Friday, May 6, 2016

Email hacks, cute pet scams, and payroll fraud - the week in review

Here is a recap of some more notable cyber security stories this week, along with short and simple things you can do.


270 million email accounts hacked!


The story: many news outlets are reporting that a Russian hacker stole passwords to over 270 million GMail, Yahoo! Mail, Hotmail, and Mail.ru email accounts. The origin of the story is a company with a dubious track record, known for making a big deal out of questionable information. Most likely, the hacker does have 270 million passwords - but not necessarily accurate, current, or associated with email accounts. This seems to be a repackaging of a story from the same source 2 years ago - at that time claiming a billion passwords. In reality, these passwords came from many smaller breaches, over a period of many years, and many were not even to email accounts. Instead, perhaps a news website was compromised and the attacker stole the email address and password used to log in; the attacker makes an assumption that you used the same password for your email account as you used for the news website.

What you should do: Don't panic. Do change your email account passwords just to be safe. Do use unique and long passwords for every account (or at least for any important accounts). Do set up two-factor authentication (which requires a code sent to you via SMS/text message, or an authentication app on your phone, to log in from any new location) for your email accounts.

Read this post for more password advice.


Fraudsters steal tax, salary data from ADP!


The story: ADP provides payroll and benefits services for over a half million businesses. Cyber crime investigator Brian Krebs wrote of an incident affecting some ADP clients. Client companies have the option of either pre-creating accounts for every employee, or of having employees create accounts themselves. In the latter case, the employee provides some information that presumably only the actual employee would know (social security number, date of birth, and a code provided by the employer). In some cases, employers evidently posted the company-specific code on a public website to make it easy for employees to sign up; if an attacker were able to obtain someone's social security number and date of birth, they could then create an account pretending to be that employee, and access all of the tax and salary information ADP holds for that employee - useful for tax return fraud among other schemes.

What you should do: This only affects ADP client companies that require their employees to sign up for online payroll and benefits services. The simplest defense is to create your online account with your payroll service immediately upon starting a new job - if you do it first, a hacker cannot pretend to be you.


10 year old kid gets $10,000 for hacking Instagram!


The story: this is actually a great positive story. Facebook awarded a 10-year-old Finnish student with the equivalent of $10,000 USD for finding and reporting a flaw in Instagram (which Facebook owns). Under the flaw, a hacker could delete any other people's comments. Thanks to this young researcher, Facebook fixed the flaw so it cannot be exploited by those with nefarious intention. I've seen other companies disqualify bug bounty reports from underage submitters. Kudos to Facebook for giving young ones incentive to not go to the Dark Side!

What you should do: Nothing! The flaw has already been fixed by Facebook.


Wi-Fi network named "mobile detonation device" freaks out passengers!


The story: Passengers on an Australian airline turned on their wireless devices to connect to the in-flight movie system, and freaked when they saw a hotspot named "mobile detonation device." The airline quickly ushered passengers off the plane while they investigated. As far as has been stated publicly, the device advertising that name was never identified, and eventually the flight did go on.

What you should do: How about not naming your mobile phone wi-fi hotspot something that will cause panic and possibly get you arrested?


Cute puppies and kittens lead to online scams!


The story: UK fraud and cyber crime reporting center ActionFraud writes of an increase in pets offered for sale through online auction websites. Often, the animal comes with a sad story about how it is in a faraway location and needs a new home, along with transportation to that new home. The unsuspecting buyer wins the auction, pays for the animal, and then is asked to pay more vet, boarding, or transportation fees. The buyer though never actually gets the animal - the pet for sale is usually merely a picture taken off a public social media post, of a happily homed pet.

What you should do: Don't buy a pet through an online auction. Your local animal rescue or SPCA no doubt has plenty of sweet animals looking for new homes.


Thousands of WordPress blogs redirect readers to malware!


The story: Security research firm Sucuri found a clever malware campaign that exploits WordPress blog sites whose operators haven't paid attention to security updates. The attackers compromise the blog sites, and add a piece of code that randomly redirects some but not all users to a website controlled by the attacker. If you are one of the unlucky few, the attacker's website attempts to trick you into downloading a fake software update that is actually malware.

What you should do: Two things. First, if a website asks you to install a software update, be very skeptical. Most modern software will automatically update in the background, and may display a notice in your system tray; a website popup with a software update is usually fake. Second, I am a huge fan of OpenDNS, a service that simply doesn't let your browser go to known bad sites. Read this post for a simple, step-by-step guide to setting up OpenDNS. It's not as hard as you think.