Monday, March 28, 2016

Malware-laden "speeding ticket" emails crafted using GPS data from users' own phone

Over the weekend, I came across an ingenious phishing scam seen in a small Pennsylvania town. Residents of Tredyffrin, PA have been receiving email claiming to be a speeding citation from the local police department, but containing accurate data including locations, posted speed limits, and actual driving speeds. The data is believed to come from a mobile app with permissions to access GPS data, though the actual app has not been named (nor is it certain whether it is a compromised legitimate app, or a malicious app built for the scam).

Targeted victims receive an email similar to the following:

As the email contains actual and accurate location and driving speed data, the Tredyffrin Police suspect a "free mobility or traffic APP" is involved. The attached "infraction statement" does not actually contain a license image nor any means of paying a fine; instead, it contains malware.

Thursday, March 24, 2016

Oh no! Introducing kids to computers might encourage HACKERS!

Time to rant for a few minutes. A British tabloid author published a story this week entitled "Will the BBC's free micro:bit computer create a generation of teenage HACKERS?" I generally ignore inane stories such as this, but in this case an article with dangerously uninformed opinions is getting a fair amount of attention. 

This article is so far off base, I don't know where to start. 

The BBC, the United Kingdom's public broadcasting company, has launched an initiative to put miniature DIY computers in the hands of students. According to the story, each year 7 student (roughly equivalent to 7th grade in the US) in England, Wales, Northern Ireland and Scotland will receive a micro:bit computer. The goal is to teach kids the basics of computer circuits and computer programming, which some kids may then build upon with more advanced education.

The author tries to make a case that teaching young kids computing skills will encourage a new generation of malicious hackers. 

Tuesday, March 22, 2016

In the wake of a disaster, be alert for relief scams

Hurricane Isabella in 2003, seen from the International Space Station. Credit Mike Trenchard, Earth Sciences & Image Analysis Laboratory, Johnson Space Center

Updated 2016 October 7: As Hurricane Matthew makes its way up the US East Coast, I've updated this post with advice both for would-be givers dodging fake charities, and for those affected by disaster avoiding unscrupulous contractors.

The morning (local time) of Tuesday March 22, 2016, an airport and a metro train station in Brussels, Belgium, were struck by separate but presumably linked explosions (warning: the linked articles contain some disturbing images). 

As appalling as it is, major internationally-publicized disasters such as this invariably are followed by "cyber opportunists," criminals who take advantage of the publicity for their own nefarious gain. Two common methods are fraudulent requests for assistance, and malware-laden websites using search engine optimization to appear high in search results for news on the events of today.

Friday, March 18, 2016

A great debate: smartphones and two-factor authentication

Here's a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro @johnnysunshine tweeted the above last week, and sparked a lively debate.

Read more about the debate on CSOonline.

Thursday, March 10, 2016

A positive step for insecure home routers?

It is gratifying to see one's passion result in a positive change that could benefit many people. On February 23 the Federal Trade Commission issued a press release saying ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk

In the settlement, ASUS agreed to some terms, including one that I have suggested many times: a way for consumers to receive automated notifications by email or text message when new updates are available that improve the security of the devices.

Monday, March 7, 2016

A $1.35 million cookie: Verizon settles FCC's "Supercookie" probe

Early Monday morning, the FCC announced it had reached a settlement with Verizon over the wireless giant's practice of injecting a tracking header into websites browsed from a mobile device using Verizon's mobile data network.

On the surface, this seems a huge win for consumer privacy - but the reason why requires a bit of explanation, and the actual implications are a bit more nuanced.