Apple Voice Memos App

Apple also introduced its “Shared Library” feature on iTunes a while ago. This allows users to share their iTunes library for legal listening purposes across a network. This can be great at workplaces with lots of creative types who have great music collections.

Just one small problem. Put these two features together and you have a potential security nightmare. And we don’t mean in the theoretical edge-case way. This is a very real possibility we have encountered “in the wild” more than once.

Here’s the issue. Once your library is shared across a network, so are your private voice memos. That may not be a big deal at home or if you work at a small company, but if you happen to be on a shared network like a coffeehouse or a hotel, or work with confidential data? Now you have a real problem.

Conversely, this could be a simple method for corporate espionage. Find out what hotel your competitor is staying at and log in to the WiFi. Granted, this assumes your competition uses iTunes at work (uncommon) and has sharing on (common).

Our advice: if you use the Voice Memo feature on your iPhone, turn off iTunes Library Sharing! It’s not worth the risk of others hearing—or worse, sharing— your private memos.

No related posts.

This came up at our discussion at ISSA on Thursday so I thought I’d mention it.  Gizmodo published a great article about the problems with passwords.  Couldn’t agree more.  They mention tools like 1Password which is a great app that stores passwords and gives people a shot at creating complex passwords.  I hope we’ll start to see better options for authentication at home.  If you know of some other tools, let us know.

No related posts.

There’s a great writeup on the Bobijou phishing scam over at Purple Car.

No related posts.

About a month ago my daughter asked if she could sign up for facebook.  A couple of her friends had just done it and she wanted to be a part of the fun.  My reaction surprised me;  I didn’t immediately say no.  That took whole hours.  I started investigating it, looking at it as a parent first.  Of course the first message I sent was to Dave, asking for his opinion.  What follows are some observations and a lot more questions.

The first issue I discovered was that facebook has a policy that requires you to be over the age of 13 to use the service.  (My daughter is…not 13)  Of course kids lie and sign up with or without consent of their parents.  I began to realize that dealing with facebook with a kid is a tough problem:

• Letting an underage kid sign up means you’re agreeing to break rules with your kids
• Not getting them signed up soon enough may result in creating pressures that will encourage them to sign up without your knowledge
• Not letting them sign up wont allow them to build skills that will eventually be necessary

Beyond Facebook, some of the sites I looked at:

Webkinz (web site that accompanies the stuffed animals)

Togetherville (Most promising site in my opinion, links to Facebook for parents)

(I also looked at Kidswirl and Whyville and several others but wasn’t impressed.)

Other resources:

The Online Mom is a great website with a lot of articles that cover opinions on a wide range of ages.

This is still a work in progress and we’re interested in your thoughts.  How would you recommend approaching this issue?  What additional sites are you looking at for kids and what online resources have been helpful?

No related posts.

This scam popped up on Facebook this week. I saw it on my profile this morning. The scam looks harmless enough. A friend of yours has posted what appears to be a video of a laughing baby on your Facebook Wall. Clicking the link will trigger most modern browsers to throw up a phishing site warning.

Do not click on this link! Simply delete the post. Your friend is not a spammer. Their account was likely highjacked. Be a good friend. Tell them their account has been highjacked and encourage them to change their password, log out and back in under the new password.

TIP: Many of these scams originate in Eastern Europe and English is not their first language, hence the poor grammar and occasional misspellings.

No related posts.

According to CNET, criminals are using fake LinkedIn invite email to scam people into clicking links that lead to the Zeus botnet. The scam targets Windows users only and may be the first time the Zeus botnet has targeted LinkedIn users.

According to CNET, “Researchers saw tens of billions of messages related to the attack yesterday, Henry Stern, a senior security researcher at Cisco Systems, told CNET. “There have been some bursts today, but nothing like yesterday,” he said. “The botnet responsible for this is still in operation and it’s just doing something else right now.”

Fake LinkedIn email links to the Zeus botnet.

No related posts.

Scam Spotting, No. 9: WOW IT WORKS scam
Click image for full-size version

I myself, was hit by it on my own Facebook page. I hadn’t been on the page all day but started receiving dozens of texts from friends that I was spamming them.

Here’s how the scam seems to work:

Scam Spotting, No. 9: WOW IT WORKS scam. Event Page
Click image for full-size version.

1. A victim (in this case, me) is randomly chosen from Facebook. Well, not quite randomly. It seemed to target members with more than 1,000 friends.
2. The victim’s name is added to the WOW IT WORKS app as a creator on Facebook’s Developer section.
3. The victim’s name is used to send out an invite to a fake event called WOW IT WORKS. The invite is sent to all of the victim’s friends; in my case, over 1,300 people received the scam invite.
4. The victim’s name is shown on the event as “attending”.
5. The event location is a short URL to a scam Web site that will infect the user’s machine with malware.

TIP: Always check the link and reviews of any app before adding it. If an app has thousands of players, but only a few fans, or hundreds of negative reviews, it’s a scam. It did not come from your friend. Your friend’s account was either unknowingly compromised, or they were tricked by it as well.

Scam Spotting, No. 9: WOW IT WORKS scam. App Page
Click image for full-size version.

Have you seen this scam on Facebook? How did you react?

No related posts.

The Stuxnet worm has been followed by several security experts for weeks now, but only this week are the results coming in and they aren’t good. The worm is far more advanced than anyone suspected. In fact, Roel Schouwenberg, a senior anti-virus researcher at Kaspersky said of the worm, “These guys are absolutely top of the line in terms of sophistication.”

According to Symantec:

Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

Read more at Krebs.

No related posts.

Thought I’d take a minute and send out a reminder about an annoying but necessary topic:  Patching.  There are quite a few patches that have been released in the last few days.  Microsoft, Adobe and Apple are all addressing some serious security issues.  So…Please take some time to update your systems.  It will reduce the likelihood of identity theft and other horrors.

1:  Microsoft OS.  Use the Microsoft updates link in Internet Explorer or visit the Microsoft Update page.  There are approximately 34 updates that are required.  Grab a coffee and sit back.  It takes a while.

2:  Adobe Flash player.  Adobe has been experiencing some serious issues recently and there’s a new one out.  You can either check for the updates button within the adobe applications or visit their website here.

3:  iPhone.  This one is a large download too.  You can access this by connecting your iPhone to your system and in iTunes, select your iPhone.  In the summary page click on the “Check for Update” button.  Instructions are here.

Patching is something many people avoid or ignore.  Treat it like mowing your lawn:  Do it with a beer and it’ll seem like less of a chore.

No related posts.

A strange email scam is making the rounds. It appears to be coming from Evite.com, but none of the recipients know the sender. Sounds like it could just be a case of mistaken identity, but there’s more to it. People who have received the emails have received several in a row, each one addressed to a different person about a different event. The links go to a 404 error page not run by Evite.com.

We’ve only heard of small numbers of people receiving this and no damage has been reported, but we’re keeping our eyes on this one.

No related posts.