205 posts categorized "Scams & Threats" Feed

Do Social Media Pose Threats To Democracies?

November 4th cover of The Economist magazine The November 4th issue of The Economist magazine discussed whether social networking sites threaten democracy in the United States and elsewhere. Social media were supposed to better connect us with accurate and reliable information. What we know so far (links added):

"... Facebook acknowledged that before and after last year’s American election, between January 2015 and August this year, 146m users may have seen Russian misinformation on its platform. Google’s YouTube admitted to 1,108 Russian-linked videos and Twitter to 36,746 accounts. Far from bringing enlightenment, social media have been spreading poison. Russia’s trouble-making is only the start. From South Africa to Spain, politics is getting uglier... by spreading untruth and outrage, corroding voters’ judgment and aggravating partisanship, social media erode the conditions..."

You can browse some of the ads Russia bought on Facebook during 2016. (Hopefully, you weren't tricked by any of them.) We also know from this United Press International (UPI) report about social media companies' testimony before Congress:

"Senator Patrick Leahy (D-Vt) said Facebook still has many pages that appear to have been created by the Internet Research Agency, a pro-Kremlin group that bought advertising during the campaign. Senator Al Franken (D-Minn.) said some Russian-backed advertisers even paid for the ads in Russian currency.

"How could you not connect those two dots?" he asked Facebook general council Colin Stretch. "It's a signal we should have been alert to and, in hindsight, one we missed," Stretch answered."

Google logo And during the Congressional testimony:

"Google attorney Richard Salgado said his company's platform is not a newspaper, which has legal responsibilities different from technology platforms. "We are not a newspaper. We are a platform that shares information," he said. "This is a platform from which news can be read from many sources."

Separate from the Congressional testimony, Kent Walker, a Senior Vice President and General Counsel at Google, released a statement which read in part:

"... like other internet platforms, we have found some evidence of efforts to misuse our platforms during the 2016 U.S. election by actors linked to the Internet Research Agency in Russia... We have been conducting a thorough investigation related to the U.S. election across our products drawing on the work of our information security team, research into misinformation campaigns from our teams, and leads provided by other companies. Today, we are sharing results from that investigation... We will be launching several new initiatives to provide more transparency and enhance security, which we also detail in these information sheets: what we found, steps against phishing and hacking, and our work going forward..."

This matters greatly. Why? by The Economist explained that the disinformation distributed via social media and other websites:

"... aggravates the politics of contempt that took hold, in the United States at least, in the 1990s. Because different sides see different facts, they share no empirical basis for reaching a compromise. Because each side hears time and again that the other lot are good for nothing but lying, bad faith and slander, the system has even less room for empathy. Because people are sucked into a maelstrom of pettiness, scandal and outrage, they lose sight of what matters for the society they share. This tends to discredit the compromises and subtleties of liberal democracy, and to boost the politicians who feed off conspiracy and nativism..."

When citizens (via their elected representatives) can't agree nor compromise, then government gridlock results. Nothing gets done. Frustration builds among voters.

What solutions to fix these problems? The Economist article discussed several remedies: better critical-thinking skills by social media users, holding social-media companies accountable, more transparency around ads, better fact checking, anti-trust actions, and/or disallow bots (automated accounts). It will take time for social media users to improve their critical-thinking skills. Considerations about fact checking:

"When Facebook farms out items to independent outfits for fact-checking, the evidence that it moderates behavior is mixed. Moreover, politics is not like other kinds of speech; it is dangerous to ask a handful of big firms to deem what is healthy for society.

Considerations about anti-trust actions:

"Breaking up social-media giants might make sense in antitrust terms, but it would not help with political speech—indeed, by multiplying the number of platforms, it could make the industry harder to manage."

All of the solutions have advantages and disadvantages. It seems the problems will be with us for a long while. Social media has been abused... and will continue to be abused. Comments? What solutions do you think would be best?


Security Experts: Massive Botnet Forming. A 'Botnet Storm' Coming

Online security experts have detected a massive botnet -- a network of zombie robots -- forming. Its operator and purpose are both unknown. Check Point Software Technologies, a cyber security firm, warned in a blog post that its researchers:

"... had discovered of a brand new Botnet evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016... Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.

With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others..."

Reportedly, the botnet has been named either "Reaper" or "IoTroop." The McClatchy news wire reported:

"A Chinese cybersecurity firm, Qihoo 360, says the botnet is swelling by 10,000 devices a day..."

Criminals use malware or computer viruses to add to the botnet weakly protected or insecure Internet-connect devices (commonly referred to as the internet of things, or IoT) in homes and businesses. Then, criminals use botnets to overwhelm a targeted website with page requests. This type of attack, called a Distributed Denial of Service (DDoS), prevents valid users from accessing the targeted site; knocking the site offline. If the attack is large enough, it can disable large portions of the Internet.

A version of the attack could also include a ransom demand, where the criminals will stop the attack only after a large cash payment by the targeted company or website. With multiple sites targeted, either version of cyber attack could have huge, negative impacts upon businesses and users.

How bad was the Mirai botnet? According to the US-CERT unit within the U.S. Department of Homeland Security:

"On September 20, 2016, Brian Krebs’ security blog was targeted by a massive DDoS attack, one of the largest on record... The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices... The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack..."

Wired reported last year that after the attack on Krebs' blog, the Mirai botnet:

"... managed to make much of the internet unavailable for millions of people by overwhelming Dyn, a company that provides a significant portion of the US internet's backbone... Mirai disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK. This week, researchers published evidence that 80 models of Sony cameras are vulnerable to a Mirai takeover..."

The Wired report also explained the difficulty with identifying and cleaning infected devices:

"One reason Mirai is so difficult to contain is that it lurks on devices, and generally doesn't noticeably affect their performance. There's no reason the average user would ever think that their webcam—or more likely, a small business's—is potentially part of an active botnet. And even if it were, there's not much they could do about it, having no direct way to interface with the infected product."

It this seems scary, it is. The coming botnet storm has the potential to do lots of damage.

So, a word to the wise. Experts advise consumers to, a) disconnect the device from your network and reboot it before re-connecting it to the internet, b) buy internet-connected devices that support security software updates, c) change the passwords on your devices from the defaults to strong passwords, d) update the operating system (OS) software on your devices with security patches as soon as they are available, e) keep the anti-virus software on your devices current, and f) regularly backup the data on your devices.

US-CERT also advised consumers to:

"Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary. Purchase IoT devices from companies with a reputation for providing secure devices... Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected."


Experts Find Security Flaw In Wireless Encryption Software. Most Mobile Devices At Risk

Researchers have found a new security vulnerability which places most computers, smartphones, and wireless routers at risk. The vulnerability allows hackers to decrypt and eavesdrop on victims' wireless network traffic; plus inject content (e.g., malware) into users' wireless data streams. ZDNet reported yesterday:

"The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network... The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk."

Reportedly, the vulnerability was confirmed on Monday by U.S. Homeland Security's cyber-emergency unit US-CERT, which had warned vendors about two months ago.

What should consumers do? Experts advise consumers to update the software in all mobile devices connected to their home wireless router. Obviously, that means first contacting the maker of your home wireless router, or your Internet Service Provider (ISP), for software patches to fix the security vulnerability.

ZDNet also reported that the security flaw:

"... could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched Internet-of-things (IoT) devices being exposed for use by botnets."

So, plenty of home devices must also be updated. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins). One "price" of wireless convenience is the responsibility for consumers and device makers to continually update the security software in internet-connected devices. Nobody wants their home router and devices participating in scammers' and fraudsters' botnets with malicious software.

ZDNet also listed software patches by vendor. And:

"In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer... At the time of writing, neither Toshiba and Samsung responded to our requests for comment..."

Hopefully, all of the Internet-connected devices in your home provide for software updates. If not, then you probably have some choices ahead: whether to keep that device or upgrade to better device for security. Comments?


Report: Patched Macs Still Vulnerable To Firmware Hacks

Apple Inc. logo I've heard numerous times the erroneous assumption by consumers: "Apple-branded devices don't get computer viruses." Well, they do. Ars Technica reported about a particular nasty hack of vulnerabilities in devices' Extensible Firmware Interface (EFI). Never heard of EFI? Well:

"An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. 47 Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version."

This is very bad. EFI hacks are particularly effective and nasty because:

"... they give attackers control that starts with the very first instruction a Mac receives... the level of control attackers get far exceeds what they gain by exploiting vulnerabilities in the OS... That means an attacker who compromises a computer's EFI can bypass higher-level security controls, such as those built into the OS or, assuming one is running for extra protection, a virtual machine hypervisor. An EFI infection is also extremely hard to detect and even harder to remedy, as it can survive even after a hard drive is wiped or replaced and a clean version of the OS is installed."

At-risk EFI versions mean that devices running Windows and Linux operating systems are also vulnerable. Reportedly, the exploit requires plenty of computing and technical expertise, so hackers would probably pursue high-value targets (e.g., journalists, attorneys, government officials, contractors with government clearances) first.

The Duo Labs Report (63 pages, Adobe PDF) lists the specific MacBook, MacBookAir, and MacBookPro models at risk. The researchers shared a draft of the report with Apple before publication. The report's "Mitigation" section provides solutions, including but not limited to:

"Always deploy the full update package as released by Apple, do not remove separate packages from the bundle updater... When possible, deploy Combo OS updates instead of Delta updates... As a general rule of thumb, always run the latest version of macOS..."

Scary, huh? The nature of the attack means that hackers probably can disable the anti-virus software on your device(s), and you probably wouldn't know you've been hacked.


Here Comes The Post-Equifax-Breach Spam From Scammers

If you haven't received them yet, you probably will soon. Here comes the spam - unwanted e-mail messages - from scammers, supposedly related to the massive Equifax data breach. The spam will likely include phishing attacks: attempts to trick consumers into disclosing sensitive bank account and payment data.

What might this spam look like? The spam filter by my e-mail provider recently trapped the message below in my spam folder:

Suspected spam email. Click to view larger version

The sender's intent is to clearly leverage consumers' anxieties and fears about the massive, horrific Equifax breach. The e-mail message also states:

Suspected spam email. Click to view larger version

The message offers both three free credit scores and free credit reports. The problems I see with this e-mail:

  1. The message doesn't list a price for its offer. The company name -- FreeCreditClick -- implies the offer is free.
  2. Key items in the e-mail don't match. The company name in the "From" field doesn't match the e-mail address. Nor does the company name in the "From" field match the company name in the body of the message.
  3. The sender's e-mail address in the "From" field includes a version of an e-mail address I've seen before in other spam.
  4. The Equifax site already directs consumers affected by the data breach to an Equifax site to learn how to get protection (e.g., credit monitoring and fraud resolution services) for free.
  5.  The e-mail offers credit reports from the three major credit reporting agencies: Experian, Equifax, and TransUnion. Informed consumers know that the official website for free credit reports is annualcreditreport.com.
  6. Informed consumers know that while there are several brands of credit scores, they probably need a single good one.
  7. The e-mail contains order and unsubscribe links with destinations that doesn't match either the company's name in "1" nor "2."

To understand #7, I reviewed the underlying HTML markup language used to create this e-mail message:

HTML markup of the suspected spam email. Click to view larger version

The destinations for both the order link (A) and the unsubscribe link (B) contain the "proffbuilder.com" site and embedded redirect commands. The redirect commands could take your web browser anywhere. Too risky, so I did not click on them.

As best I can tell, this definitely is spam. I don't trust it. What do you think?


A Greater Volume Of Bogus Email Messages

Have you checked your e-mail spam folder? Your e-mail provider's spam filter is a highly valuable tool which identifies and collects bogus, unwanted messages; which often either contain malware or link to sites which do. I happily use my e-mail provider's spam tool. It saves me plenty of time and aggravation.

You don't have to read the messages collected in your spam folder by your e-mail service. I do occasionally because I've taken my online security a step further. I configured the spam filter to trap all inbound messages not in my e-mail address book, and not only the messages it identified as spam. For me, nothing gets through unless I already know you. I don't want any of this garbage downloaded to my laptop's hard drive.

Call me extra careful.

Recently, when I scanned my spam folder I found a flood of messages up from three or five daily to 30 or 40. The subject lines of the bogus messages included a wide variety of offers: timeshare rentals, hair removal products, credit scores, credit cards, dating services, pet products, wrinkle removal products, home refinance loans, ink for computer printers, and much more. Often, the bogus messages pretended to be valid businesses, such as Amazon and Walmart. A partial list of the messages in my spam folder:

Partial list of messages in a spam folder. Click to view a larger version

Clearly, the spammers hope to trick users into opening these messages. Don't. Experts advise consumers not to reply to these bogus e-mails. If you do, you'll only get more.

If you know where to look, it's fairly easy to spot the spam. All of the messages include the same e-mail reply address. In this instance it is contact@cron-job.org. Unfortunately, Cron-Job is a valid business which did not send out this spam. According to the Denver Post:

"Cron-jobs is a non-profit organization supporting Cron, a Unix-software utility. The site was spoofed! Cron-jobs documents what happened here: cron-job.org/en/spam- statement... The messages are not from them, thus they cannot stop them. They don’t even use the “contact@cron-job.org” email... The messages are likely being sent on a bot-network. These are computers that have malware on them and their owners don’t know the machines were hijacked..."

So, a word to the wise. Regularly scan you computer (e.g., laptop, desktop, tablet, phone) to identify and remove malware. You don't want to contribute to the e-mail spam problem.

I noticed another sender's e-mail address generating lots of spam: XXXXXXXXXXXXaolea.us. The spammers vary the numbers and letters in the XXX portion of the e-mail address, but my e-mail service provider is skilled at identifying bogus messages.

Last, if you haven't activated the spam filter offered by your e-mail provider, now is a good time to do so.


Neighbor Spoofing: What It Is And The Best Way To Stop It

A friend recently posted on social media:

"I get five to seven phone calls daily from a 617-388-(random) number. I keep blocking them but new ones keep calling. My number is a 617-388- number. I've called a few back and they're actually people's personal mobile numbers. What is going on?! Anyone know how to stop it?"

This is neighbor spoofing... where robocallers pretend to be neighbors with familiar looking phone numbers. NPR explained neighbor spoofing is:

"... when callers disguise their real phone numbers with a fake phone number that has the same area code and prefix as yours. The idea is you might be more likely to pick up because maybe you're thinking, this call could be my neighbor or my kid's school, someone I know... Even the chairman of the Federal Communications Commission, Ajit Pai, cannot escape... The calls have gotten so aggravating to Pai, he is doubling down and making the fight against spoofers a top priority for the FCC. Robocalls and telemarketers are the No. 1 complaint the agency gets from the public. New technology has made spoofing easier to do and harder to detect. Last year, people received about 2.5 billion robocalls every month...this spring, the FCC started investigating ways to let phone carriers block calls from spoofers..."

The best solution is a system where phone companies authenticate callers. That would stop or block neighbor spoofing. Until then, the FCC is using deterrence. Back in June, the FCC proposed a $120 million fine against a habitual robocall scammer, Adrian Abramovich, based in Florida:

"Over the course of several years, Abramovich's companies disrupted emergency services, bilked vulnerable consumers out of thousands of dollars and hurt legitimate businesses, the FCC contends... TripAdvisor was deluged by consumer complaints about robocalls that the company had not initiated or authorized. After conducting an internal investigation, TripAdvisor determined that the offending calls were linked to a Mexican hotel and resort chain that had contracted with Abramovich for advertising services."

Consumers interested in something they could do might consider Nomorobo, which works (landline or mobile) with many service providers. Users of Apple and Andorid OS phones might investigate Hiya. Windows and BlackBerry phone users can check the CTIA Wireless Association's guide for free (or low-cost) mobile apps to block robocalls.

Robocalls from schools, physicians, airlines, and law enforcement are helpful, while robocalls from scammers aren't. The best solution -- true authentication -- can't come fast enough. Consumers and businesses are suffering.

While I don't wish anything bad on anyone, I am happy that FCC Chairmann Pai is also directly feeling the pain. Perhaps, now he knows how consumers feel. The loss of broadband privacy and Pai's push to kill net neutrality annoy consumers almost as much as neighbor spoofing.


Russian Malware Targets Hotels In Europe And Middle East

FireEye, a security firm, has issued a warning about malware targeting the hotel industry within both Europe and the Middle East. The warning:

"... a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic... Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks... in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network..."

The key takeaway: criminals use malware to infiltrate the WiFi networks at hotels in order to steal the login credentials (IDs, passwords) of traveling business and government executives. The criminals know that executives conduct business while traveling -- log into their employers' computer networks. Stealing those login credentials provides criminals with access to the computer networks operated by corporations and governments. Once inside those networks, the criminals can steal whatever of value they can access: proprietary information, trade secrets, customer lists, executives' and organization payment information, money, or more.

A variety of organizations in both the public and private sectors use software by FireEye to detect intrusions into their computer networks by unauthorized persons. FireEye software detected the breach at Target (which Target employees later ignored). Security researchers at FireEye discovered vulnerabilities in HTC smartphones which failed to adequately protect users' fingerprint data for unlocking phones.

Security warnings earlier this year mentioned malware by the APT28 group targeting Apple Mac users. The latest warning by FireEye also described the 2016 hack in more detail:

"... the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network..."

So, travelers aren't safe even when they use strong passwords. How should travelers protect themselves and their sensitive information? FireEye warned:

"Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible."


Hacked Amazon Echo Converted Into Always-On Surveillance Device

Image of amazon Echo Wired reported how a white-hat hacker provided proof-of-concept that a popular voice-activated, smart home speaker could easily be hacked:

"... British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion."

Amazon sells both new and refurbished speakers. Newer models also include cameras. All are probably high-value targets of hackers and spy agencies.

Reportedly, Amazon has fixed the security vulnerability in newer (2017) models. The company advises customers to keep the software on their speakers current, and purchase speakers from trusted retailers. However (bold emphasis added):

"... Barnes agrees that his work should serve as a warning that Echo devices bought from someone other than Amazon—like a secondhand seller—could be compromised. But he also points out that, contrary to the implication of the company's statement, no software update will protect earlier versions of the Echo, since the problem is in the physical connection its hardware exposes.

Instead, he says that people should think twice about the security risks of using an Echo in public or semipublic places, like plans for the Wynn Hotel in Las Vegas to put an Echo in every room."

Voice-activated smart speakers in hotel lobbies and rooms. Nothing could go wrong with that. All it takes is a prior guest, or criminal posing as a hotel staff or cleaning person, to hack and compromise one or more older devices. Will hotels install the newer devices? Will they inform guests?

For guaranteed privacy, it seems hotel guests may soon have to simply turn off (or mute) smart speakers, smart televisions, and personal assistants. Convenience definitely has its price (e.g., security and privacy). What do you think?


Microsoft Fights Foreign Cyber Criminals And Spies

The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom with alleged ties to the Kremlin:

"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.

Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft a omniscient view of that servers’ network of automated spies."

Kudos to Microsoft and its attorneys.


Real Scams, Real Cons and Fake Law Enforcement

[Editor's Note: Today's guest post is by Arkady Bukh of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. Aware consumers know how to recognize scams.]

By Arkady Bukh, Esq.

A man in Nigeria died recently. When the coroner went to the home for the body, he found $25 BILLION dollars. Apparently, the decedent had been trying to give away his money for years, but no one answered his email.

If you've been on the Internet for over, say, one-hour, you recognize the source for that joke. The Nigerian email scam is so infamous it's been given its own, easily recognizable, name: The Nigerian Email Scam.

Despite scams and cons being popular online, they're not confined to the virtual world. They crop up in the real world, too. Often, in unexpected ways.

Pennsylvania Teen Tries to Scam and It Doesn’t Go Well at Home
Police in Westtown Township nabbed a teenage boy in March after linking the kid to a scam involving fake traffic tickets. The fraudulent fines were placed in mailboxes at four homes. Each fake ticket claimed the homeowners' vehicle was captured on camera speeding in nearby West Chester. An accompanying note asked for $96 to be left in the mailbox.

"It does look real," said Jackie McGlone, a West Chester resident.

Detectives have found the photographs of the vehicle's' plates were taken while the car was parked in their owner's' driveway and unoccupied.

Police tracked the 16-year old boy, who lives in the area, by a tip phoned in by the teenager's dad.

The teen's father found some notifications waiting to be mailed and called the police. Charges are pending.

Truckers Lose Big Money in Oregon
In 2013, an Oregon-based scam dug into the pockets of truck drivers with automated calls telling them to pay their unpaid traffic tickets using re-loadable debit cards — or face a penalty.

The caller identified himself as, "Alex James Murphy of the Oregon State Police," and informed drivers of a bench warrant for an outstanding speeding ticket. To pay, the drivers were told to buy re-loadable prepaid cards through Green Dot MoneyPak, put $154 on the card, and then call a second phone number to provide the card information.

If the driver does all that, they'll find out there was never an unpaid speeding ticket and their $154 has hit the road. The scam, which occasionally crops up in difference places, first appeared on the radar in November 2012 and had gone through a few variations since.

An offshoot which also relies on confusing the lines between a con artist and legitimate law enforcement agencies is the “Support Your Sheriff” sticker scam. The Federal Trade Commission's website has a page warning consumers about cons which play on citizens' desire to help support local law enforcement.

Fake Police
A vehicle which appears to be an unmarked police car pulls you over. The ‘officer' says you are about to be handed a large fine and see points added to your driver's license. "However," says the supposed-cop, "you can avoid this by paying a smaller fee, up front, in cash."

That's not a tactic used by legitimate law enforcement agencies anywhere. Real cops want to make sure the law is obeyed and not about a discount if a speeder pays on the front end. Legitimate cops will issue a real ticket that must be paid in person, or mail, at the department.

If in doubt, request another officer to come to the scene. It's your right.

Phishing Scam
Someone receives an e-mail message claiming them they are guilty of a traffic violation. A wise person will delete the email immediately. Any email saying you owe money for traffic tickets is a phishing scam.

Usually, the email says the person needs to pay for the traffic citation right now. The e-mail includes a link where the individual to find details. The link often contains a computer virus, and can redirect the user to a phishing page meant to request personal information from the user.

Buy a Sticker and Get Out of Jail Free
Scammers have called individuals at work and home at claiming the local Department of Public Safety (DPS) offers decals for autos with the DPS logo to waive their next traffic ticket.

The caller instructs the person to place the sticker next to the car's license plate. To get the sticker, the vehicle owner must pay $10. Many persons fall for the scam as $10 is smaller than any traffic ticket issued after 1946.

If you get a traffic citation, you broke the law. You will pay for that. There is no such thing as a law enforcement sticker which gets you one free traffic ticket.


Russian Cyber Attacks Against US Voting Systems Wider Than First Thought

Cyber attacks upon electoral systems in the United States are wider than originally thought. The attacks occurred in at least 39 states. The Bloomberg report described online attacks in Illinois as an example:

"... investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016... In early July 2016, a contractor who works two or three days a week at the state board of elections detected unauthorized data leaving the network, according to Ken Menzel, general counsel for the Illinois board of elections. The hackers had gained access to the state’s voter database, which contained information such as names, dates of birth, genders, driver’s licenses and partial Social Security numbers on 15 million people, half of whom were active voters. As many as 90,000 records were ultimately compromised..."

Politicians have emphasized that the point of the disclosures isn't to embarrass any specific state, but to alert the public to past activities and to the ongoing threat. The Intercept reported:

"Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light."

Spear-fishing is the tactic criminals use by sending malware-laden e-mail messages to targeted individuals, whose names and demographic details may have been collected from social networking sites and other sources. The spam e-mail uses those details to pretend to be valid e-mail from a coworker, business associate, or friend. When the target opens the e-mail attachment, their computer and network are often infected with malware to collect and transmit log-in credentials to the criminals; or to remotely take over the targets' computers (e.g., ransomware) and demand ransom payments. Stolen log-in credentials are how criminals steal consumers' money by breaking into online bank accounts.

The Intercept report explained how the elections systems hackers adopted this tactic:

"... the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers. But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company... The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded..."

Experts believe the voting equipment company targeted was VR Systems, based in Florida. Reportedly, it's electronic voting services and equipment are used in eight states. VR Systems posted online a Frequently Asked Questions document (adobe PDF) about the cyber attacks against elections systems:

"Recent reports indicate that cyber actors impersonated VR Systems and other elections companies. Cyber actors sent an email from a fake account to election officials in an unknown number of districts just days before the 2016 general election. The fraudulent email asked recipients to open an attachment, which would then infect their computer, providing a gateway for more mischief... Because the spear-phishing email did not originate from VR Systems, we do not know how many jurisdictions were potentially impacted. Many election offices report that they never received the email or it was caught by their spam filters before it could reach recipients. It is our understanding that all jurisdictions, including VR Systems customers, have been notified by law enforcement agencies if they were a target of this spear-phishing attack... In August, a small number of phishing emails were sent to VR Systems. These emails were captured by our security protocols and the threat was neutralized. No VR Systems employee’s email was compromised. This prevented the cyber actors from accessing a genuine VR Systems email account. As such, the cyber actors, as part of their late October spear-phishing attack, resorted to creating a fake account to use in that spear-phishing campaign."

It is good news that VR Systems protected its employees' e-mail accounts. Let's hope that those employees were equally diligent about protecting their personal e-mail accounts and home computers, networks, and phones. We all know employees that often work from home.

The Intercept report highlighted a fact about life on the internet, which all internet users should know: stolen log-in credentials are highly valued by criminals:

"Jake Williams, founder of computer security firm Rendition Infosec and formerly of the NSA’s Tailored Access Operations hacking team, said stolen logins can be even more dangerous than an infected computer. “I’ll take credentials most days over malware,” he said, since an employee’s login information can be used to penetrate “corporate VPNs, email, or cloud services,” allowing access to internal corporate data. The risk is particularly heightened given how common it is to use the same password for multiple services. Phishing, as the name implies, doesn’t require everyone to take the bait in order to be a success — though Williams stressed that hackers “never want just one” set of stolen credentials."

So, a word to the wise for all internet users: don't use the same log-in credentials at multiple site. Don't open e-mail attachments from strangers. If you weren't expecting an e-mail attachment from a coworker/friend/business associate, call them on the phone first and verify that they indeed sent an attachment to you. The internet has become a dangerous place.


FCC Says Denial-Of-Service Attacks Caused Its Site To Crash Sunday Morning

Federal communications Commission logo Last weekend, the U.S. Federal Communications Commission (FCC) website crashed during a key period when the public relied upon it to submit feedback about proposed changes to net neutrality rules. Dr. David Bray, the FCC Chief Information Officer, released a statement on Monday that the crash was due to a distributed denial-of-service (DDoS) attack:

"Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC. While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments. We have worked with our commercial partners to address this situation and will continue to monitor developments going forward."

The FCC’s , Electronic Comment Filing System (ECFS) is the site the public users to submit and review feedback about proposed changes. Bray's statement did not identify the "bad actors" responsible for the DDoS attack, did not state the countries or locations of the illegitimate site traffic, nor offer much in the way of any substantial details.

A DDoS attack is when hundreds or thousands of internet-connected devices, often coordinated by malware and/or criminals, overwhelm a targeted website by trying to access it simultaneously. This type of attack prevents legitimate users from accessing the targeted site to perform desired tasks (view/buy products, register for services, view videos, get help, contact representatives, etc.). This can easily disable the targeted website for hours, days, or weeks. It can also disrupt businesses, and cause financial losses.

This blog and its hosting service experienced a DDoS attack in 2014 when offshore advertisers retaliated after the hosting service implemented stronger measures to block illegitimate traffic. An October, 2016 DDoS attack against Dyn, a major DNS provider, interrupted many popular websites and services including Spotify, Reddit, and Twitter. Some DDoS attacks are about politics or censorship. A September, 2016 DDoS attack disabled the Krebs On Security blog.

Generally, security experts are concerned about botnets, collections of internet-connected devices used to perform DDoS attacks. These devices can include home WiFi routers, security cameras, and unprotected computers infected with malware. Often, home devices are used without consumers' knowledge nor consent.

Others were skeptical of the FCC's explanation. Some people attributed the crash to John Oliver, the host of the "This Week Tonight" show on HBO. In 2014, the show's viewers crashed the FCC site trying to submit feedback about net neutrality. Oliver published a similar video this past weekend in support of net neutrality.

Broadcasting & Cable reported:

"Fight for the Future is calling on the FCC to release logs on the attack to an independent third party—a security researcher or media outlet—to independently verify the attack. "The agency has a responsibility to maintain a functioning website to receive large numbers of comments and feedback from the public," said Evan Greer campaign director for Fight for the Future. "They can't blame DDoS attacks without proof, they need to fix this problem and ensure that comments on this important issue are not lost."

MediaPost reported that at least two U.S. Senators have demanded answers:

"Senators Ron Wyden (D-Oregon) and Brain Schatz (D-Hawaii) are also seeking answers from the FCC. "As you know, it is critical to the rulemaking and regulatory process that the public be able to take part without unnecessary technical or administrative burdens," the lawmakers write. "Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue."

They are asking the FCC to provide details about any malicious traffic, including how many devices sent malicious traffic to the agency. The lawmakers also have asked the FCC whether it requested investigatory assistance from other federal agencies, and whether it uses any commercial protection services."

A reasonable demand for the FCC to provide proof. If the DDoS attack was a new form of 21st-centry censorship to stop concerned citizens (e.g., voters) from submitting feedback in support of net neutrality, then we all need to know. And, we need to know what the FCC is doing to protect its systems.


Researchers: Thousands of Android Apps Collude To Spy on Users

Got an Android phone or tablet? Considering an Android phone? Then, pay close attention. Researchers have found that more than 20,000 pairs of Android apps work together to spy on users: collect, track, and share information without notice nor consent. The Atlantic magazine explained:

"Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone... A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data... Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information. When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data..."

Researchers at Southern Illinois University and at Virginia Tech collaborated on the highly technical report titled, "Collusive Data Leak And More: Large-Scale Threat Analysis of Inter-App Communications" (Adobe PDF). The report compared DIALDroid to other inter-app analysis tools, and analyzed whether the data leaks were intentional or unintentional (e.g., due to poor design).

The vulnerabilities the researchers found seem three-fold. First, there is the stealth collusion described above. Second, how the data collected and where it is sent are problematic. The Atlantic article explained:

"When they analyzed the the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS."

Third, the vulnerabilities apply to apps operating on corporate networks. The researchers warned in their technical report:

"User Applications. Although DIALDroid is for marketplace owners, Android users can also benefit from this tool. For example, enterprise users can check possible inter-app collusions using DI-ALDroid before allowing certain apps to be installed on the devices of their employees. Moreover, a large-scale public database similar to ours, when regularly updated, can be queried by users to find out possible inter-app communications to or from a particular app."

"Marketplace owners" refers to organizations running online app stores. "Enterprise users" refers to information technology (I.T.) professionals managing (and securing) internal organization networks containing highly sensitive, confidential, and/or proprietary information. Corporate, government, health care organizations, and law firms immediately come to mind.

Prior blog posts and firmware reports have identified numerous vulnerabilities with Android devices. Now, we know a little more about how some apps work together secretly. Add this new item to the list of vulnerabilities.

Android phones may be cheaper than other brands, but that comes at a very steep cost. What are your opinions?


Espionage Groups Target Apple Devices With New Malware

ZDNet reported about a group performing multiple online espionage campaigns which targeted:

"... Mac users with malware designed to steal passwords, take screenshots, and steal backed-up iPhone data. This malware, discovered by cybersecurity researchers at Bitdefender, is thought to be linked to the APT28 group, which was accused of interferring in the United States presidential election. Bitdefender notes a number of similarities between the malware attacks against Macs -- which have been taking place since September 2016 -- and previous campaigns by the group, believed to be closely linked to Russia military intelligence and also dubbed Fancy Bear. Known as Xagent, the new form of malware targets victims running Mac OS X and installs a modular backdoor onto the system which enables the perpetrators to carry out cyberespionage activities... Xagent is also capable of stealing iPhone backups stored on a compromised Mac, an action which opens up even more capabilities for conducting cyberespionage, providing the perpetrators with access to additional files..."


Survey: Internet of Evil Things Report

Pwnie 2017 Internet of Evil Things report A recent survey of information technology (IT) professionals by Pwnie Express, an information security vendor, found that connected devices bring risks into corporate networks and IT professionals are not keeping up. 90 percent of IT professionals surveyed view connected devices as a security threat to their corporate systems and networks. 66 percent aren't sure how many connected devices are in their organizations.

These findings have huge implications as the installed base of connected devices (a/k/a the "Internet of things" or ioT) takes off. Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. The regions that will drive this growth include North America, Western Europe, and China; which already comprise 67 percent of the installed base.

Key results from the latest survey by Pwnie Express:

"One in five of the survey respondents (20%) said their IoT devices were hit with ransomware attacks last year. 16 percent of respondents say they experienced Man-in-the-middle attacks through IoT devices. Devices continue to lend themselves to problematic configurations. The default network from common routers “linksys” and “Netgear” were two of the top 10 most common “open default” wireless SSID’s (named networks), and the hotspot network built-in for the configuration and setup of HP printers - “hpsetup”- is #2."

An SSID, or Service Set Identifier, is the name a wireless network broadcasts. Manufacturers ship them with default names, which the bad guys often look for to find open, unprotected networks. While businesses purchase and deploy a variety of connected devices (e.g., smart meters, manufacturing field devices, process sensors for electrical generating plants, real-time location devices for healthcare) and some for "smart buildings" (e.g., LED lighting, HVAC sensors, security systems), other devices are brought into the workplace by workers.

Most companies have Bring Your Own Device (BYOD) policies allowing employees to bring and use in the workplace personal devices (e.g., phones, tablets, smart watches, fitness bands). The risk for corporate IT professionals is that when employees, contractors, and consultants bring their personal devices into the workplace, and connect to corporate networks. A mobile device infected with malware from a wireless home network, or from a public hot-spot (e.g., airport, restaurant) can easily introduce that malware into office networks.

Consumers connect a wide variety of items to their wireless home networks: laptops, tablets, smartphones, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. Last month, the U.S. Federal Trade Commission (FTC) filed a lawsuit against a modem/router maker alleging poor security in its products.

Security experts advise consumers to perform several steps to protect their wireless home networks: change the SSID name, change all default passwords, enable encryption (e.g., WEP, WPA, WPA2, etc.), create a special password for guests, and enable a firewall. While security experts have warned consumers for years, too many still don't heed the advice.

The survey respondents identified the top connected device threats:

"1. Misconfigured healthcare, security, and IoT devices will provide another route for ransomware and malware to cause harm and affect organizations.

2. Unresolved vulnerabilities or the misconfiguration of popular connected devices, spurred by the vulnerabilities being publicized by botnets, including Mirai and newer, “improved” versions, in the hands of rogue actors will compromise the security of organizations purchasing these devices.

3. Mobile phones will be the attack vector of the future, becoming an extra attack surface and another mode of rogue access points taking advantage of unencrypted Netgear, AT&T, and hpsetup wireless networks to set up man-in-the-middle attacks."

The survey included more than 800 IT security professionals in several industries: financial services, hospitality, retail, manufacturing, professional services, technology, healthcare, energy and more. Download the "2017 Internet of Evil Things Report" by Pwnie.


Millions Of Android Smartphones And Apps Infected With New Malware, And Accounts Breached

Security researchers at Check Point Software Technologies have identified malware infecting an average of 13,000 Android phones daily. More than 1 million Android phones have already been infected. Researchers named the new malware "Gooligan." Check Point explained in a blog post:

"Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year... Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe... We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified... Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began..."

Check Point chart about Gooligan malware. Click to view larger version This Telegraph UK news story listed 24 device manufacturers affected: Archos, Broadcom, Bullitt, CloudProject, Gigaset, HTC, Huaqin, Huawei, Intel, Lenovo, Pantech, Positivio, Samsung, Unitech, and others.The Check Point announcement listed more than 80 fake mobile apps infected with the Gooligan malware: Billiards, Daily Racing, Fingerprint unlock, Hip Good, Hot Photo, Memory Booster, Multifunction Flashlight, Music Cloud, Perfect Cleaner, PornClub, Puzzle Bubble-Pet Paradise, Sex Photo, Slots Mania, StopWatch, Touch Beauty, WiFi Enhancer, WiFi Master, and many more.

Check Point is working closely with the security team at Google. Adrian Ludwig, Google’s director of Android security, issued a statement:

"Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware... Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point... to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps... Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected... We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push... We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future."

How the gooligan malware works by Check Point. Click to view larger version Android device users can also have their devices infected by phishing scams where criminals send text and email messages containing links to infected mobile apps. News about this latest malware comes at a time when some consumers are already worried about the security of Android devices.

Recently, there were reports of surveillance malware installed the firmware of some Android devices, and and the Quadrooter security flaw affecting 900 million Android phones and tablets. Last month, Google quietly dropped its ban on personally identifiable web tracking.

News about this latest malware also highlights the problems with Google's security model. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Hopefully, the introduction last month of the Pixel phone will address those problems. A better announcement would have also highlighted security improvements.

For the Gooligan malware, Check Point has develop a web site for consumers to determine if their Google account has already been compromised:  https://gooligan.checkpoint.com/. Check Point advised consumers with compromised accounts:

"1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”

2. Change your Google account passwords immediately after this process."

A word to the wise: a) shop for apps only at trustworthy, reputable sites; b) download and install all operating-system security patches to protect your devices and your information; and c) avoid buying cheap phones that lack operating system software updates and security patches.


Security Flaws Place 900 Million Android Phones And Tablets At Risk

Researchers have found a security flaws that could place as many as 900 million Android operating system (OS) phones and tablets at risk. The four vulnerabilities, called "Quadrooter," allows attackers to take complete control of phones which use the Qualcomm chip. Which phones are affected? C/Net reported:

"Google's own branded Nexus 5X, Nexus 6, and Nexus 6P devices are affected, as are Samsung's Galaxy S7 and S7 Edge, to name just a few of the models in question. The recently-announced BlackBerry DTEK50, which the company touts as the "most secure Android smartphone," is also vulnerable to one of the flaws."

Researchers at Check Point discovered the security flaws. The Check Point blog explained:

"QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device... Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm..."

The Check Point blog listed affected phones and tablets. It also emphasized:

"This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data."

Wow! There it is in writing for all to read. And we know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones.

Reportedly, Google said the security patch will be available in September.

We've been here before. Google needs to fix its Android security model. If it doesn't (or can't), that may make consumers doubt the reliability and trustworthiness of Google driverless cars.


6 Tips To Protect Yourself From Callers Offering Energy Discount Scams

Recently, I received a phone call offering "discounts on my Eversource bill." The caller identified himself as "Kevin." I have no idea if that is his real name. Kevin explained that I could get discounts by giving him some simple personal information. His then asked for my ZIP Code.

Right. I was born at night, but not last night.

I told Kevin that I don't share my personal information over the phone without knowing who the caller is. I asked him to provide four items: a) his full name, b) his company name, c) his company's phone number, and d) his company's website address.

Kevin replied, "okay." The next thing I heard was a loud click as he hung up.

Now, there are real companies offering discounts on electric utilities. Clearly, Kevin was not one of them. After receiving robocalls before from energy scammers, I have learned to demand these four data elements before sharing any personal information on the phone.

Eversource logo To protect yourself and your money from scam artists, Eversource advises residential customers:

"1. Always verify whether these callers are legitimate by asking for some basic information about your account. Our representatives will always be able to provide the name on the account, the account address, and the exact past due balance.

2. Never immediately pay, regardless of what the caller knows about your account. If they request an immediate payment using a third-party service, at another location or via a prepaid debit card, hang up immediately and contact us directly to verify your account status.

3. If you are suspicious, hang up and call us ​at 800-592-2000. Also, please report this to your local law enforcement.

4. Never wire money to someone you don’t know – regardless of the situation. Once you wire money, you cannot get it back.

5. Do not accept offers from anyone, including those claiming to be Eversource employees, to pay your bill or provide any other service for a fee.

6. Do not click on links or call numbers that appear in unexpected emails or text messages – especially those asking for your account information. If you click on a link, your computer could become infected with malware, including viruses that can steal your information and compromise your computer."

And, learn how to spot these five energy scams. Demanding that the caller clearly and completely identify their self also seems to work.


Shooting In Orlando: Hate Crime, Terrorism, Or Both?

Was the mass murder this past weekend in Orlando (Florida) a hate crime or terrorism? As a society, we've been here before, too many times. We've asked ourselves this question recently after a church shooting, and after a clinic shooting.

So, it seems appropriate to revisit the definitions. From the U.S. Federal Bureau of Investigation (FBI) website:

Hate Crime: "A hate crime is a traditional offense like murder, arson, or vandalism with an added element of bias. For the purposes of collecting statistics, the FBI has defined a hate crime as a “criminal offense against a person or property motivated in whole or in part by an offender’s bias against a race, religion, disability, sexual orientation, ethnicity, gender, or gender identity.” Hate itself is not a crime—and the FBI is mindful of protecting freedom of speech and other civil liberties."

International Terrorism: "... means activities with the following three characteristics: 1) Involve violent acts or acts dangerous to human life that violate federal or state law; 2) Appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and 3) Occur primarily outside the territorial jurisdiction of the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum.*

Domestic Terrorism: "... means activities with the following three characteristics: 1) Involve acts dangerous to human life that violate federal or state law; 2) Appear intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination. or kidnapping; and 3) Occur primarily within the territorial jurisdiction of the U.S."

Some politicians want to classify the event as one type (e.g., terrorism) and not another (e.g., hate crime), while ignoring the related issues: the gun violence continues without effective background checks and the assault-style weapon used in Orlando is fast becoming mass shooters' weapon of choice. There's also the long history of anti-LGBT violence in LGBT clubs.

When you consider the above definitions, the following variations seem possible:

Venn diagram of hate crime, terrorism possibilities

Thoughts? Comments? Fed up? Find your senator, and find your representative.