A massive data breach at Amazon subsidiary Zappos.com has led to the personal information of as many as 24 million customers being exposed. Below is all of the information, as well as the statement from Zappos CEO, Tony Hsieh.
Florida Marine Lt. Col. Karl Trenker and his fiancee will probably think twice before posting jewelry for sale on Craigslist again. (Actually, they will probably never use Craigslist again to post a sale – at least, we wouldn’t.) It all started when his fiancee posted a gold chain for sale on Craigslist, and it ended with Trenker being shot three times and plugging the bullet holes with his fingers while waiting for help to arrive.
If you were one of an untold number of people who received a particular iTunes update, it may well have planted a Trojan backdoor on your computer or smartphone (primarily iPhone or BlackBerry) which gives government and law enforcement agencies access to your personal data. Let us be quick to add that this was a fake iTunes update, not one from Apple. The malware (or “commercial software”, depending on which side of this you are on) is sold primarily by three companies: Gamma (maker of FinFisher), Vupen Security, and HackingTeam. Gamma’s FinFisher product is from the UK, Vupen Security is out of France, and HackingTeam is in Italy; however, all three companies sell their software around the world.
“Take This Lollipop”, the creepy Facebook tour through your personal information, is an excellent example of something we have been trying to pound into your heads all along: putting personal information on the Internet (such as location-based check-ins) can be dangerous. More to the point: most people have no idea how much personal information they have really revealed online, and how easy it is for a stranger to track them down, stalk them, and worse. “Take This Lollipop” is technically a Facebook app, which is how (and why) it asks you to log in using Facebook Connect, something that we also advise against.
The worm that infected an Iranian nuclear site, Stuxnet, or something very much like it, may be getting ready to strike again, say researchers. A recently discovered piece of malware dubbed Duqu (for the ~DQ prefix of the files it creates) is designed to steal the information needed to mount another such attack, and to provide remote access to industrial installations such as, well, nuclear plants.
It can be a pretty scary thing to log into your Gmail account and be met with a blazing red banner that says “Warning: We believe your account was recently accessed from:” followed by a geographic location that you decidedly are not in, often a place such as Russia, Poland or China, and then the options “Show details and preferences” and “Ignore”. Usually you can be certain that the first thing you need to do at that moment is change your password, because your account was almost certainly hacked or otherwise compromised. However, that is not always true if the warning is about an access from within the U.S., such as “We believe your account was recently accessed from: United States (CA).”
It’s kind of fun to see a friend’s smiling face as their email address picture when you open an email from them. But there is a little-known danger to having a contact picture associated with someone who sends you email. That’s because those contact images are displayed even if the email is from someone who is merely using your friend’s email address as the sender, which happens all the time with phishing, scamming and spamming. It’s called “spoofing”, and any scammer or spammer can put your friend’s email address in their own “From” field; no access to your friend’s account is required. What this means is that any scammer can send you email “from” your friend’s email address, and your email program will display the address book picture you have set as the contact image, because it looks the picture up by that “From” address alone. And many, if not most, people, seeing their friend’s picture in that email, will have a false sense of security that the email really is from their friend. It’s as if the address book image being present in the email somehow proves it’s really from their friend. Well, it doesn’t. And here are real-life examples to prove it.
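To show concretely why the contact picture proves nothing, here is an added example (not code from the original article). It builds two constructed messages that carry the identical “From” address; the second was injected by a third party. A naive lookup keyed on the “From” header returns the friend’s picture for both. The safer version only shows the picture when the receiving mail server’s own Authentication-Results header (the authserv-id, addresses, domains and picture file name are all assumptions) reports a passing DKIM or SPF result aligned with the “From” domain, which is the strict alignment rule DMARC uses.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the article). Both carry the
# same From: address. The second was sent by a third party: note the different
# envelope sender (Return-Path) and the failing SPF / missing DKIM verdicts
# stamped by the receiving mail server.
GENUINE = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: bob@example.net
Subject: Lunch?

See you at noon.
"""

SPOOFED = """\
Return-Path: <bounce-1234@spammer.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=spammer.example; dkim=none
From: Alice <alice@example.com>
To: bob@example.net
Subject: You have to see this!

Click here: http://spammer.example/offer
"""

# Hypothetical address book: bare From address -> contact picture file.
ADDRESS_BOOK = {"alice@example.com": "alice.jpg"}

# The identifier our own receiving server writes into Authentication-Results.
# A header bearing any other authserv-id could have been added (or forged)
# before the message reached us and must be ignored.
OUR_AUTHSERV_ID = "mx.example.net"


def from_address(raw):
    """Bare address from the From: header, lower-cased."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.lower()


def contact_picture_naive(raw):
    """What the mail client does: look the picture up by From: address alone."""
    return ADDRESS_BOOK.get(from_address(raw))


def envelope_sender(raw):
    """The address the message was actually delivered on behalf of (Return-Path)."""
    _, addr = parseaddr(message_from_string(raw).get("Return-Path", ""))
    return addr.lower()


def parse_auth_results(raw):
    """Parse our MX's Authentication-Results header into
    {method: (result, {property: value})}; {} if absent or not ours."""
    header = message_from_string(raw).get("Authentication-Results", "")
    clauses = [c.strip() for c in header.split(";")]
    if not clauses or clauses[0].lower() != OUR_AUTHSERV_ID:
        return {}
    verdicts = {}
    for clause in clauses[1:]:
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = {k: v for k, _, v in (t.partition("=") for t in tokens[1:])}
        verdicts[method.lower()] = (result.lower(), props)
    return verdicts


def sender_is_authenticated(raw):
    """True only if a passing DKIM signature or SPF check is aligned with the
    From: domain (strict alignment). A From: address anyone can type is
    otherwise worthless as proof of identity."""
    domain = from_address(raw).rpartition("@")[2]
    if not domain:
        return False
    verdicts = parse_auth_results(raw)
    dkim = verdicts.get("dkim")
    if dkim and dkim[0] == "pass" and dkim[1].get("header.d", "").lower() == domain:
        return True
    spf = verdicts.get("spf")
    if spf and spf[0] == "pass":
        mailfrom = spf[1].get("smtp.mailfrom", "").lower()
        if mailfrom.rpartition("@")[2] == domain:
            return True
    return False


def contact_picture_safe(raw):
    """Show the address-book picture only for an authenticated sender."""
    return contact_picture_naive(raw) if sender_is_authenticated(raw) else None


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, from_address(raw), envelope_sender(raw),
              contact_picture_naive(raw), contact_picture_safe(raw))
```

Running it prints the same friend’s picture for both messages from the naive lookup, and only for the genuine one from the safe lookup; the Return-Path also gives the spoof away, but that header is rarely shown to users.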
A Magistrate has recommended to the Federal court in Maine that a bank (in this case Ocean Bank of Maine) has no liability, even though it allowed hackers to remove more than $500,000 from one of its customers’ accounts. The customer, Patco Construction, had been the victim of the Zeus trojan, which steals online banking credentials once it has been surreptitiously installed on a victim’s computer.
Earlier this month the White House released what it is calling its “Cybersecurity Legislative Proposal”. It makes for an interesting read, and so we thought we would share it with you. Let us know what you think.
Three researchers in Germany at the University of Ulm have discovered a massive security hole in Android – so big, in fact, that it affects at least 97%, and as many as 99%, of all Android users. The researchers, Bastian Könings, Jens Nickels, and Florian Schaub, found that because the affected apps send their Google authentication token (the authToken) over the network unencrypted, anyone sniffing traffic on the same unsecured wireless network can capture that token and use it as if they were you, giving them access to your contacts, your calendar and, well, really any application that authenticates you with that authToken.
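The practical check an app or network auditor wants here is whether any credential is crossing the wire in the clear. The following added example (not the researchers’ code, nor anything from the original page) scans a small constructed set of cleartext HTTP requests, of the kind an eavesdropper on an open Wi-Fi network could capture, for Authorization headers, and then groups the captured tokens to show that one sniffed token is replayable against every service that accepts it. The “GoogleLogin auth=” header form is the one Google’s (since retired) ClientLogin protocol used; the hosts, paths, user agent and token values are made up.

```python
import re

# Constructed sample of cleartext HTTP requests as an attacker on the same open
# Wi-Fi could capture them (not a real capture). The header form
# "Authorization: GoogleLogin auth=<token>" is the ClientLogin one; hosts,
# paths, user agent and token values here are invented.
CAPTURED_REQUESTS = [
    ("GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAMYAAACexampletoken1\r\n"
     "User-Agent: Android-GData/1.4\r\n\r\n"),
    ("GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAMYAAACexampletoken1\r\n\r\n"),
    ("GET /index.html HTTP/1.1\r\n"
     "Host: www.example.org\r\n\r\n"),
    ("GET /v1/me HTTP/1.1\r\n"
     "Host: api.example.org\r\n"
     "Authorization: Bearer exampleoauthtoken\r\n\r\n"),
]

# Credential-bearing Authorization schemes worth flagging in a cleartext capture.
AUTH_SCHEMES = {
    "GoogleLogin": re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE),
    "Bearer": re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE),
    "Basic": re.compile(r"^Basic\s+(\S+)$", re.IGNORECASE),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers-dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_cleartext_credentials(requests):
    """One finding per request that carried a credential in the clear."""
    findings = []
    for raw in requests:
        method, path, headers = parse_request(raw)
        auth = headers.get("authorization", "")
        for scheme, pattern in AUTH_SCHEMES.items():
            m = pattern.match(auth)
            if m:
                findings.append({"scheme": scheme, "token": m.group(1),
                                 "host": headers.get("host", ""), "path": path})
                break
    return findings


def reuse_map(findings):
    """Group captured tokens by value: a token seen against several services is
    a single credential an eavesdropper can replay against all of them."""
    by_token = {}
    for f in findings:
        by_token.setdefault(f["token"], set()).add((f["host"], f["path"]))
    return by_token


def redact(token, keep=6):
    """Show only a prefix so the audit report does not itself leak the token."""
    return token[:keep] + "..." if len(token) > keep else token


if __name__ == "__main__":
    found = find_cleartext_credentials(CAPTURED_REQUESTS)
    for token, targets in reuse_map(found).items():
        print(redact(token), "replayable against", sorted(targets))
```

In a real engagement the input would come from a capture of the device’s traffic rather than a list of strings; the point is that any token that shows up here at all is the finding, since anything sent over TLS never reaches this parser.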
Nicole Santos is getting quite a name for herself, and deservedly so. Her name has been spammed all across Facebook, in wall posts that are full of profanities and that almost always exhort the recipient to “Vote for Nicole Santos”. The trick, of course, is that at the bottom of the post, next to the “Comment” and “See Friendship” links, is a link to “Remove this app”. Because the language in the wall posts is so foul, one’s first instinct is to hit that link as quickly as possible – but don’t click that link, because that is how the virus infects your machine. (There is also a similar virus spam going around Facebook right now that exhorts you to “Please do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to begin the verification process”.)
Lots of you are asking lots of questions about the Sony PlayStation Network (“How was the Sony PlayStation Network taken down?”, “Who hacked the Sony PlayStation Network?”, “Is it true that it was done with rooted Sony PSP handhelds?”, and, perhaps most importantly, “Is the Sony PSN secure now?”). To bring you up to date, if you are scratching your head right now: the Sony PlayStation Network (referred to in shorthand as the “PSN”) was taken down last month in a concerted cyber attack which Sony at first said was an outage for “maintenance” but eventually admitted was the result of a hacking attack. The hacker or hackers also caused Sony’s Qriocity services to go down. Oh, and wait – it also extended to the Sony Online Entertainment network. In short, if you have ever completed any transaction online with Sony, you need to treat your identity and credit card information as compromised.
The “Security Alert” trojan, sometimes known as a ‘rogue antivirus’ attack, is making the rounds again. First spotted a few years ago, until recently the “web security” antivirus alert trojan targeted mainly PCs, tricking Windows users into downloading the evil ‘BestAntivirus2011.exe’ file by telling them that “To help protect your computer Windows web security have detected trojans and ready to remove them.” (Note the poor language usage.) Now this same tactic is being used to attack Mac users – all that has changed is the “Windows” to “Apple” and the file name (‘MacProtector.mpkg’ for Macs) – even the poor language remains the same! “To help protect your computer Apple web security have detected trojans and ready to remove them.” says the pop-up. Don’t fall for it, and whatever you do, don’t click on “Remove all”, which will cause the malware to be downloaded to your computer.