Posts Tagged: ‘hackers’

Scam of the day – February 26, 2015 – Lenovo issues automatic fix for Superfish adware

February 26, 2015 Posted by Steven Weisman, Esq.

Computer company Lenovo recently disclosed that computers that it was selling came with a software called Superfish that posed huge potential problems for the users of those computers.  Superfish is the name of a type of adware that was bundled on to their computers when sold.  This software did not provide any benefit to the computer user, but rather was a source of revenue for the Lenovo because the makers of Superfish pay Lenovo to have the software installed.   Superfish would inject ads on to websites visited by the computer user as well as track the websites searched by the computer user unbeknownst by the computer user.  This type of software installed on computers before sale is known by such colorful and pejorative terms such as “crapware,” “bloatware,” or “junkware.”  Unfortunately, it was discovered that Superfish was easily exploited by hackers to steal user information of the computer user thereby endangering the user’s security.  Fortunately, Lenovo has come up with an automatic fix that will remove Superfish from your computer.

TIPS

The affected computers include Lenovo’s G Series, U Series, YSeries, Z Series, S Series, Flex, Miix, Yoga and E Series computers.  Here is the link to remove Superfish from your computer if you have one of the affected computers:  http://support.lenovo.com/us/en/product_security/superfish_uninstall

Lenovo is not alone in installing such programs without informing its customers.  It is incumbent upon all computer purchases to inquire as to specifically what programs are installed on our computers when we purchase them and what the software does.

Jessica Bennett, a Lenovo user has just filed a proposed class action lawsuit against Lenovo on behalf of herself and other affected customers.  I will keep you informed as to the progress of this lawsuit.

Scam of the day – February 15, 2015 – President Obama’s Executive Order on cybersecurity

February 15, 2015 Posted by Steven Weisman, Esq.

In an effort to help combat cybercrime, President Barack Obama has issued an Executive Order encouraging and promoting information sharing both within the private sector as well as between the private sector and the government.  It has long been known that such information sharing about cyberthreats is an important step in the battle against cybercrime, data breaches and hackers.  The Department of Homeland Security will take the lead in establishing Information Sharing and Analysis Organizations (ISAOs) including setting up voluntary standards for these organizations.

TIPS

Although this is a very promising first step that will undoubtedly aid in the battle against cybercrime, data breaches and hackers, it is only a first step.  When looking for a helping hand to protect yourself from cybercrime and hackings, the best place to look is still at the end of your own arm.  We all must recognize that each of us is responsible for following best practices to protect ourselves as best we can from cybercrime and hackings.  We cannot rely on either government or private industry to do the job for us.  One of the reasons I write Scamicide each day is to arm you with the knowledge you need to protect yourself as best you can from threat of cybercrime and hackings.

Scam of the day – February 1, 2015 – Important security patches for Apple OS X, Safari, iOS, Apple TV and Adobe Flash Player

January 31, 2015 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  Today’s updates are critical updates from Apple for OS X, Safari, iOS and Apple TV users.  In particular, one of vulnerabilities if left unpatched could enable a remote attacker to take complete control of the victim’s system. Users of the affected programs should make sure that they update their software with these latest security patches as soon as possible.  In addition, today’s security updates provides new security patches for the popular Adobe Flash Player which is a constant target of hackers.  Although it has just been a couple of weeks since I last provided you with Adobe Flash Player security updates, there are new security patches you should install now.

TIPS

Here is a  link to the necessary  Apple updates as provided by the Department of Homeland Security:  https://www.us-cert.gov/ncas/current-activity/2015/01/27/Apple-Releases-Security-Updates-OS-X-Safari-iOS-and-Apple-TV

Here is a link to the security updates for the Adobe Flash Player: http://helpx.adobe.com/security.html

Scam of the day – January 29, 2015 – Major security flaw discovered in Linux operating system

January 29, 2015 Posted by Steven Weisman, Esq.

Linux is a popular and free computer operating system.  Recently researchers at the cloud security company Qualys discovered a major security flaw in the Linux operating system which they have named GHOST that would enable hackers to remotely take total control of a Linux user’s computer or other device without having to even know a password.  The GHOST security flaw could be exploited merely though an email from a Linux-based system to the victim’s computer or other device.  Fortunately, there is a patch for this security problem.  A link to the patch can be found below.

TIPS

If you are a Linux user it is imperative that you download the security patch immediately.  Here is a link that will take you to the necessary patches.  https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability

This is just another example of how important it is to keep up to date with the latest security patches and updates and install them as soon as possible.  Hackers and identity thieves constantly are taking advantage of people who do not update the software they use on their computers and other devices with the latest security patches.  Here at Scamicide we inform you whenever there are important security patches and updates about which you should be aware.  Make sure that you check out Scamicide every day and let your friends know to do the same.

Scam of the day December 24, 2014 – Beware of the Iggy Azalea sex tape

December 24, 2014 Posted by Steven Weisman, Esq.

I have been reporting to you about a purported Iggy Azalea sex tape that may or may not exist for a few months now.  Discussion about the purported sex tape featuring Australian rapper Iggy Azalea has resurfaced due to a feud between Azalea and rapper Azealia Banks, which has, in turn, prompted a group of hackers to surface threatening to release photos taken from the purported video unless Azalea apologize to Banks.   Meanwhile, to no one’s surprise supposed leaks of the tape have purportedly turned up on the Internet where the curious can put themselves in serious risk of identity theft by clicking on links in emails, text messages or social media postings promising to take you to the purported tape.  Other times, you may find yourself being prompted online to update your video capabilities on your computer or other electronic devices in order to view the video.  Again, this is just a ruse to lure you into downloading dangerous keystroke logging malware that will steal information from your computer and use it to turn you into a victim of identity theft.

TIPS

Without even getting into the question of the morality and ethics of looking for material such as this or the stolen videos of Jennifer Lawrence, Kate Upton and other celebrities, the truth is that you cannot trust any text message, email, social media posting that promises you such tantalizing material.  The chances are just too great that by clicking on any of these links or downloading attachments you will be downloading malware that will be used to steal your identity.  As for websites that turn up on Google and other search engines promising to provide you with these videos, scammers are adept at manipulating the algorithms used by search engines to rank websites so that although you may think you are looking at a legitimate website, you are not.  It is also important to remember that even if you have kept your anti-malware and anti-virus software up to date, that is of little consolation since these security software programs are always at least a month behind the latest malware and viruses.  If you need to satisfy your curiosity for gossipy material, stick to legitimate websites such as www.tmz.com.

Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

November 8, 2014 Posted by Steven Weisman, Esq.

Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name.  This type of precise phishing is called spear phishing and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official looking emails.  Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft and if you click on the link or download attachments in the emails, you will download keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft.

Home Depot also disclosed for the first time that the way their computers were hacked was by initially hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot.  This was the same tactic used in the Target hacking and many other data breaches.  In fact, in a column I wrote for USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others using offsite access to the computers of the targeted companies.  I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look.  The risk is too great.  You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring.  Such a legitimate email was sent by Target to its affected customers after its major data breach.  However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments.  Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information.  When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.

Scam of the day – October 7, 2014 – Latest security updates from Department of Homeland Security

October 7, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates include a number of important security patches related to the Bash virus.

TIPS

Here are the links to the latest security updates as issued by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB14-279

Scam of the day – October 2, 2014 – Important update on Bash bug

October 2, 2014 Posted by Steven Weisman, Esq.

On September 27th I warned you about the revelation that there was a bug called Shellshock in the Bash command-line interpreter on many operating systems including Linux, Unix and Apple’s OSX that had just been discovered after more than twenty years.  This bug is simple to exploit and tremendously dangerous since when exploited by hackers, permits the hacker to take over the computers using the infected operating systems.   The Federal Financial Institution Examinations Council (FFIEC) has warned the banking industry that it should take immediate steps to protect itself from this major threat.  Hackers have been busy trying to take advantage of this security flaw by attacking servers using affected operating systems while security experts have been equally as busy trying to create new patches.   A series of security patches have been released just in the last couple of days. It is also important to know that, as individual computer users, your firewall should protect you unless a hacker tricks you through phishing into clicking on a link and download malware to exploit the flaw.

TIPS

For all of us, this is a reminder to never click on a link in an email, text message or social media posting unless you are absolutely sure that it is legitimate.  Too often, what appear to be legitimate communications with emails are phishing scams with malware attached.

Here are links provided by the Department of Homeland Security which in turn have links to the latest security patches issued by Apple and others to deal with this problem.

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

https://www.us-cert.gov/ncas/current-activity/2014/09/30/Apple-Releases-OS-X-bash-Update-10

Scam of the day – August 7, 2014 – Russian gang steals 1.2 billion user names and passwords

August 6, 2014 Posted by Steven Weisman, Esq.

It was revealed yesterday that a Russian gang of about 20 hackers committed what may be the largest data theft in history by stealing 1.2 billion user names and passwords along with 500 million email addresses.  This particular gang has been operating since 2011, but this is their largest data theft.  The data breach was discovered by a computer security company, Hold Security who indicated that the data breach involved more than 420,000 websites around the world including those of large companies as well as small websites.  The companies hacked included companies involved in the auto industry, real estate, oil industry, consulting firms, care rental businesses, hotels, computer hardware companies, software companies and the food industry.  The gang used a technique to hack these websites that I have warned you about for two years.  They exploited security vulnerabilities in the software used to create websites, such as Adobe Cold Fusion, which has proven to be vulnerable in the past (although at this point in time, it is still too soon to know exactly which vulnerable programs were exploited) that permit a type of hacking called an SQL injection in which the hacker is able to inject his data collection software into the targeted website which can often go undetected for long periods of time.  The hacker then retrieves the collected information and then either uses it themselves for identity theft and fraudulent purposes or sell the information on black market websites to other criminals.

TIPS

The first thing to remember is that you are only as safe as the security of the weakest company or website that holds your personal information including your user name and password.  Although it is an inconvenience, it is important to maintain separate, unique passwords and user names for all of your accounts and to change them somewhat frequently.  If you use the same password for a small retailer and your online banking, you become extremely vulnerable to having your bank account hacked if the retailer with which you do business is hacked.  Also, do not store your user name, password or credit card information on any website.  It may be convenient for you, but it is also extremely convenient for identity thieves as well.  You can expect a wave of “spear phishing” by which you will receive emails that appear to come from someone you know and trust when in reality it is coming from an identity thief.  Many of these spear phishing emails will have links and attachment that contain keystroke logging malware that, when downloaded, will permit the identity thief to steal all of your personal information from your computer and use it to make you a victim of identity theft.  It is for this reason that I always advise you  not to download an attachment or click on a link unless you have confirmed and are absolutely positive that the email is legitimate.  This is an important story and I will update you as more information becomes known.

Scam of the day – June 30, 2014 – Even hackers use weak passwords

June 29, 2014 Posted by Steven Weisman, Esq.

I am constantly warning people to use complex, distinct passwords for all of their online accounts in order to prevent the passwords from being stolen and deciphered when encrypted.  The easiest passwords for an identity thief to decipher are those that use any word in the English language or passwords less than twelve characters.  A complex password should also mix small letter, capital letters, figures and symbols for maximum protection.  However, many people do not do this and are at great risk of identity theft because of their lack of prudence in choosing a password.  These people should feel a little better about themselves, however, because a recent study by computer security company Avast found that even the hackers don’t generally use strong passwords.  According to Avast only about 10% of hackers use difficult to decipher passwords, with the average hacker password only six characters long.  In fact, the most popular password for hackers, was “hack.”

TIPS

Just because hackers don’t take enough precautions to protect themselves does not mean that you should neglect having a strong password.  You should have a separate password for all of your online accounts so if your password for one account falls into the hands of an identity thief, your entire online life is not threatened.  You should also change your passwords about every six months.  Creating an easy to remember, but complex password is not very difficult.  Start with a phrase, such as “AVeryComplexPassword” and then add a some numbers and symbols, such as “AVeryComplexPassword1**.”  You can then personalize it to a particular account by adding an abbreviation for that account at the end.  For example, your password for Amazon could be “AVeryComplexPassword1**Ama.”  Easy to remember and hard to break.