Posts Tagged: ‘hackers’

Scam of the day – October 7, 2014 – Latest security updates from Department of Homeland Security

October 7, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates include a number of important security patches related to the Bash virus.


Here are the links to the latest security updates as issued by the Department of Homeland Security:

Scam of the day – October 2, 2014 – Important update on Bash bug

October 2, 2014 Posted by Steven Weisman, Esq.

On September 27th I warned you about the revelation that there was a bug called Shellshock in the Bash command-line interpreter on many operating systems including Linux, Unix and Apple’s OS X that had just been discovered after more than twenty years. This bug is simple to exploit and tremendously dangerous since, when exploited, it permits the hacker to take over the computers using the affected operating systems. The Federal Financial Institutions Examination Council (FFIEC) has warned the banking industry that it should take immediate steps to protect itself from this major threat. Hackers have been busy trying to take advantage of this security flaw by attacking servers using affected operating systems while security experts have been equally busy trying to create new patches. A series of security patches have been released just in the last couple of days. It is also important to know that, as individual computer users, your firewall should protect you unless a hacker tricks you through phishing into clicking on a link and downloading malware to exploit the flaw.


For all of us, this is a reminder to never click on a link in an email, text message or social media posting unless you are absolutely sure that it is legitimate. Too often, what appear to be legitimate emails are phishing scams with malware attached.

Here are links provided by the Department of Homeland Security which in turn have links to the latest security patches issued by Apple and others to deal with this problem.

Scam of the day – August 7, 2014 – Russian gang steals 1.2 billion user names and passwords

August 6, 2014 Posted by Steven Weisman, Esq.

It was revealed yesterday that a Russian gang of about 20 hackers committed what may be the largest data theft in history by stealing 1.2 billion user names and passwords along with 500 million email addresses. This particular gang has been operating since 2011, but this is their largest data theft. The data breach was discovered by a computer security company, Hold Security, which indicated that the data breach involved more than 420,000 websites around the world including those of large companies as well as small websites. The companies hacked included companies involved in the auto industry, real estate, oil industry, consulting firms, car rental businesses, hotels, computer hardware companies, software companies and the food industry. The gang used a technique to hack these websites that I have warned you about for two years. They exploited security vulnerabilities in the software used to create websites, such as Adobe ColdFusion, which has proven to be vulnerable in the past (although at this point in time, it is still too soon to know exactly which vulnerable programs were exploited). These vulnerabilities permit a type of hacking called an SQL injection in which the hacker is able to inject his data collection software into the targeted website, where it can often go undetected for long periods of time. The hacker then retrieves the collected information and either uses it for identity theft and fraudulent purposes or sells the information on black market websites to other criminals.


The first thing to remember is that you are only as safe as the security of the weakest company or website that holds your personal information including your user name and password. Although it is an inconvenience, it is important to maintain separate, unique passwords and user names for all of your accounts and to change them somewhat frequently. If you use the same password for a small retailer and your online banking, you become extremely vulnerable to having your bank account hacked if the retailer with which you do business is hacked. Also, do not store your user name, password or credit card information on any website. It may be convenient for you, but it is also extremely convenient for identity thieves as well. You can expect a wave of “spear phishing” by which you will receive emails that appear to come from someone you know and trust when in reality they are coming from an identity thief. Many of these spear phishing emails will have links and attachments that contain keystroke logging malware that, when downloaded, will permit the identity thief to steal all of your personal information from your computer and use it to make you a victim of identity theft. It is for this reason that I always advise you not to download an attachment or click on a link unless you have confirmed and are absolutely positive that the email is legitimate. This is an important story and I will update you as more information becomes known.

Scam of the day – June 30, 2014 – Even hackers use weak passwords

June 29, 2014 Posted by Steven Weisman, Esq.

I am constantly warning people to use complex, distinct passwords for all of their online accounts in order to prevent the passwords from being stolen and deciphered when encrypted. The easiest passwords for an identity thief to decipher are those that use any word in the English language or passwords shorter than twelve characters. A complex password should also mix small letters, capital letters, figures and symbols for maximum protection. However, many people do not do this and are at great risk of identity theft because of their lack of prudence in choosing a password. These people should feel a little better about themselves, however, because a recent study by computer security company Avast found that even the hackers don’t generally use strong passwords. According to Avast only about 10% of hackers use difficult to decipher passwords, with the average hacker password only six characters long. In fact, the most popular password for hackers was “hack.”


Just because hackers don’t take enough precautions to protect themselves does not mean that you should neglect having a strong password. You should have a separate password for all of your online accounts so if your password for one account falls into the hands of an identity thief, your entire online life is not threatened. You should also change your passwords about every six months. Creating an easy to remember, but complex password is not very difficult. Start with a phrase, such as “AVeryComplexPassword” and then add some numbers and symbols, such as “AVeryComplexPassword1**.” You can then personalize it to a particular account by adding an abbreviation for that account at the end. For example, your password for Amazon could be “AVeryComplexPassword1**Ama.” Easy to remember and hard to break.

Scam of the day – June 26, 2014 – Hedge funds hacked

June 26, 2014 Posted by Steven Weisman, Esq.

Hedge funds are aggressively managed investment portfolios that are largely unregulated. They generally are used by only the wealthiest of people. They also have become a ripe target for hackers who, according to a recent report by computer security firm BAE Systems, have been hacking into the computers of these funds and causing financial harm in a multitude of ways. According to BAE, one unnamed hedge fund lost millions of dollars after hackers managed to infiltrate its computers through simple spear phishing tactics: the hackers tricked hedge fund employees into clicking on links in infected emails, which downloaded malware into the hedge fund’s computers. The malware enabled the hackers to learn about impending trades and then delay the trades while the hackers traded first based upon the stolen information. Another way that the hedge funds have been attacked is through the ransomware program Cryptolocker, about which I warned you repeatedly since November of 2013. Cryptolocker is a type of malware that infects the computer of the unwary victim and encrypts all of the victim’s data, making it unusable unless they pay a ransom to the criminal hacker.


The financial industry as a whole has not taken sufficient security precautions and steps to protect itself and our economy from the attacks of scammers, hackers and identity thieves. If you have not heard as much about these hackings as about the high profile hackings of Target and other companies, it is very much because quite often the companies do not disclose that they have been hacked. The hedge fund industry’s sophisticated digital trading systems have become attractive targets to hackers and the hedge fund industry has not taken the necessary security steps to protect the integrity of its business from attack. Unfortunately, this type of crime is something that is going to get worse before it gets better. Whenever you are investing your money with a company, you should first inquire as to the security steps taken by the company.

Scam of the day – June 1, 2014 – Stoners need not apply – at least not yet

June 1, 2014 Posted by Steven Weisman, Esq.

The FBI takes cybercrime seriously as do many law enforcement agencies and companies around the world.  In a creative move to enhance its cybersecurity, British banks began hiring hackers to hack into their banks in an effort to learn where the vulnerabilities of their security systems are and how to correct those flaws.  Similarly, the FBI is reaching out to hire young hackers to come work for the FBI to help combat cybercrime and black hat hacking.  However, in a recent speech to the White Collar Crime Institute, FBI Director, James B. Comey spoke about the difficulty of finding hackers who meet the FBI requirement of not having smoked marijuana for the preceding three years.  Director Comey acknowledges that this presents a problem to the bureau when it comes to hiring knowledgeable hackers.  According to Comey, “I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview.”  Comey did say, however, that the FBI is considering changing its drug policy in the future, which would help tremendously in hiring the knowledgeable hackers it desires.


If the FBI maintains its present drug policy, it stands little chance of hiring sufficient new agents to combat the serious cybercrimes of today.  With the laws and public perception of marijuana use dramatically changing, hopefully the FBI will make the necessary changes to its drug policy to enable it to hire the new agents it needs.

Scam of the day – April 21, 2014 – IRS misses Windows XP deadline

April 21, 2014 Posted by Steven Weisman, Esq.

It has been six years since Microsoft informed its customers that it would no longer support the Windows XP operating system, thus giving its users plenty of time to install a newer operating system, such as Windows 7.  Without continuing technical support, the Windows XP operating system will be dramatically vulnerable to hackers exposing flaws in the program to the detriment of stubborn people still using this program.  This is not a matter of Microsoft being greedy.  It is merely a reflection of the fact that Windows XP is too old in terms of computer software and just like after a while it becomes advisable to buy a new car instead of pouring money into repairs for an old car, it is prudent to move to another and better operating system.  It is unfortunate that many banks in the world that use Windows XP to operate ATMs and many government agencies that also use Windows XP failed to act before the April 8, 2014 deadline for Microsoft no longer providing updates.  What many of these companies and the IRS (yes, the IRS) are now doing is paying for short term support of Windows XP until they make the change over to a newer operating system.  The failure to act in a timely manner is  needlessly costing these companies and government agencies large amounts of money.  If they had merely acted in a timely manner, they would not have to be paying for these emergency services.  In a Congressional hearing last week numbers between $500,000 and $30 million dollars were tossed about as the additional cost incurred by the IRS due to their lateness in acting.  This is inexcusable.  Hackers have already been taking advantage of vulnerabilities in Windows XP to steal from ATMs and there is concern in some circles that government agencies such as the IRS may find problems due to their delay in updating their operating systems.


Here is a warning to banks and government agencies including the IRS:  Microsoft has indicated that it will no longer do security updates for Windows 7 in January of 2020.  Don’t make the same mistake twice.

What do you think will happen?

Scam of the day – March 29, 2014 – Microsoft warns of danger in .rtf files

March 29, 2014 Posted by Steven Weisman, Esq.

Microsoft has issued a warning to people not to open files with the .rtf extension due to a vulnerability that Microsoft has just discovered that could enable a hacker to send you an email with an .rtf file attached that, if you download it, will enable the hacker to take control of your computer. At the moment, although Microsoft has discovered the problem, they do not have a solution so they are advising people not to open such files and to consider disabling the opening of .rtf files. RTF is an acronym for rich text format, which is a file format Microsoft developed for use with Word software.


Microsoft has released a security advisory with more details about this threat and what you can do to reduce the danger. Here is a link to Microsoft’s security advisory about this problem:  For now, the best course of action is to totally avoid rtf files.

Scam of the day – March 10, 2014 – Netflix phishing scam

March 9, 2014 Posted by Steven Weisman, Esq.

Phishing is the term for a scam where you are lured to a phony website and either induced into providing personal information to what you think is a legitimate company or even a government agency or persuaded to click on what appears to be a legitimate link only to learn that by clicking on the link, you unwittingly download keystroke logging malware that will steal all of the information from your computer, smartphone, tablet or other device. In either situation, the end result is the same. You end up a victim of identity theft. Recently a phony, but very good looking copy of a Netflix website was found on the Internet. The URL for the website did have the word “Netflix” in it, but it also had a number of apparently random characters in the URL, which to a careful viewer would have been a sufficient tip off that this is a scam. On the website was a message to call an 800 support telephone number. If you call the number, you are told that your Netflix account has been shut down because it had been illegally accessed by hackers. You are then told to enable the “support” team to have access to your computer or other device in order to remotely download necessary security software to protect your account in the future. Instead of security software, what is installed remotely is a keystroke logging malware program that enables the scammers to steal all of the information from your device and use it to make you a victim of identity theft. In addition, the support team also asks for a photo of the customer’s identification and a credit card, which is readily able to be done using the victim’s computer or phone camera, which was actually able to be enabled through software already downloaded unwittingly by the customer. In closing, the phony support team tells the customer that the customer will be charged as much as $400 for the security update, however, in his or her case, they will offer a discounted rate.


This particular scam is no longer being done.  The phony website has been taken down.  However, it is a typical type of phishing scam that you must take great care to avoid.  Identity thieves are quite adept at creating legitimate looking websites that appear to be those of legitimate companies or even governmental agencies.  Whenever you go to a website for a company or agency with which you do business, make sure that you have the correct URL.  Double check it.  In this case, a savvy consumer would also know that Netflix does not supply security software.  In any event, never provide personal information, click on links or download attachments unless you are absolutely sure that you are dealing with a legitimate company that has a real reason for your information.  Although this particular scam is now down, you can expect the same pattern to repeat itself time and time again.
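The advice above to double check the URL, shown as an added example that is not part of the original post: a short Python check that compares the link's actual host name with the genuine domain instead of looking for the word "Netflix" anywhere in the address. The trusted-domain list and every sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domain this reader accepts as the real Netflix site.
TRUSTED_DOMAINS = {"netflix.com"}


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for a link before it is followed."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "reject", "address cannot be parsed"
    if parts.scheme != "https":
        return "reject", "not an https link"
    if not host:
        return "reject", "no host name"
    if parts.username is not None:
        # In https://brand.com@other.example/ the real host is other.example.
        return "reject", "text before '@' is not the host"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "reject", "internationalised look-alike name"
    for domain in trusted:
        # Exact match, or a subdomain separated by a real dot boundary.
        if host == domain or host.endswith("." + domain):
            return "trusted", "host is " + domain + " or a subdomain of it"
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host:
            return "reject", "brand name present but host is not " + domain
    return "unknown", "host is not on the trusted list"


# Constructed sample links (the .example names are reserved for documentation).
SAMPLES = [
    "https://www.netflix.com/login",
    "https://netflix-support-x7k29q.example/login",
    "https://netflix.com.x7k29q.example/",
    "https://netflix.com@x7k29q.example/",
    "https://notnetflix.com/",
    "http://www.netflix.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reason = classify_url(link)
        print(f"{verdict:8} {link}  ({reason})")
```
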

Scam of the day – February 24, 2014 – University of Maryland data breach

February 24, 2014 Posted by Steven Weisman, Esq.

A few days ago the University of Maryland disclosed that personal information of more than 300,000 students, faculty and other university employees connected with the university since 1998 was stolen by computer hackers. In a statement disclosing the data theft, the university said that computer and data security was “a very high priority” for the university, which is hard to understand because of the lax security that led to the data theft. Included in the compromised data were names, Social Security numbers, birth dates and other information for all faculty, staff, students and university personnel issued a university identification since 1998. This information is a veritable treasure trove for hackers who, armed with this information, use it for purposes of identity theft. The University of Maryland is by no means alone when it comes to being hacked. Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Rhode Island, the University of Arizona, Marquette and more than 50 other colleges and universities have been the victims of data breaches in the last couple of years. The reason for targeting universities and colleges is simple. Generally they maintain tremendous amounts of personal information and their record for data security is not good. Colleges and universities have much personal information that is often easily accessible within the school’s computer systems. Too often schools have permitted the information to be on unencrypted laptops and flash drives. In addition many schools do not have sufficient security programs in place to limit access to personal information, which the universities keep in their computers long after it is necessary to be kept, such as Social Security numbers for students who have long since graduated.


The schools have got to start giving more than lip service to their commitment to data security. Data breach prevention systems should be implemented that include, but are not limited to, updated firewalls, limited access to personal information, purging of unnecessary information and encryption. Personal information should not be as open and available as it presently is at many universities. If you are someone who is a victim of the University of Maryland’s data breach, you should contact the University and accept its offer of a year’s free credit monitoring. You also should consider putting a credit freeze on your credit report because monitoring only tells you that you have become a victim of identity theft after the fact; a credit freeze can protect you from becoming a victim in many instances. For information about credit freezes, click on the link on the right hand side of the page where it indicates, “credit freezes.”