Wednesday, November 22, 2017

Uber hack may need self-protection by consumers

Fortune Magazine has rather stern advice for consumers regarding the recent Uber hack, here.

Uber hasn’t yet said how it will notify consumers or whether it will force a password reset.  The article says do it.  And don’t use the same password you use on other accounts.

Fortune disagrees with Uber's contention that consumers don't need to worry. But Fortune, despite the title of the article, really doesn't tell you how you can tell if you were affected.

Of course, what’s so disturbing is that Uber apparently paid off the hackers and didn’t tell anybody for a long time. Presumably the hackers threatened to give the data to other hackers.  It’s like naming names. See something, say something. 

Tuesday, November 14, 2017

Has the NSA made us all targets of foreign enemies?

The New York Times has a long and detailed story of the breakdown of the work of the “Shadow Brokers” at the NSA, and how the group's tools were taken and used to develop ransomware that targeted some consumers, and especially less secure companies and hospitals, last spring.

The booklet-length article by Scott Shane, Nicole Perlroth, and David E. Sanger appears here. 
You wonder how safe any computer or website or company will be against an enemy that is determined and combative enough to infiltrate the NSA through employees or contractors.

And EFF has made so much of the surveillance issue over the years. 

Monday, November 13, 2017

Well-known blogging consultant urges everyone to go to https now -- but it's complicated

Ramsay Taplin, Australia’s “Blog Tyrant”, has come up with a detailed post on how bloggers can convert their sites to https, link.
It’s important to remember that this applies only to specific domains, not to subsites of Blogger or Wordpress.

I wrote a detailed comment.  Since the comment period is time-sensitive, I’ll reproduce my own comment here:

How important is https for a page that does NOT require user logon or collect user info? That does NOT process funds, PII, etc.

I have four domains on BlueHost, which as of now will set up one as SSL (with an enhanced SiteLock package). I did pick one of the addons (because it is possible to do transactions on it although I do them rarely in practice). In my case that is (not the site I have shared most often). I am expecting BlueHost will change things so that all four can be https. Also, Google’s free Blogger will make all free domains https but does not with those that have their own domain names. That is because SSL is by main domain name (e.g. in the case of Google). That also seems true of Automattic (example) (there’s not much there — that’s a copy of some old stuff). It would be helpful to know if Google, WordPress, BlueHost etc. will do anything soon to make this “easier”.
You can navigate to my Blogger Profile.  “Movie Reviews” “Book Reviews” and “Bill Boushka” all resolve to specific domain names and right now do not have https.  The other thirteen are Blogger subdomains.  They can be viewed with or without https.  Some embedded videos from some news sources do not yet work when viewed in https.
Ramsay’s directions are very long and complicated, and I would wonder how many bloggers have the time to do this. The blogging business paradigm that he advocates generally works with niche blogs aimed at very specific audiences, which often go along with small businesses that actually would use email lists. This might be very hard for a lot of small businesses to do.
I suspect BlueHost and other providers will make this simpler in the future.  Business persons should also consider hacker security protection like SiteLock.
Electronic Frontier Foundation has long urged all websites to go to https, even those that don’t require logon or do transactions or collect PII.
I’ll come back to this in more detail in the near future (I don’t know how near) on my Wordpress news blog. 
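One practical reason embedded videos and other widgets stop working after a site moves to https is "mixed content": the page itself is served over https, but some sub-resource (an iframe, script, stylesheet or image) is still referenced with a plain http:// URL, and browsers block or warn on it. The following scanner is an added example written for this post; it is not code from the blog, from Blog Tyrant, or from BlueHost, and the page it scans and the domain names in it are constructed for illustration. It walks an HTML document with Python's standard-library parser and lists every sub-resource that would be loaded over http://, separating "active" content (scripts, frames, stylesheets, which browsers block outright) from "passive" content (images, media, which usually only draw a warning). That active/passive split follows common browser behaviour and is an assumption of this example, not something the post states.

```python
"""Find mixed content (http:// sub-resources) in a page meant to be served over https.

Added example for the https-migration discussion; not code from the blog post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which attribute on each tag loads a sub-resource, and whether that resource is
# "active" (runs code or frames a document; browsers block it on an https page)
# or "passive" (display-only; browsers usually just warn). The classification
# is an assumption of this example based on typical browser behaviour.
RESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "embed": ("src", "active"),
    "object": ("data", "active"),
    "link": ("href", "active"),   # only counted when rel contains "stylesheet"
    "img": ("src", "passive"),
    "video": ("src", "passive"),
    "audio": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, kind, url) for every sub-resource with an explicit http:// scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attr_name, kind = RESOURCE_ATTRS[tag]
        attr_map = dict(attrs)
        url = attr_map.get(attr_name)
        if not url:
            return
        # <link> covers many rel types; only stylesheets are fetched as page resources here.
        if tag == "link":
            rel_values = (attr_map.get("rel") or "").lower().split()
            if "stylesheet" not in rel_values:
                return
        # Relative URLs ("/x.js") and scheme-relative URLs ("//cdn/x.js") inherit the
        # page's https scheme, so only an explicit http:// scheme is mixed content.
        if urlparse(url.strip()).scheme.lower() == "http":
            self.findings.append((tag, kind, url))


def find_mixed_content(html):
    """Return a list of (tag, kind, url) for each sub-resource loaded over http://."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings by kind, e.g. {"active": 2, "passive": 1}."""
    counts = {"active": 0, "passive": 0}
    for _tag, kind, _url in findings:
        counts[kind] += 1
    return counts


# Constructed sample page (the .invalid domains are placeholders, not real hosts).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/theme.css">
<link rel="icon" href="http://cdn.example.invalid/favicon.ico">
<script src="https://cdn.example.invalid/app.js"></script>
</head><body>
<iframe src="http://video.example.invalid/embed/12345"></iframe>
<img src="http://static.example.invalid/banner.png">
<img src="//static.example.invalid/logo.png">
<script src="/local.js"></script>
</body></html>"""


if __name__ == "__main__":
    results = find_mixed_content(SAMPLE_PAGE)
    for tag, kind, url in results:
        print(f"{kind:7} <{tag}> {url}")
    print(summarize(results))
```

On the constructed page the scanner reports the stylesheet, the video iframe and one image; the https script, the scheme-relative logo and the relative local script are not flagged, and the favicon link is skipped because it is not a stylesheet. The two "active" findings are the ones that would actually break a page after migration, which matches the symptom described above of embedded videos not working over https.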

Saturday, November 11, 2017

Criminals can make duplicate house keys from images created by apps

Recently local television stations warned consumers about the dangers to home security posed indirectly by apps that encourage you to photograph your house keys so that duplicates can be made. Thieves have used such duplicates to commit burglaries.

Wired has a typical story by Andy Greenberg from 2014, here. Some of the apps include KeyMe, KeysDuplicated and KeySave.

One risk is allowing parking valets to have access to house keys.

The reports don't say whether these apps would work with higher security locks like Medeco.

Thursday, November 09, 2017

School districts come under disturbing attacks from foreign hackers

School districts have come under attack from hackers, including some ISIS-related, in a few different ways. They seem vulnerable because of the particular service providers and platforms that they use.

Here’s a report from northern New Jersey.

There were also disturbing attacks, some of them threatening, in Iowa and in the Flathead area of Montana (Post story).
I didn’t encounter any of this when working as a substitute teacher in northern Virginia 2004-2007, but times have changed. 

Tuesday, November 07, 2017

ABC reports fake Droid apps that can steal pw's to social media, bank accounts

ABC News is reporting an epidemic of fake apps, particularly on Android smartphones, that can steal passwords to social media and bank accounts, even when the phones are not in use.

The ABC News story is here. WJLA has been carrying the story locally in the DC area, with a demonstration where several volunteers get hacked. 

I do very little in the way of transactions on my own phones.