Reshared post from +Les Jenkins
Well that's not good.
Hackers steal records on 4.5 million patients from healthcare system
Data included Social Security numbers as well as names, birth dates.
'As we note each month, while the majority of Chrome and Firefox users are all using the newest version of those browsers, Internet Explorer has a large user base that's using old versions. Internet Explorer 8 is currently the most widely used version of the browser. Microsoft started making Internet Explorer updates automatic with Internet Explorer 9 and made them automatic from day one with Internet Explorer 10. The result was that versions 10 and 11 spread much more quickly than their predecessors. But unlike the competition, the carrot of better performance and standards compliance never had a corresponding stick of non-support.'
In some ways here, Microsoft is the victim of its own success. By its historic ownership of a huge swathe of the browser market, a lot of web-based apps were written for — and are still supported by — older versions of IE. This is a huge problem for my company in fact, where we have older versions of apps that only work with, say, IE8 (and would cost a significant bundle to upgrade), or older custom apps (or discontinued commercial apps) that only work with IE8 and would be non-trivial to replace. We've been making efforts, but it's definitely one of those "don't spend money until you absolutely have to" kind of situations.
Don't get me wrong — I think the goal's a good one. But it's not just laziness or ignorance that leaves a lot of IE8 out there in the world, and while forcing this upgrade will ultimately pay off, it won't be done without a lot of pain.
Support for old versions of Internet Explorer to be dropped—in 2016
In 18 months, only the newest version of IE on each version of Windows will be supported.
Want to know why people don't update Java more frequently? For me, it's this.

Yeah, this is sounding, in Schneier's words, "squirrelier and squirrelier."
(h/t +Mary Oswell)
Embedded Link
Schneier on Security: Over a Billion Passwords Stolen?
Over a Billion Passwords Stolen? I’ve been doing way too many media interviews over this weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords. As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me.
This particular threat is a lot more insidious. Tech protection doesn't work; the exploit is in the firmware and behaves just like legitimate devices. USB is meant to work this way.
And good practices aren't much help, either, because USB is ubiquitous, and this could be a problem with anything — a thumb drive, a full-fledged USB storage device, a phone, a keyboard, a mouse, a charger, a charging station, a cable — pretty much anything that plugs into your USB port could be rigged to use this exploit.
So, ultimately, there's no defense, as things go now. Really. I mean, don't stop doing the things you do now (see (a) and (b)), but until someone comes up with a much more clever way of detecting things doing what they are supposed to be doing but for bad ends, there's not much to be done.
And, yes, this is something that could be used most obviously by hackers or other miscreants of various sorts. It's also clearly something that could be done by a government, a corporation, or anyone else. Sleep tight!
Reshared post from +Les Jenkins
Well, this is very concerning indeed.
This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”
Researchers devise stealthy attack that reprograms USB device firmware.
Same thing happens if you log in to Chrome and have it back up your settings — all those userid/passwords you tell Chrome to remember also get backed up, which is, potentially, an even bigger concern.
But, then, browser password files are notoriously weak (cough, LastPass, cough), if someone was skimming PCs. And WiFi passwords? WiFi security is near-laughable for anyone who actually wants to penetrate it. And even assuming Google is using those passwords (or the NSA or FBI are compelling Google to hand them over so they can), it still requires a physical presence to get to those networks.
Of the various security concerns folks should have, this seems to rate way low on the chart. Indeed, the security aspects of having to go around and ask people for the passwords to those WiFi networks again probably represent a bigger issue than having Google auto-restore the WiFi passwords to your new Android phone.
Embedded Link
Google knows nearly every Wi-Fi password in the world
By default, Android devices phone home, copying Wi-Fi passwords to Google servers. While they may be encrypted, it seems fairly obvious that Google can read these Wi-Fi passwords. And if Google can read them, the U.S. government can compel them to turn over the passwords. WPA2 encryption? Extra-long random password? It’s all meaningless.
Yup. APT status isn't just for China any more.
Reshared post from +Brandon Downey
In case you missed this, Microsoft has this post about protecting its users.
Here's the key quote:
If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.
That's right, Microsoft just called the US government the APT — a term generally thrown around to describe the actions of governments such as the PRC.
And it's true — if the US government is willing to tap the cables belonging to US companies to conduct broad surveillance of foreigners, there is really no difference.
Kudos to Microsoft for calling it like it is.
Embedded Link
Protecting customer data from government snooping – The Official Microsoft Blog – Site Home – TechNet Blogs
News and perspectives covering the top stories, events and activities from Microsoft. The content for this blog includes the official information and stories from all of Microsoft’s primary businesses.
'I became encouraged this web site by simply this relative. I’m not beneficial whether this text is usually composed by means of him or her when nobody else understand these kinds of certain in relation to our issue. That you are excellent! Many thanks!'
I don't think I could write that myself if I tried.

This was commenting on this: http://wist.info/stanton-elizabeth-cady/19498/
Yeah, maybe I won't approve that one.

We get these calls (or voice messages from them) at least weekly. Or we have. I'll be tickled if they go away, preferably forever.
"Hello, this is Rachel at cardholder services, calling in reference to your current credit card account. There are no problems currently with your account. It is urgent that you contact us concerning your eligibility for lowering your interest rates. Your eligibility expires shortly, so please consider this your final notice. Please press the number '1' on your phone to talk with a live operator about lowering your interest rate. Or press the number '2' to discontinue further notices. Thank you, and have a great day."
Buh-bye, Rachel!
Reshared post from +Ars Technica
Busted.
Embedded Link
“Hi, this is Rachel from RoboCaller services calling. Press 1 to be scammed.”
FTC shuts down five robocallers, aims to eliminate “Rachel” for good.
Guess I was microblogging a lot yesterday.
Serious Stuff
Fun stuff
It exists because it works.
"But who would possibly respond to such a ridiculous email?" you might well ask.
But the cost of sending email is so cheap, that only getting 1 response for every 12.5 million spam emails sent is enough to turn a tidy profit.
Given that you can probably convince 1 in 12.5 million people to do practically anything, I expect we'll be seeing spammers around for a long time. #ddtb
Reshared post from +Michelle Marie
Success Rate of Spam
via: http://goo.gl/dCjNt
Did you know that spammers get only one response to every 12,5 million emails they send?
But what is even more interesting, yet even with this apparently abysmal response rate, it is enough for them to make a nice profit. The researchers from University of California UC San Diego sent about 469 million junk e-mail messages for the fake pharmacy campaign. The response rate was less than 0.00001%.
However, these conversions would have resulted in revenues of $2,731.88 — a bit over $100 a day for the measurement period, said the researchers.

I get spam …
From: ProfessionalWomen
Subject: You have been chosen as a distinguished women of 2011
NAPW_recognizes women for their achievements in business and YOU_have been carefully selected.
We would like to highlight all of your achievements.
To Accept Your_Invitation Please_Visit_Here.
You keep using that term “carefully selected” … I don’t think it means what you think it means …
The subject line “Your Ex Has Recently Searched For You” isn’t terribly effective, since (a) she has my email address, and (b) I don’t live in terror of her finding me (see (a)).
Best regards,
*** Me
This came through under the subject line: SCAMERS HAVE CONFESSED,THAT THEY STOLE YOUR MONEY (sic).
The Federal Government of Cotonou Benin through provisions in Section 419 of the Criminal Code came up with punitive measures to deter and punish offenders.
The Advance Fee Fraud section deal mainly with cases of advance
fee fraud(commonly called 419) such as obtaining by false pretence through
different fraudulent schemes e.g. contract scam, credit card scam,
inheritance scam, job scam, loan scam, lottery scam, “wash wash” scam (money
washing scam), marriage scam. Immigration scam, counterfeiting and religious
scam. It also investigates cyber crime cases.
This is to officially announce to you that some scam Syndicates were
apprehended in Cotonou Benin few days ago and after several interrogations
and tortures your details were among those mentioned by some of the scam
Syndicates as one of the victims of their operations.
Torture … even scammers who are pretending to fight scammers are doing it.
After proper investigations and research at Western Union Money Transfer and
Money Gram office to know if you have truly sent money to the scam
Syndicates through Western Union Money Transfer or Money Gram, your name was found in Western Union Money Transfer database amongst those that have sent money through Western Union Money Transfer to Nigeria and Cotonou Benin this proves that you have truly been swindled by those unscrupulous persons by sending money to them in the course of getting one fund or the other that is not real.
Right now we are working hand in hand with Western Union and Interpol to
track every fraudsters down, do not respond to their e-mails, letters and
phone calls any longer they are scammers and you should be very careful to
avoid being a victim to fraudsters any longer because they have nothing to
offer you but to rip-off what you have worked hard to earn.
Yes. A word to the wise is sufficient.
In this regard a meeting was held between the Board of Directors of The
Economic and Financial Crimes Commission (EFCC) and as a consequence of our
investigations it was agreed that the sum of five milion three hundred thousand US Dollars (US$5.3m,should be transferred to you out of the funds due to you from Federal Government of Nigeria and Benin Republic.
We have deposited your fund at Western Union Money Transfer agent location
EMS Post office Cotonou Benin Republic. We have submitted your details to them so that your fund can be transferred to you,but they recontacted us that the funds are too large to be transfered via western union or money gram,so the only option is to transfer these said 5.3million usd to you ,in form of an INTERNATIONAL ATM CARD,that will still contain the same amount, …
Do you know how long it would take to withdraw “five milion dollars” in $250 increments from the ATM?
… so go ahead and contact the persenell that will help you make sure this ATM CARD gets to you but you are only required to send to her the delivery charges of 150usd (ONE HUNDRED AND FIFTHY UNITED STATES DOLLARS) and after that she will make sure that this CARD reaches you within 24hrs
I’ll tell you what, Benin: you keep the “five milion dollars” and use it to buy a good spell checker, okay?
Contact the PERSONELL through the email address stated
below,inform her about this notification letter and the transfer of your
fund;
CONTACT NAME:SARAH WILSON
Email:( [redacted] )
Remember that you are not the only scam victim ,we have so many scam cases in our office but you are lucky to fall among one of the people that will be getting these compensation funds,so if you feel reluctant to claim it ,we will cancel your name and sign it on the next scam victim waitiing on line to claim his/her compensation funds.
Yours sincerely,
ISAAC MOHAMED
Assistant Investigation Officer.
The International police Crimes Commission (I.P.U.C)
Rue/056 akpakpa Cotonou Benin Republic
If I cancel my name, will nobody ever, ever send stuff like this to me again? Because that would be worth “five milion dollars”, too.