DEFENSIVE COMPUTING IN THE NEWS
May 18, 2023: Popular Android TV boxes sold on Amazon are laced with malware by Zack Whittaker for TechCrunch. Two China-based companies, AllWinner and RockChip, sell several wildly popular Android TV boxes on Amazon. The boxes are cheap and highly customizable, including several streaming services. Their listings on Amazon boast four-out-of-five star ratings and collectively racked up thousands of praiseworthy reviews. Yet, they are preloaded with malware capable of launching coordinated cyberattacks. The only defense is to not buy one in the first place. If you own one, the only defense is to throw it away. They are still being sold by Amazon. Of course.
May 10, 2023: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet. Want to block third-party trackers on your Android phone? This feature from DuckDuckGo can help with that. Here's how to enable it. There is more about this in the Android topic on this site.
Apr 27, 2023: How I Nearly Fell for a Frightening 'Virtual Kidnapping' Scam by Larry Magid. A scammer called Magid on the phone and said he had kidnapped his wife. Quoting: "As a long-time tech journalist and founder and CEO of an online safety organization, I know a lot about phone and online scams ... But this call felt real to me and threatened to separate me not from money but from someone, who ... means more to me than anything in the world. Being an 'expert' didn’t make me immune to the social engineering that led me to believe the threat was real." The playbook for this type of scam: start with fear, follow with an authority figure to gain trust and then pivot to the threat. Great defense: Magid put the bad guy on speaker and dialed 911 from another phone. He said nothing, but he knew that the 911 operator would hang on and listen to the call.
April 3, 2023: Supply Chain Compromise or False Positive: The Intriguing Case of efile.com [updated - confirmed malicious code] by Johannes Ullrich of SANS. The tax preparation website has been hacked. For some users, it prompts them to download a scam browser update which is actually malware. I reviewed their website on April 5th and there was no mention of this.
April 3, 2023: Even when using a VPN, there are many ways that a web browser can still spy on you. One way to counter this is to use the Tor browser. However, Tor is brutally slow, so Mullvad just released a new web browser, the Mullvad Browser. Basically, this is the Tor browser but without Tor. The Mullvad Browser can be used with any OS-level VPN or even without a VPN at all. Both the Tor and Mullvad browsers have many customizations that avoid fingerprinting, that is, they try to make all users of the software appear to be the same. The Mullvad Browser is free and available for Windows, macOS and Linux. There is no mobile version. It uses the Mullvad DoH DNS service that is available to everyone, not just Mullvad customers. They offer two free DNS services; the default one does not block ads, but this can be changed.
March 31, 2023: How to spot the Trump and Pope AI fakes by Shira Ovide for the Washington Post. Some suggestions: look for hands, background images and inanimate objects that don’t look quite right. Look at the writing on objects. The background may be blurry or distorted.
March 23, 2023 (last updated): How to Check if Your Password Has Been Stolen by Chris Hoffman of How-To Geek. Check an email address or user ID at haveibeenpwned.com. Check a password at haveibeenpwned.com/Passwords.
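The password check at haveibeenpwned.com/Passwords works without the site ever seeing your password: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every known hash suffix with that prefix, and the match is done locally (the "k-anonymity" range API at api.pwnedpasswords.com/range/). The code below is an added example written for this page, not code from the How-To Geek article or from Have I Been Pwned; the response body it parses is a constructed stand-in so that it runs offline, and the live query function is included for reference but not called.

```python
"""Check a password against a breached-password corpus the way the
haveibeenpwned.com Pwned Passwords range API expects.

Only the first five hex characters of the SHA-1 hash leave the machine; the
full hash and the password itself never do.  Added example, not code from
the article or from Have I Been Pwned.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how
    many times the password appeared in breaches, or 0 if it is absent.
    Entries with a count of 0 are padding (returned when the Add-Padding
    request header is used) and are treated as absent."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def check_password_live(password: str, timeout: float = 10) -> int:
    """Query the real service.  Not called by the offline demo below."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range_response(suffix, body)


# Constructed stand-in for a response to /range/5BAA6, the prefix for the
# word "password".  Real responses hold several hundred lines; the counts
# here are made up for the example.
SAMPLE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:0
"""


def offline_demo(password: str) -> int:
    """Run the local half of the check against SAMPLE_RESPONSE.  The sample
    only covers the 5BAA6 range, so any other prefix reports 0."""
    prefix, suffix = sha1_prefix_suffix(password)
    if prefix != "5BAA6":
        return 0
    return count_in_range_response(suffix, SAMPLE_RESPONSE)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", offline_demo(pw))
```

A count above zero means the exact password is in the breach corpus and should not be used anywhere; a zero means only that it is not in this corpus, not that it is strong.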
March 22, 2023: Journalist hurt by exploding USB bomb drive by Thomas Claburn for The Register. A whole new type of attack using a USB flash drive. More in the USB Flash Drives topic.
March 22, 2023: 4 Amazon privacy settings you should change right now by Jared Newman in PC World. The settings minimize data collection and opt out of ad targeting.
March 10, 2023: A five-minute video from CNN: CNN's Donie O'Sullivan tests AI voice-mimicking software March 2023. On the one hand this is funny as an AI voice fools the reporter's parents. On the other hand, AI-generated voices are also used to fool relatives as part of a scam to send money. And, financial institutions use voice printing as a security feature.
March 5, 2023: They thought loved ones were calling for help. It was an AI scam. by Pranshu Verma for the Washington Post. Faking the voice of a person used to require a large voice sample. No more. Bad guys can now replicate a voice with an audio sample of a few sentences. The audio could come from YouTube, TikTok, Instagram, Facebook videos or podcasts, making many people vulnerable. Or rather, making their relatives vulnerable to scammers. The technology to do this is now much easier to use and cheaper, making it available to more scammers. Two defenses are not new: be aware of this type of scam and also be aware that the caller ID on a phone call can be spoofed. Another defense: when a loved one calls asking for money, put the call on hold and call them back. Another defense: verify the identity of the caller by asking them a question that only they would know. Or, along the same line, set up a security phrase ahead of time, just for this sort of thing. Ugh.
March 3, 2023: Thought you'd opted out of online tracking? Think again by Thomas Claburn for The Register. A study of websites that offer users the chance to opt out of data collection found ... opting out did next to nothing. The defense: "... in order to fully protect privacy, users still need to rely on privacy-enhancing tools, such as ad/tracker blocking browser extensions and privacy-focused browsers (e.g., Brave Browser)." In the web browser topic on this site, I do suggest using Brave.
March 1, 2023: How To Prevent Watch-And-Grab iPhone Theft, a seven-minute video by Gary Rosenzweig of MacMost.com. If you are worried that someone can watch you enter your passcode on your iPhone and then steal your iPhone from you, then here's how to protect yourself. There is more on this on the iOS page.
February 2023: Best Practices for Securing Your Home Network from the National Security Agency (Version 1.0). A nine page PDF.
February 24, 2023: All iPhone users should watch this February 2023 video from the Wall Street Journal about bad guys stealing iPhones after watching the owner unlock the phone with a PIN code. The video is also available on YouTube: Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes. The point of the story is all the bad things that thieves can do with just the phone and the PIN code. The video is a criticism of the Apple ecosystem and shows how easy it is to lose access to your Apple ID. Apple has made a number of design mistakes; perhaps the biggest is letting someone change the Apple ID password knowing just the PIN code for the phone. A safer design would require first entering the current password before being allowed to change anything. It also points up the danger of using the Apple password manager (iCloud Keychain). Apps that have the password automatically entered by the Apple password manager can be easily abused by the bad guys. One victim had $10,000 stolen from her. This strikes me as another design flaw, providing access to saved passwords without first requiring a password to kick off the password manager. Still another design flaw is the new hardware security keys that are intended to prevent access to an Apple account. With the phone and PIN code these security keys are bypassed and can even be removed from the Apple account. Big mistake by Apple. There is more on this and a long list of defensive steps on the iOS page.
February 12, 2023: How to Make Sure You’re Not Accidentally Sharing Your Location by David Nield in Wired. Your location can be logged by your devices, by your apps, and by websites you visit. More on this in the Location Tracking topic on this site.
February 8, 2023: How to Prepare for a Lost, Stolen or Broken Smartphone by J. D. Biersdorfer for the New York Times. The article discusses buying insurance or extended warranty coverage, backing up files both to the cloud and to a computer of yours, dealing with water damage, using location services and more.
February 8, 2023: Mysterious leak of Booking.com reservation data is being used to scam customers by Dan Goodin for Ars Technica. "For almost five years, Booking.com customers have been on the receiving end of a continuous series of scams that clearly demonstrate that criminals have obtained travel plans and other personal information customers provided to the travel site ... It's hard to understand how, after five years, the leak in Booking.com’s partner network continues to spill private data that leaves customers open to scams and other forms of fraud. The company’s insistence that its systems haven’t been breached is little comfort to those affected ... Until Booking.com comes clean, people would do well to book travel using a different site."
February 3, 2023: Retirees Are Losing Their Life Savings to Romance Scams. Here's What to Know by Emily Schmall in the New York Times. Con artists are using dating sites to prey on older lonely people, in a pattern that accelerated during the isolation of the pandemic. Older people are more susceptible to romance scams because they usually have more money than younger people. In an example in the article, gift cards were used to transfer money from the victim to the bad guys. Gift cards are a classic pattern in scams. If an older person refuses to accept the fact that they have been scammed, family members can file an emergency petition for temporary guardianship and ask a judge to issue an order that will immediately freeze bank accounts.
February 3, 2023: Until further notice, think twice before using Google to download software by Dan Goodin for Ars Technica. Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous. "Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird." The Domain Name Rules page on this site shows how to recognize scam domain names. Not said in the article is that this cannot affect iOS and Android, which have their own app stores. This only affects ancient operating systems without an app store: Windows and macOS. The article also does not offer the obvious defense of blocking ads, probably because Ars Technica relies on ads itself.
February 3, 2023: Part of Defensive Computing is picking good companies to deal with. In that light: Charter's $7 Billion Penalty For Murdering An Elderly Customer Reduced To $262 Million by Karl Bode for Tech Dirt. Paraphrasing: In August 2022 Charter Communications (Spectrum) was slapped with a $7 billion lawsuit after one of their cable technicians murdered an 83-year-old customer. The lawsuit claims that Charter had eliminated a more rigorous screening process when they merged with Time Warner Cable, letting the employee and his history slip through the cracks. A jury later reduced the amount to $1.1 billion. This week, Charter settled with the family for $262 million, all of which will be covered by insurance. Worse yet: the court found that Charter had forged documents to try and force the family out of the court system and into binding arbitration. Why? In arbitration, the results would have been secret and damages would have been limited to the amount of the victim's cable bill. Let me repeat: forged documents.
February 1, 2023: More pig butchering scams in the news (see also a story from September 2022 below). Pig-butchering scam apps sneak into Apple's App Store and Google Play by Dan Goodin for Ars Technica. Quoting: "In the past year, a new term has arisen to describe an online scam raking in millions, if not billions, of dollars per year. It's called 'pig butchering,' and now even Apple is getting fooled into participating. Researchers from security firm Sophos said on Wednesday that they uncovered two apps available in the App Store that were part of an elaborate network of tools used to dupe people into putting large sums of money into fake investment scams." Pig butchering scams employ a combination of apps, websites and people to build trust with a victim over an extended period of time. Eventually, the discussion turns to investments that the scammer claims to have earned huge sums of money from and the victim is invited to participate. The victims are often well-educated, some with PhDs. In part these scams work because of the length of the engagement the scammers have with the victims. One ruse to show that the scam investment is legit is when the bad guys let the victim withdraw some of their money.
January 31, 2023: Can we trust Anker Eufy security cameras? Read this and decide for yourself: Anker finally comes clean about its Eufy security cameras by Sean Hollister for The Verge. Quoting: "First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn't answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams - among other questions - we would publish a story about the company’s lack of answers. It worked. In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted - they can and did produce unencrypted video streams for Eufy’s web portal ..."
January 25, 2023: Well done, Poland. Artemis – CERT Polska verifies the cybersecurity of Polish organizations from CERT Polska about their Artemis system that scans the Polish internet for bugs, old software and configuration errors and then notifies resource owners. They are scanning Polish schools, hospitals, research institutes, universities and local government units. And, they are finding lots of bad stuff. Good for Poland. Too bad the United States does not do this. I think the Dutch do something similar.
January 23, 2023: Hackers often use this clever trick to take you to phishing sites - can you spot it? by Anthony Spadafora for Tom's Guide. About spoofed URLs that look very similar to legitimate ones. These are homograph attacks. The article has an example of a scam www.citibank.com domain and I could not spot the difference. It looked legit to me. More about this on the Domain Name Rules page.
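A homograph domain is one whose letters come from a different script (most often Cyrillic or Greek) but render almost identically to the Latin originals, which is why the eye cannot catch it. Software can: a domain containing any non-ASCII character, or a single label that mixes scripts, deserves a second look, and browsers expose the same fact when they display the name in its "xn--" punycode form. The code below is an added example written for this page, covering the scam-domain recognition mentioned in the Ars Technica entry above and this one; it is not from Tom's Guide or from the Domain Name Rules page, does not reproduce that page's rules, and the sample names are constructed from the reserved example.com domain.

```python
"""Flag internationalised domain names whose labels contain non-ASCII
(look-alike) characters or mix scripts.  Added example for this page, not
code from the article; sample domains below are constructed."""
import unicodedata


def char_script(ch: str) -> str:
    """Approximate the Unicode script of one character from its name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.  ASCII letters are LATIN;
    digits, hyphens and other symbols are COMMON and ignored for mixing."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ")[0]


def analyze_domain(domain: str) -> dict:
    """Return the ASCII (punycode) form, the scripts seen in each label and
    a list of warnings.  An empty warnings list means the name is plain
    ASCII with no script mixing; it does not mean the site is legitimate."""
    warnings = []
    # NFKC folds presentation variants (e.g. full-width letters) the way
    # IDNA processing does, so look-alikes are judged on their canonical form.
    normalized = unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()
    ascii_form = normalized.encode("idna").decode("ascii")
    label_scripts = {}
    for label in normalized.split("."):
        scripts = sorted({char_script(c) for c in label} - {"COMMON"})
        label_scripts[label] = scripts
        if len(scripts) > 1:
            warnings.append(f"label {label!r} mixes scripts {scripts}")
        if not label.isascii():
            warnings.append(
                f"label {label!r} is not plain ASCII; a browser may show it as punycode"
            )
    return {
        "input": domain,
        "ascii": ascii_form,
        "scripts": label_scripts,
        "warnings": warnings,
    }


def is_suspicious(domain: str) -> bool:
    """Convenience wrapper: True if any warning was raised."""
    return bool(analyze_domain(domain)["warnings"])


# Constructed samples (not real phishing domains):
#   example.com         plain ASCII, no warnings
#   ex\u0430mple.com    Latin + Cyrillic 'а' in one label, mixed scripts
#   \u043f\u0440\u0438\u043c\u0435\u0440.com  all-Cyrillic label, single
#                       script but still non-ASCII
SAMPLES = ["example.com", "ex\u0430mple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        r = analyze_domain(d)
        print(r["input"], "->", r["ascii"])
        for w in r["warnings"]:
            print("   ", w)
```

The mixed-script test catches the single-character substitution that the Tom's Guide example relies on; an all-Cyrillic look-alike label passes that test but still trips the non-ASCII check, which is why both are reported. Checking the punycode form is the same thing a browser's address bar does when it refuses to render a suspicious IDN as Unicode.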
January 22, 2023: How to Encrypt any File, Folder, or Drive on Your System by David Nield for Wired. Covers encryption software built into Windows and macOS. Also covers VeraCrypt.
January 16, 2023: All the Data Apple Collects About You - and How to Limit It by Matt Burgess in Wired. "Apple's business model is shifting ... it has recently pushed to boost its profits by increasing its services, such as subscriptions to Apple Music, iCloud, and Apple TV. And its advertising business is quickly growing. As a result, Apple's users are starting to see more ads inside some of Apple’s apps." There is not much in the way of defense in the article, a couple system wide settings that are already on the iOS page here.
January 5, 2023. Twitter's Blue verification is still a scam. Twitter said it fixed 'verification.' So I impersonated a senator (again). by Geoffrey A. Fowler for the Washington Post. Elon Musk said Twitter would begin authenticating users who pay $8 for Blue. Not true.
December 28, 2022. 6 easy fixes to avoid tech headaches in 2023 by Heather Kelly for the Washington Post. Quoting: "The most common issues we heard this year were about being tricked. Whether it was by hackers taking over Facebook accounts or scammers asking for money on the phone." As expected, the article pushes password managers, but it does also suggest a simple notebook which is the right solution for many people. Topics in the article: Lower your chances of getting hacked and scammed, Prepare for your death, Prepare for the death of your devices, Have the big tech talks with your kids, Set up older family members for success and Lock down your privacy online.
December 22, 2022. Why You Need To Be Careful When Buying a Used Mac by Gary Rosenzweig of MacMost.com. A long article/video, well worth your time. Some points raised: online used Mac sales have been overrun by scammers. The most risk is at Craigslist, eBay, Facebook, or Nextdoor. It is common for used Macs to have been stolen. In that case, it may be locked down and not usable. Macs can be locked down in a variety of ways. Macs get new operating systems for about five years after they come out. Then they only get security support for two more years. The battery may be worn down. You may overpay for it. The Apple Refurb Store will not save you much money but you will get a fairly recent model. Tips on what to do first with a used Mac.
November 14, 2022 (first published), updated Dec 20, 2022. How millions of phones get early notice of California’s biggest quakes by Geoffrey A. Fowler in the Washington Post. About a system called ShakeAlert, developed by the U.S. Geological Survey and partners. Typical warning is up to 20 seconds before the shaking. The system is now operating in California, Oregon and Washington state. Android is better than an iPhone in this regard. Google added ShakeAlert to Android in 2020. Of course the phone has to know your location and must have Emergency Notifications enabled. I found this impossible to understand as searching Android 13 Settings for "emergency" produced 932 results. Which ones matter? Dunno. On iOS you have to install an app and fight with the OS so it always knows where you are. Two apps mentioned in the article are MyShake, from the University of California at Berkeley and QuakeAlertUSA from Early Warning Labs.
September 19, 2022. What's a Pig Butchering Scam? Here's How to Avoid Falling Victim to One. by Cezary Podkul for Pro Publica. Quoting: "If you're like most people, you’ve received a text or chat message in recent months from a stranger with an attractive profile photograph. It might open with a simple 'Hi' or what seems like good-natured confusion about why your phone number seems to be in the person’s address book. But these messages are often far from accidental: They are the first step in a process intended to steer you from a friendly chat to an online investment to, ultimately, watching your money disappear into the account of a fraudster. 'Pig butchering,' as the technique is known - the phrase alludes to the practice of fattening a hog before slaughter ... went global during the pandemic. Today criminal syndicates target people around the world ... "
This page: 8 views per day (over 151 days). Total views: 1,275. Created: December 27, 2022.
May 21, 2023