Keep your browser extensions updated!

It is important to keep all software you use up to date. There are updates for a reason – most likely some of the code used was found to be vulnerable to attacks.

This past week, a popular extension was hijacked. The developer of the Web Developer for Chrome extension had his own account hijacked. The hijackers phished his Google account, then modified the code in his account and pushed it out to users. The version of Web Developer for Chrome that was pushed out is 0.4.9. You need to make sure you have the updated version 0.5 installed NOW!

The version the hijackers uploaded can force ads on pages, capture passwords, or other unreported problems. Consider changing passwords to pages visited during the time of the compromise. The date was August 2. The developer himself admits he fell for a phishing attack that started this. This effected over one million users.

The developer details the events in his blog. The bottom line is anyone can click on a bad link and it is important to have two-factor verification in place.

Passwords: should you use the one you want?

If you are looking for a password, you can check to see if the password you want to use has ever been used. Just go to the Have I Been Pwned website and look at the Passwords link. They now have a list of the passwords that have been breached. You can test your password against it and it will tell you if it’s been breached but it will also tell you it may not be a good password even if it’s not been breached.

Here is what you get if your password has been used before and found on a breach list:

Have I been pwned Pwned Passwords - yes

Here is what it looks like if it hasn’t:

Have I been pwned Pwned Passwords - no

Windows 10 Creators Update

When the Victor crew was notified of the Windows 10 Creators Update, we scratched our heads. What in the world is that? Why would I need it?

There is a new Gaming category in Settings. When in game mode it will make the experience smoother.

You can use the new Paint 3D app to make 3D drawings along with 360 degree view.

There is feature that allows you keep open tabs by setting them aside so you don’t have to favorite them but put them aside for small projects you may be working on.

Microsoft Edge becomes the default eBook reader. You can customize the eBook as you are reading it, highlight parts, set bookmarks. You can also change the screen for night use.

There is a setting for Mixed Reality that works with HoloLens VR headsets.

Plan and measure trips on Maps. You can share them with others.

There’s a new privacy dashboard to allow you to set your own security settings.

Mini View allows you to keep a video in a small window.

The first of these updates were rolled out April 11, 2017.

Source:
https://blogs.windows.com/windowsexperience/2017/04/11/whats-new-in-the-windows-10-creators-update/#lTLvawf2Zc4QtKJx.97

Ransomware

The Victor crew has heard a lot of news lately about a cyber attack nicknamed WannaCry using ransomware. Ransomware is holds an infected computer hostage until a ransom is paid, usually in bitcoin, money that is virtually untraceable. This latest attack has caused global problems. In the UK, hospitals have been attacked. In the US, FedEx fell victim. If you use a Macintosh computer you are most likely safe as these attacks are targeted at PC users. If you are still running Windows XP you are even more vulnerable as there are no more patches being made for these systems.

Here are some things you can to do to prevent this from happening to you:

Keep your computer up to date. Do the patches for your operating system.
Make sure to do security updates for your security service.
Only open attachments from the person you know and trust.
Be careful of programs or other items you may want to download.
Back up your computer to an external hard drive.
Keep copies of your files on cloud services.

If you do get infected and don’t want to pay the ransom, which has been about $300-$600, you will have to flatten your machine (reinstall your OS). If you have kept your files on a cloud service or on an external hard drive, you will have defeated them. You will need to reinstall all your programs if you haven’t backed up the entire system.

The predictions are that today there will be even more as people turn on their computers if they haven’t been kept up to date.

Sources:
http://www.foxnews.com/tech/2017/05/15/ransomware-how-to-protect-yourself.html
http://abcnews.go.com/US/simple-things-protect-ransomware-attacks/story?id=47410339

New type of phishing attacks affecting browsers

The Victor crew came across an urgent matter. If your browser is Chrome or Firefox, be aware of a new phishing attack. An attacker can send you an email with a link to a malicious website. You could visit a site that will either infect your computer or make you think you are signing in with your credentials as they trick you into thinking you are accessing the correct site.

The people from Wordfence, a security plugin for WordPress found this last Friday, April 14, 2017. They set up a demo site to show what is happening. It is well worth it to check their article and see if you are affected and what to do. They have set up a demo using a medical site, epic.com, so you can test your browser and browser settings. You can visit their demo site here in Chrome or Firefox. To compare the demo site with the real site they faked for comparison, you can click here to visit the real site here.

This does not affect Windows or Safari browsers. Currently there is a fix for Firefox browsers. Here is what you do:

Open your Firefox browser
Type about:config in the address bar
Search for ‘puny’ (without quotes)
You should see network.IDN_show_punycode set for ‘false’
Double click it to make it ‘true’

Chrome currently does not have a fix for it.

Yahoo!

Yahoo has recently been in the news again lately due to yet another problem with data breaches. Having a Yahoo account, this Victor crew member has received an email from Yahoo about it.
Yahoo Email
In this message, they tell me that they are investigating the creation of forged cookies. They say they are taking steps to secure accounts. They say this forged cookie may have been created in 2015 or 2016 and they believe it to be connected to the September 22, 2016 data theft. They also give some actions you can take.

They suggest using a Yahoo Account Key which is something we will investigate ourselves at a later time. This user is on the verge of dismissing this account altogether although it was my first email created back in the 90s. I have added 2-step verification as well as changed the password.

Yahoo Email
Another email as a reminder from Yahoo states a reminder to secure to secure the account. They suggest updating to the Yahoo Mail app on android or iOS. They suggest to turn off insecure apps.

Yahoo Email
As I logged into the account after the above emails, there was a link to update security settings to block apps with less secure login. I am not sure what this entails yet, but will let you know when I find out.

Mobile Phone Number Hijacking

We’ve written a few times about password security. But what if your phone number gets hijacked? This is not having your phone stolen but rather having your phone number taken from you. You no longer can use the two-step verification because someone else has the number they have on file for it. So how does a phone number get hijacked in the first place? The Victor crew wanted to learn more.

It can start with a text that looks like it came from your carrier. It may have a number or a login page for you to enter some information. All they need is your call-in pin and they can start the process of porting your number over to their phone. You actually think you are talking to a representative of your carrier. Once they have your number, they can use the “forgot password” function of all your apps and get a code sent to them to reset the passwords. Think of all the apps you have – your bank, your email, your wallet. So what can you do?

Here are some ideas from Forbes:

  • Put a passcode on your account with your carrier. Make sure whoever you are talking to uses that passcode with you. If a hacker tries to use it, hopefully the representative is on the ball and asks for the passcode.
  • Use the mobile carrier specific email address to access the account. Forbes suggests you have an address as your current primary one, one just for a mobile carrier, and one for all your sensitive accounts like banking. This way your primary account can’t be used to steal your phone number.
  • Disable online access to your wireless account. You will have to go the store to make changes but it won’t get hacked.
  • Ask your carrier to make changes with photo ID required.

Some other thoughts:

  • Use a password manager and let it generate passwords.
  • Don’t have the same security questions on all sites and don’t answer them truthfully.
  • Do not connect your mobile number to sensitive accounts. Create a new Gmail email address and don’t connect a phone number to it. Use Google Authenticator with one-time passcode generator to use it. They suggest using a Google Voice number.
  • Use a security key. Yubikey is a physical security key device. There are also devices you use a USB port for.
  • Use biometric authentication – fingerprint for example.

Safety tip for handling bar and QR codes

Don’t throw away items such as boarding passes, driver’s licenses, credit cards, or anything that has a bar code, QR code, data matrix, or postal code. They should be shredded. There are all kinds of shredders available, even those that will shred credit cards. They may hold more information than you realize. So what? Someone could use this website to decode the information and learn more about you.

This article tell about the information someone found from his boarding pass. It showed his name, frequent flyer number, other personal info, and his record locator. Using this, the account with the airline can be accessed. Future flights were seen as well. Seats can be changed, a PIN number reset. If someone really wanted to get into it they can figure out more of your information. They would have your address and know of a future flight so your home could be robbed.

Password security

The Victor crew has written about passwords several times in the past. Here is an older article that can stand the test of time regarding security and passwords: http://www.wired.com/2012/11/ff-mat-honan-password-hacker/. Even though this was about 3 1/2 years ago, the knowledge and wisdom Mat imparts is timeless.

Through these years, there hasn’t been much more change to secure passwords. You should probably consider what is called 2-step or 2-factor verification to secure your most used sites like Apple or Google. You can also get it for Facebook, twitter and other sites.

What you will need to do is make sure they have a phone number that they can send a verification code to. Then you will put use this code to register this device. You won’t be asked for this code again once the device is registered.

Some words of wisdom concerning passwords

Strong passwords are not easy to come up with and even harder to remember. Komando.com has some suggestions.

Don’t make passwords easy to guess. People are still using passwords like 123456 or other easy passwords.
Make passwords 8 characters or more. They should be different types of characters and include upper case, lower case, numbers, and symbols.
Don’t use the same passwords everywhere. Use a unique password for every account.

Consider a password manager like LastPass, KeePass, Dashlane, or 1Password. You can even have your password manager generate a strong password for you. As long as you make your main password for the manager complex, you won’t even have to know your passwords.

Jody Victor

Smartphone Kill Switch

In 2015, smartphones will start coming equipped with a “kill switch.” This will allow users to remotely disable their smartphones and wipe the data. Apple, Google, Samsung, and Microsoft with the five largest cellular carriers in the US have signed on voluntarily to the program.

All smartphones manufactured for sale after July 2015 must have this technology. This would deter thieves from taking mobile devices as they are rendered useless. HTC, Motorola, Nokia are among other makers who have signed up.

Users can erase contacts, photos, email and other personal information and lock the phone so it can’t be used without a password. The data will be retrievable if the owner recovers the phone.

Critics have accused cell phone carriers of being reluctant to do this as they would lose revenue from replacing and activating stolen phones.

Jody Victor

Passwords and Chrome

If you are using Chrome and haven’t signed out of the browser, and you share your computer or your computer is stolen, then you have shared any passwords you have saved in the browser. Anyone can simply go to chrome://settings/passwords to view the passwords you have saved. There is no other security applied.

Unlike Firefox. You can set a master password that you have to enter before you can see the saved password. This adds a layer in Firefox’s security.

IE encrypts passwords and you can’t easily view them. You can download IE Passview to see them.

The bottom line is, if you share a computer or travel with your laptop, make sure you are logged out of all your browsers and logged out of the operating system. Make sure all user accounts are password protected.

~ Jody Victor