Thought I’d take a minute and send out a reminder about an annoying but necessary topic:  Patching.  There are quite a few patches that have been released in the last few days.  Microsoft, Adobe and Apple are all addressing some serious security issues.  So…Please take some time to update your systems.  It will reduce the likelihood of identity theft and other horrors.

1:  Microsoft OS.  Use the Microsoft updates link in Internet Explorer or visit the Microsoft Update page.  There are approximately 34 updates that are required.  Grab a coffee and sit back.  It takes a while.

2:  Adobe Flash player.  Adobe has been experiencing some serious issues recently and there’s a new one out.  You can either check for the updates button within the adobe applications or visit their website here.

3:  iPhone.  This one is a large download too.  You can access this by connecting your iPhone to your system and in iTunes, select your iPhone.  In the summary page click on the “Check for Update” button.  Instructions are here.

Patching is something many people avoid or ignore.  Treat it like mowing your lawn:  Do it with a beer and it’ll seem like less of a chore.

No related posts.

A strange email scam is making the rounds. It appears to be coming from Evite.com, but none of the recipients know the sender. Sounds like it could just be a case of mistaken identity, but there’s more to it. People who have received the emails have received several in a row, each one addressed to a different person about a different event. The links go to a 404 error page not run by Evite.com.

We’ve only heard of small numbers of people receiving this and no damage has been reported, but we’re keeping our eyes on this one.

No related posts.

Yesterday morning, an hour before the sun rose, my wife was on her way to fly to Los Angeles. We live in a somewhat affluent neighborhood (Grosse Pointe) which is situated next to one of the most depressed parts of Detroit. Right on the border of these two different worlds is a Marathon gas station that we often stop at, and it is here that my wife was robbed. Mack and Alter, for those who know the area.

She drove a small Toyota pickup and noticed a man wearing a hoodie at the pump across from her was staring at her purse. Instinctively, she threw her purse on the passenger seat and locked up the truck. Just as she was putting the hose back in the gas pump, she heard a smash behind her. She swung around to see the man in the hoodie pulling her purse out, dive into his car and squeal out of there. All in the course of about 2 seconds.

One of the many things I love about my wife is her ability to keep her head when all about her are losing theirs. She ran after the car long enough to memorize his plate (turned out, the car had been stolen earlier that morning). Then she ran into the gas station and yelled for a paper and pen to write it down. American Express was great. They told her that within the last 15 minutes, the robber had already made three purchases at as many gas station and she would not be responsible for them.

Let me add at this point, that the guys who run this Marathon station are the nicest you’ll ever meet. Always smiling and considerate. They let my wife borrow their phone for as long as she needed as her iPhone was in her stolen purse.

The next thing she did was brilliant. She made a mental walkthrough of her purse and wallet, visualizing each card, piece of jewelry, everything. Within 30 minutes in a dangerous gas station parking lot at 6AM, she had canceled every card, her travel plans and contacted myself and her parents. The first thing I did was dial 611, which on AT&T will allow you to remotely cancel an iPhone. Since the iPhone was under my account, I was able to do this. Don’t worry—you can’t just randomly cancel someone’s phone as a prank!

Then we contacted Scott (co-creator of Social Threat) as he deals with identity theft a lot. We weren’t sure if this would happen, but never assume. He gave us the link to an identity theft protection service run by Experian. We signed up immediately and feel much better about our safety.

Then I treated my wife to a new iPhone 4.

TIP: If you are robbed, think like my wife:

1. Try and get any details you can: license plates, color, make and model of vehicle, physical descriptions of people. Tattoos are great identifiers.
2. Shut your eyes and visualize what was stolen. What did it look like when you last had it? What was in it? This will come in handy later for the police report and your insurance company. This may be one of the most important things you can do.
3. Cancel cards immediately. Do not wait until you get to safety. They will be putting charges on your cards within minutes if they are pros.
4. Always keep paper copies at home of everything: photocopy your cards, your drivers registration, etc. Buy a safe (you can get great fireproof safes at most office supply stores) and keep these copies in there. You’ll thank me later.

Have you been robbed? How did you handle it? Any additional tips?

No related posts.

According to the brilliant Jeremiah Grossman, a severe vulnerability exists in Safari 4x and 5x allowing a malicious Web site to invade via the Autofill feature. More frightening, this vulnerability exists even if you haven’t filled out anything on the page.

TIP: Safari users are recommended to turn off Autofill immediately until Apple posts a patch or update to Safari. To turn off Autofill:

1. Safari Menu > Preferences > Autofill
2. Uncheck all Autofill options
3. Close Preferences

UPDATE: Looks like a variant idea was posted by Patrice Neff back in 2009. Still hasn’t been fixed! Also, Jeremiah suspects this may be a Webkit issue, which means Chrome, Konqueror and a few other browsers such as OmniWeb, iCab and possibly even the Android mobile browser will be affected.

No related posts.

We will be speaking in Ann Arbor, Michigan at Connor O’Neal’s at the LA2M. Scott and I will both be there to talk about privacy, Facebook, Apple, Google and where the Hell Micro$oft is these days. Come see us!

If you’re unable to attend the event, you can see it live online here.

Event details
Location: Conor O’Neills
Address:
318 South Main Street
Ann Arbor, MI
Phone: 734.272.4698
Email: info@la2m.org

No related posts.

WTF. You’d think after the humiliation and financial risks caused by social sharing site Blippy.com that we reported earlier this week, they would have either fixed it right, or shut the service down until they were certain everything was secure. But as reported on Blippy’s own blog, another four credit card numbers showed up in Google search results yesterday.

Possibly more disturbing is that Blippy is claiming only four individuals’ accounts showed up altogether, whereas other reputable sites like Mashable are reporting the number is closer to 200.

Possibly related posts:

1. Blippy.com compromised.
2. Botnets and Blippy and iPhones. Oh my!

Hundreds of credit cards exposed.

UPDATE: Blippy responds in their blog.

As reported by Mashable today Blippy, the online “service” that allows you to see what others have purchased and share your purchases, had an embarrassing and potentially dangerous security issue today. According to Mashable:

“Tipster Trey Copeland wrote to us with a link to results for the search: site:blippy.com +”from card”. That search returns results showing detailed purchase information for transactions. Each result highlights that there was a “debit card transaction” or “card transaction,” the amount spent, the specific location (address included) and the full card number.”

Mashable included a screenshot of Google’s search results, which show a number of compromised credit card numbers exposed. Don’t bother trying that search query: you’ll get an error message from Google instead.

The social media team I run at C-E has long speculated that this would happen. We couldn’t imagine why on earth anyone would share their purchases and trust all their credit card numbers to a social site that doesn’t sell anything.

TIP: As we warned a few weeks ago, there’s no reason to join Blippy. You do not ever need to share your purchases. It makes you a target. If you are a member, take immediate action to remove your financial information.

A generous nod to Gary Olson for the story.

Possibly related posts:

1. Credit card numbers showing up in Blippy—AGAIN!
2. Botnets and Blippy and iPhones. Oh my!

We’ve been exploring the issues we’re facing in social media and Dave and I have been talking about how we got here. One of the common issues we continue to see are links that claim to give access to a resource of interest, when in fact it’s a link to a piece of malicious software (malware).

Thinking back to how we got here, I recalled the first time I accessed a resource on the Web. It was with an early browser called Lynx. I went to a website and clicked on a link to a map of a building. Except, the browser couldn’t render the image file, I had to download it and open it with another program. The crude nature of this process made it very clear that the file I was accessing, picture.gif, was exactly that:  an image file.

Today, we access the same resources through increasingly confusing naming conventions. We used to tell people to pay attention to the URL they’re accessing. Today many of these addresses are encoded so that it’s impossible to discern what they are or where they’re located. When we started using Twitter, we had limited character space so we started to shorten the URLs, obfuscating them further.  This has made it very difficult to give guidance to people about safe practices in regard to URLs.

It’s still important to look at the links you’re clicking on and make an effort to determine if the destination appears to be legit.  www.gmail.ru is probably something you shouldn’t trust.

I’m not sure anyone is working on a solution for this and it’s probably going to get worse before it gets better. In the mean time, pay attention to the things you CAN recognize:

• Microsoft’s page on recognizing malicious URLs
• My favorite:  Carnegie Mellon has comic strips and a game to teach how to recognize phishing links

Do you have thoughts about how to improve the issue with URLs?  Do you know of anyone who’s working on this?

Possibly related posts:

1. Twitter goes after phishing and malware

FarmVille Scam: Click-jacking scam
Click image for full-size version.

Here’s the attribute to watch out for:

1. Despite the proper spelling and artwork this time, the scammers still gave a huge clue: FarmVille has a capital ‘F’ and ‘V’. Their version is all lowercase.
2. No logo on the “Allow Access” screen
3. Hundreds of negative reviews, but only two fans.
4. The “Allow Access” screen says that farmville is for “Sending buildings to friends.” Since when?

TIP: Always check the link and reviews of any app before adding it. If an app has thousands of players, but only a few fans, or hundreds of negative reviews, it’s a scam. It did not come from your friend. Your friend’s account was either unknowingly compromised, or they were tricked by it as well.

Possibly related posts:

1. Scam Spotting, No. 6: FarmVille Cash
2. Scam Spotting, No 7: F’acebook Antivirus
3. Scam Spotting: No. 1: Who is checking my profile

A large number of WordPress users are noticing that they cannot log into their blogs this weekend. Or if they can log in, their site has an iframe that points to a malware site (networkads.net/grep). Original posts on the story pointed it at blogs hosted by Network Solutions. NetSol, however, claims it is not just them—that other hosts are being infected as well. They mention a “rogue plugin” however they will not say which one it is, and so far, the only complaints have been from NetSol blogs. Another early “fact” claimed by many was that this attack was only hitting 2.92 users, but comments indicate other versions have been hit as well.

Sucuri Security has a fantastic write-up of the attack, details and the fix, which will likely scare those unfamiliar with PHPMyAdmin. According to Sucuri:

“What is interesting about this attack is that it does not create or modify any files, so the average security advice does not apply here. The only thing is does is to modify your “siteurl” inside the “wp-option” table to point to http://networkads.net/grep/, breaking the site layout completely.”

If you find yourself infected, and are confused by the directions, do yourself a favor: ask a geeky friend to do this for you. It’s not beginner stuff.

TIP: One thing you can do immediately without accessing your wp-options table is turning off, then simply removing your xmlrpc.php file from your WordPress install. It’s always at the top level (root) of your WordPress install.

Has your blog been hit by this attack? How did you fix it?

Possibly related posts:

1. 9 Security Plugins Your Blog Must Have
2. Let’s Talk About Passwords