Latest Warnings – Page 16 – WindowsTechs.com

T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account

Posted on May 18, 2018 by BrianKrebs

T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate. Continue reading T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account→

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers in Real Time Via Its Web Site

Posted on May 17, 2018 by BrianKrebs

LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards. Continue reading Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers in Real Time Via Its Web Site→

Microsoft Patch Tuesday, May 2018 Edition

Posted on May 8, 2018 by BrianKrebs

Microsoft today released a bundle of security updates to fix at least 67 holes in its various Windows operating systems and related software, including one dangerous flaw that Microsoft warns is actively being exploited. Meanwhile, as it usually does on Microsoft’s Patch Tuesday — the second Tuesday of each month — Adobe has a new Flash Player update that addresses a single but critical security weakness.

First, the Flash Tuesday update, which brings Flash Player to v. 29.0.0.171. Some (present company included) would argue that Flash Player is in itself “a single but critical security weakness.” Nevertheless, Google Chrome and Internet Explorer/Edge ship with their own versions of Flash, which get updated automatically when new versions of these browsers are made available. Continue reading Microsoft Patch Tuesday, May 2018 Edition→

Twitter to All Users: Change Your Password Now!

Posted on May 3, 2018 by BrianKrebs

Twitter just asked all 300+ million users to reset their passwords, citing the exposure of user passwords via a bug that stored passwords in plain text — without protecting them with any sort of encryption technology that would mask a Twitter user’s true password. The social media giant says it has fixed the bug and that so far its investigation hasn’t turned up any signs of a breach or that anyone misused the information. But if you have a Twitter account, please change your account password now. Continue reading Twitter to All Users: Change Your Password Now!→

When Your Employees Post Passwords Online

Posted on May 2, 2018 by BrianKrebs

Storing passwords in plaintext online is never a good idea, but it’s remarkable how many companies have employees who are doing just that using online collaboration tools like Trello.com. Last week, KrebsOnSecurity notified a host of companies that employees were using Trello to share passwords for sensitive internal resources. Among those put at risk by such activity included an insurance firm, a state government agency and ride-hailing service Uber.com. Continue reading When Your Employees Post Passwords Online→

When Identity Thieves Hack Your Accountant

Posted on April 11, 2018 by BrianKrebs

The Internal Revenue Service has been urging tax preparation firms to step up their cybersecurity efforts this year, warning that identity thieves and hackers increasingly are targeting certified public accountants (CPAs) in a bid to siphon oodles of sensitive personal and financial data on taxpayers. This is the story of a CPA in New Jersey whose compromise by malware led to identity theft and phony tax refund requests filed on behalf of his clients. Continue reading When Identity Thieves Hack Your Accountant→

Don’t Give Away Historic Details About Yourself

Posted on April 9, 2018 by BrianKrebs

Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?” The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.

I’m willing to bet that a good percentage of regular readers here would never respond — honestly or otherwise — to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks — particularly Facebook — seem positively overrun with these data-harvesting schemes. What’s more, I’m constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.

On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts. Continue reading Don’t Give Away Historic Details About Yourself→

Dot-cm Typosquatting Sites Visited 12M Times So Far in 2018

Posted on April 4, 2018 by BrianKrebs

A story published here last week warned readers about a vast network of potentially malicious Web sites ending in “.cm” that mimic some of the world’s most popular Internet destinations (e.g. espn[dot]cm, aol[dot]cm and itunes[dot].cm) in a bid to bombard hapless visitors with fake security alerts that can lock up one’s computer. If that piece lacked one key detail it was insight into just how many people were mistyping .com and ending up at one of these so-called “typosquatting” domains.

On March 30, an eagle-eyed reader noted that four years of access logs for the entire network of more than 1,000 dot-cm typosquatting domains were available for download directly from the typosquatting network’s own hosting provider. The logs — which include detailed records of how many people visited the sites over the past three years and from where — were deleted shortly after that comment was posted here, but not before KrebsOnSecurity managed to grab a copy of the entire archive for analysis. Continue reading Dot-cm Typosquatting Sites Visited 12M Times So Far in 2018→

15-Year-old Finds Flaw in Ledger Crypto Wallet

Posted on March 20, 2018 by BrianKrebs

A 15-year-old security researcher has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies.

Hardware wallets like those sold by Ledger are designed to protect the user’s private keys from malicious software that might try to harvest those credentials from the user’s computer. The devices enable transactions via a connection to a USB port on the user’s computer, but they don’t reveal the private key to the PC.

Yet Saleem Rashid, a 15-year-old security researcher from the United Kingdom, discovered a way to acquire the private keys from the Ledger devices. Rashid’s method requires an attacker to have physical access to the device, and normally such attacks would fall under the #1 rule of security — namely, if an attacker has physical access to your device it is not your device anymore. Continue reading 15-Year-old Finds Flaw in Ledger Crypto Wallet→

Checked Your Credit Since the Equifax Hack?

Posted on March 11, 2018 by BrianKrebs

A recent consumer survey suggests that half of all Americans still haven’t checked their credit report since the Equifax breach last year exposed the Social Security numbers, dates of birth, addresses and other personal information on nearly 150 million people. If you’re in that fifty percent, please make an effort to remedy that soon.

Credit reports from the three major bureaus — Equifax, Experian and Trans Union — can be obtained online for free at annualcreditreport.com — the only Web site mandated by Congress to serve each American a free credit report every year. Continue reading Checked Your Credit Since the Equifax Hack?→