Why Are People Still Using Zoom?

Since the last time we mentioned Zoom, there have been alerts put out asking people to stop using it. There are numerous problems with it. Sure, it is probably the easiest meeting software for non-technical people to use, but the security is what has people up in arms.

So what is the problem? There are a few. Just last summer it was found that the Mac client installed a component that bypassed security so a meeting could be launched in a few clicks. This also made it easy for hackers to start a user’s webcam and watch them without their knowledge. Worse, this component remained even after the user uninstalled Zoom. Apple removed it by force-deploying an update to every Mac in the world.

There are other things. Zoom can use data from your private video calls to sell ads. What if you are using Zoom to speak with your therapist? What kind of ads will they be marketing to you?

Another thing that was “fixed”: Zoom was sending user information to Facebook. That has since been addressed in an update.

To see more about this:
OneZero.medium.com
Tidbits.com

Here is a light-hearted parody of the Zoom security issues:

To Track or Not to Track

Zachary McCoy, a restaurant worker in Florida, received a surprising email from Google. Google’s legal support team was letting him know that the local police department had demanded some of his Google account data. Unless he moved to block it in court, Google would release the data in seven days.

Not knowing what he had done, but noticing a case number, he began to search for information. He found there had been a burglary of a woman’s home within a mile of the house he shared with his roommates. Knowing he had nothing to do with it, he contacted his parents, who in turn hired a lawyer for him.

Their lawyer found out that the police were using a “geofence warrant,” which sweeps up Google location data (from GPS, Bluetooth and Wi-Fi connections) for every device that was near the scene.

It turns out that McCoy uses an app on his phone called RunKeeper to record his bike rides. He found he had passed by the victim’s home a few times within one hour, which is simply part of the loop he regularly rides.

Even if you are innocently using your apps with GPS that keep track of your activities, you may be in the wrong place at the wrong time.

Read the full article

Passwords…Again!

Yes, they are a pain. All the requirements for a minimum number of characters, numbers, symbols, lower case, upper case; where does it all end? Well, for now it doesn’t. The Portland, Oregon division of the FBI has recommendations for passwords and security.

Some people seem not to care about passwords and just make a simple one to get into a site. They reuse passwords across multiple sites without changing them. Sometimes they have a couple of favorites they use over and over again. If they are asked to change them, they just rotate the same ones around.

So back to the FBI’s recommendations. They recommend using passphrases: three or four totally unrelated words strung together. You may still need to add special characters, numbers or capitals for some sites like banks, but you can slip them in between the words if that makes it easier for you. If you need help, try out this passphrase generator.

Read the full FBI article

Malwarebytes 2020 Report

We talked about Malwarebytes a few years ago. Back then, it was mostly PC users who worried about malware and exploits. Well, in their latest report, surprise, surprise, Malwarebytes reports that in 2019 they saw a 400% rise in Mac exploits! That is a significant change from previous years.

Many of the items flagged are called PUPs (Potentially Unwanted Programs). Many of them need to be quarantined. Malwarebytes scans for those as well as PUMs (Potentially Unwanted Modifications). On a PC, PUMs can be found in the registry or in browser settings.

Read the report (PDF)

Source

Avast Caveats

Do you use Avast antivirus programs? It has come to light that they harvested user data and sold the information collected to a firm called Jumpshot, which in turn sold it to other companies: Google, Microsoft and Intuit, to name a few. This pertains to both PCs and Macs, and to both free and premium services. So while you are trying to protect your privacy and data, Avast is going behind your back and selling them.

To be fair, you have the option to opt in to allow some user data to be collected, but you are not really told how it is used or what is collected. The data collected includes location lookups, searches, YouTube video listings, Google Maps, LinkedIn, and various others.

Think twice before you download free or even paid software. Don’t allow it to collect information.

Source

Do You Really Own What You Think You Own?

Wow – that sounds confusing. And it is. You purchase something you think is good tech, only to find out it is no longer usable. The Victor crew came across this article, and it is true. Many things stop working because they are no longer supported.

For instance, in 2011, Lenovo came out with an Android tablet, the IdeaPad K1. So that Christmas, I treated myself to one. I went all out and bought the keyboard, a nice leather case, and a carrier. I was set. About 6 months later, I found out it would no longer get Android updates, and they left us with an Android 4.0 update to flash on it, which would wipe out any customizations or even any apps on it. I did flash it, but the hardware is now old enough that it probably won’t run much anymore.

Another example is HP printers. For some printers to print, you HAVE to be enrolled in their InstantInk program, or they can remotely disable your printer.

Back to the article. It is about Sonos. Sonos announced they will stop sending security and software updates to their legacy systems. Products introduced between 2005 and 2011 are considered legacy. People are being offered a 30% discount to trade in their old systems; however, that puts the item into a 21-day countdown before going into “recycle mode”. Once in this mode, it cannot be used or repurposed without their permission.

It would be nice to know the expiration dates of our devices, whether it is security updates, general software updates, or when they think the hardware will no longer work.

Source

Account Safety/Ring Camera

The Ring camera system has recently been in the news because it can be hacked easily, and one person whose cameras were hacked has filed a lawsuit against the owner, Amazon.

In plain terms, the authentication used by the family was not robust enough. Ring does offer two-factor authentication, which can help prevent this from happening.

Many people fail to use two-factor authentication to begin with because they don’t really understand what it is. Once again we are urging people to get a password manager and use two-factor authentication where possible.

Two-factor authentication alerts you when a new device tries to log into your account and requires a second step before it is let in. If you don’t have two-factor enabled and have a weak password for ANYTHING, you are just asking to be hacked. Be safe and make it a priority in 2020 to up your security game.

Check this out before buying a new Smart TV

New Smart TV on your Christmas list? Be careful about what features your TV has, specifically cameras or microphones built in. According to the FBI, they could be used to spy on you.

Smart TVs connect to the Internet to update, download apps, and reach services through those apps. Some of the newer ones have built-in cameras for facial recognition so they can suggest your favorite programming. Microphones are generally used for voice control, so the remote can change channels.

If your Smart TV is unsecured, hackers can listen to and watch you as well, or take control of the TV. If you can’t turn off the camera, consider putting black tape over the lens. Make sure to keep the software updated.

If you are victimized by any fraud on the Internet, contact the IC3 (Internet Crime Complaint Center).

Home Devices Part 2

Last week we talked about how home devices such as Google Home and Amazon Echo keep listening after you think they have stopped. There is more.

The same company, Security Research Labs, has done more testing. This time they built a Google Home action and an Amazon Echo skill called Lucky Horoscope to show how the devices can be used by hackers for phishing. When the user asks for Lucky Horoscope, it gives an error saying the action/skill is not available in their country. After a short pause it says there is an update, asks for the user’s password, and records it. The hacker now has the user’s email and password.

Google Home:

Amazon Echo:

Home Devices

You may think you are OK using home devices such as Google Home or Amazon Echo, but maybe not so much. Security Research Labs in Germany has videos that show how the devices are still active even after you think they have stopped listening.

Google Home:
In this video you can see the person talking on the right and the information recorded in the terminal on the left. After she asks her first question, she keeps speaking, and the device keeps sending what it records to the server.

Amazon Echo:
You will see that it continued to record after the person said “Alexa, stop”.

Deepfakes

We’ve been seeing this word a lot lately. Let’s delve into what it is and what it means.

According to whatis.techtarget.com, it is an AI-based technology used to alter videos to show something that didn’t happen. The name comes from a Reddit user who altered clips of celebrities and used regular people in those clips.

So this is not just pasting your face over a celebrity image, but rather using AI to create the clips, which makes them even more polished.

This article from CNN has a lot of information on how this technology is made. It also sounds a warning about what may happen in the political atmosphere in our country because of deepfakes.

Many celebrities are concerned about deepfakes because people have swapped their likeness into porn films, invading their privacy and spreading something that never happened on social and other media.

Here is a video from Nova/PBS

Here is a TedTalk by Supasorn Suwajanakorn

More on Pa$$w0rds

The Victor crew found this article about passwords. There have been so many breaches in recent history. There have been 13 big data breaches this year alone (so far).

This article breaks down why passwords really don’t matter given the way hackers carry out their breaches. It was written by a Microsoft engineer using statistics collected from accounts connected to Azure Active Directory. The data is broken down by type of attack and how each is performed.

Once you cut through all the techese, the bottom line is: choose passwords of at least 8 characters, use a password manager and let it generate passwords for you, and turn on multi-factor authentication for that extra step.

Trying out DuckDuckGo.com

Did you know there are other search engines besides Google? With Google being everywhere, we forget that there are others. Some we may have forgotten or never knew about: bing.com, yahoo.com, dogpile.com, yippy.com, webopedia.com (focusing on technical terms), ask.com (which may previously have been known as askjeeves.com), wolframalpha.com (computational intelligence), to name a few.

We are currently trying out DuckDuckGo.com. I’ve switched over to using it for a couple of weeks now. The one lure is that they are “… setting the new standard of trust online, empowering people to take control of their information.” They say your searches are always private. So what does that matter? DuckDuckGo

Have you ever searched for something just out of curiosity and then received all sorts of spammy email about that subject? Just look at your spam mailbox and you may see many spam emails about your search phrase. This happens especially when you aren’t using private browsing mode in your browser. And it’s not just emails: you will start to see what you searched for on websites and in apps as well.

DuckDuckGo has been around since 2008. You can even download their browser with privacy from your app store.

Zero-Day Internet Explorer Vulnerability

First of all, what does zero-day mean? It is the day a vulnerability was found. If a bug had been around for 10 days, it would be a 10-day vulnerability. Usually a fix will be developed in the form of a patch or workaround.

A zero-day exploit means an attack takes place the day a vulnerability is discovered.

On March 30, 2019, two zero-day vulnerabilities were discovered in Microsoft Edge and Internet Explorer. Without getting too technical: when you visit a malicious site, a flaw in the browser’s same-origin policy code lets that site reach into other sites’ data. When working correctly, the same-origin policy prevents other sites from accessing your information.
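To make the same-origin policy concrete, here is an added example (not from the original post or from Trend Micro) of the comparison a correctly working browser makes before letting a page read another site’s data. The host names are made up for the demo.

```javascript
// Two URLs share an origin only when scheme, host and port all match;
// the path, query string and fragment do not count.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString); // WHATWG parser lowercases scheme and host
  // An omitted port means the scheme's default port.
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// What the browser decides when a script on `pageUrl` tries to read a
// response from `targetUrl`: allowed only for the same origin. A cross-origin
// read needs the target's explicit CORS permission, which is not modelled here.
function scriptMayRead(pageUrl, targetUrl) {
  return isSameOrigin(pageUrl, targetUrl);
}

// Constructed cases; "evil.example" stands in for the malicious site above.
const CASES = [
  ["https://bank.example/account", "https://bank.example:443/api/balance"], // same
  ["https://bank.example/account", "http://bank.example/api/balance"],      // scheme
  ["https://bank.example/account", "https://bank.example:8443/api"],        // port
  ["https://bank.example/account", "https://evil.bank.example/"],           // host
  ["https://evil.example/trap", "https://bank.example/api/balance"],        // host
];

function evaluateCases() {
  return CASES.map(([page, target]) => scriptMayRead(page, target));
}

console.log(evaluateCases()); // [ true, false, false, false, false ]
```

The last case is the one the vulnerability above breaks: the malicious page should get `false`, and the bug lets it through anyway.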

Another vulnerability is related to MHT files. Internet Explorer can still read MHT files. If you use Outlook, you may see this above an email: “If there are problems with how this message is displayed, click here to view it in a web browser.” That will open the message in IE, even if you are using Windows 10 with Edge. If the MHT file is infected, you will have problems.

To prevent programs from opening IE, go to “Programs and Features” in Control Panel, then “Turn Windows features on or off”, and uncheck Internet Explorer 11. Restart your computer.

Trend Micro Blog

Gmail

If you have a Gmail account, did you know that your email address can also have dots in it and you’ll still get the mail? For example, if your address is johndoe@gmail.com, it won’t matter if someone sends to john.doe@gmail.com. They can even send it to j.o.h.n.d.o.e@gmail.com and you will still get it. Most mail systems do not allow this. Apparently it has been like this for some time.

We found out recently when we saw an article from ZDNet about how scammers are exploiting this by registering at different websites under your email address but with dots added. It may be sites like Netflix, Amazon.com, or eBay. The sites see the dotted email as a different account.

One group has used a variation of this to obtain credit cards. They have filed tax returns, registered for trial accounts, submitted USPS change-of-address requests, collected Social Security benefits, applied for unemployment benefits, and applied for FEMA disaster relief.

The article brought out two other things that could be exploited. First, Google allows + signs: you can send email to johndoe+someword@gmail.com and johndoe@gmail.com will get it. Second, before gmail.com there was googlemail.com, and if you use johndoe@googlemail.com, johndoe@gmail.com will still get it. Yes, this has been tested and confirmed.
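For the website side of this, here is an added example (not from the original post or the ZDNet article) of how a signup system can collapse the dotted, “+word” and googlemail.com variants described above onto one mailbox, so duplicate registrations are visible. The sample addresses are constructed.

```javascript
// Canonicalize an address the way Gmail itself treats it: dots in the local
// part are ignored, anything from "+" onward is ignored, and googlemail.com
// delivers to the same mailbox as gmail.com. Other providers are left alone
// (apart from lowercasing the domain), since most of them do not do this.
function canonicalGmail(address) {
  const at = address.lastIndexOf("@");
  if (at < 0) return null;
  let local = address.slice(0, at).toLowerCase();
  const domain = address.slice(at + 1).toLowerCase();
  if (domain !== "gmail.com" && domain !== "googlemail.com") {
    return `${address.slice(0, at)}@${domain}`;
  }
  const plus = local.indexOf("+");
  if (plus >= 0) local = local.slice(0, plus); // drop the "+word" tag
  local = local.replace(/\./g, "");            // dots do not matter
  return `${local}@gmail.com`;                 // googlemail.com is the same mailbox
}

// Group a list of registered emails by the mailbox they actually reach and
// return only the groups with more than one registration.
function findAliasGroups(emails) {
  const groups = new Map();
  for (const e of emails) {
    const key = canonicalGmail(e);
    if (key === null) continue;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  return [...groups.entries()].filter(([, members]) => members.length > 1);
}

// Constructed sample of signups as a site would see them.
const sampleSignups = [
  "johndoe@gmail.com",
  "John.Doe@gmail.com",
  "j.o.h.n.d.o.e@gmail.com",
  "johndoe+trial2@gmail.com",
  "johndoe@googlemail.com",
  "johndoe@example.com",
  "john.doe@example.com", // a different mailbox at a provider that keeps dots
];

console.log(findAliasGroups(sampleSignups));
// [ [ 'johndoe@gmail.com', [ ...five Gmail variants... ] ] ]
```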

Collection #1 Breach

There was a new breach found last week and reported by Troy Hunt on January 17, 2019. This one is massive: a collection of over 2.5 billion rows of email and password combinations. Over 1.1 billion of these were unique combinations, possibly because emails appeared in both upper case and lower case. There were a total of over 700 million unique email addresses with passwords.

Perhaps you are no longer using a particular email that was found in the breach. Or maybe your password has since been changed. Chances are you are, or were, a little lax about your passwords and reused them on different sites.

You can use Troy’s site https://haveibeenpwned.com to check whether your email has been found in any breaches. You can use this page to check whether a password you are using has been in any breaches: https://haveibeenpwned.com/Passwords

We recommend you use a password manager and let it generate secure passwords for you. You would only have to remember that one password, and you can have access to all your passwords and sync them to your devices. Some managers even offer storage of sensitive documents.

Read Troy Hunt’s article here.

Logging into any Google service logs you into Chrome

As of version 69, the Chrome browser will log you in and sync when you visit any Google site like Gmail, YouTube, Google Docs, Google Maps, etc. For whatever reason, you may not want to be logged in, or you may not want them to keep track of everything you do. They are not giving you that choice anymore.

There was a discussion on Twitter about it with Adrienne Porter Felt, a Chrome engineer and manager.

Apparently, after these discussions and feedback, Google is going to back down and make some changes in version 70, coming out in mid-October. They will allow sign-in without syncing. If you want to sync between devices, you will need to turn sync on. Signing into a Google-owned website will no longer sign you into Chrome at the same time.

Facebook Breach

By now you’ve heard about last week’s Facebook breach, in which 50 million users’ accounts were impacted. This time, attackers had the ability to directly take over user accounts. Facebook logged 90 million users out of their accounts: the 50 million affected and 40 million more that may have been. They also announced that other sites could be affected if you use your Facebook credentials to log into them.

The persons responsible, who haven’t been found yet, were able to get hold of access tokens, which is something like session hijacking. The problem was found in the video uploader page. Find out more about it from How-to Geek.

Chrome Extension: PassProtect

There is a Chrome extension to help you pick better passwords. It is called PassProtect, by Okta. It will tell you right away if your password is in a list from data breaches. It doesn’t necessarily mean your username/email and password combination is in that list, but if your password is already in a list of compromised passwords, you might want to rethink that password. You can add it to your Chrome browser.

They do not store or collect any information from you; they simply use the HaveIBeenPwned.com API to check against the list of known breached passwords. If you want to check a password on your own, you can check it manually here as well, because it is the same list. Hackers who have collected passwords will often use them to try to guess people’s logins on a site, and if you are using a password from a breached list and they know your email or username, you may find yourself hacked.

PassProtect

Robot Guards

A company based in Singapore, Oneberry Technologies, has developed RoboGuard. If you need surveillance, you can get a robot to do it. You would still have to staff the system and watch whatever the robot finds, but this is an interesting concept in robotics and in surveillance.

Funny how things never change…

The Victor crew happened upon an article about an article. TheVerge.com showed a clipping of a news article from a 1996 copy of the Wall Street Journal. The clipping shows that even back in 1996, there were privacy concerns.

The concerns were about privacy with such things as cookies, encryption, and junk email. We recently wrote about the blast of Terms of Service you’ve been seeing. Most of them address all these issues.

The only way to truly protect your privacy is to be aware of what is being collected. Don’t just shrug off all those terms and privacy legal pages. Read them. If they want something you don’t want to give, then just stop using that service, app, website, etc. If the site or app has privacy settings, go into them and limit your exposure. Limit who can see your posts, photos, or information. Sometimes you can even set it so you need to approve who can friend or follow you.

View the original full Wall Street Journal article here.

Does 2-Factor Authentication Keep You Safe?

Not always. The Victor crew found an article/video that demonstrates how you have to be very careful even if you have 2-factor authentication in place. The trouble can occur when a user clicks a link sent in a phishing attack. The email may look legitimate, but it may have the real site name misspelled.

The most important takeaway is to stop and think before clicking a link, even if you think it comes from a legitimate source. If you receive a message from a major site, most likely you can just go to that site, log in, and see any notifications someone may have sent, rather than relying on the generated emails.

You can see how 2-factor authentication is bypassed in this demonstration by Kevin Mitnick from KnowBe4.com.

Windows Defender Browser Protection

There is an extension for the Chrome browser called Windows Defender Browser Protection. It extends your Defender protection to your browser. It will keep you from accidentally clicking through to a phishing site, and you can turn the protection on or off. If you click a link from an email, it will help by warning you that the website is unsafe.

After you install it in your browser, you will see a small Defender icon at the top of your browser. Click it and you will see the dropdown (shown below). You can turn it on or off temporarily.

Windows Defender Chrome Addon

Get the extension for Chrome here.

Learn more about how it works from Microsoft.

Cryptocurrency Mining

Cryptocurrency is the term given to currency such as bitcoin, ether, or any of the other digital currencies out there. So how does this work?

Cryptocurrency runs on what is called a blockchain, a ledger that is duplicated across networks of computers. As it is updated, it is made available to every holder of the cryptocurrency. Every transaction of every cryptocurrency is recorded. The blockchain is run by miners. Their computers tally up the transactions, update the ledger, and verify the authenticity of the information received. In return, miners are paid fees for each transaction. Buyers and sellers agree on the value of the cryptocurrency as it fluctuates.

Transactions are made peer-to-peer, without a mediator like a bank. The buyer and seller do not know who the other is, but everyone on the blockchain knows about the transaction, as they are made public.

If I wanted to buy something that costs $10,000 and found a seller that accepts cryptocurrency, say bitcoin, I would find out the current exchange rate and get the seller’s public cryptocurrency address; we would stay anonymous to each other. I would then send my bitcoin to that address, say 10 bitcoins valued at $1000 each. My bitcoin client would sign the transaction with his private key. The transaction would be verified, transferred and recorded.

Cryptocurrency mining involves adding transactions to the blockchain and releasing new currency. Miners use special computers, hardware and software, to do this. Lately they’ve taken to using browsers and apps for cryptomining. There is a JavaScript they can add to a website; sometimes the site tells you it is using it, sometimes not. When it was first used it didn’t generate much money for the miners, but now that bitcoin rates have increased, there seems to have been another surge.

Coinhive is an alternative to browser ad revenue. They provide a JavaScript for people to put on their website, and it uses your computer to mine. Mining takes a lot of power, so they look for other ways to get it. A good ad blocker can prevent you from reaching some of these types of sites; I just got a warning from my ad blocker when trying to get to coinhive.com. It is used to mine a cryptocurrency called Monero. The owners of the site get 70% of the currency and Coinhive gets the rest. You may never even know it is taking place when you visit a site using it, except that your computer may run a little slower. WordPress users can even get a plugin for using Coinhive.

In one month last year, Malwarebytes blocked 248 million attempts to borrow resources through the Coinhive script. Many of the sites using Coinhive are porn sites or heavily covered with ads anyway. A good antivirus or ad blocker can help. You can also turn off JavaScript in your browser. Or download and use Opera, which blocks cryptomining.

Coinhive cryptomining scripts were recently found in 19 apps in the Google Play Store. One of the apps had over 100,000 users. They have since been removed from the store.

Here are some of our source articles to find out more:
https://www.benzinga.com/
https://www.symantec.com/
https://www.pcmag.com/
https://www.bleepingcomputer.com/
https://thenextweb.com/

Password security

We’ve talked about passwords before, yet it is such an important topic because of all the breaches we see. Some people say they don’t have anything that important so it doesn’t matter, or they say they need to use the same password for everything. This is a bad practice and a bad attitude. Think about all your accounts where you have purchased items, or your banking or credit card accounts. Do you really want to use the same password for everything? Once they breach one account, say your email, they can look through it to find what other accounts you are subscribed to and have a field day. This is even how identities are stolen.

Here are some things you can do:
Go to HaveIBeenPwned.com and check your email for pwnage.
Also click on their password tab and check to see if your passwords are on any common lists.
Use a password manager like LastPass.
Use 2-step verification. Use an authenticator app, too.

Once you download LastPass, set it up with a hard-to-hack, easy-to-remember password (the first video below gives some suggestions on how to find one). You can then import all the passwords saved in your browsers. Once you have LastPass, you can also run a kind of audit for recommendations on which passwords to change; it will show you duplicates or not-so-secure passwords you already have.