Monday, March 28, 2016

Malware-laden "speeding ticket" emails crafted using GPS data from users' own phone

Over the weekend, I came across an ingenious phishing scam seen in a small Pennsylvania town. Residents of Tredyffrin, PA have been receiving email claiming to be a speeding citation from the local police department, but containing accurate data including locations, posted speed limits, and actual driving speeds. The data is believed to come from a mobile app with permissions to access GPS data, though the actual app has not been named (nor is it certain whether it is a compromised legitimate app, or a malicious app built for the scam).

Targeted victims receive an email similar to the following:



As the email contains actual and accurate location and driving speed data, the Tredyffrin Police suspect a "free mobility or traffic APP" is involved. The attached "infraction statement" does not actually contain a license image nor any means of paying a fine; instead, it contains malware.

Thursday, March 24, 2016

Oh no! Introducing kids to computers might encourage HACKERS!


Time to rant for a few minutes. A British tabloid author published a story this week entitled "Will the BBC's free micro:bit computer create a generation of teenage HACKERS?" I generally ignore inane stories such as this, but in this case an article with dangerously uninformed opinions is getting a fair amount of attention. 

This article is so far off base, I don't know where to start. 

The BBC, the United Kingdom's public broadcasting company, has launched an initiative to put miniature DIY computers in the hands of students. According to the story, each Year 7 student (roughly equivalent to 7th grade in the US) in England, Wales, Northern Ireland and Scotland will receive a micro:bit computer. The goal is to teach kids the basics of computer circuits and computer programming, which some kids may then build upon with more advanced education.

The author tries to make a case that teaching young kids computing skills will encourage a new generation of malicious hackers. 

Tuesday, March 22, 2016

In the wake of a disaster, be alert for relief scams

Hurricane Isabella in 2003, seen from the International Space Station. Credit Mike Trenchard, Earth Sciences & Image Analysis Laboratory, Johnson Space Center


Updated 2016 October 7: As Hurricane Matthew makes its way up the US East Coast, I've updated this post with advice both for would-be givers dodging fake charities, and for those affected by disaster avoiding unscrupulous contractors.

On the morning (local time) of Tuesday, March 22, 2016, an airport and a metro train station in Brussels, Belgium, were struck by separate but presumably linked explosions (warning: the linked articles contain some disturbing images).

As appalling as it is, major internationally-publicized disasters such as this invariably are followed by "cyber opportunists," criminals who take advantage of the publicity for their own nefarious gain. Two common methods are fraudulent requests for assistance, and malware-laden websites using search engine optimization to appear high in search results for news on the events of today.

Friday, March 18, 2016

A great debate: smartphones and two-factor authentication


Here's a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro @johnnysunshine tweeted the above last week, and sparked a lively debate.

Read more about the debate on CSOonline.

Thursday, March 10, 2016

A positive step for insecure home routers?


It is gratifying to see one's passion result in a positive change that could benefit many people. On February 23 the Federal Trade Commission issued a press release titled "ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk."

In the settlement, ASUS agreed to some terms, including one that I have suggested many times: a way for consumers to receive automated notifications by email or text message when new updates are available that improve the security of the devices.

Monday, March 7, 2016

A $1.35 million cookie: Verizon settles FCC's "Supercookie" probe

Early Monday morning, the FCC announced it had reached a settlement with Verizon over the wireless giant's practice of injecting a tracking header into websites browsed from a mobile device using Verizon's mobile data network.



On the surface, this seems like a huge win for consumer privacy, but the reason why requires a bit of explanation, and the actual implications are a bit more nuanced.

Monday, February 29, 2016

Cloud apps: easy file sharing, easy ransomware sharing

Here's something to keep in mind when sharing files and storage with others: the mistakes of others can put you at risk.

There's not a lot of detail in this report, but it mentions cases where ransomware has spread through shared cloud storage (think iCloud, Dropbox, or Google Drive). If your friend or family member becomes infected, and you sync to the same shared account, you might unknowingly infect your device.

Ransomware is the current scourge of the Internet. Ransomware is malware that encrypts your personal data such as irreplaceable photos, documents, and financial records, making them unusable. It then charges a ransom fee to decrypt the files so you can use them again. The only fully reliable protection against this threat is a current and complete backup of your important data, stored somewhere out of the reach of the malware. Without such a backup, your only choices may be to pay the ransom or sacrifice the data forever.

While I have not personally experienced ransomware spreading in this manner, I did have an "oh crap" moment once when a child deleted music from a shared drive. I had set up a sizable library of (legally-owned!) music that they could download to their devices, and taught them how to use a mobile SMB client to browse the server; alas I was not clear enough in showing them the difference between "local device" and "shared server." When they wanted to remove music from their devices to make room for something new, one of them accidentally deleted some content from my server.

The point is, when sharing things with others, think of how their mistakes can put you at risk. In the music share scenario that I mentioned, I quickly learned to set the share so that my kids could only download music from it, but not change anything on the share itself. Only I could modify the contents of the share, and only from a PC that I controlled.

Similarly, you may consider whether sharing data in a read-only form is appropriate for your needs.
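As an added illustration (not the configuration from the original post) of the read-only music share arrangement described above, here is how the same idea looks in Samba's smb.conf: one share that every family account can only read from, and a separate writable share reachable only by one account from one trusted PC. The share names, path, account names and address are assumed placeholders.

```ini
# Added example, not from the original post. Share names, path, users and
# the trusted host address are placeholders.

# Weak setting: anyone who can reach the share can also delete or overwrite
# its contents, so one client's mistake (or a client's ransomware) lands on
# the server copy too.
[music-open]
   path = /srv/music
   guest ok = yes
   read only = no

# Corrected setting for the family: download only. Writes are refused for
# every listed account, so a deletion on a phone or tablet cannot propagate
# back to the server.
[music]
   path = /srv/music
   guest ok = no
   valid users = kid1, kid2, parent
   read only = yes
   browseable = yes

# Separate writable view for maintaining the library: one account, and only
# from the one PC the owner controls (hosts not matching "hosts allow" are
# refused the connection).
[music-admin]
   path = /srv/music
   guest ok = no
   valid users = parent
   read only = no
   hosts allow = 192.0.2.10
   browseable = no
```

After editing, `testparm` checks the file for syntax errors, and a client connected as one of the kid accounts should see "access denied" on any attempt to delete or rename under the [music] share.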