security

All posts tagged security

The dialog, sounding ominous, uses ignorance and fear to urge the user to “Act Fast” to avoid disaster. It is also a complete lie aimed at scamming you.

Mistype “Twitter” or any popular URL into your browser and you might fall victim to scam-ware with a dialog box like the one to the right. This screenshot shows a dialog box that pops up after a redirect to a domain name that is a common miskeying of “twitter.” The landing page runs JavaScript that throws up this auto-opening dialog box, which is designed to look like a system-level warning. This is all a con game, and by the way, “con” is short for “confidence”: the whole scam is based on tricking people into trusting the scammer.

This dialog box opens automatically on the page and reopens after being closed. Its text is rife with known psychological techniques that urge victims to act fast and not look for outside help. The wording is finely crafted to shut down a person’s reasoning and make them act on impulse.

The first is a warning of imminent danger, akin to a sailor in the crow’s nest yelling “VIRUSES HO!”

Back when a warning required immediate action to avoid crashing a ship on the rocks, this was a good survival instinct: “Don’t think, just do it” has saved countless lives. However, it assumes you know what to do in an emergency. If you don’t, following the instructions of a trusted instructor can sometimes land the plane safely, as in many a commercial airliner disaster movie. So here is a manual showing how these scams work, which might help novice users avoid losing a lot of money for no other reason than not knowing any better.
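The redirect described above starts with a hostname that is one keystroke away from the real one. The following is an added example, not code from the original post, of the check a browser extension or a proxy could run: it compares the registrable label of a URL against a small, constructed brand list using Damerau-Levenshtein distance, which counts the typical slips (dropped letter, doubled letter, swapped neighbours, look-alike character) as distance 1. The brand list and sample URLs are assumptions for the demo.

```python
"""Added example (not from the original post): flag hostnames that are
one or two keystroke slips away from a well-known brand, the kind of
"common miskeying of twitter" that lands users on scare-ware pages."""

from urllib.parse import urlsplit

# Constructed brand list for the demo; a real deployment would load a
# much larger list (and ideally the top-N domains the user actually visits).
KNOWN_BRANDS = {"twitter", "facebook", "google", "amazon", "paypal"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute
    or swap of two adjacent characters each costs 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost  # substitution / match
            )
            # transposition of adjacent characters ("twtiter" -> "twitter")
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def registrable_label(host: str) -> str:
    """Return the second-level label: 'twitter' for 'www.twitter.com'.
    Simplification: multi-part public suffixes such as .co.uk are not
    handled; a real tool would consult the Public Suffix List."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typosquat_candidates(url: str, max_distance: int = 2):
    """Brands the URL's host is suspiciously close to, nearest first.
    An exact brand match (distance 0) is the genuine site and is not
    reported."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    label = registrable_label(host)
    hits = []
    for brand in KNOWN_BRANDS:
        dist = damerau_levenshtein(label, brand)
        if 0 < dist <= max_distance:
            hits.append((brand, dist))
    hits.sort(key=lambda hit: (hit[1], hit[0]))
    return hits


if __name__ == "__main__":
    # Constructed sample URLs: one real, the rest typical miskeyings.
    for sample in ("https://twitter.com/login", "http://twiter.com/",
                   "twtiter.com", "http://paypa1.com", "amazom.com"):
        print(sample, "->", typosquat_candidates(sample))
```

The threshold matters: distance 1 catches single slips with few false positives, while distance 2 on short labels (four or five characters) starts to match unrelated words, so in practice the limit is best scaled to the label length.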


SmartTVs have a tendency to collect information without letting end users control, or even know, what is being collected and transmitted. UPDATE: Samsung’s legal disclaimer for its voice-controlled SmartTV recently had to include a warning (buried in the legal section) that the TV is always relaying what users near the TV are saying, and that sensitive information should not be spoken near it.

This is one example of how invasive these devices are. On top of this, the technology is so new that there are no regulations concerning what information can and cannot be collected by smart devices, nor how that information is transmitted. The BBC article referenced in the post explains how an LG SmartTV sent the names of a user’s family members in clear text across the internet, something most people would be uncomfortable having publicly available. These are just two examples of how buying into the convenience of a Smart TV is not worth the cost in privacy.


I was going to push an article about something completely different that has been on the back burner for a good while, but this is more important. Sorry for the lack of detail and my terse tone, but I expect better of large sites making amateur moves. I’m not saying I have never messed up: I have, but I learned from it* (“never push prototypes”) and never at this scale. The basics I sent to the site admins are enough for them to act on. I sent this out tonight. (Note: this is also why I don’t use email addresses as half of an account’s login credentials.)

Hi,
Upon trying to log in today to create a *******, I got a warning that the login page (now a pop-over) is not running through port 443 (SSL encrypted). I have decided to abort the login process because my email and password would be transmitted over the internet in the clear. My previous visits did have encrypted login. So, thanks to someone who updated the site without running a regression test or searching for glaring security holes, you guys probably have some users whose passwords have already been mined and exposed (LPH * HSU to calc how many people have been exposed), allowing crackers to get more pieces of info on account holders in order to steal their identity.

Combined with enough info (such as from the recent Chase crack, Yahoo crack, or Sony crack), the crackers can try the collected emails and the passwords attached to them against known accounts with the same email to see which users use the same password on multiple sites. Then it is a simple matter to run a script that tries to log in to all the popular sites (FB, G+, Amazon, bank sites, etc.) to get into people’s accounts. Good job ;
Very sloppy update.
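The email above describes exactly the regression a pre-release check should catch: a form that collects a password but submits somewhere other than an https:// endpoint. The following is an added example, not code from the site or from the author, of such a check over static HTML using only the standard library. The page URL and the HTML are constructed for the demo. One caveat a practitioner will want: the login in the email was a JavaScript pop-over, so if the form is injected by script rather than present in the served HTML, this check must be run against the rendered DOM (or the submit URL confirmed from a traffic capture) instead.

```python
"""Added example (not the site's or the author's code): find forms that
carry a password field and resolve their submit URL; anything that is
not https:// means credentials cross the wire in the clear."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> with its action and whether it holds a
    password input. Nested forms are invalid HTML and not handled."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def flush(self):
        # Tolerate a form left unclosed at end of document.
        if self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_login_forms(page_url, html):
    """Absolute submit URLs of password-carrying forms that do not post
    over https. A relative or empty action inherits the page's scheme,
    which is why an http:// login page is a finding by itself."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    scanner.flush()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample: a hypothetical account page served over plain http.
SAMPLE_PAGE_URL = "http://www.example.com/account"
SAMPLE_HTML = """
<form id="login" action="/login" method="post">
  <input name="email" type="email">
  <input name="password" type="password">
</form>
<form id="search" action="https://www.example.com/search">
  <input name="q" type="text">
</form>
<form id="signup" action="https://www.example.com/subscribe" method="post">
  <input name="email" type="email">
  <input name="password" type="PASSWORD">
</form>
"""

if __name__ == "__main__":
    print(insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Run against the same HTML served from an https:// page, the relative-action login form passes, because the browser resolves it to https; that is the difference between the author's earlier visits and the broken update.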

About all I can say is that no matter how good your password is, reusing it on multiple sites means that if someone else is sloppy with it, as above, you are exposed to having someone take over every account that uses that same password, and any account linked to an email that uses this recycled password. And since it is difficult to come up with unique passwords without writing them down, using a password manager such as 1Password is recommended (just use a good unique password for the password manager itself).

Obscurity and encryption are not the only tools, just a few layers of defense in depth that I myself learn a bit more about every day. If you want to learn more about securing your site, check out SecurityPatterns.org.

(*The mistake I mentioned above didn’t cause a data breach, but still: now even my prototypes sanitize input, because I formalized a utility class with a static input-filter method.)

UPDATE: this article published today, http://appleinsider.com/articles/14/10/14/hundreds-of-dropbox-credentials-leaked-online-company-denies-breach, and my prior article on Dropbox Email Scams could be interrelated, as could the above. Again, this could very well be an example of what happens when you use the same password on multiple accounts. So, be safe and don’t do it. Short of making myself write that a thousand times on a blackboard page of my site (which would be cool if the Simpsons opening used it, BTW), I can’t emphasize strongly enough how dangerous it is to reuse a password (or to use dictionary words with a few numbers, like “protected123”).

Oh yeah: I forgot my usual sign-off in my haste to post last night. Thanks for reading.