July 2013 - Posts

Please be careful at YouTube for a little while

Word is there is something happening at YouTube that hearkens back to the old days of bad-stuff-in-flash.

Google has picked up on it too.


Dale Begg-Smith - remember him?

Dale Begg-Smith, Australia's most successful Winter Olympian, has vanished off the map:

Who was Dale Begg-Smith pre Olympic glory?


What does the Olympic Winter Institute of Australia boss Geoff Lipshut have to say?  "Dale has various personal business interests. When he's not with us training, we don't keep personal tabs on Dale."


Largest hacking and data-breach scheme ever prosecuted in the United States

From 2005 to 2012, five men from Russia and Ukraine are alleged to have operated a global hacking network that infiltrated some of the world’s largest financial institutions and businesses.  The men and four co-conspirators, including two who live in the U.S., seized at least 160 million credit and debit card numbers from institutions including Dow Jones, NASDAQ, J.C. Penney, JetBlue, and 7-Eleven.  The conservative estimate is $300 million lost.

Cite: http://www.nj.com/essex/index.ssf/2013/07/five_hackers_stole_160_million_credit_and_debit_card_numbers_through_international_attacks_federal_i.html 

Posted by sandi with no comments

An update on Innovative Marketing

Remember Innovative Marketing? Judgment was filed against Kristy Ross in September last year, finding her jointly and severally liable with Innovative Marketing, Sam Jain and Daniel Sundin for $163,167,539.95.

Ross has appealed, making (as described by the FTC) an "astounding—and false—argument that the district court never decided that the advertisements were deceptive".

The FTC goes on to say that "Ms. Ross also urges the Court to reject liability standards for FTC actions crafted over thirty years and applied uniformly in every court of appeals to have considered them."

And so the legal merry-go-round continues.


So now Lakeland has been hacked...

Cite: http://nakedsecurity.sophos.com/2013/07/24/lakeland-hacked-and-passwords-reset-customers-advised-to-change-passwords-elsewhere/

I know it's a pain but I strongly recommend that everybody consider taking advantage of "2 factor authentication" for their email, bank accounts and other services that may grant access to sensitive information.  I've done exactly that - setting up two factor authentication for Google, and Hotmail, and Twitter and my bank accounts. Yes, it's a pain having to have my phone with me so that I can enter that unique code every time I make a transaction online, but it's worth the pain.

Of all the setups I've tried thus far, Hotmail is the one I like the most. I have a Windows phone, you see, and all I had to do was install an authenticator app on my phone, then connect my phone to my account by using my phone to scan a bar code generated by Hotmail and displayed on the Hotmail website.  The authenticator app works kind of like an RSA key, with a six-digit number changing every 30 seconds or so.

Google caused me some difficulties, although I do like the single use authentication passwords for apps that don't support 2FA, and backup codes for when you don't have phone service.

Apple Developer site hacked

Cite: http://devimages.apple.com/maintenance/

“Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.”

FTC to hold ID theft webinar for the Blind and Visually Impaired on 31 July

This is worth sharing:

“The Federal Trade Commission will host a webinar at 2 p.m. Eastern on July 31 for blind and visually impaired consumers with information on how to protect themselves from identity theft.

The webinar, “Talking Through Identity Theft:  A Program for the Blind and Visually Impaired,” will address the full array of identity theft in the financial, medical and government benefits sectors. In addition, the webinar will address the particular issues facing both children and older adults in dealing with identity theft.

The webinar is free and open to the public. Webinar participants will need to connect via phone and computer, and can join up to 15 minutes in advance of the event.”


Ubuntu forums hacked

"Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database." [nearly 2 million signed up members]

Cite: http://nakedsecurity.sophos.com/2013/07/21/gun-wielding-penguin-takes-over-ubuntu-forums-waves-ak-47-at-linux-users-everywhere/

Please treat mikserv.com with extreme caution

The domain has been mentioned in association with malvertisements regularly in recent times.

mikserv.com – sharing IP with bozserv.com, kibhost.com and rovstat.com at time of writing.


Tumblr security alert: passwords “sniffed in transit” ??

Oh dear – with shared wireless networks being so common nowadays, this is quite a concern.

Update and change your passwords please…

Please treat ero-advertising.com with extreme caution

There are reports coming in of malvertizing via ero-advertising.com.


Nintendo hacked (affects Japanese users)

Yes, your personal information *is* valuable (think identity theft).  And, you should never use the same username and password across multiple sites.

“Hackers bombarded Nintendo for a month with 15.46 million bogus login attempts, out of which 23,926 struck the jackpot, exposing names, addresses, phone numbers and other personal details of corresponding Club Nintendo customers.”

Cite: http://nakedsecurity.sophos.com/2013/07/09/nintendo-cracks-after-month-long-15-5-million-strong-hacker-bombardment/
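The Nintendo numbers (15.46 million attempts, 23,926 successes, roughly 0.15%) are the signature of credential stuffing: username and password pairs leaked from one site replayed against another, which is exactly why reuse across sites matters. The Python below is an added example, not part of the original post or of anything Nintendo published. It runs a simple detector over constructed login-log lines in a made-up format: a source that tries many distinct usernames with a low success rate is flagged, and the accounts it did get into are listed for forced password resets.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Made-up log format for this example; adapt LOG_RE to your own auth logs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: alice mistypes her own password twice from home,
# carol logs in normally, and 203.0.113.9 sprays leaked pairs at twelve
# accounts and lands two of them (bob and dave).
SAMPLE_LOG = """\
2013-07-01T02:00:00Z login user=alice ip=198.51.100.7 result=FAIL
2013-07-01T02:00:05Z login user=alice ip=198.51.100.7 result=FAIL
2013-07-01T02:00:11Z login user=alice ip=198.51.100.7 result=OK
2013-07-01T02:00:30Z login user=carol ip=192.0.2.5 result=OK
2013-07-01T02:01:00Z login user=alice ip=203.0.113.9 result=FAIL
2013-07-01T02:01:01Z login user=bob ip=203.0.113.9 result=OK
2013-07-01T02:01:02Z login user=carol ip=203.0.113.9 result=FAIL
2013-07-01T02:01:03Z login user=dave ip=203.0.113.9 result=OK
2013-07-01T02:01:04Z login user=erin ip=203.0.113.9 result=FAIL
2013-07-01T02:01:05Z login user=frank ip=203.0.113.9 result=FAIL
2013-07-01T02:01:06Z login user=grace ip=203.0.113.9 result=FAIL
2013-07-01T02:01:07Z login user=heidi ip=203.0.113.9 result=FAIL
2013-07-01T02:01:08Z login user=ivan ip=203.0.113.9 result=FAIL
2013-07-01T02:01:09Z login user=judy ip=203.0.113.9 result=FAIL
2013-07-01T02:01:10Z login user=mallory ip=203.0.113.9 result=FAIL
2013-07-01T02:01:11Z login user=oscar ip=203.0.113.9 result=FAIL
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines: Iterable[str], min_users: int = 5,
            max_success_rate: float = 0.2) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Flag sources that attempt >= min_users distinct accounts with a success
    rate <= max_success_rate (a stuffing list mostly misses), and return the
    accounts those sources logged into successfully."""
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "hits": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["attempts"] += 1
        stats["users"].add(rec["user"])
        if rec["result"] == "OK":
            stats["ok"] += 1
            stats["hits"].add(rec["user"])

    flagged: Dict[str, Dict[str, int]] = {}
    compromised = set()
    for ip, stats in per_ip.items():
        rate = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": stats["attempts"], "ok": stats["ok"],
                           "distinct_users": len(stats["users"])}
            compromised |= stats["hits"]
    return flagged, sorted(compromised)


if __name__ == "__main__":
    flagged, compromised = analyze(SAMPLE_LOG.splitlines())
    for ip, stats in flagged.items():
        print("stuffing source", ip, stats)
    print("force password reset for:", compromised)
```

The thresholds are deliberately loose for a short sample; on real traffic the distinct-username count per source over a sliding window is the stronger signal, since attackers spread attempts across many addresses and a per-source failure count alone looks like ordinary mistyping.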

Mass confusion approaches?

Back on 27 June Mozilla announced that the Firefox “mixed content blocker” was available in the Firefox Beta, and was on track for general release with Firefox 23.  But, look at the indicator they are using:

Source: https://blog.mozilla.org/security/2013/06/27/mixed-content-blocker-hits-firefox-beta/ 


Here’s an IE10 equivalent, displayed at the bottom of the screen when a problem site is encountered.



It’s great that Mozilla are actively searching for sites that are being broken by the upcoming mixed content blocker, and it’s great that they are introducing this protection, but my personal opinion is that the size and position of the indicator they have chosen to use make it far too easy to miss, and users are going to be confused when sites they are visiting break.
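For site owners wondering what the blocker will actually break: Firefox 23 blocks active mixed content (scripts, stylesheets, frames, plugin objects) loaded over plain http:// into an https:// page, while passive content (images, audio, video) still loads and only triggers the indicator. The Python below is an added example, not from the original post or from Mozilla; it scans an HTML page for http:// subresources and classifies them with that split. The page URL, host names and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Element -> attribute pairs, grouped the way Firefox 23 treats them.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url) for every subresource fetched over http://."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.active: List[Tuple[str, str]] = []
        self.passive: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets execute in the page; other <link> types are ignored here.
            if "stylesheet" in (attrs.get("rel") or "").lower().split():
                self._check("link", attrs.get("href"), self.active)
        elif tag in ACTIVE:
            self._check(tag, attrs.get(ACTIVE[tag]), self.active)
        elif tag in PASSIVE:
            self._check(tag, attrs.get(PASSIVE[tag]), self.passive)

    def _check(self, tag, value, bucket):
        if not value:
            return
        # Relative and protocol-relative (//host/...) URLs inherit https from
        # the page, so only an explicit http:// scheme is mixed content.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            bucket.append((tag, resolved))


def find_mixed_content(page_url: str, html: str):
    """Return (active, passive) lists of http:// subresources for an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return [], []  # mixed content is only defined for secure pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.active, scanner.passive


# Constructed page for the example: one clean stylesheet, one protocol-relative
# script (fine), plus a stylesheet, a script, an iframe and an image over http://.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="//cdn.example/jquery.js"></script>
<script src="http://cdn.example/app.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="https://images.example/banner.png">
<iframe src="http://ads.example/frame.html"></iframe>
<a href="http://partner.example/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    active, passive = find_mixed_content(PAGE_URL, SAMPLE_HTML)
    for tag, url in active:
        print("BLOCKED  ", tag, url)
    for tag, url in passive:
        print("WARNING  ", tag, url)
```

A plain http:// link in an `<a>` is navigation, not a subresource, so it is not reported; and anything a script fetches at runtime (XHR, dynamically inserted tags) is invisible to a static scan like this, which is why testing in the Beta itself is still worthwhile.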

Thank you, but no

1. It ended up in my junk mail folder

2. The English is terrible

Hopefully those two points mean whoever wrote this email won’t succeed in fooling too many people.


Ubisoft compromised

Cite: http://blog.ubi.com/security-update-for-all-ubisoft-account-holders/

Yes, Ubisoft have taken action to protect themselves and their users but here’s something to think about – if any of those Ubisoft users have used the same username and password on other sites, then those sites are at risk too. That’s why it is SO important to NEVER use the same username and password on multiple sites.

It can be a pain to have lots of different usernames and passwords, I know, but at the very least make sure you have unique stuff for the most sensitive sites – online email, banking, instant messaging clients, any account that exposes your personal information or can be used as a way to gain access to other sites.

For example, if your email account is compromised, and that email account is used (for example) to receive “password resets” for other sites (which the bad guys can work out from going through your inbox, folders, sent items, deleted items) then they can easily take over all those accounts too.

Another safe browsing comparison….

We see them regularly – tests which try to quantify which browser is “safest”, whether it be IE or FF or Chrome or whatever.

The hardest thing to protect a user against, I think, is “social engineering”.  You see, in the end we all have the choice to ignore warnings displayed by our software, and if a malware distributor can convince a victim to ignore any warnings that they may be seeing, then it’s game over.

Anyway, Fred Pullen posted on the IE blog back on the 22nd about an NSS analysis which makes things look very good for IE, and for Chrome.

Image Source: http://blogs.windows.com/ie/b/ie/archive/2013/06/21/internet-explorer-10-provides-safer-browsing.aspx

It’s an interesting comparison; you can see that IE10 gains most of its protective behaviour from “URL reputation”, and Chrome from “Download Protection”.  “Application reputation” had only a small part to play.

It’s obvious that Firefox, Safari and Opera need to do something to address the deficiencies in their protections, although, I admit, I’m surprised at how effective “URL reputation” is as implemented by Microsoft for IE10.

Chrome have been taking steps in recent times to tighten things up with regards to apps too.  For example, disabling silent extension installs and later announcing that they would start identifying software that violates Chrome’s standard mechanisms for deploying extensions, flagging such binaries as malware.

Revised Children's Online Privacy Protection Rule Goes Into Effect Today. Also, adult advertising being displayed by apps made for children

URL: http://www.ftc.gov/opa/2013/07/coppa.shtm

“The revised COPPA rule addresses changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. The modified rule, approved by the Commission in December 2012, widens the definition of children’s personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.”

Also about children, a recent article on a popular news site appeared about pornography and ads appearing in apps made for children:

"ADVERTISEMENTS for pornography and sex chat lines are appearing in apps made for children but Australia's advertising industry says it is powerless to stop them, calling the issue "tricky" and "a grey area".  Advertising regulators instead say they are unable to prosecute overseas advertisers and rather than seek the power to do so they advise parents to "take some responsibility" for what their children see in apps."

There’s a combination of factors here; yes, advertisers can “target” their advertisements, but app owners/developers may also have some say about the types of advertising they are willing to accept, depending on who they choose to source their advertising from, and the controls provided by their chosen provider.