• Posts Tagged ‘security’

    All about Tech Support Scams

    by  • April 11, 2014 • Tech • 0 Comments

    unpacked-logoYou hear those stories about someone calling claiming they’re from Microsoft and that they’ve “found a problem on your computer” and are here to help. To be honest, I didn’t put much faith into those stories. I mean, really? Do people actually get those calls? Well, earlier this year I was sitting in a colleague’s office, someone on our tech staff, when her cell rang and she answered it. She quickly put it on speaker so I could hear the caller. It was someone claiming to be from Microsoft wanting to help her with a problem on her computer. She let him go on for about five minutes, not actually doing anything he said to do, before hanging up. Yes folks, these calls are real. And no, they are not calling to help you.

    Last week I was pointed to a great page from Mallwarebytes titled “Tech Support Scams – Help & Resource Page“. This is a great recourse you can use to familiarize yourself with these sorts of scams and to point others to in order to educate them to spot and ignore these scams.

    For example:

    Cold Call

    Usually from India and operating out of boiler rooms, these scammers call people in the U.S, Canada, the UK, and Australia whom they find in the phone directory.

    The scam is straightforward: pretend to be calling from Microsoft, gain remote control of the machine, trick the victim with fake error reports and collect the money.

    If you ever get a call from a Microsoft or Windows tech support agent out of the blue, the best thing to do is simply hang up. Scammers like to use VoIP technology so their actual number and location are hidden. Their calls are almost free which is why they can do this 24/7.

    …and the specific techniques they use:

    The Task Manager (CPU ‘spikes’)

    cpu

    falseThese spikes are dangerous for your PC’s health. Just like your heart rate, they should not go up. Your PC could suffer some irreparable damage.

    trueWhen your PC is active, you will see the CPU usage go up and down constantly. What would not be good is if the CPU was pegged at 100% utilization all of the time. This is not the case here.

    Even if you know what you’re doing, this is a wonderful page to read and share.

    Some calm, yet firm, advice for those wondering about Heartbleed

    by  • April 10, 2014 • Internet • 0 Comments

    heartbleedI’ve been putting off this post for a few days to allow for the immediate freak-out to die down and to let some actually good advice to surface. I’m now read to provide the following advice and resources:

    What happened?

    Basically, for the past two years there’s been a flaw in the security software behind somewhere near 60% of all “secure” Web sites on the Internet. That whole “make sure the site you’re logging into says ‘https://’” advice, well, that was the part that was broken. No one stole your password per se, but this hole could allow someone to get it and the site they got it from would have absolutely no idea that it happened.

    For a slightly more technical explanation watch this short video from the Security Now podcast.

    Is it serious?

    Bruce Schneier, the security guy security guys listen to says “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” ‘Nuff said.

    Do I need to change my passwords?

    Yes. Especially if, and I’m sorry if this language offends you, your passwords are crap. And chances are, your passwords are crap. Test your passwords using https://howsecureismypassword.net/. If your password strength isn’t measured in millenia, your password is crap.

    Oh, and if you use the same password for more than one site. You password is crap.

    This is not news folks. You’ve heard this before and ignorance is no longer bliss when it comes to this stuff.

    Do I need to change them right now?

    This is the biggest problem caused by this whole mess: it depends.

    Services that ran certain types of servers, or non-problematic versions of the SSL software, were not effected by this problem and therefore don’t have this as a reason to need you to change your password. (Unless you should anyway since your passwords are crap. See above.)

    Services that were effected need to fix the problem on their end before changing your password will do any good. Sure, you could go change your password right now, but if they fix the problem tomorrow, you’ll just need to change your password again.

    (See Naked Security’s “Heartbleed heartache” – should you REALLY change all your passwords right away? if you’d like further details.)

    So, how do you tell?

    Well, yesterday I got an e-mail from IFTTT.com telling me that they’d fixed the problem and that I should change my password. Full marks to IFTTT but don’t expect that from everyone.

    LastPass Heartbleed TestMashable has a great page titled The Passwords You Need to Change Right Now where you can look up major services to see if it’s time to change your password. Go there as soon as you’re done reading this unless you’re a LastPass user.

    If you use LastPass they have a service that will go through your accounts and let you know which services have the problem, whether they’ve fixed their server or not, and if it’s time to change your password. You can find instructions on how to do this on their page titled “LastPass Now Checks If Your Sites Are Affected by Heartbleed.”

    What should I do from this point forward?

    Improve your passwords! Seriously folks, we’re not kidding any more. Install LastPass and create a 100% unique and random password for every site you use. Also, if a service uses two-factor authentication and you can do it (i.e. you can receive text messages on any sort of cell phone) turn it on.

    If you run a server, or know someone who does, read/send this EFF blog post on Why the Web Needs Perfect Forward Secrecy More Than Ever and do it.

    Yes, this is a pain. Yes, things like complex passwords and two-factor authentication, adds some time it’ll take to log into a Web site. But so does locking your door when you leave the house in the morning. That doesn’t mean you’ve wasted the extra five seconds it took just to be a little more secure.

     

    Tuesday Tech Tip: Cloud storage that’s actually secure

    by  • April 1, 2014 • Internet, Tech • 0 Comments

    WualaI’ve blogged about Wuala before but in light of the recent news about Dropbox checking for the sharing of copyrighted material, which I agree with some isn’t really that big of a controversy, some may still want a more secure way to store and share in the cloud.

    Wuala works just like Dropbox but completely encrypts any content you put into it. Be aware though, that by doign this the program is a bit slower (as it needs to encrypt on upload and decrypt on download,) and, more importantly, if you loose your encryption key, your content goes with it.

    Friday Video: Edward Snowden @ TED & the NSA response

    by  • March 28, 2014 • Politics & Law • 0 Comments

    Published on Mar 18, 2014

    Appearing by telepresence robot, Edward Snowden speaks at TED2014 about surveillance and Internet freedom. The right to data privacy, he suggests, is not a partisan issue, but requires a fundamental rethink of the role of the internet in our lives — and the laws that protect it. “Your rights matter,” he say, “because you never know when you’re going to need them.” Chris Anderson interviews, with special guest Tim Berners-Lee.

    Published on Mar 20, 2014

    After a surprise appearance by Edward Snowden at TED2014, Chris Anderson said: “If the NSA wants to respond, please do.” And yes, they did. Appearing by video, NSA deputy director Richard Ledgett answers Anderson’s questions about the balance between security and protecting privacy.

    Gmail goes full HTTPS

    by  • March 20, 2014 • Tech • 0 Comments

    Gmail_logoStarting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet.

    In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers—something we made a top priority after last summer’s revelations.

    Read the full post @ The Official Google Blog.

    Time to stop using your Starbucks app to pay for your cup o’ joe

    by  • January 16, 2014 • Tech • 0 Comments

    Starbucks logoThe Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

    The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim’s bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim — he said it would probably be an email — which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.

    Read the full article @ Computer World.