Tag Archive for Data breach

5 Reasons to Never Unsubscribe from SPAM Email

We all get unsolicited commercial emails, aka SPAM. Cisco’s Talos estimates that in January 2021, 86% of emails sent were SPAM. That means that of the almost 145 billion emails sent, 122 billion were SPAM. The math works out to over 6 SPAM emails for each legitimate email. At best, SPAM is annoying. At its worst, SPAM is a threat to your PC and your personal information: 94% of malware is delivered by email, and one in every 3,000 email messages contains a malware payload.

SPAM email is big business

SPAMers can make millions per year. TechRadar says an average full-time SPAMer makes around $7,000 a day – over $2.5 million a year. They can make this kind of money because SPAM costs them very little to send. Most of the cost of SPAM is paid by the recipients and the carriers; the SPAMers do not pay for the internet bandwidth tied up in delivering their messages. SPAMers send out millions of messages on behalf of online merchants who want to sell a product. They get paid for sending the messages regardless of whether recipients buy any of the advertised products. They also re-sell their SPAM email lists to other SPAMers; a list of stolen email credentials can fetch up to $22,000. In some cases, these cybercriminals also get a percentage of the sale. For pharmaceuticals, the commission can be as high as 50%. A good example is “penis-related spam”, which has a 5% click rate, meaning that 5% of the recipients actually open the message and click on the link in it.

Why you get SPAM emails

There are a number of reasons why you get SPAM emails.
  1. You are the victim of a data breach. Any company you do business with could be vulnerable. Check haveibeenpwned to see if your account has been compromised – smaller breaches might not be listed.
  2. You posted your email address online. You put it on Facebook or other social media, on a website, or as a public comment. Once on the web, your email is considered fair game for SPAMers.
  3. At some time you opted in or neglected to opt out. When you signed up for something, buried somewhere was that little checkbox, and you didn’t indicate you’d rather be left alone. The service you opted into is either inundating you itself or has shared your email address with interested parties.

Never unsubscribe from a SPAM email

So how do you stop SPAM from flooding your inbox? The first step is to not unsubscribe from SPAM. Ignore the convenient “unsubscribe” button at the bottom of the message from the Nigerian prince. The “unsubscribe” button is a scam: the cyber-criminals use it to get more info about you and to increase the number of SPAM emails you receive.

1. When you unsubscribe, you confirm to the sender that your email address is valid and in active use. SPAMers now know the account is active, and the volume of SPAM you receive will most likely go up. Having validated your address, the SPAMer will sell it to his SPAMer friends, and you will get SPAM from completely new sources.

A Federal Trade Commission study found that more than half the time, responding to a “remove me” option resulted in either no change or more spam emails.

2. In addition to giving away your email address, unsubscribing delivers lots of information about your email software. Emails contain meta-information that hackers can use to devise attacks.

3. When you respond to the SPAM email, SPAMers think you are interested in the subject matter—whether it’s getting money from a foreign prince, a penny stock tip, or a diet supplement.

4. If your response opens up a browser window, you’re giving away even more information about yourself. By opening a browser SPAMers learn information about your:

    • Geographic location,
    • Computer operating system,
    • Web browser.

Additionally, the SPAMer can set a cookie in your browser. A cookie allows the attacker to track you across any other websites they own, and they will be able to identify you personally.

5. Worst of all, if you visit a website owned by a spammer, you give them a chance to install malware on your computer, even if you don’t click anything. These attacks, known as drive-by downloads, can be tailored to use exploits the SPAMer knows you’re vulnerable to—thanks to the information you’ve shared about your operating system and browser.
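Where the per-recipient identifier hides in a SPAM message, shown on a constructed example (added here, not code from the original post; the sender domain, addresses and the token are made up):

```python
"""Why an unsubscribe click confirms your address: the links in the message
carry a token unique to the recipient. Added example; the message is constructed."""
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample SPAM message: the domains and the token are made up.
RAW_SPAM = """\
From: "Deals" <promo@example-spam.test>
To: victim@example.com
Subject: You have won
List-Unsubscribe: <https://track.example-spam.test/u?uid=8f3c2a9b7d1e4f60a1b2c3d4e5f6a7b8>
Content-Type: text/html

<html><body>
<p>Click <a href="https://track.example-spam.test/go/8f3c2a9b7d1e4f60a1b2c3d4e5f6a7b8">here</a>.</p>
<p><a href="https://www.example.com/about">About us</a></p>
<img src="https://track.example-spam.test/open.gif?uid=8f3c2a9b7d1e4f60a1b2c3d4e5f6a7b8" width="1" height="1">
</body></html>
"""

# A per-recipient token looks like a long opaque run of hex/base64 characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


def extract_urls(raw):
    """Return (kind, url) pairs for the unsubscribe header, body links and 1x1 pixels."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls = [("header", u) for u in re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    urls += [("link", u) for u in re.findall(r'href="([^"]+)"', body)]
    urls += [("pixel", u) for u in re.findall(r'<img[^>]*src="([^"]+)"[^>]*width="1"', body)]
    return urls


def has_recipient_token(url):
    """True if any path segment or query value is an opaque identifier."""
    parsed = urlparse(url)
    candidates = parsed.path.split("/")
    for values in parse_qs(parsed.query).values():
        candidates += values
    return any(TOKEN_RE.fullmatch(c) for c in candidates)


def analyze(raw):
    """(kind, url, identifies_recipient) for every URL found in the message."""
    return [(kind, url, has_recipient_token(url)) for kind, url in extract_urls(raw)]


if __name__ == "__main__":
    for kind, url, tracked in analyze(RAW_SPAM):
        print(f"{kind:6} {'identifies you' if tracked else 'plain'}  {url}")
```

The same token sits in the unsubscribe header, the body link and the tracking pixel, so any of the three tells the sender which address was hit.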

How to stop SPAM email

Use SPAM filters – SPAM filters work by looking at the nitty-gritty technical details of the email. What it’s about. What it says. How it says it. How many other people are getting that same email message? If it looks like SPAM, then the email is placed in your SPAM or junk mail folder instead of your inbox. If you’re using webmail like Gmail, Outlook, or Yahoo!, then you already have a pretty good SPAM filter. Gmail claims that its machine learning SPAM filtering algorithms are 99.9% accurate.

You can improve on the default SPAM filter by training it: report SPAM every time you find it in your inbox. Whether you use Gmail, Yahoo, Outlook, or Thunderbird, take the time to learn and understand its SPAM filtering features. When you flag an email as SPAM, your email app uses that information to refine its filter, so it automatically gets better at detecting SPAM in the future. The improvement can also be global, if enough other people flag the same kind of message. Keep flagging SPAM emails and the number of SPAM emails in your inbox should decrease – perhaps dramatically – over time.
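What "report SPAM" does to a word-based filter, on a tiny naive-Bayes model (added example, not the original post’s code or any provider’s filter; the training messages, the missed message and the variant are constructed):

```python
"""A minimal naive-Bayes SPAM filter that learns from the "Report spam" button.
Added example, not code from Gmail or any provider; all messages are constructed."""
import math
import re
from collections import Counter


def tokens(text):
    """Lower-cased word set: "what it says" is all this filter looks at."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class SpamFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokens(text))

    def report_spam(self, text):
        """What the "Report spam" button does: feed the message back as SPAM."""
        self.train(text, "spam")

    def spam_probability(self, text):
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        total = sum(self.doc_counts.values())
        log_score = {}
        for label in ("spam", "ham"):
            # Prior: share of training messages with this label (smoothed).
            log_score[label] = math.log((self.doc_counts[label] + 1) / (total + 2))
            for word in tokens(text) & vocab:
                # Laplace-smoothed P(word present | label).
                p_word = (self.word_counts[label][word] + 1) / (self.doc_counts[label] + 2)
                log_score[label] += math.log(p_word)
        # Convert the log-odds into P(spam).
        return 1.0 / (1.0 + math.exp(log_score["ham"] - log_score["spam"]))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed corpus standing in for mail the user has already sorted.
HAM = ["lunch meeting tomorrow at noon",
       "the quarterly report is attached",
       "can you review my pull request"]
SPAM = ["win a free prize click here now",
        "cheap pills order now free shipping",
        "you have won a lottery prize click"]
# A new campaign that shares a word with legitimate mail and slips through.
NEW_MSG = "work from home and earn weekly, meeting not required"
# A follow-up from the same campaign, sent after the first was reported.
VARIANT = "earn weekly from home, work not required"


def build_filter():
    f = SpamFilter()
    for text in HAM:
        f.train(text, "ham")
    for text in SPAM:
        f.train(text, "spam")
    return f
```

Before the report NEW_MSG scores about 0.33 (it lands in the inbox); after one report it scores about 0.98, and the reworded VARIANT is caught too, which is the "gets better in the future" effect the post describes.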

Stay safe out there!

Related article

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

These Passwords are Not Protecting Your Info

It is 2020, and among all the other things going on during this dumpster-fire of a year, passwords are still a problem. According to a list of the 200 worst passwords of 2020 from NordPass, millions of people are still using “123456” and “password” as part of their login credentials. These passwords are the worst you can use, year in and year out; they have been the worst since I started tracking them on the Bach Seat in 2011. “123456” alone has been breached more than 23 million times, according to NordPass. To protect your data, stop using “123456” and “password.”

Half of the top 25 passwords are new offenders for 2020. But NordPass says any of the top 25 bad passwords typically takes less than a second to crack. Don’t be fooled – using some variation of the number bar, such as “000000” or “123123”, does not add extra security to your account. Similarly, any adjacent-key letter combo you are using, such as “qwertyuiop” or “asdfghjkl”, can be cracked in less than a second, the company said.

2020's Worst Passwords

2020 Rank  Password     Change from 2019
        1  123456       -
        2  123456789    -
        3  picture1     New
        4  password     -
        5  12345678     +1
        6  111111       +3
        7  123123       +3
        8  12345        -1
        9  1234567890   New
       10  senha        New
       11  1234567      -6
       12  qwerty       -9
       13  abc123       -2
       14  Million2     New
       15  000000       New
       16  1234         New
       17  iloveyou     -9
       18  aaron431     New
       19  password1    New
       20  qqww1122     New
       21  123          New
       22  omgpop       New
       23  123321       New
       24  654321       New
       25  qwertyuiop   -10

Methodology: The list of passwords was compiled by NordPass, which sells a password manager, in partnership with a third-party company specializing in data breach research. They evaluated a database that contained 275,699,516 passwords in total.
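A check for the patterns behind the list above: an exact hit on the top 25, a number-bar run, a repeated block like “000000” or “123123”, and an adjacent-key walk like “qwertyuiop” (added example, not NordPass’s code; the 25 passwords are the ones in the table, the keyboard rows are a US QWERTY layout assumed here):

```python
"""Flag the password patterns behind the 2020 list: an exact hit, a character run,
a repeated block, or a keyboard walk. Added example, not NordPass's code; the 25
passwords are taken from the table in the post."""

WORST_2020 = [
    "123456", "123456789", "picture1", "password", "12345678", "111111",
    "123123", "12345", "1234567890", "senha", "1234567", "qwerty", "abc123",
    "Million2", "000000", "1234", "iloveyou", "aaron431", "password1",
    "qqww1122", "123", "omgpop", "123321", "654321", "qwertyuiop",
]
# Rows of a US QWERTY keyboard (assumed layout), used to spot adjacent-key combos.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_sequence(s, min_len=4):
    """True if s is consecutive ascending or descending characters (123456, 654321)."""
    if len(s) < min_len:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def is_repeated_block(s):
    """True if s is one short block repeated at least twice (111111, 123123)."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    return False


def is_keyboard_walk(s, min_len=4):
    """True if s runs along a keyboard row in either direction (qwertyuiop)."""
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weaknesses(password):
    """Every list-style pattern the password matches; empty means none matched."""
    p = password.lower()
    found = []
    if p in {w.lower() for w in WORST_2020}:
        found.append("in 2020 worst-25 list")
    if is_sequence(p):
        found.append("sequential characters")
    if is_repeated_block(p):
        found.append("repeated block")
    if is_keyboard_walk(p):
        found.append("keyboard walk")
    return found
```

Note that “asdfghjkl” is not in the top 25 but is still caught, which is the point the post makes about adjacent-key combos.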

Stay safe out there!


Does that Doggy E-Toy Protect Privacy?

Thanks to COVID, it is the virtual silly season. No more jamming into malls; it is online shopping now. Half of shoppers spend some of their money on pet treats and other supplies this holiday season. If your virtual gift list includes presents for your four-legged buddy, be careful: there are some puppy toys out there that can compromise your privacy while Fido is entertained. Mozilla’s “Privacy Not Included” project analyzed the security of pooch-gifts, and the results are not good for your privacy.

All of these pet gadgets can become part of the Internet of Things (IoT), which interconnects them. For example, IoT connects the camera in your living room with the smartphone on your desk, allowing you to monitor your pet while you’re at work. IoT enables the collection and interconnection of data, which is extremely important when considering your safety and privacy.

Dogness iPet Robot – This doggy toy costs $299.00 and has all the bells and whistles to keep Fido entertained. It moves and chases your pooch. It has an HD video camera with night vision to record your pup, two-way audio to talk to your doggo, a laser to chase, and the ability to toss treats to your buddy with the click of a button in the app. The iPet Robot connects over Wi-Fi so your home network better be secure – otherwise, somebody could take over the rolling spybot and catch your pooch – or you – in a compromising position.

The Dogness iPet Robot also comes with Mozilla’s “*Privacy Not Included” warning. The bot can roll around your house with a night vision camera and microphone while connected to Wi-Fi. Mozilla says that both the Dogness device and app can snoop on you. The researchers report the device doesn’t encrypt your data. Dogness doesn’t state what information is collected from the robot, or what they do with it. Dogness uses artificial intelligence, but the reviewers could not determine how the firm uses AI.

If that is not scary enough, in March 2020, it was reported that Dogness left its Amazon ElasticSearch server exposed, containing the usernames, emails, clear-text passwords, and session cookies of its users. The unprotected information has led to the complete exposure of its production SQL database and application source code and the complete takeover and control of its pet feeding devices and associated accounts.

Mozilla could not determine if the Dogness iPet Robot meets its Minimum Security Standards.

Cheerble Wickedbone Interactive Gaming Toy For Dogs – This $78.99 interactive bone is next on the naughty list. You control it through an app on your phone that connects over Bluetooth. From the app you can make the bone roll around and change colors. When you get bored, a 20-minute interactive mode can entertain your pup without you.

The app requires access to your phone’s GPS location data—why? That’s a good question. Additionally, the reviewers could not determine whether the firm encrypts your data, requires strong passwords, or uses AI to make decisions about you. And like most IoT devices, it doesn’t seem to have a way to manage security vulnerabilities. Mozilla says this pet toy does not meet its Minimum Security Standards for these reasons.

Fitbark GPS – I first wrote about Fitbark back in 2013. The Fitbark GPS costs $99.95 plus a subscription plus the cost of Verizon’s LTE-M cellular network coverage. It is a bone-shaped tracking device that goes on your dog’s collar and will track her just about anywhere in the U.S. It also connects to Wi-Fi.

The Fitbark monitors your dog’s activity, sleep habits, scratching habits, and stress 24/7. You can link it to your FitBit, Google Fit, or Apple HealthKit apps and you can stress about your doggo’s health too.

Mozilla reports that Fitbark tracks your dog’s movements and whereabouts with Bluetooth, Wi-Fi, and GPS. With all that tracking, an attacker could keep tabs on you or your pup. The app does collect personal data, including name, email, phone number, address, date of birth, profile photo, dog’s health, and biometric data.

Felik Pet Companion – This mouse-shaped bot costs $129.00. It has a camera and artificial intelligence that tracks your pet, learns from their movements, and reacts to how they hunt so it can simulate real prey. Felik connects to the Wi-Fi in your house and has an app where you can schedule play throughout the day.

Mozilla says the firm seems to take privacy and security seriously. They built security and privacy-aware features into the dog toy, like the ability to toggle Wi-Fi on and off with a physical button, an indicator light when the camera is streaming, and even an on-device firewall.

Since it has a camera and a microphone, it could be used to snoop on you. The app tracks your location. The product uses AI to analyze your personal data to make decisions about you. However, users can request an explanation of any decision taken as a result of automated decision-making by contacting Felik.

rb-

The Felik Pet Companion is the only online dog-toy that I would allow in my home.

The Mozilla *Privacy Not Included buyer’s guide investigates the privacy and security of connected toys, gadgets, and smart home products. They flag products they think consumers should think twice about before buying. Mozilla looks at how well they can confirm a product meets a Minimum Security Standard.

 

Stay safe out there!


Data Privacy End Run

In an attempt to end-run stricter data privacy regulation, the Business Roundtable, an association of CEOs of America’s largest companies, sent an open letter to the U.S. House and Senate urging the politicians to pass a comprehensive national data privacy law. According to CircleID, the heart of the letter is the creation of federal privacy laws that the companies argue should replace the various state-level laws that have already been passed.

The CEOs want one law that governs all user privacy and data protection across the U.S., which would simplify their lives. From the letter:

Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws.

Among the items hidden deep in the CEOs’ “consumer privacy framework [more here]” are some onerous provisions:

  • Private individuals should not be allowed to sue companies if those companies violate the data privacy law itself,
  • Potential pay-for-privacy schemes, and
  • Overriding existing state data privacy protections already signed into law.

The Data Privacy Blog points out that in 2019, a number of states passed new and expanded data breach notification laws, including:

  • California,
  • Illinois,
  • Maine,
  • Maryland,
  • Massachusetts,
  • New Jersey,
  • New York,
  • Oregon,
  • Texas, and
  • Washington.

Also, since July 1, 2019, Delaware, New Hampshire, and Connecticut have enacted laws imposing new cybersecurity requirements on insurance companies.

ZDNet points out that many privacy advocates (and even some tech CEOs) believe the CEOs aren’t really looking after users’ interests, but their own. There’s a belief that companies are trying to aggregate any privacy lawmaking in Congress, where lobby groups can water down any meaningful user protections that may impact bottom lines. Open Secrets reports that the Business Roundtable has spent over $6.6M lobbying in D.C. so far in 2019. As followers of the Bach Seat know, money talks and citizens walk in D.C.

Among the CEOs involved in the end run were:

The Data Privacy Blog points out the coincidence that the CEOs’ framework comes just months before the California Consumer Protection Act is set to go into effect in 2020.

Followers of the Bach Seat know many companies make money by selling customers’ personal or device-usage data. Privacy policies with too many teeth could prevent companies from selling your data to pay the CEOs’ average salary of $17.2M. The LA Times reports that compensation for American chief executives increased by 940% from 1978 to 2018, while pay for the average worker rose only 12% over the same 40-year period.

rb-

It seems to me that the goal of this proposal from the leading CEOs is not to protect our privacy. Their goal is to centralize the rule-making in the D.C. swamp and throw money at the politicians to do the Business Roundtable’s bidding. Then the CEOs will be able to maintain the status quo and normalize the existing digital surveillance system that serves them well.

The CEOs’ sudden interest in data privacy has more to do with the growing wave of real reform at the state level, and the calculation that Trump will be booted from office and a less business-friendly POTUS will take his place in 2020, than with citizens’ privacy.

The digital rights organization Electronic Frontier Foundation supports a private right of action for any national consumer privacy law, as such a right would further enable members of the public to fight back against companies that violate the law.

The EFF wrote that the best way to protect ordinary people’s privacy is action:

It is not enough for government to pass laws that protect consumers from corporations … to ensure companies do not ignore them … empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights.

Signatures from Facebook CEO Mark Zuckerberg and Apple CEO Tim Cook were notably absent from the list although both have, in the past, supported a comprehensive federal privacy law.


$2.9M Per Minute Lost to Cybercriminals

Updated 10/27/2019 – On October 22, 2019, the FBI issued a warning about cybercriminals running e-skimming attacks, also known as Magecart attacks. These attacks have been happening since 2016 but intensified during 2018 and 2019. They started out by exploiting vulnerabilities in open-source e-shopping platforms. However, over the past two years, attackers have evolved their methodology, and any online store is now susceptible, regardless of whether it runs on top of an open-source platform or a cloud-hosted service.

Cybercriminals cost the global economy $2.9 million every minute of 2018. This shocking statistic comes from RiskIQ’s latest Evil Minute report. RiskIQ specializes in online attack surface management, providing threat discovery, intelligence, and mitigation. The San Francisco, CA-based firm calculates that a total of $1.5 trillion was lost to cyber-criminals in 2018. Some of the more ominous info-bits they presented include:

  • $25 per minute: the cost to top companies due to security breaches
  • $17,700: lost to phishing attacks per minute
  • $22,184: the projected by-the-minute cost of global ransomware events in 2019

Other statistics include:

  • 8,100: identifier records compromised every minute
  • 2.4: phish traversing the internet per minute
  • 0.32: blacklisted apps by-the-minute
  • 0.21: Magecart attacks detected every minute

Lou Manousos, CEO of RiskIQ, said in the presser, “As the scale of the internet continues to proliferate, so does the threat landscape.”

Magecart hacks

The report specifically calls out attacks that target e-commerce, focusing on the Magecart hacks. Magecart hacks have increased by 20% in the last year. By some estimates, the Magecart supply chain attacks have resulted in the theft of more credit card information than the more infamous breaches at Home Depot and Target. According to reports, Magecart was behind the 2018 cyber-attacks on British Airways and Ticketmaster, which together compromised the info of over 425,000 of the firms’ customers.

A Magecart attack is a credit card skimmer that intercepts card numbers and details when a payment card is used at the point of sale. Unlike gas pump or ATM skimmers, there is almost no way for a consumer to tell that Magecart skimming is about to take place. There is no physical manifestation of Magecart, and it is not always easy to catch, because it takes advantage of universal code and other applications not typically related to payments.


Magecart is a consortium of at least six different hacking groups that target flaws in online shopping cart systems. The attackers favor Magento, an open-source e-commerce platform written in PHP, for stealing customer payment card information. At least initially, attackers exploited a PHP Object Injection flaw (CVE-2016-4010) in the popular online shopping cart.

To run this compromise, the Magecart attacker substitutes a piece of JavaScript code, either by altering the Magento source code or by using an injection to redirect the shopping cart to a website that hosts the malware, which steals the credit card and user information.
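One way a shop can catch that substitution from the defender’s side: record the scripts a known-good checkout page loads, then compare every later copy of the page against that baseline (added example, not Magento’s or RiskIQ’s code; both pages, all hostnames and the injected line are constructed placeholders):

```python
"""Detect a Magecart-style script substitution on a checkout page by comparing
every <script> tag against a baseline of allowed hosts and inline-script hashes.
Added example, not Magento's or RiskIQ's code; both pages below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# The checkout page as deployed (constructed; hostnames are placeholders).
GOOD_PAGE = """<html><head>
<script src="https://shop.example.com/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/card.js"></script>
<script>
  window.checkoutConfig = {currency: "USD", step: "payment"};
</script>
</head><body><form id="card"></form></body></html>"""

# The same page after a compromise: one foreign script added, the inline one edited.
COMPROMISED_PAGE = """<html><head>
<script src="https://shop.example.com/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/card.js"></script>
<script src="https://static.skimmer-placeholder.test/jquery.min.js"></script>
<script>
  window.checkoutConfig = {currency: "USD", step: "payment"};
  window.checkoutConfig.hook = 1; /* constructed placeholder, no skimmer logic */
</script>
</head><body><form id="card"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect [src, inline_body] for every <script> on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = [dict(attrs).get("src"), ""]
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def digest(body):
    return hashlib.sha256(body.strip().encode()).hexdigest()


def baseline(html):
    """Allowed script hosts and inline-script hashes, taken from a known-good page."""
    scripts = collect(html)
    hosts = {urlparse(src).netloc for src, _ in scripts if src}
    hashes = {digest(body) for src, body in scripts if not src}
    return hosts, hashes


def audit(html, allowed_hosts, allowed_hashes):
    """(reason, detail) for every script that deviates from the baseline."""
    findings = []
    for src, body in collect(html):
        if src and urlparse(src).netloc not in allowed_hosts:
            findings.append(("unexpected external script", src))
        elif not src and digest(body) not in allowed_hashes:
            findings.append(("modified or injected inline script", digest(body)))
    return findings
```

Run as a scheduled check against the live checkout page, this flags both of the substitution routes the paragraph describes: a redirect to a foreign host and an edit to the shop’s own script.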

RiskIQ CEO Manousos warns:

Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies.

 


rb-

Firms that fall victim to attacks don’t just lose card info. They also lose time and productivity. Restoring hacked data and systems takes time and resources. The damage to a company’s reputation can cost it new and existing customers. Then there are the legal penalties from PCI, HIPAA, and the courts that come with mishandling customer information.

Like I keep saying – time to go back to the cash economy.
