Friday, November 25, 2016

Fake apps are likely to pester companies that don't create their own; stolen identities can use fake social media accounts (esp. less popular ones)

Tonight, on Black Friday, several media sources noted that companies (selling in major box stores) that don't have their own smart phone apps are likely to find that crooks will create phony apps in their name.

The advice is to download the app from the vendor or possibly the retailer but not from an app store.

Another risk is that individuals who do not sign up for a particular service may learn that others have created accounts in their name.  This could happen with Snapchat and Instagram.  When I signed up for Instagram, I found a bogus account in my name with nothing in it, but it had to be removed first.  

Thursday, November 24, 2016

2-step verifications can now use thumb drives as security keys

Google is recommending that users of Google accounts on true laptops or desktops with USB ports now consider getting security key thumb drives for 2-step verification of their Google accounts, rather than using PIN codes delivered by smartphone or pre-printed. They also recommend that financial institutions offer similar products, which can work with Google Chrome. The writeup is here.

Although the 2-step process now available pretty much stops password cracking, it’s possible for a hacker to entice a user with a duplicate built to look exactly like the original (and presumably use phishing to entice clicks, or misspellings, which today lock up browsers with scareware).

Thursday, November 10, 2016

Beware of scams in new shopping apps for smartphones

Now the latest warning is to be careful of scamming “shopping apps” on your smartphone.

Be wary of apps that don’t have any or many reviews, or that link to other apps.  Most of the rogue apps seem to come from China.

(To view the NBC News embed, turn off the https and use http.  To have to say that seems ironic on a blog about Internet security.)

Wednesday, November 02, 2016

Microsoft to patch "Fancy Bear" vulnerability on Election Day, but Adobe seems to have done all necessary patches to Flash

Microsoft plans to patch a vulnerability in its Windows operating systems from 7 to 10 on Nov. 8 (Election Day, ironically), a bug known as “Strontium” or “Fancy Bear”. The “Strontium” name seems to refer to loose nuclear waste in former Soviet republics (especially Georgia). A British security site, Itpro, has a good explanation here.

The zero-day vulnerability seems to be spread by phishing attacks, especially those appealing to the “It’s free” mentality, and seems to affect Adobe. There is some suggestion that the vulnerability originated in Russia and is intended to sabotage political campaigns.

Adobe also is warning users about the vulnerability “CVE-2016-7855” (story).

An attacker could gain control of a user’s system when viewing an infected Flash file. Almost any operating system could be affected, but Adobe says its fixes will work on all systems.

Adobe has a blog posting on the matter here.

When I visited the download center in Windows 10, it told me that Chrome will automatically download any new versions when needed.

Recently I did get a warning from one site that I actually thought looked suspicious.

Google has a security blog entry describing the problem here.

Some sources say that Microsoft’s Malicious Software Removal Tool (which takes a long time to update, always) already protects users.

Some older YouTube videos (including some embedded by me) invoke Adobe Flash, and Mac systems seem to block these by default.

Trend Micro says that its latest builds protect Windows users from malicious exploits possible from the vulnerability, here.