Pete Recommends – Weekly highlights on cyber security issues February 23, 2019

Subject: About us Downdetector
Source: Downdetector
https://downdetector.com/about-us/

About Downdetector – We like to see Downdetector as the weatherman for the digital world: we detect when technology fails. Just like the weather, service interruptions and outages can’t be predicted, and just like a weatherman, we can tell you what is going on.

More concretely, Downdetector offers a realtime overview of status information and outages for all kinds of services. We aim to track any service that its users consider vital to their everyday lives, including (but not limited to) internet providers, mobile providers, airlines, public transport and online services.

Downdetector is an independently owned and operated by Ookla, LLC. Downdetector spawned from the notion that existing solutions did a poor job at informing the public. People who are affected by an on outage typically turn to their provider or the media for updates, but in fact they know best if there are any issues. Following that guiding principle, we have set up and expanded our service since April 2012. We will continue to drive future changes and improvements, as well as expand to other countries (please check the bottom of this page for a list of regions that we currently serve).


Subject: Behold, the Facebook phishing scam that could dupe even vigilant users |
Source: Ars Technica
https://arstechnica.com/information-technology/2019/02/behold-the-facebook-phishing-scam-that-could-dupe-even-vigilant-users/

Phishers are deploying what appears to be a clever new trick to snag people’s Facebook passwords by presenting convincing replicas of single sign-on login windows on malicious sites, researchers said this week.

Single sign-on, or SSO, is a feature that allows people to use their accounts on other sites—typically Facebook, Google, LinkedIn, or Twitter—to log in to third-party websites. SSO is designed to make things easier for both end users and websites. Rather than having to create and remember a password for hundreds or even thousands of third-party sites, people can log in using the credentials for a single site. Websites that don’t want to bother creating and securing password-based authentication systems need only access an easy-to-use programming interface. Security and cryptographic mechanisms under the hood allow the the login to happen without the third party site ever seeing the username password.

Researchers with password manager service Myki recently found a site that purported to offer SSO from Facebook. As the video below shows, the login window looked almost identical to the real Facebook SSO. This one, however, didn’t run on the Facebook API and didn’t interface with the social network in any way. Instead, it phished the username and password.

RSS for this site: http://feeds.arstechnica.com/arstechnica/index/


Subject: What Is Credential Stuffing?
Source: WIRED
https://www.wired.com/story/what-is-credential-stuffing/

You may have noticed this happening more and more lately: Online accounts get taken over in droves, but the companies insist that their systems haven’t been compromised. It’s maddening, but in many cases, technically they’re right. The real culprit is a hacker technique known as “credential stuffing.”

The strategy is pretty straightforward. Attackers take a massive trove of usernames and passwords (often from a corporate megabreach) and try to “stuff” those credentials into the login page of other digital services. Because people often reuse the same username and password across multiple sites, attackers can often use one piece of credential info to unlock multiple accounts. In the last few weeks alone, Nest, Dunkin’ Donuts, OkCupid, and the video platform DailyMotion have all seen their users fall victim to credential stuffing.

“With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services,” says Crane Hassold, a threat intelligence manager at the digital fraud defense firm Agari. “Most people don’t change their passwords regularly, so even older credential dumps can be used with relative success. And since password reuse is rampant, cybercriminals will generally test a set of credentials against numerous different websites.”

Other articles filed under SECURITY: https://www.wired.com/category/security/

RSS: https://www.wired.com/feed/security/rss


Subject: Your smartphone is tracking you: How to stop it from sharing data, ads
Source: Kim Komando via USA Today Tech
https://www.usatoday.com/story/tech/columnist/komando/2019/02/14/your-smartphone-tracking-you-how-stop-sharing-data-ads/2839642002/

Your phone knows where you are standing or sitting at this moment. Most people know that. How else could you use GPS? While location tracking is essential for directions, it also helps big tech sell you things.

“Targeted advertising” is a massive phenomenon. Companies are eager to flood your screen with ads, which are primarily influenced by your day-to-day habits. Facebook, Apple, Microsoft, Amazon, Google and many others make money off mobile ads, and they need this information to power their data-mining machines.

Why is your phone allowed to track you and share that data with unknown third parties? In short, you gave it permission. Typical data-sharing policies are buried within pages and pages of privacy policies and terms of agreements.

Companies usually have a reasonable explanation, such as Apple tracking personal calls and emails to prevent fraud, which many consider an invasion of privacy.

No matter what device you use, accessing the internet subjects you to behavioral tracking. If this practice bothers you, all hope is not lost. Here are some ways you can take action…

Google isn’t the only way to search: Here are 7 services you should try instead

Get ‘smart’ about your thermostat: What you need to know about Nest, Ecobee

Great Google tricks: 15 amazing tips you never knew before now


Subject: Fraud of the Day
Source: Tele-fraudster | Federal Healthcare Fraud
https://www.fraudoftheday.com/healthcare-fraud/tele-fraudster/

Telemedicine is credited with helping to improve how healthcare is delivered. Some of the benefits include fewer hospital admissions and re-admissions, improved commitments to following recommended courses of treatment and faster recovery for patients. It sounds like a win-win situation until you consider today’s fraudster, a Tennessee-based nurse practitioner, who used telemedicine to commit healthcare fraud. She was one of seven who are charged with bilking TRICARE – the military’s health insurance provider – out of more than $65 million.

Site RSS feed: https://www.fraudoftheday.com/feed/

articles by state e.g., Florida RSS feed: https://www.fraudoftheday.com/florida/feed/


Subject: Blog Entries Tagged Internet of Things
Source: Schneier on Security
https://www.schneier.com/cgi-bin/mt/mt-search.cgi?search=Internet%20of%20Things&__mode=tag&IncludeBlogs=2&limit=10&page=1

Entries Tagged “Internet of Things”


Subject: Your Internet Privacy
Source: WatchBlog: Official Blog of the U.S. Government Accountability Office
https://blog.gao.gov/2019/02/19/your-internet-privacy/

Do you shop or bank online? Use the Internet to stay connected with friends and family? Internet-based products and services regularly collect and share personal information about users, such as location, search terms and browsing history, contact information, and financial data.

We’ve looked at how federal agencies oversee Internet privacy and potential ways to better protect consumers—today’s WatchBlog explores.

This entry was posted in Business Regulation and Consumer Protection, Information Security and tagged Alicia Puente Cackley, banking, consumer protection, data protection, Federal Trade Commission, FMCI, internet of things, IOT, Mark Goldstein, National Telecommunications and Information Administration, online shopping, privacy, social media. Bookmark the permalink.

Sample section: https://blog.gao.gov/tag/privacy/

and its RSS feed: https://blog.gao.gov/tag/privacy/feed/


Subject: Study – Password Managers: Under the Hood of Secrets Management
Source:  Independent Security Evaluators via beSpacific
https://www.bespacific.com/study-password-managers-under-the-hood-of-secrets-management/

Independent Security Evaluators: “Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7 [1], 1Password 4 [1], Dashlane [2], KeePass [3], and LastPass [4]. We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.”

Independent Security Evaluators RSS feed: https://www.securityevaluators.com/feed/


Subject: Once hailed as unhackable, blockchains are now getting hacked
Source: MIT Technology Review
https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/

[thanks, Dale]

More and more security holes are appearing in cryptocurrency and smart contract platforms, and some are fundamental to the way they were built.

Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform. Its blockchain, the history of all its transactions, was under attack.

An attacker had somehow gained control of more than half of the network’s computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as “double spends.” The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn’t so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).

Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry.

Recommended for You

  1. Lab-grown meat could be worse for the environment than beef
  2. President Trump has signed a directive to establish Space Force
  3. Watch a harpoon successfully spear a piece of space junk
  4. Machine learning is contributing to a “reproducibility crisis” within science
  5. AI is reinventing the way we invent

other CONNECTIVITY articles:
https://www.technologyreview.com/topic/connectivity/

and its RSS feed:
https://www.technologyreview.com/c/computing/rss/


Subject: Don’t be fooled by fake images and videos online
Source: The Conversation
http://theconversation.com/dont-be-fooled-by-fake-images-and-videos-online-111873

Advances in artificial intelligence have made it easier to create compelling and sophisticated fake images, videos and audio recordings. Meanwhile, misinformation proliferates on social media, and a polarized public may have become accustomed to being fed news that conforms to their worldview.

All contribute to a climate in which it is increasingly more difficult to believe what you see and hear online.

There are some things that you can do to protect yourself from falling for a hoax. As the author of the upcoming book “Fake Photos,” to be published in August, I’d like to offer a few tips to protect yourself from falling for a hoax.


Subject: Google Quiz – Can you spot when you’re being phished?
Source: Fortune via beSpacific
https://www.bespacific.com/google-quiz-can-you-spot-when-youre-being-phished/

Fortune: “…Google has a new phishing quiz you can take to test how well you can recognize malicious emails. Released by Jigsaw, a subsidiary of Google parent company Alphabet Inc., the quiz displays several samples of common phishing techniques, such as using an hyperlink with a domain name that was disguised to look like a real web address, but actually leads to a phony site. The quiz trains test-takers in a number of quick, easy ways to be more cyber-secure, such as to hover a link in an email before clicking on it or check an email address against the name displayed as the supposed sender…”

beSpacific Subjects: Cybercrime, Cybersecurity, E-Mail
Fortune tagged: http://fortune.com/tag/phishing/


Subject: How tech companies use dark patterns to discourage us from exercising our rights to privacy
Source:  Forbrukerradet via beSpacific
https://www.bespacific.com/how-tech-companies-use-dark-patterns-to-discourage-us-from-exercising-our-rights-to-privacy/

Dark Patterns – How tech companies use dark patterns to discourage us from exercising our rights to privacy. [44-page PDF] The Norwegian Consumer Council (the Forbrukerrådet or NCC) report criticizes “features of interface design crafted to trick users into doing things that they might not want to do, but which benefit the business in question.”

beSpacific Subjects: Cybercrime, Cybersecurity, Internet, Microsoft, Privacy, Social Media

Some links from their site:

  1.  “Threats to Consumers in Mobile Apps”  https://www.forbrukerradet.no/undersokelse/2015/appfail-threats-to-consumers-in-mobile-apps/
  2.   “Internet of Things”  https://www.forbrukerradet.no/internet-of-things/
Posted in: Blockchain, Cybersecurity, Email Security, KM, Privacy
CLOSE
CLOSE