything he or she shouldn't (not that he or she would, of course. Just saying ...).

I had been afraid the dashboard cameras would quickly become a magnet for crooks. But after trying out a few, I now see a different concern -- once installed with the two-sided tape that accompanies most models, they are nearly impossible to remove. So make sure it's where you want it before you do the deed. 

You may want to get a professional installer to hard-wire the device into your car's electrical circuits. Plugging it into the cigarette lighter is really ugly and makes it too easy for your 17-year-old to disable it. 

Also, these things get hot. Even when my cars were parked in a dark garage, the cameras were warm to the touch after they had been sitting overnight. Not sure what would happen if the car was parked on Camelback Avenue in Phoenix. 

Black box questions

One final thing: there has been some controversy about the "black box" that resides silently in many newer cars. Sometimes prosecutors and personal injury lawyers subpoena the devices to build a case against you. While that could happen with a dashboard camera, it at least is under your control. If you want to rip it out and back over it before the cops get there, go ahead. But don't say we told you to do it.

The folks at SpyTec were nice enough to loan me several cameras for this article. I wasn't able to test all of them extensively but I put two through their paces and found them both more than up to the task. 

DR-32

The DR-32 is a mid-range model, listed at $134.95 on the SpyTec site. Installation was a snap, as was set-up. Actually, there really is no set-up, other than finding the best location for the camera, taping it to the windshield and plugging it into what we still quaintly call the cigarette lighter. The camera uses a Micro SD card, which is not included, so be sure to order one before trying to use the camera.

The camera works well enough but I found the video choppy, the audio inconsistent and the general video quality not on a par with the other models I tested. Also, when I played the video back on my laptop, it displayed date and time but not speed and other essential information. 

In this brief demo, the camera is mounted on the right side of the mirror in a Volkswagen Tiguan as my wife drives it sedately on a Sunday-morning errand.

 

The Lukas Cuty

This is one mean-looking camera. It looks like it belongs in a Porsche or a Ferrari. I couldn't scare up a Ferrari but I mounted it in my 1999 Porsche 911. It worked great but the windshield in the Porsche is raked at a pretty sharp angle and I realized after pasting the thing to the glass that the wide-angle lens was picking up the corner of the rear-view mirror.

Other than that, the Cuty was cute as could be. It fired right up and started shooting crisp video and recording every exhaust burble. The Cuty uses a standard-size SD card, which is a point in its favor in my opinion. Unless you are a brain surgeon, the tiny Micro SD card that many cameras use is just too hard to handle.

Perhaps more important, the Cuty includes the time/date stamp, speed and other information on the video read-out. It also displays your speed while you're driving and starts beeping at you if it detects excessive foot-heaviness.

For $199, this one gets a Best Value award in my book. 

Here's a brief spin in the Porsche:

 

Pittasoft Blackvue

At $299, this is the most expensive of the cameras I examined and may be the best for car enthusiasts who want the very highest performance and, perhaps more significantly, drive cars with sharply-angled windshields, like my old Porsche. Its unique cylindrical shape lets you slide it in front of the rear-view mirror, slipping into spaces that are too tight for bigger cameras.

I found it a bit complex to set up and sort of ran out of time. If it interests you, here's a fairly comprehensive review and set-up guide from a British car enthusiasts' site.

I suspect these will soon be standard equipment on most cars, but if security is important to you -- or if you just like to watch videos of your trips to the liquor store -- these cameras offer a lot of technology for just a few bucks. Besides, when they become standard equipment, they'll probably include a chip that sends a record of your activities to the NSA or Google or somebody, so there's a real advantage to being an early adopter.

Full disclosure: SpyTec loaned me the cameras for this review and I returned them promptly after finishing this article. There was no other promotional or monetary consideration.

Tonight is Patch Tuesday October 11, 2011

Tonight is Patch Tuesday October 11, 2011. Microsoft will ship 8 security bulletins to address at least 23 documented vulnerabilities affecting the Internet Explorer browser, the Microsoft Windows operating system, .NET Framework and Silverlight, Microsoft Forefront UAG, and Microsoft Host Integration Server.

Two patches affecting IE, Windows and .NET Framework and Silverlight are rated “critical”, usually meaning that vulnerabilities can be exploited remotely to launch code execution attacks without user knowledge.
Six bulletins are rated “important”.
Some of these patches will require a restart after the affected machine is updated.

So leave your computer on tonight and be sure to restart it in the morning.

Track SmartPhone Location with Cheap Hardware and Open Source Software

Researchers have shown it is easy for a third party to track a mobile phone user's location using a cheap phone and some open source software (Image: Shutterstock)

While cop shows have shown us that it's easy for service providers to track a person's location via their mobile phone, researchers at the University of Minnesota have revealed it's also an easy task for hackers. Using a cheap phone and open source software, the researchers were able to track the location of mobile phone users without their knowledge on the GSM network, which is estimated to serve 80 percent of the global mobile market.

According to the new research by computer scientists in the University of Minnesota's College of Science and Engineering, a third party could easily track the location of a mobile phone user without their knowledge because cellular mobile phone networks "leak" the locations of mobile phone users.

"Cell phone towers have to track cell phone subscribers to provide service efficiently," Foo Kune explained. "For example, an incoming voice call requires the network to locate that device so it can allocate the appropriate resources to handle the call. Your cell phone network has to at least loosely track your phone within large regions in order to make it easy to find it."


Twitter restores blocking function after outcry

(Charles Riley @ cnn) Twitter said late Thursday that it had reversed course after an intense public outcry and will restore a feature that allows users to "block" unwanted followers.

 

The company was responding to a virtual revolt led by users who had experienced harassment on the popular social media network.

The offending change removed the ability of individuals to block unwanted followers and hide tweets from that user. Instead, the new rules rendered any blocked account invisible to the user -- similar in function to a "mute" button.

The new policy created the possibility that an abusive user would be able to continue their behavior -- but the target would be unaware.

Critics of the new policy said it was the digital equivalent of wearing a blindfold or plugging your ears. The practice, they said, would have questionable benefits to victims of abuse.

Twitter (TWTR) countered that the new policy would help users who wanted to silence abusive users, but feared retaliation when the offender noticed they had been blocked.

Company executives met Thursday night in San Francisco to discuss the outcry, according to Reuters. A short time later, Twitter said it would reverse the changes.

"We have decided to revert the change after receiving feedback from many users," Michael Sippey, vice president of product, said in a blog post. "We never want to introduce features at the cost of users feeling less safe."

The company said it would continue to explore features designed to protect users from abuse and prevent retaliation. Users still have the option to make their account "private," which restricts all content to approved followers.

The backlash comes after Twitter pledged in August to implement changes that would make its users safer.

In that case, the company was responding to rape threats made against prominent women in the United Kingdom and bomb threats made against journalists.

In response, Twitter introduced an "in-tweet" report abuse button and added extra staff to the teams that handle abuse reports.

Twitter users reveal too much information

(Mark Huffman @ ConsumerAffairs) Social media users compromise their privacy all the time. They post pictures while they are on vacation, for example, advertising the fact they aren't at home. They reveal other personal information that ought to be private.

 

But the social media infrastructure may also present some privacy problems. Chris Weidemann, a graduate student at the University of Southern California (USC), has focused his efforts on Twitter, finding that some Twitter users may be inadvertently revealing their location through updates on the social media channel.

“Really there are four ways a user can give away information,” Weidemann said in an interview. “The first, a user can geo-enable their tweets – meaning they include GPS coordinates. Roughly four to eight percent of all Tweets are geo-enabled - that's 30 million Tweets a day that have GPS coordinates associated with them. This provides accuracy down to the five to 50 foot level, depending on the mobile device the user is using and if they're indoors or outdoors.”

This vulnerability is compounded when a user with geo-enabled Tweets makes reference to a personally identifiable feature that provides additional metadata about the location. For example, someone might Tweet "I just got home from a long day and now I just want to watch TV." Weidemann says that could tell someone, should they want to know, where “home” is.

TMI: A third way users provide location data is when they simply broadcast too much information. For example, someone may Tweet they are meeting friends at a particular restaurant for dinner.

“A process known as natural language geo-coding is used on the text to try and derive location coordinates for these locations,” Weidemann said. “This can be taken one step further when you have a user who provides some geo-enabled Tweets for location reference. For instance, if a user enables GPS sharing on one Tweet, but not the others, I can then use their known locations to narrow down the geo-coding search results for the Tweets without locations.”

The fourth way is far less risky, Weidemann concedes. It uses information gleaned from a public Twitter profile to determine what country and time zone a Tweeter is in.

As part of a research project, Weidemann and fellow researchers developed an application called Twitter2GIS, to analyze the metadata collected by Twitter, including details about the user's hometown, time zone and language. It was then processed by a software program, which mapped and analyzed the data, searching for trends.

Results

Here's what they found: during a one-week sampling period, some 20% of the Tweets they collected showed the user's location to an accuracy of street level or better. Many also revealed their physical location directly through active location monitoring or GPS coordinates.

An additional 2.2% of all Tweets – about 4.4 million a day – provided so-called "ambient" location data, where the user might not be aware that they are divulging their location.

"The downside is that mining this kind of information can also provide opportunities for criminal misuse of data," Weidemann said. "My intent is to educate social media users and inform the public about their privacy."

As a grad school project Weidemann has developed a site called geosocialfootprint.com to keep social media users informed on privacy issues.

Decreasing geo-social footprint

“Not only does the site help them visualize that risk in a map, but it also points out areas of concern, provides a basic risk assessment, and also tries to provide some dynamic suggestions on decreasing a geo-social footprint,” he said.

For Twitter users worried that they might be revealing too much information, the social media site provides some documentation on how to disable geo Tweets and instructions for deleting your old Tweets. 

In the meantime, Weidemann hopes social media users, including those active on Twitter, begin to think more about privacy and exercise more caution. There's a lot more information out there than you think.

“I think most people would be shocked at the results if they paid an investigator to collect information on themselves,” Weidemann said. “I have received feedback already from shocked users, and for now I'm doing nothing more than helping them visualize their Tweets.”

It's especially worrisome, he says, for teenagers and children who use social media. Not only do they open themselves up to location privacy matters but also general privacy concerns.

U.S. intelligence agencies warn against buying Huawei and ZTE phones

Things are still looking pretty bleak for Huawei’s plans to conquer the U.S. market. Earlier this week, half a dozen top members of intelligence agencies, including the FBI, CIA and NSA reaffirmed surveillance concerns about the company and fellow Chinese smartphone maker ZTE.

All of this is nothing new, of course. The companies’ troubles date back at least as far as 2012, when the House Intelligence Committee cited both as potential security risks over close ties to the Chinese government. The following year, they were both barred from selling product to the U.S. government.

FBI director Chris Wray echoed those concerns during a hearing Tuesday, stating, “We're deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don't share our values to gain positions of power inside our telecommunications networks.”

Huawei has since issued a response, accusing the government of “inhibiting [its] business in the U.S. market” and adding, "Huawei is trusted by governments and customers in 170 countries worldwide and poses no greater cybersecurity risk than any ICT vendor, sharing as we do common global supply chains and production capabilities.”

The letter closely echoed the statements of an angry Richard Yu on stage last month at CES. “We’ve won the trust of the Chinese carriers,” Yu fumed at the company’s keynote. “We’ve also won spots on all of the European carriers.”

That off-the-cuff speech came after an AT&T deal fell through last second, seemingly at the behest of the same lawmakers warning against purchasing the company’s hardware. It was a big blow for the company, given that a majority of U.S. phone purchases still go through carriers.

Meantime, Huawei has attempted to double down on non-carrier retailers here in the States. That aggressive push, however, has put the company in even more hot water, as fake reviews for its flagship, the Mate 10 Pro, have reportedly surfaced on Best Buy’s website, apparently linked to a Facebook contest spurred on by Huawei.

This article originally appeared on TechCrunch.

Original Article

U.S. intelligence chiefs advise Americans to avoid products and services from Huawei and ZTE
by Mike Dano | Feb 14, 2018 10:34am

Six of the nation’s top intelligence chiefs told a Senate committee that they would recommend that Americans not use products and services from Chinese companies like ZTE and Huawei for fear of espionage.

"We're deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don't share our values to gain positions of power inside our telecommunications networks," FBI Director Chris Wray told the Senate Intelligence Committee this week, according to CNBC. "That provides the capacity to exert pressure or control over our telecommunications infrastructure. … It provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage."

The FBI director was joined by the heads of the CIA, NSA and the director of national intelligence, among other intelligence agencies.

"This is a challenge I think that is only going to increase, not lessen over time for us," NSA director Adm. Michael Rogers said, according to CNBC. "You need to look long and hard at companies like this."

For its part, Huawei told CNBC that it poses no more security risk than other tech companies because such companies share the same global supply chains and production capabilities.

To be clear, such concerns are not new. A 2011 U.S. government report recommended U.S. companies avoid using equipment from Chinese vendors Huawei and ZTE due to national security concerns. And more recently, both Verizon and AT&T dropped plans this year to sell smartphones from Huawei, a situation mentioned by Huawei’s CEO as a “big loss” during the recent CES show in Las Vegas.

Nonetheless, the statements this week from the nation’s top intelligence officials represent a notable repudiation of those companies’ efforts to break into the U.S. market. Indeed, a number of wireless operators sell smartphones from ZTE, and unlocked Huawei phones are available for sale on Amazon and other stores.

According to IDC, Huawei was the world’s third largest smartphone vendor in the fourth quarter.

UN Votes To Support Internet Eavesdropping

(Declan McCullagh @ CNET) Deep packet inspection standard adopted despite Germany's warning that it will "empower" censorship. Other uses: detecting BitTorrent transfers and identifying "copyright protected audio content." A United Nations summit has adopted confidential recommendations proposed by China that will help network providers target BitTorrent uploaders, detect trading of copyrighted MP3 files, and, critics say, accelerate Internet censorship in repressive nations.

Approval by the U.N.'s International Telecommunications Union came despite objections from Germany, which warned the organization must "not standardize any technical means that would increase the exercise of control over telecommunications content, could be used to empower any censorship of content, or could impede the free flow of information and ideas."

The ITU adopted the confidential Y.2770 standard for deep packet inspection -- only members, not the public, currently have access to the document -- last month during a meeting in Dubai. A related ITU meeting in Dubai, which has drawn sharp criticism from the U.S. government and many Internet companies, began this week.

Because Y.2770 is confidential, many details remain opaque. But a document (PDF) posted by a Korean standards body describes how network operators will be able to identify "embedded digital watermarks in MP3 data," discover "copyright protected audio content," find "Jabber messages with Spanish text," or "identify uploading BitTorrent users." Jabber is also known as XMPP, an instant messaging protocol.

In a joint blog post, Alissa Cooper and Emma Llansó from the Center for Democracy and Technology say that the U.N. agency "barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated."

DPI is, of course, deep packet inspection, a technology that serves many useful purposes, including fending off network attacks, detecting malware, and prioritizing critical applications over ones that are less time-sensitive. But it's controversial when used for legal and extra-legal government surveillance, and some network operators -- including Verizon Wireless -- have edged in this direction for advertising-related purposes as well.

Cooper and Llansó add: "Mandatory standards are a bad idea even when they are well designed. Forcing the world's technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users' rights."

Germany had asked a European telecommunications body called CEPT, which includes 48 member nations, to "take a stand" against the ITU proposal, which was advanced by China's Fiberhome network provider. Germany's concerns about Y.2770, which is formally titled "Requirements for Deep Packet Inspection in Next Generation Networks," appear in a document (MS Word) made available by CEPT.

After discussions, CEPT decided that its member "countries consider that they cannot oppose" Y.2770, according to a report (MS Word) from its October meeting in Istanbul, meaning that no Europe-wide position would be taken against the ITU proposal.

ITU representatives did not immediately respond to requests for comment this morning from CNET (we'll update the article if they do). But an ITU study group describes its mission as developing recommendations for "requirements, architectures, mechanisms, and functionalities" used in deep packet inspection: "This includes study on flexible and effective DPI mechanisms that allow network devices to look at the packet header and payload."

Another controversial section of Y.2770 is that it contemplates having network operators decrypt their customers' Internet traffic so it can be inspected.

A partial early draft (PDF) of Y.2770, called Y.dpireq at the time, that was made public in 2009 does not mention encryption, BitTorrent, or inspecting the contents of instant message communications.

One reason why deep packet inspection is so controversial is that it has been used by repressive regimes -- dozens of which are members of the ITU -- to conduct extensive surveillance against their own citizens.

A Wall Street Journal report last year described how Amesys, a unit of French technology firm Bull SA, helped Moammar Gadhafi spy on his people. Boeing's Narus unit was in talks with Libya about controlling Skype, censoring YouTube, and blocking proxy servers, the Journal reported. In August, The New York Times reported that malware known as FinSpy, sold by a British company called the Gamma Group, could activate computer cameras and microphones and had been linked to repressive governments including Turkmenistan, Brunei, and Bahrain.

This isn't the first time that an ITU proposal has been criticized for its implications for Internet censorship. In 2008, CNET disclosed that the ITU was quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.

A leaked document showed the trace-back mechanism was designed to be used by a government that "tries to identify the source of the negative articles" published by an anonymous author.


UN tells NSA to CUT IT OUT - Can they do that

(Associated Press) The United Nations has advanced a resolution protecting the right to privacy against unlawful surveillance in the digital age -- a clear response to news of widespread spying by the NSA. (AP GraphicsBank)

UNITED NATIONS –  The U.N. General Assembly's human rights committee on Tuesday unanimously adopted a resolution sponsored by Brazil and Germany to protect the right to privacy against unlawful surveillance, following months of reports about U.S. eavesdropping abroad.

The symbolic resolution, which seeks to extend personal privacy rights to all people, followed a series of disclosures of U.S. eavesdropping on foreign leaders, including Brazilian President Dilma Rousseff and German Chancellor Angela Merkel, that surprised and angered allies.

Brazil's Ambassador Antonio de Aguiar Patriota said the resolution "establishes for the first time that human rights should prevail respective of the medium, and therefore need to be protected online and offline."

The resolution expresses deep concern at "the negative impact" that such surveillance, "in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights."

German Ambassador Peter Wittig asked, "Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?"

The consensus adoption of the resolution means it will also unanimously pass the whole 193-member General Assembly in December. General Assembly resolutions aren't legally binding but reflect world opinion and carry political weight.

The United States did not fight the measure after it engaged in lobbying last week with Britain, Canada, Australia and New Zealand, which comprise the "Five Eyes" intelligence-sharing group, to dilute some of the draft resolution's language.

The key compromise dropped the contention that the domestic and international interception and collection of communications and personal data, "in particular massive surveillance," may constitute a human rights violation.

U.S. delegate Elizabeth Cousens told the committee that the United States welcomed Brazil and Germany's sponsorship of the resolution and was pleased to support "privacy rights and the right to freedom of expression."

The draft resolution directs the U.N. human rights chief to report to the Human Rights Council and the General Assembly on the protection and promotion of privacy "in the context of domestic and extraterritorial surveillance ... including on a mass scale."

Last week, five major human rights and privacy groups -- Amnesty International, Human Rights Watch, The Electronic Frontier Foundation, Access and Privacy International -- said this will guarantee that the privacy issue stays on the front burner at the United Nations.

The U.S. has been trying to smooth over tensions with Brazil and Germany over the reported spying.

Rousseff canceled a state visit to Washington after classified documents leaked by former National Security Agency analyst Edward Snowden showed that the NSA hacked the computer network of Brazil's state-run oil company Petrobras and scooped up data on emails and telephone calls flowing through the country.

Merkel and other European leaders expressed anger after reports that the NSA allegedly monitored Merkel's cellphone and swept up millions of French telephone records.

US Taxpayers targeted by phone scam

(James Limbach @ ConsumerAffairs) A sophisticated phone scam targeting taxpayers, including recent immigrants, is making the rounds throughout the country.

According to the Internal Revenue Service (IRS) the targets are told they owe money to the tax agency and must pay promptly through a pre-loaded debit card or wire transfer. Any taxpayer who refuses to cooperate is then threatened with arrest, deportation or suspension of a business or driver’s license. In many cases, the caller becomes hostile and insulting.

“This scam has hit taxpayers in nearly every state in the country. We want to educate taxpayers so they can help protect themselves. Rest assured, we do not and will not ask for credit card numbers over the phone, nor request a pre-paid debit card or wire transfer,” says IRS Acting Commissioner Danny Werfel. “If someone unexpectedly calls claiming to be from the IRS and threatens police arrest, deportation or license revocation if you don’t pay immediately, that is a sign that it really isn’t the IRS calling.”

In actuality, Werfel notes, the first IRS contact with taxpayers on a tax issue is likely to occur via mail.

Recognizing the scam

Other characteristics of this scam include:

  • Scammers use fake names and IRS badge numbers. They generally use common names and surnames to identify themselves.

  • Scammers may be able to recite the last four digits of a victim’s Social Security Number.

  • Scammers spoof the IRS toll-free number on caller ID to make it appear that it’s the IRS calling.

  • Scammers sometimes send bogus IRS emails to some victims to support their bogus calls.

  • Victims hear background noise of other calls being conducted to mimic a call site.

  • After threatening victims with jail time or driver’s license revocation, scammers hang up and others soon call back pretending to be from the local police or DMV, and the caller ID supports their claim.

What to do

If you get a phone call from someone claiming to be from the IRS, here’s what you should do:

  • If you know you owe taxes or you think you might owe taxes, call the IRS at 800-829-1040. The IRS employees at that line can help you with a payment issue -- if there really is such an issue.

  • If you know you don’t owe taxes or have no reason to think that you owe any taxes (for example, you’ve never received a bill or the caller made some bogus threats as described above), then call and report the incident to the Treasury Inspector General for Tax Administration at 800-366-4484.

  • If you’ve been targeted by this scam, you should also contact the Federal Trade Commission and use their “FTC Complaint Assistant” at FTC.gov. Add "IRS Telephone Scam" to the comments of your complaint.

This isn't the only scam targeting taxpayers. There are other unrelated scams (such as a lottery sweepstakes) and solicitations (such as debt relief) that fraudulently claim to be from the IRS.

The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels. The agency also does not ask for PINs, passwords or similar confidential access information for credit card, bank or other financial accounts. Recipients should not open any attachments or click on any links contained in the message. Instead, forward the e-mail to phishing@irs.gov.


USB Computer Killer

 

(Christopher Maynard @ ConsumerAffairs) About a year ago, one Russian hacker showed how a tool that looks like a small USB drive could disable any electronic device with a USB port. This “USB Killer” worked by sending a high-voltage charge through a USB port, effectively frying the internal components.

Now, a Hong Kong company going by the name of USBKill.com has created a similar device called the USB Killer 2.0, and it is making it commercially available to anyone. The company is also releasing another product called the USB Killer Test Shield, which can be used to test devices to see if they are vulnerable to the first device.

The reason for releasing the product, company officials say, is to shine a light on the shortcomings of hardware manufacturers. They say that although the danger of these devices has been known for some time, little has been done to increase product safety.

“To this day, according to our testing, the only company that releases hardware protected against a USB power-surge attack is Apple, on their Laptop and Desktop ranges. This means – despite adequate warning, and time to respond – the majority of consumer-level hardware manufacturers choose not to protect their customer’s devices. We are disheartened by this lack of respect for customers,” said the company in a blog post.

USB Killer 2.0

The USB Killer 2.0 works in a similar way to the original model. After being plugged in, it quickly gains a charge through the USB power source and then discharges it back through the host device’s data lines. The process can take as little as one second and persists until it is removed from the machine.

The process effectively fries the inner components of any machine with a USB port, rendering it useless. The company is selling the USB Killer 2.0 for $49.95 and the Test Shield for $13.95; however, consumers can get free shipping and a 50% discount if they buy the products together.

“As is standard in the InfoSec industry, we are releasing the USB Killer 2.0 publicly, after one year of disclosure. We hope the attention will force manufacturers to respect a customer’s investment in their product, and work to resolve the issue,” the company said.

Protecting against attack

Current protections against this type of attack are lacking, but tech companies are trying to create new ways to counter the threat. For example, experts are currently working on USB Type-C Authentication, which would stop unauthorized devices like a USB drive from connecting to a host device. However, some experts say that it may not be the best solution.

“Nothing would stop a would-be attacker from duplicating a signature – and I would imagine that it would depend on the implementation. If the host device allows any type of communication via the data lines, this could be vulnerable to a power surge,” said Steve Benson of USBKill.com.

Instead, Benson says that a cheap component that is used on Apple devices, which are already safe from such attacks, provides the best means of protection.

“The ultimate solution, and that which vendors in the enterprise field (and Apple, in the commercial field) – have implemented – is the humble optocoupler: a plentifully available, cheap component – made exactly for this purpose.”

What to do

While these new additions may aid consumers in the future, many will probably be wondering how they can protect themselves now. Luckily, by following a few basic steps, anyone can ensure that their device is kept safe from these types of attacks.

First, consumers should never trust any piece of unknown hardware. Unless you’re certain about what a device does and it comes from a trusted source, you shouldn’t use it with any of your own belongings.

For those worried about others plugging malicious devices into their electronics, using a USB condom or capping the USB ports can ensure that they are protected from outside influences.

Unconnected Power Plant Computer Network Gets Virus

BOSTON (Reuters) - A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a U.S. government website.

The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.

It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.

DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.

In addition to not identifying the plants, a DHS spokesman declined to say where they are located.

Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran's nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.

Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are "air gapped," or cut off from the public Internet.

"This is yet another stark reminder that even if a true ‘air gap' is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur," he said.

AGING SYSTEMS

Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have "auto run" features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Clarke said.

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which helps protect critical U.S. infrastructure, described the incident in a quarterly newsletter that was accessed via its website on Wednesday.

The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as "sophisticated" viruses on workstations that were critical to the operations of a power generation facility.

The report did not say who the agency believed was behind the sophisticated virus or if it was capable of sabotage. DHS uses the term "sophisticated" to describe a wide variety of malicious software that is designed to do things besides commit routine cyber crimes. They include viruses capable of espionage and sabotage.

A DHS spokesman could not immediately be reached to comment on the report.

The Department of Homeland Security almost never identifies critical infrastructure operators that are hit by viruses, or even their locations, but it does provide statistics.

It said ICS-CERT responded to 198 cyber incidents reported by energy companies, public water districts and other infrastructure facilities in the fiscal year ending September 30, 2012.

Attacks against the energy sector represented 41 percent of the total number of incidents in fiscal 2012. According to the report, ICS-CERT helped 23 oil and natural gas sector organizations after they were hit by a targeted spear-phishing campaign - when emails with malicious content are specifically targeted at their employees.

The water sector had the second highest number of incidents, representing 15 percent.

(Reporting By Jim Finkle in Boston; Additional reporting by Deborah Charles in Washington; Editing by Tim Dobby and Bob Burgdorfer)

Update Firefox now

(Truman Lewis @ ConsumerAffairs) Mozilla has released a security patch for the Firefox browser after a serious vulnerability was discovered "in the wild."

"A Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine," Firefox security lead Daniel Veditz said in a blog posting.

Veditz said the vulnerability allows malicious attackers to use some JavaScript magic to “search for and upload potentially sensitive” data from your hard drive to their servers.

"The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys. ... People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used," he said.

Mozilla is asking all Firefox users to upgrade immediately. Instructions are on Mozilla's support page.


Verizon Says Skyrocketing Attacks On U.S. Infrastructure Are Real Cyber Threat

The computer security industry tends to produce security reports with the frequency that Main Street produces parades. Still, among the cacophony of security organizations trumpeting their data, Verizon’s Data Breach Investigations Report has stood out, thanks to the breadth of its network and the depth of its data.

 

Since 2008, the DBIR has provided a snapshot of data breaches in the United States. In recent years, Verizon’s RISK Team, which is responsible for the report, has recorded attacks motivated by hacktivism, financial gain and espionage. Early last year, however, Bryan Sartin, the director of Verizon’s RISK team, noticed a disturbing new pattern.

Cyber attacks against critical infrastructure had skyrocketed. “It was around the second week of March when we noticed that nearly five out of every six attacks were against critical infrastructure,” Sartin recalled. Among the targeted infrastructure was everything from systems that control traffic lights in large cities to nuclear plants, water treatment plants, large manufacturers, defense contractors and high tech companies. Of particular interest: air traffic controllers.

“Overnight, something changed,” Sartin said, noting that nation states like China appear to be behind more than 25 percent of the attacks.

A series of high-profile corporate hacks targeting brands has dominated recent headlines. Both Burger King and Jeep lost control of their Twitter accounts over the last week. But the exploits of so-called hacktivists, who were the focus of last year’s DBIR report, are increasingly treated as no more than nuisances thanks to rising concern about more serious threats.

On Monday, Senator Dianne Feinstein affirmed a report by Mandiant, a security firm, that a hacker group affiliated with China’s People’s Liberation Army and known as APT1 had systematically stolen hundreds of terabytes of data from at least 141 organizations. “I read the Mandiant report,” Feinstein said. “I’ve also read other reports, classified out of Intelligence, and I think the Mandiant Report, which is now unclassified, it’s public, is essentially correct.”

APT1 is believed to be one of a dozen or more hacker groups that are affiliated with the Chinese army.

According to Mandiant, the Chinese hackers conducted sporadic attacks on U.S. corporate and government networks since at least 2006, stealing everything from technology blueprints to clinical trial results. But recently, they’ve been increasingly turning their attention to critical infrastructure like the electrical power grid and gas lines, the New York Times wrote in a recent report on the hacker group.

Earlier this month, President Obama signed an executive order that directed federal agencies to improve information sharing about cyber threats with companies that own and operate critical infrastructure.

Joining Verizon in its data collection efforts this year are 17 global security organizations. The organizations include the CERT Coordination Center, the Electricity Sector Information Sharing and Analysis Center, the European Cyber Crime Center, the Malaysia Computer Emergency Response Team, the Australian Federal Police and the Irish Reporting and Information Security Service. “Their data looks strikingly similar to ours,” Sartin said.

Verizon provided a preview of the DBIR report on Tuesday at the annual RSA security conference in San Francisco.


Verizon and AT&T secretly track ALL retail cell phone customers

(Jennifer Abel @ ConsumerAffairs) If you count yourself among the nearly 9 out of 10 web users (as of September 2013) who periodically clear your cookies, disable your browser history, or otherwise take steps to maintain some semblance of privacy and anonymity online, bear in mind that if you're a cellular customer of AT&T or Verizon, your efforts are most likely useless: they're tracking all your online phone-based activities anyway.

 

The Washington Post reported Monday night that Verizon and AT&T have been tracking the activities of up to 100 million of their cellular customers with so-called “supercookies” — tracking markers so powerful, even conscientious and tech-savvy users find them hard to avoid:

The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance.

Short-term serial number

What the Post calls “supercookies,” Wired and Forbes call “perma-cookies”; on Oct. 27, Wired warned its readers that “Verizon's 'perma-cookie' is a privacy-killing machine.” But how does it actually work?

Verizon Wireless has been subtly altering the web traffic of its wireless customers for the past two years, inserting a string of about 50 letters, numbers, and characters into data flowing between these customers and the websites they visit.

The company—one of the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers—calls this a Unique Identifier Header, or UIDH. It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program. But critics say that it’s also a reckless misuse of Verizon’s power as an internet service provider—something that could be used as a trump card to obviate established privacy tools such as private browsing sessions or “do not track” features.

Of course, the only people who seem to think “Internet privacy” is a good thing are actual Internet users; everyone else, from hackers and identity thieves to the advertising industry and the United States government (particularly the FBI and NSA) would prefer to collect as much information about people as they possibly can.

A Verizon spokeswoman told Wired that there's no way to turn this perma-cookie feature off. But a spokeswoman for AT&T told the Washington Post that AT&T, unlike Verizon, changes its “supercookie” every 24 hours to protect privacy.
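To make the mechanism concrete, here is an added example (not code from Verizon, AT&T or the article) that models the in-network header insertion and the check a user or site operator could run by comparing what a browser sent with what a header-echo endpoint received. The header name `X-UIDH`, the HMAC token derivation, and all function names and sample values are assumptions or constructed for illustration.

```python
import hashlib
import hmac

# Assumption: "X-UIDH" is the header name from public reporting on Verizon's
# Unique Identifier Header; the article itself gives only the acronym UIDH.
INJECTED_HEADER = "X-UIDH"


def carrier_proxy(headers, subscriber_id, epoch=0, key=b"constructed-demo-key"):
    """Model the on-path rewrite: copy the request and add a per-subscriber token.

    `epoch` models rotation of the value (for example, a new value every 24 hours).
    The HMAC construction is a stand-in chosen for this example.
    """
    token = hmac.new(key, f"{subscriber_id}:{epoch}".encode(), hashlib.sha256)
    rewritten = dict(headers)
    rewritten[INJECTED_HEADER] = token.hexdigest()[:50]  # "about 50" characters
    return rewritten


def browser_request(cookie=None, do_not_track=False):
    """Headers as the browser sends them, before they leave the handset (constructed)."""
    headers = {"Host": "echo.example", "User-Agent": "constructed-browser/1.0"}
    if cookie is not None:
        headers["Cookie"] = cookie
    if do_not_track:
        headers["DNT"] = "1"
    return headers


def headers_added_in_transit(sent, received):
    """Compare what the client sent with what an echo endpoint says it received.

    Header names are case-insensitive, so compare on lower-cased names.
    Returns {name: value} for headers that arrived but were never sent.
    """
    sent_names = {name.lower() for name in sent}
    return {n: v for n, v in received.items() if n.lower() not in sent_names}


def cross_session_identifiers(observations):
    """Lower-cased names of added headers whose value is identical in every observation.

    Each observation is the dict returned by headers_added_in_transit() for one
    independent browser session. A value that survives a cookie wipe and a
    private window is usable as a tracking identifier.
    """
    if not observations:
        return set()
    first = {name.lower(): value for name, value in observations[0].items()}
    stable = set(first)
    for obs in observations[1:]:
        lowered = {n.lower(): v for n, v in obs.items()}
        stable = {n for n in stable if lowered.get(n) == first[n]}
    return stable


def run_check(subscriber_id="subscriber-A", epochs=(0, 0)):
    """Two sessions from one handset: a normal one, then a private one with
    cookies cleared and Do Not Track set. `epochs` sets the token epoch for each."""
    normal = browser_request(cookie="session=abc123")
    private = browser_request(cookie=None, do_not_track=True)
    observations = []
    for sent, epoch in ((normal, epochs[0]), (private, epochs[1])):
        received = carrier_proxy(sent, subscriber_id, epoch)  # what the echo endpoint sees
        observations.append(headers_added_in_transit(sent, received))
    return observations, cross_session_identifiers(observations)


if __name__ == "__main__":
    obs, stable = run_check()
    print("added in transit:", obs)
    print("stable across sessions:", stable)
    print("stable after rotation:", run_check(epochs=(0, 1))[1])
```

The second call shows why rotation matters: once the value changes between sessions, the header no longer links them, although it still identifies the subscriber within each rotation period.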

Yet the program has been around, though largely unnoticed, for months; back in May, Ad Age reported that Verizon's marketing arm, Precision Market Insights, was forming a partnership with three other companies to sell a “tool to advertisers for mobile ad campaigns.” At the time, Ad Age described that advertising tool as “a cookie alternative for a marketing space vexed by the absence of cookies.”

Translation: a way to track users who vexingly do not want to be tracked.

Incidentally, these cookie alternatives are only found on so-called “retail” accounts – corporate and government phone accounts are not being tracked by these supercookies or perma-cookies. As Jacob Hoffman-Andrews, a senior staff technologist for the pro-privacy Electronic Frontier Foundation, observed on Twitter when he called attention to the May Ad Age story in late October:

"Corporate and government subscribers are excluded from the new marketing solution." In other words: we know this is bad.

Verizon tracks ALL smartphone customers

(Jim Hood @ ConsumerAffairs) Google and the NSA, among others, have taken a lot of heat for tracking Americans' activities. Ah, but they're not really able to track every step you take, every move you make, as the old song has it.

So, who can? Why, your cell phone carrier, of course, and it turns out they're doing just that.

Verizon has a new division called Precision Marketing Insights that will initially help sports clubs and venues learn more about their fans by tracking their activities before and after the game.

Do all those ringside ads and promotions on the scoreboards really cause fans to stop off at Pizza King on the way home? Do NASCAR fans stop off at a Sunoco station after a day at the races?

The NBA Phoenix Suns tested the service last season, Ad Age reports today, and the Portland Trail Blazers are said to be thinking about it.

A byproduct

The technology behind this is pretty simple, once you have a massive cellular network in place. As Colson Hillier, VP of Verizon Precision Market Insights, explained it to Ad Age, tracking customers is really just "a byproduct of being a network operator."

That's because, even when you're not using it, your smartphone is constantly pinging the network, letting it know that it's available to take calls and receive text messages. 

"We can tie a device back to the cell towers which it registers against," said Hillier, and that pretty much tells you where each customer is, within a block or two.

While this could be a game-changer for sports teams, it could be an even more effective tool for retailers, as Hillier sees it. "There's no reason a retailer couldn't try to understand what's happening around their location," he said.

It's anonymized

Does this mean Home Depot would know that after you kicked the tires on all those lawn tractors, you ended up buying one at Costco?

Well, as usual, the official answer is no. Verizon says it "anonymizes" the data, scrubbing it of individual identities. However, and it's a fairly big however, it adds in demographic data that it gets from Big Data vendors like Experian, so that the behavior patterns of, say, suburban married white males 25-49 with two children, would become evident.

Frequent stops at McDonald's perhaps?

Verizon executives at a recent conference said they had thought through all the privacy issues and didn't find any problems. Besides, they said, the terms and conditions section of their wireless service contracts makes it clear that they're allowed to do this. So, no problem.

Virus Hits US Drones and Nobody Cares (enough)

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech.

Virus Plays Random Radio Ads in the background

 
 

Malware which plays audio advertisements is nothing new. We constantly receive emails from our readers reporting that their PCs were producing unusual sounds and playing audio/sound ads even with no programs open or running at the time. Audio ads usually last 10-20 seconds and blast at random times or regularly two to five times an hour. It could be 30 seconds of music or clips of commercials and even repeated insults like 'you are fool' and other impolite noises. Generally, PC users call it the 'audio ads virus'. However, this really isn't a correct classification because a computer virus, by strict definition, is a program which spreads by attaching copies of itself to executable objects. Ads, including audio advertisements, are very often caused by adware, Trojan horses and rootkits.

Even after compromised computers are scanned several times with anti-virus software, the audio ads virus can escape detection while it continues to play ads. What is more, malware which plays these annoying audio advertisements may redirect users to spam or infected websites and even disconnect them from the Internet. This clearly indicates that malware is present. Unfortunately, not all antivirus companies detect or remove this deceptive software because it is different from malware. Besides, sometimes it could be a browser helper object (BHO) or a browser extension that causes audio advertisements and redirects. So, it's not necessarily because of a malware infection. If you hear audio ads on certain websites only, it could be that webmasters use the Pay Per Play marketing method to earn some cash.

It's not too hard to imagine why the 'Audio Ads Virus' problem is very annoying and persistent. There's simply no way to fix it using a single utility. The following removal procedure has been created to help you remove malware which plays audio advertisements. Please follow the steps below very carefully. Good luck and be safe online!
 


Audio Ads Virus removal instructions:

1. Manage Internet Explorer add-ons. Remove or disable unknown/suspicious add-ons and browser extensions. Open Internet Explorer. In Internet Explorer go to: Tools->Manage Add-ons. Uninstall unknown or suspicious Toolbars.

You should remove potentially harmful add-ons in all web browsers.

2. Scan your computer with TDSSKiller and the ZeroAccess removal utility to remove rootkits from your computer (if any exist).

TDSSKiller: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
ZeroAccess removal utility: http://anywhere.webrootcloudav.com/antizeroaccess.exe

Wait for the scan and disinfection process to be over. It might be necessary to reboot your computer after the disinfection is over.

3. Run a thorough check for malware. Download recommended anti-malware software and run a full system scan to remove this audio ads virus from your computer.
 

4. Use CCleaner to remove unnecessary system/temp files and browser cache. CCleaner is a freeware system optimization tool. It’s always a good idea to get rid of unnecessary internet/system files or corrupted Windows registry values that may cause various problems on your computer. Download CCleaner.

If neither anti-malware software nor self-help resolved the issue, you can leave a comment below and ask for help or start a new thread in computer tech and malware removal forums.

Warning - Apps That Collect and Share Health Data Not Covered By Privacy Law

 

(Christopher Maynard @ ConsumerAffairs) New technologies are constantly making it easier for the average consumer to track and manage their own health. There are numerous apps, tests, and devices that cover everything from measuring your blood sugar to tracking your weight-loss goals.

These devices have helped millions of people save time and energy by letting them take their health into their own hands. Consumers beware, though: much of the personal information that you put into these health-based technologies can easily be picked up by third parties on the web. And the worst part? None of this information is currently protected by medical data privacy laws.

No coverage

This information was discovered quite accidentally by a security expert, according to a ProPublica report. While examining the tech used for a home paternity test that she'd purchased, the expert found that making a small change to the information in the browser's address bar allowed her to see health information for over 6,000 other consumers.

As surprised as she was about this apparent breach of medical data privacy law, the fact that she could access this health directory is not actually illegal. In the U.S., health data is something that is very stringently protected by the government. The Health Insurance Portability and Accountability Act (HIPAA) requires medical providers to keep your health information private and secure. Those that fail to do so face stiff penalties for their negligence.

However, HIPAA is not a universal law. Only certain organizations – such as health care practitioners, health insurance companies, and “health care clearinghouses” – have to follow it, along with any employees that work for them. Any apps or devices that record health data do not have to be so careful with your information. In fact, they can do anything they want with that data.

Glaring weakness

After making her discovery, the security expert immediately reported what she thought was a violation to the Department of Human Services. They replied, telling her that there was nothing they could do about the breach since at-home apps and personal devices do not fall under their jurisdiction.

But why is there such a glaring weakness in this privacy law? When HIPAA was first created, those who drew it up did their best to make sure that there were as few loopholes as possible that could be exploited. Unfortunately, the law was created more than 20 years ago when much of the technology that we have now did not even exist. There were no provisos made for things like apps or personal health devices, so they simply aren't covered under the law.

This giant loophole has been a problem for years now in different areas of the world. ProPublica reports that the full paternity and drug test records of an Australian business were easily found using a Google search in 2011. Police were able to use public genealogy records just last year to match DNA to crime suspects. Of course, there is always the threat that a third party could do much more insidious things with the personal information and health data of many consumers.

In order to rectify this lack of coverage, Congress asked the HHS and FTC in 2009 to make recommendations on how to update HIPAA. The organizations were charged with working together to find a solution on how to handle health data that is collected by new technologies - but six years later that report has still not been completed.

Warning - Apps That Collect and Share Health Data Not Covered By Privacy Law

 

Photo (c) ave_mario - Fotolia

(Christopher Maynard @ ConsumerAffairs) New technologies are constantly making it easier for the average consumer to track and manage their own health. There are numerous apps, tests, and devices that cover everything from measuring your blood sugar to tracking your weight-loss goals.

These devices have helped millions of people save time and energy by letting them take their health into their own hands. Consumers beware, though: much of the personal information that you put into these health-based technologies can easily be picked up by third parties on the web. And the worst part? None of this information is currently protected by medical data privacy laws.

No coverage

This information was discovered quite accidentally by a security expert, according to a ProPublica report. While examining the tech used for a home paternity test that she'd purchased, the expert found that making a small change to the information in the browser's address bar allowed her to see health information for over 6,000 other consumers.

As surprised as she was about this apparent breach of medical data privacy law, the fact that she could access this health directory is not actually illegal. In the U.S., health data is something that is very stringently protected by the government. The Health Insurance Portability and Accountability Act (HIPAA) requires medical providers to keep your health information private and secure. Those that fail to do so face stiff penalties for their negligence.

However, HIPAA is not a universal law. Only certain organizations – such as health care practitioners, health insurance companies, and “health care clearinghouses” – have to follow it, along with any employees that work for them. Any apps or devices that record health data do not have to be so careful with your information. In fact, they can do anything they want with that data.

Glaring weakness

After making her discovery, the security expert immediately reported what she thought was a violation to the Department of Human Services. They replied, telling her that there was nothing they could do about the breach since at-home apps and personal devices do not fall under their jurisdiction.

But why is there such a glaring weakness in this privacy law? When HIPAA was first created, those who drew it up did their best to make sure that there were as few loopholes as possible that could be exploited. Unfortunately, the law was created more than 20 years ago when much of the technology that we have now did not even exist. There were no provisos made for things like apps or personal health devices, so they simply aren't covered under the law.

This giant loophole has been a problem for years now in different areas of the world. ProPublica reports that the full paternity and drug test records of an Australian business were easily found using a Google search in 2011. Police were able to use public genealogy records just last year to match DNA to crime suspects. Of course, there is always the threat that a third party could do much more insidious things with the personal information and health data of many consumers.

In order to rectify this lack of coverage, Congress asked the HHS and FTC in 2009 to make recommendations on how to update HIPAA. The organizations were charged with working together to find a solution on how to handle health data that is collected by new technologies - but six years later that report has still not been completed.


Was PureVPN Hack Report A Fake

(Ingrid Lunden @ CrunchBase) Earlier today, VPN service PureVPN was dealt a double blow by malicious hackers: a zero-day exploit and the mailing of a subsequent fake email alleging account closure and a data compromise. Uzair Gadit, the founder of the VPN tunneling service – which assigns new IP addresses to users’ connected devices, enabling them to access the Internet in firewalled countries or to use services that are usually geo-restricted at their current locations – tells us that there is no issue with PureVPN. “Our VPN service is functioning 100% fine and there is no interruption whatsoever,” he wrote in an email.

While the company is investigating the cause of the email, he continued, “we hereby confirm that, as we do not store any of our users’ credit card nor PayPal information in our on-site databases, there has been no compromise in our users’ personal billing information.”

The incident highlights how, while VPN tunneling services are often thought to be more secure routes for those worried about data compromises, they are not immune from attacks themselves. Perception of these services can be especially precarious considering that they have not been immune to crack-downs from restrictive governments in the past, such as in this incident in China from December 2012.

The PureVPN story was brought to TechCrunch’s attention by one of PureVPN’s customers who is based in China. Several hours ago, he sent over the following letter, noting that his account was closed, and that his billing information was being handed over to authorities, who might be contacting him in future:

[Image: the fake PureVPN email]

A couple of hours later, his first email was followed up with another, which noted that the earlier email was fake:

“We are sending this note as a clarification,” the note said. “We are NOT closing down nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities nor do we store our user’s personal data to share with anyone.” The company says that while the VPN service remains fully operational “secure to the highest possible levels of encryption,” it has disabled the billing portal and client area while it is investigating the issue. The company is also posting updates on its blog.

We reached out to PureVPN about the two emails, and Gadit gave us a bit more information about what has happened.

He says that the email appears to have hit only a subset of PureVPN’s users, and that email IDs and names are the only data that appear to have been accessed. The fact that our tipster was in China does not indicate that only users in that country were affected.

“I confirm that the subset is NOT limited to Chinese users,” he says. “The motive is yet unclear.” Gadit says that PureVPN has hundreds of thousands of users from over 100 countries worldwide.

“There is NO issue with the service, there has been a fake email sent to some of our users talking about legal issues and other misleading stuff. Our VPN service is functioning 100% fine and there is no interruption whatsoever,” he wrote. “While we are investigating the cause of the email we hereby confirm that, as we do not store any of our users’ credit card nor PayPal information in our on-site databases, there has been no compromise in our users’ personal billing information. Similarly, service troubleshoot logs (connection attempts, users’ IPs and location) are safe and intact as we do not store such logs on site. Furthermore as we vouch for privacy, security and anonymity on the internet we do not store actual VPN service usage logs so there is no point in users’ privacy or anonymity being breached.”

He says that initial reports “suggest that we [were] hit with a zero day exploit, found in WHMCS.” This is a third-party CRM service used by PureVPN on its site. WHMCS had to release a security patch on October 3. At the time, it noted that “the vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information.”

So far, Gadit points to two reasons for the breach: this vulnerability and PureVPN’s own growth. “Clearly we are getting more and more popular crossing new heights too fast,” he wrote. “Such attacks are not unexpected with popular services these days. Such incidents only add to our resolve to emerge as more securer and faster privacy and security VPN service.”

He said that PureVPN is working on posting a complete report when it has completed its investigation.

In the meantime, if you’re a PureVPN user, be extra vigilant in looking out for any emails that ask you to reconfirm any billing details that you use for the service; they may be related to data collected during the zero-day exploit. That is in addition to being vigilant of the many other kinds of phishing emails you may get every day.
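The WHMCS advisory quoted above describes a logged-in user injecting SQL through a URL query parameter on a page that updates the database. As an added illustration (not WHMCS or PureVPN code; the table, columns, function names and sample values are hypothetical), this sketch shows why a login check alone does not help when the parameter is concatenated into an UPDATE, beside a handler that validates and binds it and scopes the update to the session's own records.

```python
import sqlite3


def make_db():
    """Constructed sample data: two clients, one product record each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, owner_id INTEGER, notes TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, 100, "client 100 notes"), (2, 200, "client 200 notes")],
    )
    conn.commit()
    return conn


def notes_by_id(conn):
    """Return {product id: notes} so the effect of an update can be inspected."""
    return dict(conn.execute("SELECT id, notes FROM products ORDER BY id"))


def update_notes_vulnerable(conn, session_user_id, query_params):
    """Weak form: the session is checked, but ?id= is pasted into the SQL text."""
    if session_user_id is None:
        raise PermissionError("login required")
    sql = "UPDATE products SET notes = 'edited' WHERE id = " + query_params["id"]
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows the statement changed


def update_notes_hardened(conn, session_user_id, query_params):
    """Hardened form: validate the parameter, bind it, and scope to the owner."""
    if session_user_id is None:
        raise PermissionError("login required")
    raw = query_params.get("id", "")
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("invalid product id")
    cur = conn.execute(
        "UPDATE products SET notes = ? WHERE id = ? AND owner_id = ?",
        ("edited", int(raw), session_user_id),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Run both handlers as logged-in client 100 with the same crafted parameter."""
    crafted = {"id": "1 OR 1=1"}  # constructed value for the ?id= parameter
    conn = make_db()
    changed = update_notes_vulnerable(conn, 100, crafted)
    after_vulnerable = notes_by_id(conn)

    conn = make_db()
    try:
        update_notes_hardened(conn, 100, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return changed, after_vulnerable, rejected, notes_by_id(conn)


if __name__ == "__main__":
    print(demo())
```

In the weak handler the parameter becomes part of the WHERE clause, so the update reaches rows the session does not own; in the hardened one the value can only ever be compared as data.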

Wearables Acceptance At Work

(Verizon) For years there has been talk of the growing spread of the cloud in the enterprise, but now it's reached a tipping point.

Early on, organizations only trusted the cloud with generic, non-crucial workloads. However, more and more companies are trusting the cloud with their key workloads. According to Verizon's recently released State of the Market: Enterprise Cloud 2016 report, 87% of enterprises are trusting the cloud with at least one mission-critical workload, up from 60% in 2013 and 71% in 2014.

In addition to the growth of cloud used for critical workloads, it is growing for general use as well. Of those surveyed for the report, 84% said their cloud use had increased over the past year. Also, around half of the companies said they'll be using cloud for 75% of their workloads, or more, by 2018.

Going even further, the report said: "In just a couple of years, we believe that over half of all workloads—across organizations of all kinds—will be running in the cloud."

"These statistics show the change in perception amongst enterprise as a few years ago, it was considered risky to transform businesses via cloud, whereas now where it tends to be riskier for people who do nothing because they end up getting left behind," said Ryan Shuttleworth, cloud CTO for Verizon Enterprise Solutions.

So, what did it take to get to this point of trust between the cloud and the enterprise? For starters, attitudes around cloud security have begun to change. In fact, some have even argued that cloud-based security offerings trump their on-premise counterparts.

Respondents for this report seem to agree: ??% of those surveyed said they believed their cloud environment was as secure as, or more secure than, their on-premise infrastructure.

Another shift has been in perceived reliability of the clouds. According to the report, 87% said that the cloud was as reliable and available as on-premise offerings, if not more so.

Now that it's gotten to this point, the question becomes why these enterprises have moved their mission critical workloads to the cloud and what are they hoping to accomplish. Responses broke down the following way:

Improving responsiveness to business needs - 88%
Improving operations - 65%
Saving money - 41%
Keeping pace/responding to competition - 35%
Addressing lack of internal skills - 29%
Simplifying regulatory compliance - 18%
Improving security - 18%

The top four responses are fairly common reasons for moving to the cloud, but the bottom three are significantly more interesting. "Addressing lack of internal skills" means that enterprises are looking to cloud providers, or private cloud capabilities, to fill the gaps in their workforce. "Simplifying regulatory compliance" and "Improving security" are equally as important because they point to a shift taking place in that, for some organizations, the cloud is eliminating more work than it is creating.

In terms of how they're implementing the cloud, 53% use between two and four cloud providers. Additionally, 69% said they are reengineering their business processes with the help of cloud technology.

Private cloud is becoming increasingly common. The report cited lower barriers to entry and a lower cost difference as the main reasons why. More respondents said they're currently using private rather than public cloud, and a larger number have firm plans to implement private than public.

"In the past, the approach taken by many companies roughly followed a similar model: public for non-sensitive workloads; private cloud for more sensitive stuff; and traditional on-premises for difficult-to-move and highly sensitive workloads. Because the cost of private cloud is falling, it now makes sense for many companies to move more of their workloads to private cloud," the report said.

However, the report author did note that Verizon believes there will always be a need for public cloud, especially when elasticity is an issue.

Hybrid cloud seems to be growing, too. About half of the respondents said they either now use hybrid cloud or can readily move the workloads between multiple clouds. The Verizon report also cited a recent survey by cloud financial management company Cloud Cruiser, where 75% of companies said that they "planned to include hybrid cloud as part of their strategy."

Cloud users were broken down into three categories: Skeptics, natives, and pragmatists. Skeptics are those who are not fully convinced of the value the cloud holds for their industry. Natives are those who are considered cloud-first, or cloud-only businesses. In between those extremes are the pragmatists—organizations that take a more measured approach to their cloud strategy.

This growth in cloud means that the playing field is leveled. Only 16% of respondents said the cloud is a "significant advantage," which is a number down from 30% who said the same thing last year. However, 77% believed it's at least a "competitive advantage," but it seems cloud itself is getting closer and closer to becoming table stakes in the enterprise.

And, as more companies fully embrace the cloud, Shuttleworth said, the emphasis on the network will be greater.

"Connectivity is critical to the success of cloud projects," Shuttleworth said. "Some organizations have already switched to dedicated cloud connection services but, through 2015, at least 50% of cloud deployments will suffer from business-impacting performance issues, requiring extensive network redesign to address them."

Website Responsible for 50 percent of worldwide spam taken down

Computer security experts on Wednesday revealed that they had successfully taken down Grum, the world’s third-largest botnet, which was responsible for roughly 18% of global spam, according to The New York Times. According to CNNMoney, that figure could be as high as 50%. The security experts were able to block the botnet’s command and control servers in both the Netherlands and Panama. While the service was successfully shut down, it wasn’t long before Grum’s architects set up seven new command and control centers throughout Russia and Ukraine. The team, however, was able to successfully block those servers, too.

The researchers were able to kill the botnet again by tracing it back to its servers and alerting various Internet service providers. Most botnets are able to come back online within weeks; however, the team still counts the shutdown as a massive win.

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”

What Is Gramm Leach Bliley Act GLB

The Gramm–Leach–Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999) or the Citigroup Relief Act[1] is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. The legislation was signed into law by President Bill Clinton.

A year before the law was passed, Citicorp, a commercial bank holding company, merged with the insurance company Travelers Group in 1998 to form the conglomerate Citigroup, a corporation combining banking, securities and insurance services under a house of brands that included Citibank, Smith Barney, Primerica, and Travelers. Because this merger was a violation of the Glass–Steagall Act and the Bank Holding Company Act of 1956, the Federal Reserve gave Citigroup a temporary waiver in September 1998.[2] Less than a year later, GLB was passed to legalize these types of mergers on a permanent basis. The law also repealed Glass–Steagall's conflict of interest prohibitions "against simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank."[3]

Legislative history

Final Congressional vote by chamber and party, November 4, 1999

The banking industry had been seeking the repeal of the 1933 Glass–Steagall Act since the 1980s, if not earlier. In 1987 the Congressional Research Service prepared a report that explored the cases for and against preserving the Glass–Steagall act.[4]

Respective versions of the legislation were introduced in the U.S. Senate by Phil Gramm (Republican of Texas) and in the U.S. House of Representatives by Jim Leach (R-Iowa). The third lawmaker associated with the bill was Rep. Thomas J. Bliley, Jr. (R-Virginia), Chairman of the House Commerce Committee from 1995 to 2001.

During debate in the House of Representatives, Rep. John Dingell (Democrat of Michigan) argued that the bill would result in banks becoming "too big to fail." Dingell further argued that this would necessarily result in a bailout by the Federal Government.[5]

The House passed its version of the Financial Services Act of 1999 on July 1, 1999, by a bipartisan vote of 343-86 (Republicans 205–16; Democrats 138–69; Independent 0–1),[6][7][note 1] two months after the Senate had already passed its version of the bill on May 6 by a much-narrower 54–44 vote along basically-partisan lines (53 Republicans and 1 Democrat in favor; 44 Democrats opposed).[9][10][11][note 2]

When the two chambers could not agree on a joint version of the bill, the House voted on July 30 by a vote of 241-132 (R 58-131; D 182-1; Ind. 1–0) to instruct its negotiators to work for a law which ensured that consumers enjoyed medical and financial privacy as well as "robust competition and equal and non-discriminatory access to financial services and economic opportunities in their communities" (i.e., protection against exclusionary redlining).[note 3]

The bill then moved to a joint conference committee to work out the differences between the Senate and House versions. Democrats agreed to support the bill after Republicans agreed to strengthen provisions of the anti-redlining Community Reinvestment Act and address certain privacy concerns; the conference committee then finished its work by the beginning of November.[10][13] On November 4, the final bill resolving the differences was passed by the Senate 90-8,[14][note 4] and by the House 362-57.[15][note 5] The legislation was signed into law by President Bill Clinton on November 12, 1999.[16]

Changes caused by the Act

Many of the largest banks, brokerages, and insurance companies desired the Act at the time. The justification was that individuals usually put more money into investments when the economy is doing well, but they put most of their money into savings accounts when the economy turns bad. With the new Act, they would be able to do both 'savings' and 'investment' at the same financial institution, which would be able to do well in both good and bad economic times.

Prior to the Act, most financial services companies were already offering both saving and investment opportunities to their customers. On the retail/consumer side, a bank called Norwest, which would later merge with Wells Fargo Bank, led the charge in offering all types of financial services products in 1986. American Express attempted to own almost every field of financial business (although there was little synergy among them). Things culminated in 1998 when Citibank merged with Travelers Insurance, creating Citigroup. The merger violated the Bank Holding Company Act (BHCA), but Citibank was given a two-year forbearance that was based on an assumption that they would be able to force a change in the law. The Gramm–Leach–Bliley Act passed in November 1999, repealing portions of the BHCA and the Glass–Steagall Act, allowing banks, brokerages, and insurance companies to merge, thus making the Citicorp/Travelers Group merger legal.

Also prior to the passage of the Act, there were many relaxations to the Glass–Steagall Act. For example, a few years earlier, commercial banks were allowed to pursue investment banking, and before that banks were also allowed to begin stock and insurance brokerage. Insurance underwriting was the only main operation they weren't allowed to do, something rarely done by banks even after the passage of the Act.

Much consolidation occurred in the financial services industry since, but not at the scale some had expected. Retail banks, for example, do not tend to buy insurance underwriters, as they seek to engage in a more profitable business of insurance brokerage by selling products of other insurance companies. Other retail banks were slow to market investments and insurance products and package those products in a convincing way. Brokerage companies had a hard time getting into banking, because they do not have a large branch and backshop footprint. Banks have recently tended to buy other banks, such as the 2004 Bank of America and Fleet Boston merger, yet they have had less success integrating with investment and insurance companies. Many banks have expanded into investment banking, but have found it hard to package it with their banking services, without resorting to questionable tie-ins which caused scandals at Smith Barney.

Remaining restrictions

Crucial to the passing of this Act was an amendment made to the GLB, stating that no merger may go ahead if any of the financial holding institutions, or affiliates thereof, received a "less than satisfactory [sic] rating at its most recent CRA exam", essentially meaning that any merger may only go ahead with the strict approval of the regulatory bodies responsible for the Community Reinvestment Act (CRA).[17] This was an issue of hot contention, and the Clinton Administration stressed that it "would veto any legislation that would scale back minority-lending requirements." [18]

The GLB also did not remove the restrictions on banks placed by the Bank Holding Company Act of 1956 which prevented financial institutions from owning non-financial corporations. It conversely prohibits corporations outside of the banking or finance industry from entering retail and/or commercial banking. Many assume Wal-Mart's desire to convert its industrial bank to a commercial/retail bank ultimately drove the banking industry to back the GLB restrictions.

Some restrictions remain to provide some amount of separation between the investment and commercial banking operations of a company. For example, licensed bankers must have separate business cards, e.g., "Personal Banker, Wells Fargo Bank" and "Investment Consultant, Wells Fargo Private Client Services". Much of the debate about financial privacy is specifically centered around allowing or preventing the banking, brokerage, and insurances divisions of a company from working together.

In terms of compliance, the key rules under the Act include the Financial Privacy Rule, which governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies, appraisers, and mortgage brokers – that receive customer information from other financial institutions.

Privacy

  • GLB compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity.
  • Major components put into place to govern the collection, disclosure, and protection of consumers’ nonpublic personal information; or personally identifiable information include:

Financial Privacy Rule

(Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801–6809)

The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.

On November 17, 2009, eight federal regulatory agencies released the final version of a model privacy notice form to make it easier for consumers to understand how financial institutions collect and share information about consumers.

Financial institutions defined

The GLB defines "financial institutions" as: "…companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:

  • non-bank mortgage lenders,
  • real estate appraisers,
  • loan brokers,
  • some financial or investment advisers,
  • debt collectors,
  • tax return preparers,
  • banks, and
  • real estate settlement service providers.

These companies must also be considered significantly engaged in the financial service or production that defines them as a "financial institution".

Insurance falls first under state jurisdiction, provided the state law at minimum complies with the GLB. State law can require greater compliance, but not less than what is otherwise required by the GLB.

Consumer vs. customer defined

The Gramm–Leach–Bliley Act defines a ‘consumer’ as

"an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." (See 15 U.S.C. § 6809(9).)

A ‘customer’ is a consumer that has developed a relationship with privacy rights protected under the GLB. A ‘customer’ is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a ‘consumer’ might have; i.e., a mortgage loan, tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the GLB. A business, however, may be liable for compliance to the GLB depending upon the type of business and the activities utilizing individual’s personal nonpublic information.

Definition: A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

Examples of Consumer Relationships:

  • Applying for a loan
  • Obtaining cash from a foreign ATM, even if it occurs on a regular basis
  • Cashing a check with a check-cashing company
  • Arranging for a wire transfer[19]

Definition: A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.

Examples of Establishing a Customer Relationship:

  • Opening a credit card account with a financial institution
  • Entering into an automobile lease (on a non-operating basis for an initial lease term of at least 90 days) with an automobile dealer
  • Providing personally identifiable financial information to a broker in order to obtain a mortgage loan
  • Obtaining a loan from a mortgage lender
  • Agreeing to obtain tax preparation or credit counseling services

"Special Rule" for Loans: The customer relationship travels with ownership of the servicing rights.[19]

Consumer/client privacy rights

Under the GLB, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.

The privacy notice must also explain to the customer the opportunity to ‘opt-out’. Opting out means that the client can say "no" to allowing their information to be shared with affiliated parties. The Fair Credit Reporting Act is responsible for the ‘opt-out’ opportunity, but the privacy notice must inform the customer of this right under the GLB. The client cannot opt-out of:

  • information shared with those providing priority service to the financial institution
  • marketing of products or services for the financial institution
  • when the information is deemed legally required.

Safeguards Rule

(Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801–6809)

The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule applies to information of any consumers past or present of the financial institution's products or services.) This plan must include:

  • Denoting at least one employee to manage the safeguards,
  • Constructing a thorough risk analysis on each department handling the nonpublic information,
  • Develop, monitor, and test a program to secure the information, and
  • Change the safeguards as needed with the changes in how information is collected, stored, and used.

This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLB.

Pretexting protection

(Subtitle B: Fraudulent Access to Financial Information, codified at 15 U.S.C. §§ 6821–6827)

Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a phony website or email to collect data). The GLB encourages the organizations covered by the GLB to implement safeguards against pretexting. For example, a well-written plan designed to meet GLB's Safeguards Rule ("develop, monitor, and test a program to secure the information") would likely include a section on training employees to recognize and deflect inquiries made under pretext. In fact, the evaluation of the effectiveness of such employee training probably should include a follow-up program of random spot-checks, "outside the classroom", after completion of the [initial] employee training, in order to check on the resistance of a given (randomly chosen) student to various types of "social engineering" -- perhaps even designed to focus attention on any new wrinkle that might have arisen after the [initial] effort to "develop" the curriculum for such employee training. Under United States law, pretexting by individuals is punishable as a common law crime of False Pretenses.

Effect on usury law in Arkansas & other states

Section 731 of the GLB, codified as subsection (f) of 12 U.S.C. § 1831u, contains a unique provision aimed at Arkansas, whose usury limit was set at five percent above the Federal Reserve discount rate by the Arkansas Constitution and could not be changed by the Arkansas General Assembly. When the Office of the Comptroller of the Currency ruled that interstate banks established under the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994 could use their home state's usury law for all branches nationwide with minimal restrictions,[20] Arkansas-based banks were placed at a severe competitive disadvantage to Arkansas branches of interstate banks; this led to out-of-state takeovers of several Arkansas banks, including the sale of First Commercial Bank (then Arkansas' largest bank) to Regions Financial Corporation in 1998.

Under Section 731, all banks headquartered in a state covered by that law may charge up to the highest usury limit of any state that is headquarters to an interstate bank which has branches in the covered state. Therefore, since Arkansas has branches of banks based in Alabama, Georgia, Mississippi, Missouri, North Carolina, Ohio and Texas,[21] any loan that is legal under the usury laws of any of those states may be made by an Arkansas-based bank under Section 731. The section does not apply to interstate banks with branches in the covered state, but headquartered elsewhere; however, Arkansas-based interstate banks like Arvest Bank may export their Section 731 limits to other states.

Due to Section 731, it is generally regarded that Arkansas-based banks now have no usury limit for credit cards or for any loan of greater than $2,000 (since Alabama, Regions' home state, has no limits on those loans), with a limit of 18% (the minimum usury limit in Texas) or more on all other loans.[22] However, once Wells Fargo fully completes its proposed purchase of Century Bank (a Texas bank with Arkansas branches), Section 731 will do away with all usury limits for Arkansas-based banks since Wells Fargo's main bank charter is based in South Dakota, which repealed its usury laws many years ago.

Though designed for Arkansas, Section 731 may also apply to Alaska and California whose constitutions provide for the same basic usury limit, though unlike Arkansas their legislatures can (and generally do) set different limits. If Section 731 applies to those states, then all their usury limits are inapplicable to banks based in those states, since Wells Fargo has branches in both states.

Controversy

Criticisms

Many believe that the Act directly helped cause the 2007 subprime mortgage financial crisis. President Barack Obama has stated that GLB led to deregulation that, among other things, allowed for the creation of giant financial supermarkets that could own investment banks, commercial banks and insurance firms, something banned since the Great Depression. Its passage, critics also say, cleared the way for companies that were too big and intertwined to fail.[23] Economists Robert Ekelund and Mark Thornton have also criticized the Act as contributing to the crisis. They state that "in a world regulated by a gold standard, 100% reserve banking, and no FDIC deposit insurance" the Financial Services Modernization Act would have made "perfect sense" as a legitimate act of deregulation, but under the present fiat monetary system it "amounts to corporate welfare for financial institutions and a moral hazard that will make taxpayers pay dearly."[24]

Nobel Prize-winning economist Joseph Stiglitz has also argued that the Act helped to create the crisis.[25] An article in the liberal publication The Nation asserted that the Gramm-Leach-Bliley Act was responsible for the creation of entities that took on more risk due to their being considered “too big to fail.”[26]

Defense

According to a 2009 policy report from the libertarian Cato Institute authored by one of the institute's directors, Mark A. Calabria, critics of the legislation feared that, with the allowance for mergers between investment and commercial banks, GLB allowed the newly-merged banks to take on riskier investments while at the same time removing any requirements to maintain enough equity, exposing the assets of its banking customers.[27] Calabria claimed that, prior to the passage of GLB in 1999, investment banks were already capable of holding and trading the very financial assets claimed to be the cause of the mortgage crisis, and were also already able to keep their books as they had.[27] He concluded that greater access to investment capital as many investment banks went public on the market explains the shift in their holdings to trading portfolios.[27] Calabria noted that after GLB passed, most investment banks did not merge with depository commercial banks, and that in fact, the few banks that did merge weathered the crisis better than those that did not.[27]

In February 2009, one of the act's co-authors, former Senator Phil Gramm, also defended his bill:

[I]f GLB was the problem, the crisis would have been expected to have originated in Europe where they never had Glass–Steagall requirements to begin with. Also, the financial firms that failed in this crisis, like Lehman, were the least diversified and the ones that survived, like J.P. Morgan, were the most diversified. Moreover, GLB didn't deregulate anything. It established the Federal Reserve as a superregulator, overseeing all Financial Services Holding Companies. All activities of financial institutions continued to be regulated on a functional basis by the regulators that had regulated those activities prior to GLB.[28]

Bill Clinton, as well as economists Brad DeLong and Tyler Cowen, have all argued that the Gramm–Leach–Bliley Act softened the impact of the crisis.[29][30] Atlantic Monthly columnist Megan McArdle has argued that if the act was "part of the problem, it would be the commercial banks, not the investment banks, that were in trouble" and repeal would not have helped the situation.[31] An article in the conservative publication National Review has made the same argument, calling liberal allegations about the Act “folk economics.”[32]

What Is HIPAA

Summary of the HIPAA Privacy Rule

What is HIPAA? In 1996, the Health Insurance Portability and Accountability Act or the HIPAA was endorsed by the U.S. Congress. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally-recognizable regulations for the use/disclosure of an individual's health information. Essentially, the Privacy Rule defines how covered entities use individually-identifiable health information or the PHI (Personal Health Information). 'Covered entities' is a term often used in HIPAA-compliant guidelines. This definition of a covered entity is specified by [45 CFR § 160.102] of the Privacy Rule. A covered entity can be a:

  • Health plan
  • Healthcare clearinghouse
  • Healthcare provider

Overview of the Privacy Rule

  • Gives patients control over the use of their health information
  • Defines boundaries for the use/disclosure of health records by covered entities
  • Establishes national-level standards that healthcare providers must comply with
  • Helps to limit the use of PHI and minimizes chances of its inappropriate disclosure
  • Strictly investigates compliance-related issues and holds violators accountable with civil or criminal penalties for violating the privacy of an individual's PHI
  • Supports the cause of disclosing PHI without individual consent for individual healthcare needs, public benefit and national interests

HIPAA realizes that there is a critical need to balance the steps taken for the protection of an individual's health information along with provision of proper healthcare facilities. The Privacy Rule strives hard to regulate the sharing of PHI without making it a deterrent for accessing healthcare facilities. Thus, the Privacy Rule does permit disclosures, under special circumstances, wherein individual authorization is not needed by public healthcare authorities.

What Is Phonebill Cramming

"Cramming" used to be what you did the night before a big test. Now the word has a more sinister meaning like placing unauthorized charges on your telephone bill.

"I have a phone bill that says Voicemail Monthly fee $12.95. I want to know what that is for and if it's not supposed to be on there, I want it off my phone bill," said Deborah of Johnson City, Tennessee, one of hundreds of consumers who have written to ConsumerAffairs.com to complain about mysterious, unauthorized charges appearing on their telephone bills.

"I got my phone bill and ILD charged me $30.88 for some kind of internet service that I never authorized," said Christie, of Connel, Washington. "When I called them, I was kept on hold for over 30 minutes and have not been able to dispute these charges."

Of all the cramming complaints received at ConsumerAffairs.com, nearly 800 are about ILD TeleServices, whose name and telephone number appear next to the unauthorized charge on their phone bills -- and the number of complaints is steadily rising, with 80 filed in just the last three months.

ILD TeleServices claims that it is merely a billing "clearinghouse," meaning it is collecting the money on behalf of other companies -- some legitimate and some, perhaps, not -- who deliver their services through your local phone company.

If it all sounds confusing, you can blame the Telecommunications Act of 1996. That piece of landmark (others might suggest a different adjective) legislation changed the telecommunications landscape -- not entirely for the better, at least not for consumers. Fortunately, there are some little-publicized provisions that give consumers an effective way to fight back.

In deregulating the local telephone markets, the new law required big telephone companies like SBC Communications and Verizon to lease their lines to smaller companies and to bill their customers on behalf of companies providing such deregulated services as pay phones, collect calls and long-distance calls from public places, like hotels, hospitals, airports and prisons.

The purpose was to open local phone markets to competition and create more services at less cost to the consumer. But an unintended consequence has been an outbreak of profiteering by companies eager to fleece captive or unsuspecting consumers.

Many of the new entrants are companies that attempt to bill unsuspecting consumers for things they never asked for -- like voice mail -- hoping they will not look that closely at their monthly phone bill and just pay it.

Other shameless profiteers are the hotels, hospitals, universities and prisons that add outrageously expensive charges for the use of their telephone equipment.

With so many layers in the billing process, the system has been open to abuse from the start. The company placing the charge does not bill the consumer directly. Instead, the charge is billed by a "clearinghouse," like ILD, which in turn contracts with your local phone company to place the charge on your bill.

The local telephone company makes nothing but a small administrative fee and has little choice in the matter; it is required to provide billing for these supposedly "competitive" entities.

In the case of ILD, the company says it executes hundreds of thousands of bills each month for a wide variety of companies, and that only a tiny fraction of the charges produce complaints. Company officials say they work with complaining consumers to resolve disputes, and that if one of its clients produces a large number of complaints, it is dropped.

What Is SAS 70

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 (also commonly referred to as a "SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.

SAS No. 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report (see below). SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 Audit is not a "checklist" audit.

SAS No. 70 is generally applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). Service organizations that impact a user organization's system of internal controls could be application service providers, bank trust departments, claims processing centers, data centers, third party administrators, or other data processing service bureaus.

In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control sufficient to plan the audit as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach. If a service organization provides transaction processing, data hosting, IT infrastructure or other data processing services to the user organization, the user auditor may need to gain an understanding of the controls at the service organization in order to properly plan the audit and evaluate control risk.

SAS 70 FAQ

What is a SAS 70?
SAS (Statement on Auditing Standards) No. 70 is the authoritative guidance issued by the American Institute of Certified Public Accountants (AICPA) that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.

SAS No. 70 also provides guidance on the factors that an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. It also provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors. A SAS 70 report is also referred to as a Service Auditor’s report.

Who needs a SAS 70 Service Auditor’s report?
A SAS 70 Service Auditor’s report is typically required by companies (“user organizations”) and their auditors (“user auditors”) that obtain significant services from another organization (“service organization”). Service organizations provide services to another corporation. Service organizations are often handling sensitive or private data and potentially conducting transactions with this data. Examples include: application service providers, claims processing centers, real estate title and closing companies, bank trust departments, payroll and billing service providers, investment management firms, market research firms, Internet data centers, or other data processing service bureaus.

What are the benefits to a service organization in obtaining a SAS 70 Service Auditor’s report?

  • Obtaining a SAS 70 Service Auditor’s report differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.
  • A SAS 70 Service Auditor’s report ensures that all user organizations and their auditors have access to the same information, and in many cases, will satisfy the user auditor’s requirements.
  • Absence of a current SAS 70 Service Auditor’s report means that a service organization may have to entertain multiple audit requests from customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization’s resources.

Who will use a SAS 70 Service Auditor’s report?
The auditors of the service organization’s customers can use the SAS 70 Service Auditor’s report to gain an understanding of the internal controls in operation at the service organization. SAS 70 Service Auditor’s reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit.

Are there different types of SAS 70 reports?
Yes. There are two types of SAS 70 reports – a Type I and a Type II report.

  • A Type I Service Auditor’s report is issued for a particular date, and states that the control objectives are in operation and that the supporting controls are suitably designed to achieve the objectives as of that date. However, in the course of performing a Type I engagement, the service auditor does NOT test the operating effectiveness of controls. Thus, a limitation of a Type I Service Auditor’s report is that the user auditor cannot rely on the report to reduce assessment of control risk below the maximum.
  • A Type II Service Auditor’s report is issued covering a period of time, and states that the control objectives are in operation as of a specified date, and that the supporting controls are suitably designed to achieve the objectives. It also states that the controls were tested and were operating with sufficient effectiveness to provide reasonable assurance that control objectives were achieved during the specified period. Type II Service Auditor’s reports may be used by user auditors to reduce assessment of control risk below the maximum.

What are the contents of a SAS 70 Service Auditor’s report?
There are typically four sections of a SAS 70 Service Auditor’s report as detailed in the table below:

| Section | Name | Responsibility |
|---|---|---|
| Section I | Independent Service Auditor’s Report | Service Auditor |
| Section II | Service Organization’s Description of Controls | Service Organization |
| Section III | Control Objectives, Related Controls and Tests of Operating Effectiveness | Service Auditor |
| Section IV | Other Information Provided by the Service Organization | Service Organization |

How long is a SAS 70 report valid?
SAS 70 Type I and Type II reports do not technically expire. However, your client’s auditor may or may not choose to rely on the report, based on the amount of time that has passed since the period covered by the Service Auditor’s report. Management of service organizations may issue an update letter stating that management has incurred no changes to the control environment since the date covered by the Service Auditor’s report. User auditors will have to use professional judgment to determine the extent of reliance on Service Auditors’ reports.

What is Statement on Standards for Attestation Engagements (SSAE) No. 16?
SSAE No. 16, Reporting on Controls at a Service Organization, supersedes the guidance for service auditors within SAS 70 and is effective for Service Auditors’ reports for periods ending on or after June 15, 2011. SSAE No. 16 contains the requirements and guidance for a service auditor reporting on a service organization’s controls. Key changes that service organizations should be aware of include a requirement that management of the service organization provide a written assertion, and that management identify risks that threaten the achievement of the control objectives stated in the description of the service organization’s controls.

What Is SSAE 16

The fact is, SSAE 16 seems to be the chatter of late for many CPA firms, service organizations, and other interested parties. Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is the new "attest" standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). For reporting periods ending on or after June 15, 2011, SSAE 16 will become the new standard for reporting on controls at service organizations, essentially replacing Statement on Auditing Standards No. 70, simply known as SAS 70.

SSAE 16 represents a move toward more globally accepted accounting principles, which clearly can be seen when comparing the new U.S. standard from the AICPA to that of its international equivalent, ISAE 3402, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC).

SSAE 16 also brings about a number of requirements of which service organizations will need to be well aware, most importantly that management of the service organization must provide a description of its "system" along with a written statement of assertion. Both of these requirements differ from the previous SAS 70 auditing standard in the following manner:

Key Differences between the SAS 70 and SSAE 16 Auditing Standards

  • The SAS 70 auditing standard only called for a description of "controls", while the SSAE 16 attest standard now requires a description of its "system", which is considered to be more comprehensive and expansive than that of the SAS 70 description of "controls".
  • SSAE 16 requires a written statement of assertion, something that was not required under SAS 70 Type I or Type II audits. This written statement of assertion must be crafted by management and contain a number of essential clauses to which management of the service organization will effectively "assert". What's important to note is that the written statement of assertion can be included within or attached to the description of the "system". A competent, well-qualified CPA firm can help assist you with this matter.

SSAE 16 differs from SAS 70 in a number of areas; the most fundamentally important aspect being that SSAE 16 is an “attestation” standard, while SAS 70 is an “auditing” standard.  The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) felt that examining a service organization’s “system” and their controls is not considered an audit of financial statements, thus it should not be categorized as that.

Additionally, the ISAE 3402 standard, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC), is an “assurance” standard, which is essentially equivalent to the SSAE 16 “attestation” standard.

As for reporting requirements for service organizations, SSAE 16 requires a description of one’s “system” along with a written assertion by management, whereas SAS 70 requires a description of “controls” and no written assertion.  The key difference between the SSAE 16 description of its “system” and the SAS 70 auditing standard’s description of “controls” is that many organizations may find themselves having to revise their prior descriptions to meet the new requirements for SSAE 16 reporting.

Generally, most practitioners seem to agree that the SSAE 16 requirements for a description of its “system” are considered more comprehensive and expansive than the SAS 70 auditing standards description of “controls”.

What Law Enforcement Can Recover From A Seized iPhone

 

The call log of an iPhone seized by Immigration and Customs Enforcement officers, with numbers redacted.

(Andy Greenberg @ Forbes) You may think of your iPhone as a friendly personal assistant. But once it’s alone in a room full of law enforcement officials, you might be surprised at the revealing things it will say about you.

On Tuesday the American Civil Liberties Union published a report it obtained from a drug investigation by the Immigration and Customs Enforcement (ICE) agency, documenting the seizure and search of a suspect’s iPhone from her bedroom. While it’s no surprise that a phone carries plenty of secrets, the document presents in stark detail a list of that personal information, including call logs, photos, videos, text messages, Web history, eight different passwords for various services, and perhaps most importantly, 659 previous locations of the phone invisibly gathered from Wifi networks and cell towers.

“We know the police have started using tools that can do this. We’ve known the iPhone retains records of the cell towers it contacts. But we’ve never before seen the huge amount of data police can obtain,” says ACLU technology lead Chris Soghoian, who found the report in a court filing. “It shouldn’t be shocking. But it’s one thing to know that they’re using it. It’s another to see exactly what they get.”

In this case, ICE was able to extract the iPhone’s details with the help of the forensics firm Cellebrite. The suspect doesn’t seem to have enabled a PIN or passcode. But even when those login safeguards are set up in other cases, law enforcement have still often been able to use tools to bypass or brute-force a phone’s security measures. Google in some cases helps law enforcement to get past Android phones’ lockscreens, and if law enforcement can’t crack a seized phone, officers will in some cases mail the phone to Apple, who extract the data and return it stored on a DVD along with the locked phone.

The phone search and seizure described in the documented case required a warrant. But the legality of warrantless phone searches remains an open issue. At U.S. borders or when arresting a suspect, for instance, police and government officials have argued that no such warrant is required.

Failing legal protections, the ACLU’s Soghoian says those who’d like to keep prying eyes away from their handsets’ data should use long, complex passcodes and encrypt their phone’s storage disk. “While the law does not sufficiently protect the private data on smartphones, technology can at least provide some protection,” Soghoian writes.

Here’s the full court document detailing the iPhone’s forensic search.


What You Should Know About The Equifax Class Action Suit

As 143 million compromised Equifax customers either scramble to freeze their credit, seek security services, or wait to see what happens next, some are electing to take legal action.

Attorneys throughout the U.S. have filed more than a dozen class action lawsuits against the credit bureau.

Oakland, California-based Scott Cole & Associates filed a class action claiming "negligence, violations of fair credit reporting and deceptive business practices."

The Doss Firm LLC has filed a class action suit on behalf of the estimated 28 million small business owners who may have been affected by the data breach. Attorney Jason Doss said small business operators are particularly vulnerable since they rely on personal and business credit to operate.

What is a class action?

Unlike an individual lawsuit, a class action is filed on behalf of a "class" of plaintiffs who all have the same or similar grievances. In a case affecting as many people as the Equifax breach, it is very likely that many of the suits will be combined into a smaller number of cases.

Unlike an individual lawsuit, a plaintiff does not have to hire an attorney or incur any legal costs. And unlike an individual lawsuit, members of the "class" don't have to take much action at all.

If you are among the 143 million consumers whose data may have been exposed, you are already a member of the "class."

"At some point, [Equifax customers] will get a notice asking whether we want to opt out of the class action," said Vanderbilt University law professor Brian Fitzpatrick. "As a general matter, I recommend that people do not opt out. It will be very hard to sue Equifax on your own. The nice thing about a class action is someone does all the work for us."

Consumers are free to sue on their own

Because there are millions of potential plaintiffs, any class action settlement may result in a rather small individual judgment. If you think you have a major case against Equifax, you are free to sue the company individually. In that case, Fitzpatrick says you might consider opting out of the class action.

"If you do not opt out of the class action when you have the chance and the class action is unsuccessful, then you lose your right to sue Equifax on your own," he said.

Most people, he says, will be better off remaining in the class, having a good chance to share in a settlement without having to hire a lawyer.

Fitzpatrick suggests consumers document how much time and money they have spent placing freezes and fraud alerts, or otherwise dealing with the data breach. He says they may be able to use that information to increase their recovery sum in any settlement.

What cyber warfare means for consumers

(Mark Huffman @ ConsumerAffairs) Chances are, when you're scanning the news you don't spend a lot of time reading about the latest cyber warfare attack. After all, it's just countries battling one another with computers – doesn't affect consumers, right?

 

 

Don't be too sure about that. In late March a massive cyber attack took place, not between warring nations but between an anti-spam group and a hosting service that rents server space to spammers. It resulted in what experts are calling the largest denial-of-service attack in the history of the Internet.

The players were Spamhaus, a European group fighting spam, and Cyberbunker, a Dutch company that rents server space to a wide variety of clients, including those that send out spam. When Spamhaus added Cyberbunker to its blacklist, war broke out.

It's war!

Swarms of computers suddenly started sending out huge data streams. In this latest attack, cyber warriors exploited the Internet's Domain Name System (DNS), bombarding Spamhaus' servers with data requests. Very soon, the servers couldn't be reached by anyone else.

But the effects didn't stop there. Many Internet users in Europe and North America found the Internet suddenly slowed or ground to a halt. Some found streaming a video on Netflix next to impossible. Others had trouble reaching websites they visit on a daily basis.

According to Chester Wisniewski, a senior security advisor at Sophos Canada, Tier One service providers, who carry the bulk of Internet traffic, were simply overwhelmed by the volume of traffic from this attack. The signals you send from your computer to reach a particular place on the network had to contend with this huge overload of traffic. In this case consumers were collateral damage.

Life and death

But more may be at stake than inconvenience. Some believe that money and lives could be at risk due to the rising levels of cyber warfare. One of these people is former Defense Secretary Leon Panetta, who, from his seat in the Pentagon, was getting an up-close view of the threat every day.


Before leaving office Panetta told Time Magazine that Americans tend to wait for a crisis before acting. In this case, he says, that could be dangerous. Sophisticated cyber warriors can turn loose worms, bots and malware that can infect networks all over the Internet, causing major damage.

“It is the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system,” Panetta told the magazine. “We are now in a world in which countries are developing the capability to engage in the kind of attacks that can virtually paralyze a country.”

That's because consumers – not just businesses – are heavily dependent on the web in a way they were not just a decade ago. Think about it – when was the last time you wrote a check?

Hackers one step ahead

Experts at Georgia Tech -- the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI) -- constantly work to stay one step ahead of the hackers. They say 2013 is posing some steep challenges.

One of their concerns is the increase in cloud-based botnets. For example, attackers can use stolen credit card data to purchase cloud computing resources and create dangerous clusters of temporary virtual attack systems.

Cyber criminals can even manipulate search engine algorithms and other automated mechanisms that control what information you see when you do a search. Moving beyond typical search engine poisoning, researchers believe that manipulating users’ search histories may be a next step in ways that attackers use legitimate resources for illegitimate gains.

Fertile ground

The most fertile ground may be in mobile browser and mobile wallet vulnerabilities. While only a very small number of U.S. mobile devices show signs of infection, the explosive proliferation of smartphones will continue to tempt attackers into exploiting user and technology-based vulnerabilities, particularly with the browser function and digital wallet apps.

The threat could be made worse because employers appear too willing to allow employees to access corporate systems through their personal devices. This, the experts fear, could be a virtual Trojan horse, giving hackers unfettered access to private data and vital infrastructure systems.

To combat this global threat INTERPOL is stepping up its cooperation with companies in the cyber security industry. INTERPOL's Global Complex for Innovation (IGCI) announced earlier this month it will equip international law enforcement with the tools and knowledge needed to better deal with the escalating problem. Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, says his company will help.

“I have been pushing for the creation of what I used to call an ‘Internet-INTERPOL’ for over a decade now, and at last it has finally come to pass,” Kaspersky said. “It should come as no surprise that we wholeheartedly support this initiative.”

The new international policing effort is expected to be operational early next year.

What to do

There's very little consumers can do about a cyber battle that slows the Internet or doesn't allow them to visit a particular site. Of more pressing concern is the security of your personal devices.

Make sure you have up-to-date anti-virus software installed on all devices, not just desktop PCs. Mobile devices are increasingly vulnerable to attack. Mobile security software packages cost as little as $15.

What is Sarbanes Oxley (SOX)

The Sarbanes–Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 29, 2002), also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It is named after sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).

The bill was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets.

The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law. Harvey Pitt, the 26th chairman of the SEC, led the SEC in the adoption of dozens of rules to implement the Sarbanes–Oxley Act. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. The nonprofit arm of Financial Executives International (FEI), Financial Executives Research Foundation (FERF), completed extensive research studies to help support the foundations of the act.

The act was approved by the House by a vote of 423 in favor, 3 opposed, and 8 abstaining and by the Senate with a vote of 99 in favor, 1 abstaining. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law."[1]

As a testament to the need for stricter financial governance SOX-type laws have been subsequently enacted in Japan, Germany, France, Italy, Australia, India, South Africa, and Turkey.

Debate continues over the perceived benefits and costs of SOX. Opponents of the bill claim it has reduced America's international competitive edge against foreign financial service providers, saying SOX has introduced an overly complex regulatory environment into U.S. financial markets.[2] Proponents of the measure say that SOX has been a "godsend" for improving the confidence of fund managers and other investors with regard to the veracity of corporate financial statements.[3]

Outlines

Sarbanes–Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Each title consists of several sections, summarized below.

  1. Public Company Accounting Oversight Board (PCAOB)
    Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services ("auditors"). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.
  2. Auditor Independence
    Title II consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts auditing companies from providing non-audit services (e.g., consulting) for the same clients.
  3. Corporate Responsibility
    Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 requires that the company's "principal officers" (typically the Chief Executive Officer and Chief Financial Officer) certify and approve the integrity of their company financial reports quarterly.[4]
  4. Enhanced Financial Disclosures
    Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.
  5. Analyst Conflicts of Interest
    Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest.
  6. Commission Resources and Authority
    Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, advisor, or dealer.
  7. Studies and Reports
    Title VII consists of five sections and requires the Comptroller General and the SEC to perform various studies and report their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.
  8. Corporate and Criminal Fraud Accountability
    Title VIII consists of seven sections and is also referred to as the “Corporate and Criminal Fraud Accountability Act of 2002”. It describes specific criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.
  9. White Collar Crime Penalty Enhancement
    Title IX consists of six sections. This section is also called the “White Collar Crime Penalty Enhancement Act of 2002.” This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
  10. Corporate Tax Returns
    Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
  11. Corporate Fraud Accountability
    Title XI consists of seven sections. Section 1101 recommends a name for this title as “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to resort to temporarily freezing transactions or payments that have been deemed "large" or "unusual".

History and context: events contributing to the adoption of Sarbanes–Oxley

A variety of complex factors created the conditions and culture in which a series of large corporate frauds occurred between 2000–2002. The spectacular, highly-publicized frauds at Enron, WorldCom, and Tyco exposed significant problems with conflicts of interest and incentive compensation practices. The analysis of their complex and contentious root causes contributed to the passage of SOX in 2002.[5] In a 2004 interview, Senator Paul Sarbanes stated:

"The Senate Banking Committee undertook a series of hearings on the problems in the markets that had led to a loss of hundreds and hundreds of billions, indeed trillions of dollars in market value. The hearings set out to lay the foundation for legislation. We scheduled 10 hearings over a six-week period, during which we brought in some of the best people in the country to testify...The hearings produced remarkable consensus on the nature of the problems: inadequate oversight of accountants, lack of auditor independence, weak corporate governance procedures, stock analysts' conflict of interests, inadequate disclosure provisions, and grossly inadequate funding of the Securities and Exchange Commission."[6]
  • Auditor conflicts of interest: Prior to SOX, auditing firms, the primary financial "watchdogs" for investors, were self-regulated. They also performed significant non-audit or consulting work for the companies they audited. Many of these consulting agreements were far more lucrative than the auditing engagement. This presented at least the appearance of a conflict of interest. For example, challenging the company's accounting approach might damage a client relationship, conceivably placing a significant consulting arrangement at risk, damaging the auditing firm's bottom line.
  • Boardroom failures: Boards of Directors, specifically Audit Committees, are charged with establishing oversight mechanisms for financial reporting in U.S. corporations on the behalf of investors. These scandals identified Board members who either did not exercise their responsibilities or did not have the expertise to understand the complexities of the businesses. In many cases, Audit Committee members were not truly independent of management.
  • Securities analysts' conflicts of interest: The roles of securities analysts, who make buy and sell recommendations on company stocks and bonds, and investment bankers, who help provide companies loans or handle mergers and acquisitions, provide opportunities for conflicts. Similar to the auditor conflict, issuing a buy or sell recommendation on a stock while providing lucrative investment banking services creates at least the appearance of a conflict of interest.
  • Inadequate funding of the SEC: The SEC budget has steadily increased to nearly double the pre-SOX level.[7] In the interview cited above, Sarbanes indicated that enforcement and rule-making are more effective post-SOX.
  • Banking practices: Lending to a firm sends signals to investors regarding the firm's risk. In the case of Enron, several major banks provided large loans to the company without understanding, or while ignoring, the risks of the company. Investors of these banks and their clients were hurt by such bad loans, resulting in large settlement payments by the banks. Others interpreted the willingness of banks to lend money to the company as an indication of its health and integrity, and were led to invest in Enron as a result. These investors were hurt as well.
  • Internet bubble: Investors had been stung in 2000 by the sharp declines in technology stocks and to a lesser extent, by declines in the overall market. Certain mutual fund managers were alleged to have advocated the purchasing of particular technology stocks, while quietly selling them. The losses sustained also helped create a general anger among investors.
  • Executive compensation: Stock option and bonus practices, combined with volatility in stock prices for even small earnings "misses," resulted in pressures to manage earnings.[8] Stock options were not treated as compensation expense by companies, encouraging this form of compensation. With a large stock-based bonus at risk, managers were pressured to meet their targets.

Timeline and passage of Sarbanes–Oxley

Before the signing ceremony of the Sarbanes–Oxley Act, President George W. Bush met with Senator Paul Sarbanes, Secretary of Labor Elaine Chao and other dignitaries in the Blue Room at the White House on July 30, 2002

The House passed Rep. Oxley's bill (H.R. 3763) on April 24, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President George W. Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673.

Senator Sarbanes’ bill passed the Senate Banking Committee on June 18, 2002, by a vote of 17 to 4. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $3.8 billion during the past five quarters (15 months), primarily by improperly accounting for its operating costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day, and it passed 97–0 less than three weeks later on July 15, 2002.

The House and the Senate formed a Conference Committee to reconcile the differences between Sen. Sarbanes's bill (S. 2673) and Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673 and “most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes–Oxley Deskbook § 2–31.)

The Committee approved the final conference bill on July 24, 2002, and gave it the name "the Sarbanes–Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." [1]

Analyzing the cost-benefits of Sarbanes–Oxley

A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.[9][10] Conclusions from several of these studies and related criticism are summarized below:

Compliance costs

  • FEI Survey (Annual): Finance Executives International (FEI) provides an annual survey on SOX Section 404 costs. These costs have continued to decline relative to revenues since 2004. The 2007 study indicated that, for 168 companies with average revenues of $4.7 billion, the average compliance costs were $1.7 million (0.036% of revenue).[11] The 2006 study indicated that, for 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million (0.043% of revenue), down 23% from 2005. Cost for decentralized companies (i.e., those with multiple segments or divisions) were considerably more than centralized companies. Survey scores related to the positive effect of SOX on investor confidence, reliability of financial statements, and fraud prevention continue to rise. However, when asked in 2006 whether the benefits of compliance with Section 404 have exceeded costs in 2006, only 22 percent agreed.[12]
  • Foley & Lardner Survey (2007): This annual study focused on changes in the total costs of being a U.S. public company, which were significantly affected by SOX. Such costs include external auditor fees, directors and officers (D&O) insurance, board compensation, lost productivity, and legal costs. Each of these cost categories increased significantly between FY2001 and FY2006. Nearly 70% of survey respondents indicated public companies with revenues under $251 million should be exempt from SOX Section 404.[13]
  • Butler/Ribstein (2006): Their book proposed a comprehensive overhaul or repeal of SOX and a variety of other reforms. For example, they indicate that investors could diversify their stock investments, efficiently managing the risk of a few catastrophic corporate failures, whether due to fraud or competition. However, if each company is required to spend a significant amount of money and resources on SOX compliance, this cost is borne across all publicly traded companies and therefore cannot be diversified away by the investor.[14]
  • A 2011 SEC study found that Section 404(b) compliance costs have continued to decline, especially after 2007 accounting guidance.[15]

Benefits to firms and investors

  • Arping/Sautner (2010): This research paper analyzes whether SOX enhanced corporate transparency.[16] Looking at foreign firms that are cross-listed in the US, the paper indicates that, relative to a control sample of comparable firms that are not subject to SOX, cross-listed firms became significantly more transparent following SOX. Corporate transparency is measured based on the dispersion and accuracy of analyst earnings forecasts.
  • Iliev (2007): This research paper indicated that SOX 404 indeed led to conservative reported earnings, but also reduced—rightly or wrongly—stock valuations of small firms.[17] Lower earnings often cause the share price to decrease.
  • Skaife/Collins/Kinney/LaFond (2006): This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (.5 to 1.5 percentage points).[18]
  • Lord & Benoit Report (2006): Do the Benefits of 404 Exceed the Cost? A study of a population of nearly 2,500 companies indicated that those with no material weaknesses in their internal controls, or companies that corrected them in a timely manner, experienced much greater increases in share prices than companies that did not.[19][20] The report indicated that the benefits to a compliant company in share price (10% above Russell 3000 index) were greater than their SOX Section 404 costs.
  • Institute of Internal Auditors (2005): The research paper indicates that corporations have improved their internal controls and that financial statements are perceived to be more reliable.[21]

Effects on exchange listing choice of non-U.S. companies

Some have asserted that Sarbanes–Oxley legislation has helped displace business from New York to London, where the Financial Services Authority regulates the financial sector with a lighter touch. In the UK, the non-statutory Combined Code of Corporate Governance plays a somewhat similar role to SOX. See Howell E. Jackson & Mark J. Roe, “Public Enforcement of Securities Laws: Preliminary Evidence” (Working Paper January 16, 2007). The Alternative Investment Market claims that its spectacular growth in listings almost entirely coincided with the Sarbanes Oxley legislation. In December 2006 Michael Bloomberg, New York's mayor, and Charles Schumer, a U.S. senator from New York, expressed their concern.[22]

According to Kate Litvak, the Sarbanes–Oxley Act's effect on non-U.S. companies cross-listed in the U.S. differs between firms from developed and well-regulated countries and firms from less developed countries.[23] Companies from badly regulated countries see benefits that are higher than the costs from better credit ratings by complying with regulations in a highly regulated country (USA), but companies from developed countries only incur the costs, since transparency is adequate in their home countries as well. On the other hand, the benefit of better credit rating also comes with listing on other stock exchanges such as the London Stock Exchange.

Piotroski and Srinivasan (2008) examine a comprehensive sample of international companies that list onto U.S. and U.K. stock exchanges before and after the enactment of the Act in 2002. Using a sample of all listing events onto U.S. and U.K. exchanges from 1995–2006, they find that the listing preferences of large foreign firms choosing between U.S. exchanges and the LSE's Main Market did not change following SOX. In contrast, they find that the likelihood of a U.S. listing among small foreign firms choosing between the Nasdaq and LSE's Alternative Investment Market decreased following SOX. The negative effect among small firms is consistent with these companies being less able to absorb the incremental costs associated with SOX compliance. The screening of smaller firms with weaker governance attributes from U.S. exchanges is consistent with the heightened governance costs imposed by the Act increasing the bonding-related benefits of a U.S. listing.[24]

Implementation of key provisions

Sarbanes–Oxley Section 302: Disclosure controls

Under Sarbanes–Oxley, two separate sections came into effect—one civil and the other criminal. 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” Id.

The SEC interpreted the intention of Sec. 302 in Final Rule 33–8124. In it, the SEC defines the new term "disclosure controls and procedures," which are distinct from "internal controls over financial reporting."[25] Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions.[26]

External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.

Sarbanes–Oxley Section 303: Improper Influence on Conduct of Audits

a. Rules To Prohibit. It shall be unlawful, in contravention of such rules or regulations as the Commission shall prescribe as necessary and appropriate in the public interest or for the protection of investors, for any officer or director of an issuer, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading. [2]

Sarbanes-Oxley Section 401: Disclosures in periodic reports (Off-balance sheet items)

The bankruptcy of Enron drew attention to off-balance sheet instruments that were used fraudulently. During 2010, the court examiner's review of the Lehman Brothers bankruptcy also brought these instruments back into focus, as Lehman had used an instrument called "Repo 105" to allegedly move assets and debt off-balance sheet to make its financial position look more favorable to investors. Sarbanes-Oxley required the disclosure of all material off-balance sheet items. It also required an SEC study and report to better understand the extent of usage of such instruments and whether accounting principles adequately addressed these instruments; the SEC report was issued June 15, 2005.[27][28] Interim guidance was issued in May 2006, which was later finalized.[29] Critics argued the SEC did not take adequate steps to regulate and monitor this activity.[30]

Sarbanes–Oxley Section 404: Assessment of internal control

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.[31]

Under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” To do this, managers are generally adopting an internal control framework such as that described in COSO.

To help alleviate the high costs of compliance, guidance and practice have continued to evolve. The Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 for public accounting firms on July 25, 2007.[32] This standard superseded Auditing Standard No. 2, the initial guidance provided in 2004. The SEC also released its interpretive guidance [33] on June 27, 2007. It is generally consistent with the PCAOB's guidance, but intended to provide guidance for management. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. This gives management wider discretion in its assessment approach. These two standards together require management to:

  • Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
  • Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise;
  • Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
  • Perform a fraud risk assessment;
  • Evaluate controls designed to prevent or detect fraud, including management override of controls;
  • Evaluate controls over the period-end financial reporting process;
  • Scale the assessment based on the size and complexity of the company;
  • Rely on management's work based on factors such as competency, objectivity, and risk;
  • Conclude on the adequacy of internal control over financial reporting.

SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems, versus those with centralized, more efficient systems. For example, the 2007 FEI survey indicated average compliance costs for decentralized companies were $1.9 million, while centralized company costs were $1.3 million.[34] Costs of evaluating manual control procedures are dramatically reduced through automation.

Sarbanes–Oxley 404 and smaller public companies

The cost of complying with SOX 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during 2004 U.S. companies with revenues exceeding $5 billion spent 0.06% of revenue on SOX compliance, while companies with less than $100 million in revenue spent 2.55%.[35]

This disparity is a focal point of 2007 SEC and U.S. Senate action.[36] The PCAOB intends to issue further guidance to help companies scale their assessment based on company size and complexity during 2007. The SEC issued their guidance to management in June, 2007.[33]

After the SEC and PCAOB issued their guidance, the SEC required smaller public companies (non-accelerated filers) with fiscal years ending after December 15, 2007 to document a Management Assessment of their Internal Controls over Financial Reporting (ICFR). Outside auditors of non-accelerated filers however opine or test internal controls under PCAOB (Public Company Accounting Oversight Board) Auditing Standards for years ending after December 15, 2008. Another extension was granted by the SEC for the outside auditor assessment until years ending after December 15, 2009. The reason for the timing disparity was to address the House Committee on Small Business concern that the cost of complying with Section 404 of the Sarbanes–Oxley Act of 2002 was still unknown and could therefore be disproportionately high for smaller publicly held companies.[37] On October 2, 2009, the SEC granted another extension for the outside auditor assessment until fiscal years ending after June 15, 2010. The SEC stated in their release that the extension was granted so that the SEC’s Office of Economic Analysis could complete a study of whether additional guidance provided to company managers and auditors in 2007 was effective in reducing the costs of compliance. They also stated that there will be no further extensions in the future.[38]

On September 15, 2010 the SEC issued final rule 33-9142 that permanently exempts registrants that are neither accelerated nor large accelerated filers as defined by Rule 12b-2 of the Securities and Exchange Act of 1934 from Section 404(b) internal control audit requirement.[39]

Sarbanes–Oxley Section 802: Criminal penalties for influencing US Agency investigation/proper administration

Section 802(a) of the SOX, 18 U.S.C. § 1519 states:

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

 

Sarbanes–Oxley Section 906: Criminal Penalties for CEO/CFO financial statement certification

Section 906 states: § 1350. Failure of corporate officers to certify financial reports

(a) Certification of Periodic Financial Reports.— Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m (a) or 78o (d)) shall be accompanied by a written statement by the chief executive officer and chief financial officer (or equivalent thereof) of the issuer.

(b) Content.— The statement required under subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of [1] 1934 (15 U.S.C. 78m or 78o (d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.

(c) Criminal Penalties.— Whoever— (1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or

(2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both. [3]

Sarbanes–Oxley Section 1107: Criminal penalties for retaliation against whistleblowers

Section 1107 of the SOX 18 U.S.C. § 1513(e) states:[40]

Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense, shall be fined under this title, imprisoned not more than 10 years, or both.

 

Criticism

Congressman Ron Paul and others such as former Arkansas governor Mike Huckabee have contended that SOX was an unnecessary and costly government intrusion into corporate management that places U.S. corporations at a competitive disadvantage with foreign firms, driving businesses out of the United States. In an April 14, 2005 speech before the U.S. House of Representatives, Paul stated, "These regulations are damaging American capital markets by providing an incentive for small US firms and foreign firms to deregister from US stock exchanges. According to a study by a researcher at the Wharton Business School, the number of American companies deregistering from public stock exchanges nearly tripled during the year after Sarbanes–Oxley became law, while the New York Stock Exchange had only 10 new foreign listings in all of 2004. The reluctance of small businesses and foreign firms to register on American stock exchanges is easily understood when one considers the costs Sarbanes–Oxley imposes on businesses. According to a survey by Korn/Ferry International, Sarbanes–Oxley cost Fortune 500 companies an average of $5.1 million in compliance expenses in 2004, while a study by the law firm of Foley and Lardner found the Act increased costs associated with being a publicly held company by 130 percent." [41]

A research study published by Joseph Piotroski of Stanford University and Suraj Srinivasan of Harvard Business School titled "Regulation and Bonding: Sarbanes Oxley Act and the Flow of International Listings" in the Journal of Accounting Research in 2008 found that following the act's passage, smaller international companies were more likely to list in stock exchanges in the U.K. rather than U.S. stock exchanges.[24]

During the financial crisis of 2007–2010, critics blamed Sarbanes–Oxley for the low number of Initial Public Offerings (IPOs) on American stock exchanges during 2008. In November 2008, Newt Gingrich and co-author David W. Kralik called on Congress to repeal Sarbanes–Oxley.[42]

A December 21, 2008 Wall St. Journal editorial stated, "The new laws and regulations have neither prevented frauds nor instituted fairness. But they have managed to kill the creation of new public companies in the U.S., cripple the venture capital business, and damage entrepreneurship. According to the National Venture Capital Association, in all of 2008 there have been just six companies that have gone public. Compare that with 269 IPOs in 1999, 272 in 1996, and 365 in 1986."

Hoover's IPO Scorecard notes 31 IPOs in 2008.[43]

The editorial concludes that: "For all of this, we can first thank Sarbanes–Oxley. Cooked up in the wake of accounting scandals earlier this decade, it has essentially killed the creation of new public companies in America, hamstrung the NYSE and Nasdaq (while making the London Stock Exchange rich), and cost U.S. industry more than $200 billion by some estimates." [44]

Previously the number of IPOs had declined to 87 in 2001, well down from the highs, but before Sarbanes–Oxley was passed.[45] In 2004, IPOs were up 195% from the previous year to 233.[46] There were 196 IPOs in 2005, 205 in 2006 (with a sevenfold increase in deals over $1 billion) and 209 in 2007.[47][48]

A 2012 Wall St. Journal editorial stated, "One reason the U.S. economy isn't creating enough jobs is that it's not creating enough employers... For the third year in a row the world's leading exchange for new stock offerings was located not in New York, but in Hong Kong... Given that the U.S. is still home to the world's largest economy, there's no reason it shouldn't have the most vibrant equity markets—unless regulation is holding back the creation of new public companies. On that score it's getting harder for backers of the Sarbanes-Oxley accounting law to explain away each disappointing year since its 2002 enactment as some kind of temporary or unrelated setback."[49]

Praise

Former Federal Reserve Chairman Alan Greenspan praised the Sarbanes–Oxley Act: "I am surprised that the Sarbanes–Oxley Act, so rapidly developed and enacted, has functioned as well as it has...the act importantly reinforced the principle that shareholders own our corporations and that corporate managers should be working on behalf of shareholders to allocate business resources to their optimum use."[50]

SOX has been praised by a cross-section of financial industry experts, citing improved investor confidence and more accurate, reliable financial statements. The CEO and CFO are now required to unequivocally take ownership for their financial statements under Section 302, which was not the case prior to SOX. Further, auditor conflicts of interest have been addressed, by prohibiting auditors from also having lucrative consulting agreements with the firms they audit under Section 201. SEC Chairman Christopher Cox stated in 2007: "Sarbanes–Oxley helped restore trust in U.S. markets by increasing accountability, speeding up reporting, and making audits more independent."[51]

The FEI 2007 study and research by the Institute of Internal Auditors (IIA) also indicate SOX has improved investor confidence in financial reporting, a primary objective of the legislation. The IIA study also indicated improvements in board, audit committee, and senior management engagement in financial reporting and improvements in financial controls.[52][53]

Financial restatements increased significantly in the wake of the SOX legislation, as companies "cleaned up" their books. Glass, Lewis & Co. LLC is a San Francisco-based firm that tracks the volume of do-overs by public companies. Its March 2006 report, "Getting It Wrong the First Time," shows 1,295 restatements of financial earnings in 2005 for companies listed on U.S. securities markets, almost twice the number for 2004. "That's about one restatement for every 12 public companies—up from one for every 23 in 2004," says the report.[54]

One fraud uncovered by the Securities and Exchange Commission (SEC) in November 2009 [55] may be directly credited to Sarbanes-Oxley. The fraud, which spanned nearly 20 years and involved over $24 million, was committed by Value Line (NASDAQ: VALU) against its mutual fund shareholders. The fraud was first reported to the SEC in 2004 by the Value Line Fund (NASDAQ: VLIFX) portfolio manager who was asked to sign a Code of Business Ethics as part of SOX.[56][57][58] Restitution totalling $34 million will be placed in a fair fund and returned to the affected Value Line mutual fund investors.[59] No criminal charges have been filed.

The Sarbanes–Oxley Act has been praised for nurturing an ethical culture, as it forces top management to be transparent and employees to be responsible for their acts, and also protects whistleblowers.[60]

Legal challenges

A lawsuit (Free Enterprise Fund v. Public Company Accounting Oversight Board) was filed in 2006 challenging the constitutionality of the PCAOB. The complaint argues that because the PCAOB has regulatory powers over the accounting industry, its officers should be appointed by the President, rather than the SEC.[61] Further, because the law lacks a "severability clause," if part of the law is judged unconstitutional, so is the remainder. If the plaintiff prevails, the U.S. Congress may have to devise a different method of officer appointment. Further, the other parts of the law may be open to revision.[62][63] The lawsuit was dismissed from a District Court; the decision was upheld by the Court of Appeals on August 22, 2008.[64] Judge Kavanaugh, in his dissent, argued strongly against the constitutionality of the law.[65] On May 18, 2009, the United States Supreme Court agreed to hear this case.[66] On December 7, 2009, it heard the oral arguments.[67] On June 28, 2010, the United States Supreme Court unanimously turned away a broad challenge to the law, but ruled 5–4 that a section related to appointments violates the Constitution's separation of powers mandate. The act remains "fully operative as a law" pending a process correction.[68]

Legislative information

What is Smurfing

(webopedia) Smurf attacks are illegal! It is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bringing the entire Internet service to its knees.

Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.
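Seen from the victim's side, the traffic described above is a burst of ICMP echo replies that nobody on the victim network asked for, all arriving from one subnet. The following detector is an added example, not part of the webopedia text; the record layout, the /24 grouping, the thresholds and the sample addresses are assumptions made for illustration, and the records are taken to come from a sensor at the victim network's edge.

```python
from collections import defaultdict
from ipaddress import ip_network

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type numbers


def find_smurf_victims(records, window=1.0, min_sources=20):
    """Return {victim_ip: {reflecting_subnet: distinct_reply_sources}}.

    records: time-ordered (timestamp, src, dst, icmp_type, icmp_id) tuples
    (a hypothetical flow-record layout). A reply is unsolicited when its
    destination never sent an echo request with the same ICMP id, which is
    how a spoofed-source ping looks at the victim's edge.
    """
    sent_ids = defaultdict(set)    # host -> ICMP ids it has pinged with
    recent = defaultdict(list)     # (victim, subnet) -> [(ts, src), ...]
    findings = defaultdict(dict)

    for ts, src, dst, icmp_type, icmp_id in records:
        if icmp_type == ECHO_REQUEST:
            sent_ids[src].add(icmp_id)
            continue
        if icmp_type != ECHO_REPLY or icmp_id in sent_ids[dst]:
            continue               # not a reply, or a reply that was asked for

        # Group reflectors by /24 (assumption: one broadcast domain per /24).
        subnet = str(ip_network(f"{src}/24", strict=False))
        bucket = recent[(dst, subnet)]
        bucket.append((ts, src))
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)          # keep only replies inside the time window

        distinct = len({s for _, s in bucket})
        if distinct >= min_sources:
            previous = findings[dst].get(subnet, 0)
            findings[dst][subnet] = max(previous, distinct)

    return {victim: dict(subnets) for victim, subnets in findings.items()}


def constructed_sample():
    """Constructed records using documentation address ranges only."""
    recs = [
        # Ordinary ping: request and matching reply.
        (0.00, "203.0.113.20", "192.0.2.5", ECHO_REQUEST, 7),
        (0.02, "192.0.2.5", "203.0.113.20", ECHO_REPLY, 7),
        # An admin pings a broadcast address on purpose: many replies,
        # but all solicited, so they must not be flagged.
        (0.10, "203.0.113.30", "192.0.2.255", ECHO_REQUEST, 77),
    ]
    recs += [(0.10 + h / 1000, f"192.0.2.{h}", "203.0.113.30", ECHO_REPLY, 77)
             for h in range(1, 31)]
    # Reflected flood: 40 hosts reply to a host that never sent a request.
    recs += [(0.50 + h / 100, f"198.51.100.{h}", "203.0.113.10", ECHO_REPLY, 0x1234)
             for h in range(1, 41)]
    return recs


if __name__ == "__main__":
    for victim, subnets in find_smurf_victims(constructed_sample()).items():
        for subnet, count in subnets.items():
            print(f"{victim}: {count} unsolicited echo replies from {subnet}")
```

A finding names the reflecting subnet, which is the network whose operator needs to stop answering broadcast pings.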

When You Read eBooks Are They Reading You

(James Hood @ ConsumerAffairs) When you were a child, your parents and teachers kept track of what you read. They encouraged you to read more things you didn't want to read and fewer things you did want to read. And they probably looked over your shoulder and rifled through your backpack ... just to be sure.

Now that you're a grown-up, you can read whatever you want. But that doesn't mean no one is looking over your shoulder or rummaging through your library. Quite the opposite, in fact.

Each year, the Electronic Frontier Foundation (EFF), a privacy group, studies the tracking and data-sharing practices of major e-book distributors like Amazon, Barnes & Noble and Google. It's not an easy task, as each company has multiple license agreements, privacy policies and other legalese-encumbered documents that must be found and deciphered.

As in years past, EFF this year finds the distributors' policies "frustratingly vague and long-winded" but it's pretty easy to sum up the findings: you have a lot less privacy reading e-books than reading "real" books you find in a library or bookstore.

A free country

You may think this doesn't matter, and perhaps it doesn't. If your reading consists largely of how-to books, maybe you don't care if you wind up on all kinds of lists that mark you as someone who might be in the market for a box saw or a slow cooker.

If, on the other hand, you are a gun enthusiast or a student of Muslim culture or--let's say--one who enjoys reading slightly salacious fiction, you may not want this information shared with anyone and everyone.

It's a free country, as they say, and most of us are accustomed to thinking that, thanks to those inalienable rights and all that, we can say, think and read just about anything we want without worrying very much about what others think. It's a little hard to change this thinking since it's what we grew up with and still enjoy in many aspects of everyday life.

You can, after all, walk into any bookstore that has somehow managed to stay in business, pay cash for any book you want and walk out without anyone knowing what you have purchased or looked at. Libraries are almost as secure, as librarians are rabid, in their own mild way, about protecting their patrons' privacy.

Opaque. Unclear too

Ah, but browse for a book on Google and it will log your IP address and, if you are logged into your Google account, will associate the search with your account, EFF reports in its annual round-up of bookseller spying practices.

Or go traipsing through the virtual stacks at Amazon and it will--as Amazon so melodiously puts it--log data "on products viewed and/or searched for." As we all know, Amazon will then immediately begin making bone-headed suggestions based on superficial characteristics of your recent searches. You know, novels about one-armed detectives in Oklahoma.

Barnes & Noble's policies are even more opaque. It "probably" does not record searches made on the Nook and does not say if it records searches made by logged-in customers, EFF found.

Nearly all the booksellers surveyed by EFF were unclear about what they do with browsing data they acquire from other sources.

Other sources? Oh, you know, those consumer profilers who follow your every step on the Web and add it to all the other information they have on you. 

Maybe none of this matters to you. After all, 1 in 5 of us already have e-books and probably the rest of us soon will have. You don't have to be a big reader to find yourself with an e-reader--you're more likely to get a Kindle or a Nook than a necktie this holiday season, so while sipping egg nog around the fire, you might want to meditate on your privacy policy and see how it meshes with the privacy policies of the Amazons and Googles of the world.

It might be enough to send you dashing to the library when it opens on Dec. 26.   

Want to know more? See EFF's 2012 Reader Privacy Chart here.


Who is watching you and from Where

Screenshot of the new iPhone app SpyMeSat, which lets users track overhead imaging satellites.

(Leonard David @ Space.com) In case you're hungry for personal space situational awareness, or are just plain paranoid, a new iPhone app can tell you when and what imaging spacecraft might have you in sight.

Orbit Logic of Greenbelt, Md., has created SpyMeSat, an app that provides notifications when spy satellites and unclassified imaging satellites are zooming above your head and may be taking your picture. A dynamic map shows orbit tracks and the location of remote sensing satellites with upcoming passes over a user's specified location.

Alex Herz, president of Orbit Logic, said that SpyMeSat is the firm's first app designed for everyday folks, and a product that extends the company's customer base beyond the aerospace, defense and government intelligence communities.

"I actually got the idea for the app from talking to friends outside the aerospace industry who were always very interested in space and satellites and imaging from space. This app answers those questions in a fun and interactive way," Herz told SPACE.com.

Multiple sources
The SpyMeSat app makes use of multiple sources, including orbit data from the North American Aerospace Defense Command (NORAD). The NORAD spacecraft data come via CelesTrak, a website designed to provide current orbital software, educational materials and links to software to support tracking satellites and understanding orbital mechanics.

That information is melded with available public information about commercial and international imaging satellites.

The iPhone app user can see a satellite’s trajectory around his or her location, as well as get an alert when a camera-snapping or radar-scanning satellite might be in range.

Moreover, the app user can learn more details about each imaging opportunity, and also peruse a page describing the satellite that's zooming by overhead. According to Orbit Logic, SpyMeSat users can organize the app in several ways, such as modifying the location of interest.

An artist's interpretation of Canada's Radarsat-2 Earth observation satellite in orbit.
CSA-MDA

Making a pass
All of the imaging satellites in SpyMeSat are in low-Earth orbit at an altitude of about 500 miles (805 kilometers). Enabled SpyMeSat satellites include such zoom-lens notables as GeoEye, the French space agency’s SPOT-5, India's CartoSat-2A, DigitalGlobe's WorldView satellites and Canada's RADARSAT-2.

Of course, a SpyMeSat imaging-pass notification doesn't necessarily mean that a satellite is taking your picture. An identified satellite could have its camera in off mode or pointed elsewhere along its ground track.

SpyMeSat does not include all imaging spacecraft. No classified imaging satellites, from any nation, have their orbit information published, so these satellites do not show up in the app.

The app does include imaging satellites with resolution capabilities of some 16 feet (5 meters) or better for which orbit information is published by NORAD. For the most part, these are commercial satellites or openly acknowledged government satellites from other countries.

Compatibility needs
When pondering the potential uses of this app, might it not help hide nefarious actions from orbiting eyes — say by a terrorist group, somebody whipping up a batch of plutonium or perhaps those involved in human rights wrongdoing?

Herz said that people have already mentioned possible use of the app by terrorists.

"We were careful to only include satellites that are unclassified and whose orbits are published by NORAD. Even the sensor data — resolution, etc. — was taken only from the websites published by the satellite operators. So everything SpyMeSat is using is open and public. Even the computations are basic orbit math taught in colleges everywhere," Herz said.

"We can also track app downloads by country through the Apple App Store," he added. "So far, no terrorist countries — unless you consider Brazil, Switzerland, Canada, Germany or Australia, terrorist havens."

Responding to a SPACE.com query, John Pike, a leading expert on defense, space and intelligence policy and director of GlobalSecurity.org, said: "Anyone who was trying to hide from such satellites was already doing so."

SpyMeSat requires iOS 6.0 or later. The app is compatible with iPhone, iPad and iPod touch and is optimized for iPhone 5.

Cost of this app is $1.99 in the iTunes App Store.

Why Ransomware Is Exploding

Broken down by industry, some 38 percent of attacks are in the services field, which includes health care. About 17 percent of attacks are in manufacturing, just over 10 percent are in public administration, and nearly 10 percent are in finance, insurance, and real estate, according to Symantec. The US is the most affected region, with 28 percent of global infections, the report found.

One of the most popular vehicles for ransomware is a phishing email telling the user they have an invoice that requires payment, Haley said. Another common way is to infect a website, or redirect one website to another hosting the malware.

Haley expects to see more targeted attacks against businesses over the next year, and for other devices to come into play. Strikes on computers and smartphones are the norm, but they could also occur on any IoT device, from smart TVs to refrigerators to watches.

"Ransomware is real, and it's going to affect your organization," Haley said. "Most of the steps to protect yourself are not unique -- in the end, protecting yourself against ransomware will protect you against other security issues as well."

Best practices for your company

IT leaders should continuously seek out innovative technologies to add to their customized, layered defense, said James Scott, senior fellow and co-founder of the Institute for Critical Infrastructure Technology. "Look at where your valuable data is, who is trying to exploit it, and what vulnerabilities are there in protecting it," he added.

To prevent a ransomware attack on your company, experts say IT leaders should do the following:

  • Use a layered security approach, with all endpoints protected, as well as protection at the mail server and gateway. "If you can stop these things from ever showing up in an end user's mailbox, you're ahead of the game," Haley said.
  • Educate your employees. "The human element is always going to be the weakest element," Scott said. "The organization's infosec team has to continuously update their education for other staff with relevant threats."
  • Run risk analyses, and patch vulnerabilities, especially on browsers, browser plugins, and operating systems. "Infosec teams should be savvy enough to continuously pen test the organization to hunt for vulnerabilities," Scott said. "It's important that they do that with the same vigor as the adversary would."
  • Build a comprehensive backup solution, and back up often. "If your files get encrypted, you don't have to pay the ransom--you just restore the files," Haley said. Most businesses back up, but some have not tested whether or not these backups work in an emergency.
  • Track behavior analytics to detect abnormalities among users.
  • Limit access to file shares to only those who absolutely need access.

Some organizations are using AI products to predict threats, Scott added. "A year ago, the technology to detect and respond to threats was what everyone was talking about," he said. "Now, it's detect, respond, and predict."

Why Small Business Is Caught Off-Guard In Cyberattacks

Small and medium-sized businesses (SMBs) do not consider themselves targets of cyberattacks, and thus are not implementing safeguards to protect their information, a Symantec survey concludes. “Getting hit by a banking trojan, having cybercriminals empty your bank account, is a huge risk for small businesses. They are not protected by the bank like an end user is. An online banking attack could really crush their business”, Haley told Infosecurity.


 

Why parents' use of media devices is just as bad as their children's

(Christopher Maynard @ ConsumerAffairs) Researchers found that parents spend an exorbitant amount of time looking at screens.

The use of media devices is higher than it has ever been before, and one of the groups commonly associated with all that screen time is children and teenagers. It often falls to parents to try and limit the amount of screen exposure and set a good example, but a new study shows that their media use may be just as bad.

Researchers at the Common Sense Census conducted surveys on over 1,700 parents with children between the ages of 8 and 18. They found that parents spent roughly 9 hours and 22 minutes on some sort of media device. The vast majority of that time wasn’t work-related either; the researchers said that only 18%, or 1 hour and 22 minutes, of that time was work-related screen time. The rest was used on “personal screen media” – activities like watching TV, playing games, or surfing the web.

Perhaps ironically, over half of participating parents said that they were worried that their children would become addicted to technology or that it would affect their quality of sleep. Seventy-eight percent also said that they thought they were good role models when it came to media use.

“These findings are fascinating because parents are using media for entertainment just as much as their kids, yet they express concerns about their kids’ media use while also believing that they are good role models for their kids,” said James P. Steyer, CEO of Common Sense Census.

Parental concerns

Social media and internet use stood out as big concerns for parents in the study. Around half of the respondents said that they thought too much time on social media negatively affected physical activity, and a smaller fraction said that it hurt children’s ability to focus (35%), impeded face-to-face communication (34%), and worsened behavior (24%), school performance (22%), emotional well-being (20%), and relationships with friends (20%). However, 44% of parents thought social media made friendships stronger.

Parents who were concerned about general internet use said they were “moderately” or “extremely” worried about four major things: spending too much time online (43%), over-sharing personal details (38%), accessing online pornography (36%), and exposure to violent content (36%).

Other concerns connected to media use primarily focused on addiction and health. Fifty-six percent of parents said they were worried that their children could become addicted to technology, while 34% said they were specifically worried about their children not getting enough sleep because of media devices.

Double standard?

While parents have all these concerns about their children’s media use, they tend to have a much more cavalier stance when it comes to their own consumption. The study found that, on average, parents spent 3 hours and 17 minutes watching TV, DVDs, or video on a daily basis. Video gaming came in at the next highest use (1:30), followed by social networking (1:06), browsing websites (0:51), and other activities on computers, smartphones, and tablets (0:44).

The researchers found that level of education and income were factors that affected media use. Parents that had a BA degree or more spent 1 hour and 33 minutes less on personal screen media than parents with a high school diploma or less. Parents who made under $35,000 per year had the most logged personal screen time with 9 hours and 15 minutes, compared to parents making between $35,000 and $100,000 (7:42) and those making over $100,000 (6:41).

While talking to parents about their media use, the researchers found that some participants were often surprised by how much time they spent on certain activities.

“I like to play Words with Friends, and sometimes I’ll find that after a while I’ll be like, oh my God, I’ve been on this for an hour, and you have to say, OK, I have to put this away. I can see how children can get hooked on playing video games or using media the entire weekend,” said one mother of a 15-year-old.

While the surveys found that many parents mediate their child’s use of technology or screen time, the findings suggest that taking the time to examine their own consumption habits could be beneficial.

Wi-Fi hotspots more dangerous than you think


(Jennifer Abel @ ConsumerAffairs) You've known for a long while now that there's an inherent security risk every time you go online, hence the near-constant warnings you hear about hackers, phishers, malware and other threats that literally didn't exist in your parents' day.

And you know that going online via any sort of free or public wi-fi hotspot is risky even by Internet-security standards, because that free network might be nothing more than bait offered by hackers seeking full access to any device connecting to it.

But you might not have known just how risky that free wi-fi access is — especially if you're a customer of Comcast or AT&T. Ars Technica tried a little experiment and the results should concern anybody who takes advantage of Comcast or AT&T's free offerings: “Millions of AT&T and Xfinity customers could be leaving themselves exposed to surreptitious hacking of their Internet traffic, exposing their personal data as a result.”

Here's a (very oversimplified) explanation of why: unless you specifically turn off that feature, or your device itself, your smartphone, tablet or other connectable device is always looking to connect with a familiar network.

Let's say you occasionally visit Starbucks to take advantage of their free wi-fi. So the next time you go there, your phone will automatically send out a signal, basically saying “Hey, Starbucks wi-fi, where are you?” and waiting for the electronic response “Here I am! Starbucks wi-fi, now connecting with you.”

But it's very easy for anyone to set up a wireless hotspot to respond under a false name: “Here I am! A hacker up to no good, but I told your phone I'm actually Starbucks wi-fi and now I'm connecting with you.”

That particular danger — that your devices might automatically connect to fake Starbucks or fake McDonald's or any other falsely labeled store-specific wi-fi hotspot — is easy to guard against: simply shut off the wi-fi connections on your mobile devices when you're not using them, or set them so that they must ask before joining a mobile network.

How easy is it?

Ars Technica discovered just how easy it is for anyone with minimal knowledge and everyday equipment to set up as a wireless hotspot spoofing Xfinity or AT&T:

I set up my laptop as a Wi-Fi hotspot broadcasting the network name (SSID) “attwi-fi” (after alerting my neighbors, of course). After killing off the settings for my preferred networks on my iPhone, I turned on the Wi-Fi, and it connected to the fake “attwi-fi” hotspot without prompting.

When I killed the “attwi-fi” network after a few seconds, my iPhone promptly demonstrated the further risks of auto-connecting—it automatically reconnected with another network in the list of trusted networks on my phone: a hotspot called “xfinitywi-fi.” I had used an Xfinity hotspot while waiting for an appointment a few days earlier, and suddenly I was logged into a hotspot running on my neighbor’s cable modem.

Comcast’s Xfinity wireless hotspots present a Web page for login that requests a customer’s account ID and password, and each time you connect to a new hotspot it re-authenticates you. But if you’ve connected once during the day, the hotspot remembers your device and reconnects you without prompting.

This isn't a problem if your device is connecting to the legitimate Comcast or AT&T network, of course, but if it connects to a hacker-bait hotspot with a fake name, pretty much any data on that device is at risk.

Ars Technica pointed out that the security risk here does not come from the actual Comcast/Xfinity or AT&T wireless hotspots, but from the risk of connecting to fake ones. “AT&T’s and Xfinity’s networks are insecure in themselves. They are just common enough to give someone with evil in mind a way to cast a wide net for potential victims over Wi-Fi. The same tools I used to spoof Xfinity could be set to automatically respond to a victim’s phone as any Wi-Fi access point they’ve trusted.”

How can you protect yourself? No matter what type of mobile device you have, disable any and all auto-connect features in it. The minor inconvenience of taking a few seconds to “manually” connect your devices to wi-fi when necessary beats the major inconvenience of giving hackers access to every bit of confidential data on those devices.
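The auto-connect advice above applies to Windows laptops as well as phones. The following PowerShell script is an added example, not part of the original article: it lists the saved Wi-Fi profiles and flags those that are both open (no encryption) and set to connect automatically, which is the combination a same-named hotspot can answer. The -Fix switch is a name chosen for this example.

```powershell
# Added example: audit saved Wi-Fi profiles for "open + auto-connect".
# Runs in a normal (non-elevated) PowerShell session on Windows.
param(
    [switch]$Fix   # assumption: hypothetical switch; without it the script only reports
)

# Work in a throw-away folder so exported profile files do not linger on disk.
$exportDir = Join-Path $env:TEMP ("wlan-audit-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $exportDir | Out-Null

try {
    # Export every saved profile as XML. key=clear is deliberately NOT used,
    # so stored passphrases stay encrypted in the exported files.
    netsh wlan export profile folder="$exportDir" | Out-Null

    $findings = foreach ($file in Get-ChildItem -Path $exportDir -Filter *.xml) {
        $wlan = ([xml](Get-Content -Path $file.FullName -Raw)).WLANProfile
        $auth = $wlan.MSM.security.authEncryption.authentication

        [pscustomobject]@{
            Profile        = $wlan.name
            ConnectionMode = $wlan.connectionMode     # 'auto' or 'manual'
            Authentication = $auth                    # 'open', 'WPA2PSK', ...
            # An open network that the laptop joins without asking can be
            # impersonated by anything that broadcasts the same name.
            Risky          = ($wlan.connectionMode -eq 'auto' -and $auth -eq 'open')
        }
    }

    $findings | Sort-Object Risky -Descending | Format-Table -AutoSize

    if ($Fix) {
        foreach ($finding in ($findings | Where-Object { $_.Risky })) {
            # Keep the profile, but require a manual connect from now on.
            netsh wlan set profileparameter name="$($finding.Profile)" connectionmode=manual
        }
    }
}
finally {
    Remove-Item -Path $exportDir -Recurse -Force
}
```

Profiles for hotspots that are no longer needed can be removed outright with `netsh wlan delete profile name="<profile name>"`.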

Wi-Fi WPA2 passwords Now Cracked with ease

A new way to compromise the WPA/WPA2 security protocols has been accidentally discovered by a researcher investigating the new WPA3 standard.

The attack technique can be used to compromise WPA/WPA2-secured routers and crack Wi-Fi passwords which have Pairwise Master Key Identifiers (PMKID) features enabled.

Security researcher and developer of the Hashcat password cracking tool Jens "Atom" Steube made the discovery and shared the findings on the Hashcat forum earlier this month.

At the time, Steube was investigating ways to attack the new WPA3 security standard. Announced in January by industry body the Wi-Fi Alliance, WPA3 is the latest refresh of the Wi-Fi standard.

WPA3 aims to enhance user protection, especially when it comes to open Wi-Fi networks and hotspots commonly found in public spaces, bars, and coffee shops. The new standard will utilize individualized data encryption to scramble connections -- as well as new protections against brute-force attempts to crack passwords.

However, the aging WPA2 standard has no such protection.

According to the researcher, the new attack method does not rely on traditional methods used to steal Wi-Fi passwords. Currently, the most popular method is to wait until a user connects to Wi-Fi, wait for the four-way authentication handshake to take place, and capture this information in order to brute-force the password in use.

Will The New NSA Massive Spy Center Watch You

Once finished, the NSA’s million square foot data center will be the size of 17 football fields, five times the size of the U.S. Capitol Building and 18 times bigger than the White House.

Baker believes this growth falls in line with the general expansion of the Internet, of communications over the past ten years – and the threat to our national safety has never been greater.

“The number one threat that we face as a nation frankly is not Iran,” Baker told Fox News. “It’s not actually the war on terror. It’s cyber warfare. It is the daily, astounding number of attacks against our government infrastructure, our private sector. The amount of economic espionage that’s directed at our country on a daily basis would stun the American public. So the NSA has both a defensive and offensive requirement.”

Will You Lose Your Internet In July

For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections this summer.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system is to be shut down.

The FBI is encouraging users to visit a website run by its security partner, www.dcwg.org, that will inform them whether they're infected and explain how to fix the problem. After July 9, infected users won't be able to connect to the Internet.

LONG ARM OF SCOFFLAW: An online ad scam is having some unintended ramifications: The fix may prevent as many as 360,000 from getting online. Several sites will show if you're infected:

DNS Changer Working Group: can discern whether you’re infected and explain how to fix the problem.

DNSChanger Eye Chart: if the site goes red, you’re in harm’s way. Green means clean.

The FBI website: type in the IP address of your DNS server to find out if it is infected.


 

Windows 8 antivirus software scores dead last in German tests

(James Hood @ ConsumerAffairs) By nearly any measure, Windows 8 has been a bust. Its truly bizarre desktop has gotten the most criticism but unnoticed until now has been the performance of the free antivirus software that is included in the operating system.

 

Now that someone has taken the trouble to put the system, called Microsoft Defender, through its paces, you can add it to the list of Windows 8 shortcomings. 

Independent German lab AV-Test evaluated 28 antivirus products, grading them for protection, repair and usability -- each worth six points for a possible total of 18 points.

"Bitdefender, Kaspersky Lab and Symantec lead the field while the protection packages from Avast, F-Secure and GData share fourth place," AV-Test said. 

Who was in last place? Yep, Windows Defender, which was five points behind everyone else.

Nevertheless, AV-Test says its tests at least prove that Windows 8 can be secured, as long as the user is willing to pay for an external security program.  

Malware results

When it comes to malware, the results were similar. 

"The suites from Bitdefender, F-Secure and Kaspersky all did the best job in this category, achieving detection rates of 100%, while the best free programs, namely those from Avast and AVG, were only able to make it to eighth and twelfth place respectively," said AV-Test. "The Windows Defender provided by Microsoft in its operating system set a very low benchmark value with a detection rate of just 79%."

AV-Test also confirmed what no one likes to admit -- namely, that stopping malware comes at the cost of impaired system performance.

"Although the best programs in the 'Protection' category also achieved excellent results in this 'System Load' category, none of them were able to score the maximum total of six points," AV-Test said. "This test category is proof that high security comes at the expense of a certain amount of system performance."

The top 10 products earned an average of 4.0 points (out of 6.0) for system load, while the top-ranked product, from Bitdefender, earned 5.2.

What to do 

The takeaway for consumers is pretty obvious. If you're going to run any version of Windows, you need a strong antivirus and malware protection software suite. Any of the top three named above should do the trick.

Don't want to buy antivirus programs? OK, fine. That leaves you with these options:

  • Get a Mac. Although Macs are not immune to viruses and malware, they are much more resistant than Windows and also are not attacked as often.
  • Get a Chromebook. Google's Chromebook relieves you of having to worry about security. It also relieves you of having to buy Microsoft Office, since it works with Google's office suite, which runs in the cloud and is, we should mention, free.
  • Switch to Linux. The Chromebook locks you into Google and doesn't give you the opportunity to run programs from your hard drive. If this matters to you, or if you just like to play around under the hood now and then, download a copy of Linux Mint, the best desktop program out there bar none. It's secure, free and rock solid and comes with its own suite of office programs, combining the benefits of the Mac and the Chromebook.

Windows Defender Offline in Windows 10

(Iaan D'Souza-Wiltshire @ Microsoft) Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).

In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.

Pre-requisites and requirements

Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.

For more information about Windows 10 requirements, see the following topics:

Note

Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.

To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.

Windows Defender Offline updates

Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually through Microsoft Update or through the Microsoft Malware Protection Center.

Note

Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the Microsoft Malware Protection Center.

For information on setting up Windows Defender updates, see the Configure Windows Defender in Windows 10 topic.

Usage scenarios

In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.

The prompt can occur via a notification, similar to the following:

Windows notification showing the requirement to run Windows Defender Offline

The user will also be notified within the Windows Defender client:

Windows Defender showing the requirement to run Windows Defender Offline

In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status. Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.

System Center Configuration Manager indicating a Windows Defender Offline scan is required

Manage notifications

You can suppress Windows Defender Offline notifications with Group Policy.

Note

Changing these settings will affect all notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.

Use Group Policy to suppress Windows Defender notifications:

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Windows Defender > Client Interface.

  5. Double-click the Suppress all notifications setting and set the option to Enabled. Click OK. This will disable all notifications shown by the Windows Defender client.

Configure Windows Defender Offline settings

You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use Set-MpPreference to change the UILockdown setting to disable and enable notifications.

For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:

For more information about notifications in Windows Defender, see the Configure enhanced notifications in Windows Defender topic.

Run a scan

Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.

Note

Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.

You can set up a Windows Defender Offline scan with the following:

  • Windows Update and Security settings

  • Windows Defender

  • Windows Management Instrumentation

  • Windows PowerShell

  • Group Policy

Note

The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.

Run Windows Defender Offline from Windows Settings:

  1. Open the Start menu and click or type Settings.

  2. Click Update & Security and then Windows Defender. Scroll to the bottom of the settings page until you see the Windows Defender Offline section.

  3. Click Scan offline.

    Windows Defender Offline setting

  4. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.

Run Windows Defender Offline from Windows Defender:

  1. Open the Start menu, type windows defender, and press Enter to open the Windows Defender client.

  2. On the Home tab click Download and Run.

    Windows Defender home tab showing the Download and run button

  3. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.

Use Windows Management Instrumentation to configure and run Windows Defender Offline:

Use the MSFT_MpWDOScan class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.

The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.

wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start

For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:

Run Windows Defender Offline using PowerShell:

Use the PowerShell cmdlet Start-MpWDOScan to run a Windows Defender Offline scan.

For more information on available cmdlets and options, see the Use PowerShell cmdlets to configure and run Windows Defender topic.

Review scan results

Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.

  1. Open the Start menu, type windows defender, and press Enter to open the Windows Defender client.

  2. Go to the History tab.

  3. Select All detected items.

  4. Click View details.

Any detected items will display. Items that are detected by Windows Defender Offline will be listed as Offline in the Detection source:

Windows Defender detection source showing as Offline
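The prerequisite, update, scan and review steps above can be combined into one script. This is an added example, not Microsoft's own code; the -Run and -Review switches and the $MaxSignatureAgeDays threshold are assumptions made for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks for Windows Defender Offline, then the scan.
param(
    [switch]$Run,                   # assumption: start the scan only when asked to
    [switch]$Review,                # assumption: list recent detections after the reboot
    [int]$MaxSignatureAgeDays = 1   # assumption: acceptable age of the definitions
)

if ($Review) {
    # After the endpoint has restarted, list the most recent detections.
    # The Defender client shows offline detections with "Offline" as the source.
    Get-MpThreatDetection |
        Sort-Object -Property InitialDetectionTime -Descending |
        Select-Object -First 20 -Property InitialDetectionTime, ThreatID,
                                          DetectionSourceTypeID, Resources
    return
}

$problems = @()

# Windows Defender Offline is not supported on ARM processors ...
if ($env:PROCESSOR_ARCHITECTURE -like 'ARM*') {
    $problems += "Unsupported processor architecture: $env:PROCESSOR_ARCHITECTURE"
}

# ... or on Windows Server SKUs (ProductType 1 = workstation, 2 and 3 = server roles).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -ne 1) {
    $problems += "Unsupported SKU: $($os.Caption)"
}

# Update the definitions before scanning; the offline scan uses whatever
# definitions are on the endpoint at the time it runs.
try {
    Update-MpSignature -ErrorAction Stop
}
catch {
    Write-Warning "Definition update failed: $($_.Exception.Message)"
}

$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $problems += "Definitions are $($status.AntivirusSignatureAge) day(s) old " +
                 "(last updated $($status.AntivirusSignatureLastUpdated))"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Error 'Pre-flight checks failed; offline scan not started.'
    return
}

if ($Run) {
    # The endpoint restarts, scans outside Windows, then boots back into Windows.
    # Save open work first.
    Write-Output 'Starting Windows Defender Offline; the endpoint will restart.'
    Start-MpWDOScan
}
else {
    Write-Output 'Pre-flight checks passed. Re-run with -Run to start the offline scan.'
}
```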


Windows Mac Linux Apply Adobe Patch Right Away

(Jennifer Abel  @ ConsumerAffairs) Time to update your Adobe Flash Player, right now: Adobe has issued new patches, the second this month, to fix critical security errors in Flash for Windows, Mac and Linux. This patch is being released outside of Adobe's usual security update cycle, since the previous patch didn't quite fix the problem — or, rather, since hackers were able to quickly develop new ways to work around the patch.

Sophos' Naked Security blog referred to this latest security patch update as a “booster dose” for the previous one. Sophos also went so far as to advise its readers to “Try uninstalling Flash to see if you can live without it. As this incident reveals, Flash is popular with crooks, who put plenty of effort into working out how to exploit it.”

But if you keep Flash installed, try changing your browser settings to require the “click-to-play” or “Ask-to-activate” option, which requires your permission every time before Flash runs on your computer.

And definitely check to make sure you get this patch, although most Adobe users have Flash set to update automatically.

Windows Neutralizes Intel Spectre Fix

Windows users received an emergency update over the weekend as Microsoft raced to address yet another issue in the Meltdown/Spectre malware saga.

In this case, Microsoft's action was specifically designed to disable a fix that Intel issued to neutralize the Spectre Variant 2 attack. Unfortunately, that fix reportedly caused machines to reboot unexpectedly. Microsoft additionally claimed the Intel fix could, in some cases, cause a loss of data or file corruption.

To prevent users from losing data, the Windows update disables Intel's fix that addresses CVE-2017-5715, otherwise known as the Variant 2 Spectre attack.

The issue arose in early January as reports began to surface of a design flaw in some Intel processors. Intel responded that the issue affected all processors, including those made by other manufacturers.

Initial concerns focused on performance, with some reports claiming that Intel's fix could significantly slow a computer's speed. Intel denied this, saying performance would vary depending on workloads.

Not exactly a smooth process

But addressing the security flaw has not exactly been a smooth process. Three weeks ago, Microsoft briefly suspended its Windows update for AMD processors after it heard from some customers who said their machines would not boot up after the update.

"After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown," the company said at the time.

Those updates have now resumed without incident. Intel, meanwhile, told customers last week to refrain from installing current firmware updates designed to counter the threats until further instructions.

Meanwhile, The Wall Street Journal reports Intel informed some of its customers in China about the security flaw before it told the U.S. government about it.

The Journal quotes an Intel spokesman as saying it intended to inform government agencies about the newly discovered flaw, but the news became public before it could act.

Windows Server 2012 backup

 

Introduction

In my previous article I explained How to Install Windows Server Backup Feature in Windows Server 2012. In today's article you will learn how to create a backup of the System State/Active Directory using the Windows Server Backup Feature in Windows Server 2012.

Since you have already installed the Windows Server Backup Feature, we will move forward from there.

Step 1

Go to the Tools option provided by the Server Manager, left-click on it and scroll down to the "Windows Server Backup" option.

The Windows Server Backup window will now open.

Step 2

In the Local Backup option you will get a few options like "Backup Schedule", "Backup Once", "Recover" etc. In this article we will create a one-time backup, so click on "Backup Once".


Now "Backup Options" will be available from which you must select the second option, "Different Options" and then click on "Next".


Step 3

Now "Backup Configuration" will be available from which you can either select to create a backup of the "Full Server" or select the "Custom Option" that will give you freedom to choose from various options for creating a backup.

On the next page click on "Add Items" after which you will be able to select the item to create the backup of.


From the options you can select any Drive or System State or both. Here I will create a backup of only the System State so I select it and click on the "OK" button.


Step 4

Now you must select the "Destination Type" that can be either a "Local Drive" or any remotely shared folder.


Since here I selected the Local Drive, it will ask me in which drive I would like to create the backup and how much space is available in that drive. After that click on "Next".


Step 5

Now a Confirmation Page will be shown that will show you the full details of whatever you selected and will finally ask you to give permission to create the backup. Click on "Backup" to start the backup.


Now your backup will begin and within a few minutes your backup will have been created.


Now you can go to the specified drive and ensure that the backup was created.
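The same one-time System State backup can be scripted with the Windows Server Backup PowerShell module, followed by a check that the job succeeded and that a backup set actually exists on the target. This is an added example, not part of the original article; the target volume E: and the $TargetVolume parameter are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: one-time System State backup, then verification.
# Assumes the Windows Server Backup feature is already installed.
param(
    [string]$TargetVolume = 'E:'   # assumption: a local volume other than the system volume
)

Import-Module WindowsServerBackup -ErrorAction Stop

# Build a policy that contains only the System State, as selected in the wizard above.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy

# Destination type "Local Drive" from Step 4.
$target = New-WBBackupTarget -VolumePath $TargetVolume
Add-WBBackupTarget -Policy $policy -Target $target

# Equivalent of "Backup Once"; this call blocks until the job has finished.
Start-WBBackup -Policy $policy

# Check the result of the job that just ran instead of assuming success.
$job = Get-WBJob -Previous 1
if ($job.HResult -ne 0) {
    throw "Backup failed (HRESULT $($job.HResult)): $($job.ErrorDescription)"
}

# Confirm that a backup set is present on the target and show the newest one.
$latest = Get-WBBackupSet -BackupTarget $target |
    Sort-Object -Property BackupTime |
    Select-Object -Last 1

if (-not $latest) {
    throw "The job reported success, but no backup set was found on $TargetVolume."
}

$latest | Format-List -Property VersionId, BackupTime, BackupTarget
```

A backup set appearing on the drive shows that the backup was written; only a test restore shows that it can be recovered.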


Windows XP Administrator Access Using Windows XP Installation CD

It happens all the time. Clients come to us after deleting or demoting users, only to find that they no longer have Administrator access or no access at all. No worries, there are a couple of things that can be done to allow Administrator access, and this is how we do it:

Check this first: When most systems are set up, Windows XP will create an Administrator user. Most people, and companies, leave the password blank. Try logging into Windows using the Administrator user and no password. This works nine out of ten times.

Ubuntu Live: This used to be the method of choice for managing lost Administrator passwords. However, the February 2013 Microsoft patch plugged this hole and rendered it useless.

New Method of Choice – Windows XP Installation CD: During a System Repair, the Windows XP CD uses the Administrator account. There is a hole or opportunity in the processes when System Repair begins to install drivers. At the moment that you see “Installing Drivers” at the lower left corner of the screen, immediately press Shift + F10 to enter the command console. Next type NUSRMGR.CPL, which brings up the “User Accounts” screen that normally allows you to Modify / Add / Delete users.

Do not change the Administrator password. Changing the Administrator password at this point may create system and encryption errors that may render some XP functionality useless!

Rather than changing the Administrator user account, let’s elevate an existing user with a known password (if possible) to Administrator status. The less you do, the greater opportunity for success. However, if you do not know the user password, simply blank the password rather than entering a new password.

Allow System Repair to complete normally. After a reboot, log in using the Elevated User Account. Use Manage to change the Administrator password and to change the Elevated User Account. Reboot again, and you are finished.

The following is a step-by-step description of the initial Repair process that we found on the internet that worked for us:

1. Place your Windows XP CD in your CD-ROM drive and start your computer (it's assumed here that your XP CD is bootable - as it should be - and that you have your BIOS set to boot from CD).

2. Keep your eye on the screen messages for booting to your CD. Typically, it will be "Press any key to boot from cd".

3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.

4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now

5. The Licensing Agreement comes next - Press F8 to accept it.

6. The next screen is the Setup screen which gives you the option to do a Repair. It should read something like "If one of the following Windows XP installations is damaged, Setup can try to repair it" Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.

7. Let the Repair run. Setup will now check your disks and then start copying files which can take several minutes.

8. Shortly after the Copying Files stage, you will be required to reboot (this will happen automatically - you will see a progress bar stating "Your computer will reboot in 15 seconds").

9. During the reboot, do not make the mistake of "pressing any key" to boot from the CD again! Setup will resume automatically with the standard billboard screens and you will notice Installing Windows is highlighted.

10. Keep your eye on the lower left hand side of the screen and when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console will now open up giving you the potential for wide access to your system.

11. At the prompt, type NUSRMGR.CPL and press Enter. Voila! You have just gained graphical access to your User Accounts in the Control Panel.

12. Now simply pick the account you need to change and remove or change your password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for a password. After you've made your changes, close the windows, exit the command box and continue on with the Repair (have your Product key handy).

13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.

This security hole allows access to more than just user accounts. You can also access the Registry and Policy Editor….

And in case you are wondering, NO, you cannot cancel install after making the changes and expect to logon with your new password.

Cancelling will just result in Setup resuming at bootup and your changes will be lost.

Wyndham Hotels In Hot Water Over Credit Card Data

In its complaint, the FTC alleges that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury.  The agency charged that the security practices were unfair and deceptive and violated the FTC Act.  

Wyndham and its subsidiaries license the Wyndham name to approximately 90 independently-owned hotels, under franchise and management agreements.

When you go on vacation, the last thing you want to do is be hassled with a credit card problem because someone at your hotel screwed up. But, according to the Federal Trade Commission (FTC), that’s what’s happened to a lot of folks who stayed at Wyndham Hotels. 

The FTC has filed suit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. 

According to the agency, these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.


Yelp Review Lawsuit

(Justin Jouvenal Washington Post) Angered by what she thought was shoddy work on her home, Fairfax resident Jane Perez did what has become the go-to form of retail vengeance in the Internet age: She logged on to Yelp and posted scathing reviews of the D.C. firm that did the job.

Perez ticked off a list of accusations, including damage to her home, an invoice for work the contractor did not perform and jewelry that disappeared. She closed one post by fuming, “Bottom line do not put yourself through this nightmare of a contractor.”

The contractor’s response to her one-star takedown? Fight back.

Christopher Dietz filed a $750,000 Internet defamation lawsuit against Perez last month, saying the postings on Yelp and others on Angie’s List were false and sent customers fleeing. He is also asking a Fairfax County court for a preliminary injunction to keep her from writing similar reviews. A hearing will be held Wednesday.

Lawyers say it is one of a growing number of defamation lawsuits over online reviews on sites such as Yelp, Angie’s List and TripAdvisor and over Internet postings in general. They say the freewheeling and acerbic world of Web speech is colliding with the ever-growing importance of online reputations for businesses, doctors, restaurants, even teachers.

It’s snark vs. status.

No one keeps track of how many suits are filed over online reviews, and lawyers say the numbers are still small but are getting larger. Most of the suits fail because juries and the courts have sided with free speech and the rights of the reviewers to express their opinions.

With 84 million visitors a month and 33 million reviews, Yelp especially has become a legal battleground given that the reputations of restaurants, nail salons, dry cleaners and other businesses can be made or shredded in a few keystrokes. For instance, a Chicago plastic surgeon sued after a Yelp reviewer said he gave her “Frankenstein breasts.”

Perez, a retired captain in the armed services, said she never fathomed that her Yelp review could land her in court. It has left her reeling and potentially facing thousands of dollars in legal bills to defend herself.

“I don’t want to see what happened to me happen to anyone else,” Perez said.

Nevertheless, she stands by her reviews, saying that everything she wrote was truthful about the work Dietz did on the townhouse, where she lives with her dog.

Some reviewers and free-speech advocates, including Perez, see the cases as free-speech issues: They say the lawsuits are heavy-handed attempts to stifle critical — but valuable — consumer information that has forced businesses to be held accountable.

On the other side, business owners such as Dietz say they are forced to take extreme legal measures because the Internet has made defamation that much more damaging. A single false post can live virtually forever on a site and reach millions, causing untold harm.

Lawyers say such cases are a cautionary tale for a new era: Those who feel targeted by defamation on the Web are more likely to file suit, and judges and juries are more likely to take such claims seriously than in years past, raising the legal stakes over vitriolic reviews, nasty blog comments and Facebook feuds.

“As the Internet has matured, more and more people are feeling the sting of negative posts against them, and the public and jurors are getting more educated about the impacts this speech can have,” said Aaron Morris, a lawyer who handles Internet defamation cases.

Dietz said his small seven-year-old design and contracting firm had a good reputation. Two reviews on Yelp give him the highest rating — five stars — and one praises him as showing a “high degree of professionalism.”

But that reputation was devastated by Perez’s reviews, he said. He alleges in the lawsuit that they cost him $300,000 in business. The situation has also taken a toll on him personally.

“The impact has been awful,” Dietz said. “There is no one to protect businesses when people slam their name.”

The Communications Decency Act shields sites such as Yelp from defamation suits over content posted by third parties. And Yelp, like many review sites, says it simply can’t check the veracity of millions of reviews, leaving businesses and the site’s reviewers to sort out messy factual disputes.

A 2011 Harvard study quantified just how big an effect those negative Yelp postings can have: A one-star increase among reviews of Seattle restaurants led to a 5 to 9 percent growth in revenue.

Perez hired Dietz’s company, Dietz Development, when she moved to the area and needed cosmetic work done on her newly purchased Fairfax home, according to the lawsuit. Dietz, a high school friend, was to paint, refinish floors, perform electrical and plumbing work, and do other tasks in June 2011.

But things quickly spiraled out of control, Perez wrote in her Yelp post.

“I was . . . left with damage to my home and work that had to be reaccomplished for thousands more than originally estimated,” Perez wrote. She alleges that Dietz “was the only one with a key” when jewelry disappeared from her home and that he trespassed on her property, prompting her to call the police, among other issues in dispute.

Dietz says that he completed the job, that he did not damage the home, that Perez never paid him and that she demanded that he perform work beyond what was part of their agreement, according to the lawsuit. Perez denies those accusations.

Dietz also says Perez’s comments about the missing jewelry and trespassing amount to false accusations that he committed crimes. County court records show that Dietz has not been charged on either accusation.

In Virginia, someone can be found liable for defamation if he states or implies a false factual statement about a person or business that causes harm to the subject’s reputation. Opinions are generally protected by the First Amendment.

Lawyers say such lawsuits are on the rise because of the explosion in popularity of review sites such as Yelp. They also say that commentators are unfamiliar with what constitutes defamation and that others are lulled into a false sense of security online.

“There is a right to speak anonymously on the Internet,” said Lee Berlik, a Reston lawyer who handles Internet defamation cases. “Armed with that right, I think people feel safe when they are sitting in their pajamas at their desks at home. They feel they have the right to say whatever they want.”

But that right does not extend to defamatory speech. Lawyers across the country are more aggressively using a combination of legal maneuvers and computer forensics to help uncover the identities of anonymous commentators and sue them.

And some of those cases are producing astronomical awards. This year, an Anaheim, Calif., technology company won a $1.6 million judgment against a blogger who had accused the company of stealing money from business associates. And in 2006, a Florida woman won a $11.3 million judgment after a Louisiana woman called her a “crook” and a “con artist” in an Internet forum.

Lawyers say businesses suing reviewers have met with less success. In fact, many such lawsuits have backfired. Some have generated negative publicity for the plaintiffs and have been looked at skeptically by courts.

Last year, a California judge ordered a dentist to pay the legal bills of the parents of a patient he sued for defamation over a negative review one of them posted on Yelp.

Mark Goldowitz, founder of the Public Participation Project, which monitors such lawsuits, said he sees a troubling trend in review site defamation cases such as the one in Fairfax. He thinks they are a threat to vibrant new communities that have sprung up around Yelp and other sites.

“The suits can have a chilling effect on people’s willingness to share information,” Goldowitz said. “It does lead to people not posting reviews for fear of getting sued and to taking them down when threatened by a lawsuit.”

His group is pushing for a federal law that allows defendants to seek early dismissal of lawsuits that are aimed at silencing voices on public issues. Twenty-seven states, including Maryland, and the District have such “anti-SLAPP” laws, but not Virginia, according to Public Participation Project.

Perez has removed her reviews from Yelp, her attorney said, because allegedly false comments Dietz made about her in his response post on Yelp were popping up as the first listing in Google searches on her name.

Berlik, the lawyer, has a few words of advice for those who want to avoid similar lawsuits: Stick to opinion and “tell the truth, and you won’t get into trouble.”


Zeus - Sweet Orange Exploit Kits Attacking The Internet

(Christopher Brook - The Post) A new Apache module, Linux/Chapro.A, is making the rounds, injecting malicious content including a popular Zeus variant into web pages.

The module was discussed in a post on ESET’s Threat Blog by the company’s Security Intelligence Program Manager, Pierre-Marc Bureau.

According to the post, an iframe injection ultimately installs a version of Zeus, Win32/Zbot, but also points to a Lithuanian Sweet Orange exploit kit landing page.

The final Zeus payload targets users who frequent European and Russian banking foundations and tries to swindle unsuspecting victims into giving up their account information, including their PIN code and CVV code information.

The module also has a stealthy defense component, making it harder for system administrators to find the module during malware scans. The module only serves up malicious content under the right conditions. Linux/Chapro.A checks active SSH sessions on the Linux system it’s running on and doesn’t deploy malware if a user visits the website from any of the SSH-connected IPs. Linux/Chapro.A also only serves up its malware once, electing not to deploy it if a browser has already been infected, visited a malicious site or has been served a cookie.

“If a user visits an infected website twice from the same IP address; it will only receive the malicious content once. This provides a second, additional method to make the path of infection more difficult to determine,” reads ESET’s write-up.

The security firm adds that given the spread of the attack and its poor detection rates, it’s “very hard for law enforcement agencies to investigate and mitigate,” hinting that the module’s creators may have collaborated with another group to popularize the exploit kit only to sell the infected computers to a group running a Win32/Zbot botnet.

David Harley, a Senior Research Fellow with ESET, clarified the company’s blog post on Linux/Chapro.A earlier this morning, referencing a post from the UnmaskParasites blog, “Malicious Apache Module Injects Iframes,” from earlier this fall. It turns out code from a module discussed in September bears striking similarities to the code analyzed by ESET. Security researcher Eric Romang notes the resemblance on his blog, acknowledging the module ESET has been calling Linux/Chapro.A also goes by the name Darkleech and has been distributed in Russian underground forums for months. Romang even compared near-identical strings of code from both Linux/Chapro.A and Darkleech to support his theory. “We were not aware of this material before publishing this blog,” Harley wrote this morning, connecting the two pieces of research.

 

Zeus Latest Facebook Virus Gunning for You

(Kim Komanso) The malware in question is called "Zeus." In most cases, it looks like a funny or shocking video one of your friends posted. It may be posted on their page or in a message to you.

Once you click the link to the "video," it will tell you that you need to update the player to watch the video.

When you try to do that, you download the virus. When you click the "Play" button, you're actually clicking "Like" on the virus page. It will spread the link to all of your friends to try to infect them.

Don't fall for it. If you get a message from your friend, ask them if they meant to send it. In most cases, they won't even know that they are spamming you.

You can also search the title of the video in question on Google or YouTube. If nothing turns up, you'll know the video is a scam.

Fake videos are a popular Facebook scam, but they're not the only one. I know three more you need to watch out for. I'll tell you what they are and how to avoid them in this must-read tip.

Don't forget to 'Like' my page on Facebook, as well. I'll give you plenty of security ideas all of the time. I also post fun and funny videos I find from all over the Web.

 

iOS 6.1 banned from corporate servers due to Exchange snafu

Summary: iPads and iPhones running the newest version of iOS are being blocked in some enterprises because bugs are overloading corporate Exchange servers.

One of the benefits of Apple's iOS devices such as the iPad and iPhone is that you can upgrade to the latest version as soon as it comes out. Being on the cutting edge is usually a good thing, but sometimes it can come back to bite you. If you are connecting to an Exchange server for mail and calendar services, the latest version of iOS has an unpleasant surprise in store for you.

Reports started surfacing in late January about excessive logging on Exchange servers caused by the upgrade to 6.1. A report on Microsoft Technet states:

I had a user upgrade to 6.1 and immediately after he finished, his phone/IPAD started causing excessive logging on the exchange server.  

I found the problem by using exmon and saw the CPU utilization in conjunction with high session count.

He shut down Outlook and the problem remained.  He turned off his iPad and the problem went away.  The only change he said he made that morning was upgrading to iOS 6.1.

This problem has been confirmed by many sources. Windows IT Pro's Tony Redmond reports:

I’ve picked up a few other reports that cannot be publicly attributed at this point that also refer to excessive transaction log generation after iOS 6.1 devices are introduced into Exchange 2010 or Exchange 2007 environments. I assume the same is true for Exchange 2013 as the underlying cause is likely to be in Apple’s mail app code that calls ActiveSync to synchronize with a user’s Exchange mailbox, with some indications being that the problem is once again associated with calendar events. You’d think that Apple would have learned after the iOS 6.0 calendar hijack fiasco.

Until the bug is fixed, corporate users are advised to not upgrade to iOS 6.1. For users who have already upgraded, though, there is no way to revert to the previous version. IT administrators have no control over when their BYOD users upgrade, so many of them have resorted to blocking iOS 6.1 from accessing Exchange as a temporary mitigation to prevent server outages for everybody else.

Apple has not yet acknowledged the problem or stated when a fix might be available, but hopefully it will be patched soon. Meanwhile, early adopters will have to access their calendars somewhere else.


iPhone Tracking - Is it Legal?

Privacy Statements, Terms of Use, we click Yes just to get through it to get what we want. But what freedom are we giving away? What does the iPhone iPad privacy statement actually say...

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

Ouch! Maybe we should rethink this kind of stuff!!!

Phone Tracking and Fingerprinting Through Sensor Flaws

 

Photo: Security researcher Hristo Bojinov demonstrating a method for “fingerprinting” a smart phone through its accelerometer in his Palo Alto office. Credit: Carlos Avila Gonzalez, Chronicle staff photographer.

(James Temple @ sfgate) One afternoon late last month, security researcher Hristo Bojinov placed his Galaxy Nexus phone face up on the table in a cramped Palo Alto conference room. Then he flipped it over and waited another beat.

And that was it. In a matter of seconds, the device had given up its “fingerprints.”

Code running on the website in the device’s mobile browser measured the tiniest defects in the device’s accelerometer — the sensor that detects movement — producing a unique set of numbers that advertisers could exploit to identify and track most smartphones.

It turns out every accelerometer is predictably imperfect, and slight differences in the readings can be used to produce a fingerprint (see below for a further explanation). Marketers could use the ID the same way they use cookies — the small files that download from websites to desktops — to  identify a particular user, monitor their online actions and target ads accordingly.

Stale Cookies

It’s a novel approach that raises a new set of privacy concerns: Users couldn’t delete the ID like browser cookies, couldn’t mask it by adjusting app privacy preferences — and wouldn’t even know their device had been tagged.

“I don’t know if it’s been thought of before,” said Dan Auerbach, staff technologist at the Electronic Frontier Foundation. “It’s very alarming.”

Bojinov, a Ph.D. candidate in computer science at Stanford originally from Bulgaria, set out about a year ago with several collaborators at the Stanford Security Lab to test whether it was technically feasible to identify devices using various sensors. Bojinov wanted to make device manufacturers, software designers, policymakers and advocates aware of this potential avenue for tracking, in the hope that the industry would take steps to guard against it.

“People need to consider the whole system when they think about privacy,” Bojinov said.

 

Snooping

Indeed, accelerometers aren’t the only thing to worry about. The Stanford research team, which plans to publish its results in the months ahead, was also able to identify phones using the microphone and speaker. They found they could produce a unique “frequency response curve,” based on how devices play and record a common set of frequencies (see the explanation below).

Meanwhile, a team at the Technical University of Dresden in Germany recently developed a tracking method that exploited variations in the radio signal of cell phones, according to a story in New Scientist. The “collection of components like power amplifiers, oscillators and signal mixers … can all introduce radio signal inaccuracies,” researcher Jakob Hasse explained.

A Wired Opinion article today raises the possibility that the M7 coprocessor in Apple’s new iPhone could create another avenue for data collection.

Asked if this sort of work risks putting ideas into the heads of online advertisers, Bojinov said he’d be surprised if someone in the industry wasn’t already exploring these approaches.

The private sector and U.S. government have repeatedly demonstrated a willingness to make use of mobile phones’ hardware in ways users wouldn’t expect. Apps like Color, Shopkick and IntoNow activated smartphone microphones to detect when people were in the same room, entered a particular store or watched a specific TV show, as Computerworld reported.

Likewise, the FBI has famously flipped on the microphones of investigation targets to eavesdrop on conversations.

Losing the fight

To be sure, the smartphone is already a compromised device for anyone keenly concerned about ad tracking and privacy. Unique users can be identified, for targeting ads and other purposes, through cookies in the mobile browser or unique ID numbers associated with the device or particular apps. In addition, many apps can tap into the phone’s location, contact list, photos and more.

But conscientious users can at least exercise choices to minimize these capabilities — by selecting browsers that block certain tracking cookies by default, like Apple’s Safari, carefully picking apps that are less intrusive and managing which services access certain data.

Fingerprinting devices through the accelerometer and mobile browser, however, could eliminate such control, potentially undermining choice and transparency for the user. That’s what troubles privacy advocates the most.

“The fight to make it easier or harder to identify users is being lost by privacy advocates right now,” EFF’s Auerbach said. “There are a lot of novel techniques that are making it difficult to even know that tracking is even happening, because the fingerprinting is occurring” online rather than on the device itself.

Unlike with cookie files, there are no digital bread crumbs lining the advertiser’s trail.

Ryan Calo, an assistant professor of law focused on privacy at the University of Washington, said these forms of identification are merely the latest examples of broad and long-running trends in online advertising: Every privacy protection tool or ad blocking plug-in is met with new technologies that allow companies to sidestep such controls.

He believes the struggle will only continue as long as there is a misalignment of incentives between companies and consumers. If the core business model of major tech companies is collecting personal data to target ads, they will continue to find ways to do so — limited only by the law or whatever line users themselves draw.

In a forthcoming paper for George Washington Law Review, Calo argues that if companies like Facebook and Google offered users paid options, like Pandora does, it would encourage these businesses to improve service for their users, rather than for their advertisers — or “reorient the consumer from being a product to being a client.”


— Ryan Calo, “Digital Market Manipulation,” George Washington Law Review (forthcoming)

“I’m increasingly convinced that we need to change the basic incentive structure around tracking,” he said. “Absent that, we’re just going to see an arms race, whether in fingerprinting phones or fingerprinting browsers. If there’s money in identifying individual consumers, and if it’s not specifically illegal, people will do it.”

How it works:

Security researchers at Stanford have discovered methods of “fingerprinting” mobile devices by measuring tiny errors in the sensors, including the accelerometer and microphone. The degree of error is unique to each phone because, despite streamlined industrial processes, no two devices roll off the assembly line functioning in the exact same way.

The variations can be used to create IDs for phones that advertisers, and perhaps law enforcement, could exploit to track the devices.

The accelerometer is a standard sensor in smartphones that measures the acceleration of the device. It’s what enables, among other things, the browser to shift from landscape to vertical, as a user tilts their phone.

If the device is standing still, the accelerometer spits out numbers that represent its position in three-dimensional space.

The researchers wrote a piece of Javascript, a programming language used on many websites, for the Stanford Sensor ID experiment at Sensor-ID.com. It collects data about a phone’s acceleration along the Z-axis, a line straight up and down, running perpendicular to a phone lying on a table.

(Test your own phone by navigating here in your mobile browser.)

When the phone isn’t moving, the accelerometer should only sense the force of gravity. In a perfect world, the number it produces in that scenario would be -1 when the phone is facing up on a table and 1 when it’s facing down.

But it’s not a perfect world — every sensor has tiny defects. So instead, the accelerometer spits out two numbers like 0.0762669283983 and 1.00111302044, figures that in combination are unusual enough to work as a phone identifier.

The graph below shows accelerometer data from 16 devices tested at an Apple Store:

Courtesy: Hristo Bojinov


For the sake of the experiment, users have to play along, actively visiting the site and moving the phone as directed. But researcher Hristo Bojinov said a similar script could potentially be inserted invisibly onto any website. They’ve also identified a way to make similar measurements while a phone is bouncing around, say in a purse.
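The face-up and face-down readings described above can be reduced to a two-number fingerprint, and the same arithmetic shows how the precision a platform exposes to web pages changes how many phones stay distinguishable. This is an added example, not the Stanford researchers' script: the linear sensor model, the four sets of readings and all function names are assumptions constructed for illustration.

```javascript
// Added example with constructed readings; not the researchers' script.
// Assumed sensor model: reported = gain * actual + offset, where the
// actual z-axis value at rest is -1 (face up) or +1 (face down),
// following the convention stated in the article.

// Constructed resting z-axis samples for four hypothetical phones.
const CONSTRUCTED_DEVICES = [
  { id: 'phone-A', faceUp: [-0.9251, -0.9246, -0.9247], faceDown: [1.0774, 1.0770, 1.0772] },
  { id: 'phone-B', faceUp: [-1.0131, -1.0129, -1.0130], faceDown: [0.9912, 0.9910, 0.9908] },
  { id: 'phone-C', faceUp: [-0.9702, -0.9698, -0.9700], faceDown: [1.0236, 1.0240, 1.0238] },
  { id: 'phone-D', faceUp: [-0.9851, -0.9849, -0.9853], faceDown: [1.0153, 1.0151, 1.0149] },
];

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// Round a reading to the number of decimal places the platform exposes.
function exposeAt(value, decimals) {
  const scale = 10 ** decimals;
  return Math.round(value * scale) / scale;
}

// Two-point calibration: solve the assumed model for offset and gain
// from the averaged face-up and face-down readings.
function calibrate(faceUp, faceDown) {
  if (faceUp.length === 0 || faceDown.length === 0) {
    throw new Error('need at least one sample per orientation');
  }
  const zUp = mean(faceUp);
  const zDown = mean(faceDown);
  if (zDown <= zUp) {
    throw new Error('orientations look swapped, or the phone was moving');
  }
  return { offset: (zDown + zUp) / 2, gain: (zDown - zUp) / 2 };
}

// Fingerprint = (offset, gain) in units of 1e-4, kept as integers so that
// -0 and 0 produce the same key.
function fingerprint(device, decimals) {
  const up = device.faceUp.map((z) => exposeAt(z, decimals));
  const down = device.faceDown.map((z) => exposeAt(z, decimals));
  const { offset, gain } = calibrate(up, down);
  return `${Math.round(offset * 1e4)}|${Math.round(gain * 1e4)}`;
}

// Group devices by fingerprint. A group with more than one member is an
// anonymity set: those phones cannot be told apart at this precision.
function anonymitySets(devices, decimals) {
  const sets = new Map();
  for (const device of devices) {
    const key = fingerprint(device, decimals);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(device.id);
  }
  return sets;
}

// Compare full-precision readings with readings rounded to one decimal.
for (const decimals of [4, 1]) {
  const sets = anonymitySets(CONSTRUCTED_DEVICES, decimals);
  console.log(`${decimals} decimal place(s): ${sets.size} distinct fingerprint(s)`);
  for (const [key, ids] of sets) {
    console.log(`  ${key.padEnd(12)} ${ids.join(', ')}`);
  }
}
```

With the constructed readings, four decimal places of precision separate all four phones, while one decimal place leaves three of them sharing a single fingerprint.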

Separately, the researchers succeeded in fingerprinting phones using the microphone. The phone’s speaker plays a series of tones that climb in pitch, beginning below a level audible to humans, as the microphone records them. In this case, the software analyzes the system’s “frequency response curve,” identifying the unique way it plays and records a common set of frequencies.

This 3D graph shows audio frequency response for 16 devices, each in different colors. The devices ran the test three times, so the illustration highlights the persistent pattern for each device as well as the differences between them.

Courtesy: Hristo Bojinov


This process is a little more complex than the accelerometer experiment and would require the user to download an app to work. Unlike the accelerometer method, it would also give itself away — since the user could hear the rising tones.

Bojinov, who co-founded the startup Anfacto, collaborated on the sensor experiments with Stanford computer science professor Dan Boneh, fellow Stanford doctoral student Yan Michalevsky and Gabi Nakibly, an adjunct lecturer at the Israel Institute of Technology.

– James Temple