Dangerous Security Bug in iOS and OS X


February 25, 2014: Apple releases update for OS X

Apple: Instructions on updating OS X

Ars Technica: Apple releases OS X 10.9.2, patches SSL flaw and adds FaceTime Audio support

Update iOS NOW!

Apple has released an update to address a very serious security problem with iOS 7 and iOS 6. If you have an iPhone, iPod, or iPad, install the update immediately.

Apple has not yet released an update for OS X, though it promises one shortly. If you use Safari on Mac, consider using Firefox or Chrome instead (though this is not a guaranteed solution). This page will be updated when an OS X update is released.

The vulnerability affects the way SSL connections are verified. In other words, the operating system cannot determine whether a connection to a secure website (e.g. banking, online shopping, Gmail) is genuine. An attacker could impersonate a real website, tricking the user into entering their credentials, or could intercept and read the encrypted traffic between the user and the secure website.

More Information:

Posted in Apple, Safe Computing | Comments closed

Target Credit & Debit Card Data Breach


What happened?

A data breach occurred at Target stores between November 27 and December 15, in which criminals stole 40 million credit and debit card numbers, including customer name, expiration date, and CVV.

Am I at risk?

If you swiped your credit or debit card in a Target store between November 27 and December 15, you are potentially at risk for fraudulent purchases and identity theft.

Online shoppers at Target.com are not affected by this data breach.

What should I do now; how can I protect myself?

Fraudulent Charges: Check your online statements often for fraudulent charges. Criminals will often make a small charge of $1 or $2 to make sure the card works before they go on to buy large items. If you see any strange charges to your account, contact your bank for assistance.

Defend Against Identity Theft: Federal law entitles you to one free credit report every 12 months from each of the three credit reporting agencies (Equifax, Experian, TransUnion). Review your credit reports and contact your bank and credit agencies to correct any mistakes on your report.

Go to https://www.annualcreditreport.com/ to receive all three reports.

Go to FTC.Gov for signs that your identity has been stolen: http://www.consumer.ftc.gov/articles/0271-signs-identity-theft

If you believe you are a victim of identity theft, please contact your local law enforcement and the Federal Trade Commission: www.consumer.gov/idtheft or (877) IDTHEFT (438-4338).

How did this happen?

The cause of the breach is still unreported and unknown. Target, along with third-party investigators and the Secret Service, is currently investigating this data breach.

Related Information

Statement From Target: https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

Mass.Gov Consumer Affairs – Identity Theft Resources: http://www.mass.gov/ocabr/consumer/identity-theft/

OnGuardOnline.Gov: Are you affected by the recent Target Attack: http://www.onguardonline.gov/blog/are-you-affected-recent-target-hack

Sophos.com: Target Confirms 40m filched payment cards: http://nakedsecurity.sophos.com/2013/12/20/target-confirms-crooks-may-have-spent-holiday-shopping-season-feasting-on-40m-filched-payment-cards/

Posted in Malware, Anti-Virus, Phishing, Scams | Comments closed

BBC: the 12 cyber-scams of Christmas


Christmas is a time of celebration and generosity. Unfortunately it is also a time where criminals try to exploit this charity to replace their stockings of coal with your money.

From insecure and fake websites to phishing emails and fake anti-virus alerts, Christmas scams prey on your generosity and kindness. Read these 12 cyber-scams and take a bit of care to make your Christmas and holiday season happy and safe for you and your family.

The BBC: The 12 cyber-scams of Christmas


Image credit: Flickr mccun934

Posted in Malware, Anti-Virus, Phishing, Scams, Safe Computing | Comments closed

Adobe Hack – 38 Million User Records Stolen

On October 3rd, 2013, hackers broke into the Adobe network and stole account details for 38 million active users. This data, including email address, encrypted password, and password hint, has been released to the Internet. Though the passwords were encrypted, Adobe used an insecure method of encryption, and a large number of the passwords have been discovered.

Check to see if your email address was one of the stolen accounts.

Enter your email address here: https://lastpass.com/adobe/

Change your Adobe password and the password for any online accounts that share the same email and password combination.

Password Takeaways:

Nearly 5%, or about 2 million users, had the password “123456”.

Many of the password hints reference “family member name”, “birthdate”, “pet name”, or “same as all other accounts”. The last hint highlights the reason why these types of breaches are so dangerous. Unfortunately, it is common for people to use the same email and password for multiple online accounts.

When one user account gets compromised, all other accounts that use the same email address and password are compromised as well.

The top 10 passwords used by Adobe users (rank, number of users, password):

1. 1,911,938 123456
2. 446,162 123456789
3. 345,834 password
4. 211,659 adobe123
5. 201,580 12345678
6. 130,832 qwerty
7. 124,253 1234567
8. 113,884 111111
9. 83,411 photoshop
10. 82,694 123123

Online Safety

  • Create strong passwords unlike the ones on this top 100 list.
  • Use different passwords for different accounts
  • Do not use the same password for your bank as your Facebook or Twitter accounts
  • Use a password manager such as KeePass or LastPass to store all your passwords

Posted in Safe Computing | Comments closed

Holiday and Black Friday Cyber Scams and Malware

US-CERT and McAfee have released their annual warning about holiday season phishing scams and malware campaigns. Criminals love this time of year because people are more open to being tricked by scams if they involve a holiday theme and message. Black Friday and Cyber Monday offer many opportunities for scammers to deceive online users.

You may be in the giving spirit but that probably does not include giving your credit card number and personal information to criminals.

Watch out for the following scams:

Electronic greeting cards or shipping notification emails that may contain malware: Malware such as the very dangerous CryptoLocker is hidden in email attachments. It is not a stretch to add a holiday theme to these emails to lure and trick the user into opening the attachment.

Learn about: phishing emails

Get: free Anti-Virus software

Online Shopping Scams: Online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers: Fake online shopping sites rapidly appear this time of year. Remember, if a deal is too good to be true, it is probably a scam.

Learn how to spot: a fake online shopping website.

Gift Card Scams: Once again, if a deal is too good to be true, it is probably a scam. Watch out for fake websites selling discounted gift cards or offers to win a gift card. These sites are designed to steal your credit card and personal information.

Only purchase gift cards from reputable websites like Amazon.com and Newegg.com or directly from the retailer to avoid the criminals.

Charity Scams: Requests for charitable contributions may be phishing scams and may originate from illegitimate sources claiming to be charities: It is a sad fact that criminals prey on the generosity of others. Before you give to a charity, first verify that it is a legitimate organization and not a scam.

Research the charity at:


McAfee’s Online Safety Tips for the Top 12 Holiday Scam

Holiday Season Phishing Scams and Malware Campaigns

image credit: www.fbi.gov

Posted in Malware, Anti-Virus, Phishing, Scams | Comments closed

Phishing Email 11/12/2013: Important – New Outlook Settings

The following phishing email has been received by members of the Northeastern community. The email includes an attachment, Outlook.zip, which contains an exe file designed to install malware on your computer.

If you receive this email, please delete it immediately. Do NOT open the zip file attachment.

Contact the Service Desk, 617-373-4357 if you have any questions.

From: “Administrator Administrator”@nunet.neu.edu
mailto:”Administrator Administrator”@nunet.neu.edu
Sent: Tuesday, November 12, 2013 10:21 AM
To: xxxx
Subject: Important – New Outlook Settings

Attached Email Body

Please carefully read the attached instructions before updating settings.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQAx

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@nunet.neu.edu and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

And there are 2 attachments, a text file and a zip file both attached to this ticket.

Posted in Malware, Anti-Virus, Phishing, Scams | Comments closed

CryptoLocker Prevention Updated

The CryptoLocker Ransomware is continuing to spread, encrypting the data of innocent users.

Security researcher Brian Krebs has released a post with a couple of good resources to help prevent infection including:

  • Group Policy to block CryptoLocker across a domain
  • CryptoPrevent, a small utility to stop CryptoLocker on an individual computer
  • Back up data to a cloud service in the event that your local copy gets corrupted

Krebs on Security: How To Avoid CryptoLocker Ransomware

Additional Tips for Prevention:

  • Run up-to-date anti-virus software (there have been reports that Windows Defender does not stop CryptoLocker). Install one of these third-party software packages.
  • Keep Windows up to date with software and security patches
  • Keep Java and Adobe Acrobat reader up to date with software patches
  • Uninstall Java if you do not need it
  • Do not open unsolicited email attachments

Here are more tips on how to avoid malware on your computer.

Posted in Malware, Anti-Virus, Phishing, Scams | Comments closed

Northeastern University Purchasing & Accounting Spear Phishing Email

The Service Desk has received reports of a spear phishing email supposedly sent from the Northeastern Procurement Department. This email did not originate from Northeastern University. It is fraudulent, using real employee information to trick the reader into giving out information for a credit account.

If you receive the following email, please disregard it and delete it from your inbox. Do not reply; it is a fake.

From: Jim [redacted] [mailto:jim[redacted]@north-eastern-university.org]
Sent: Thursday, October 31, 2013 3:13 AM
To: contracts@[redacted].com
Subject: Account Setup.

Hello Sales,

I am Jim [redacted],Purchasing & Accounting Services at Northeastern University,it’s my pleasure to inform you that our Uuniversity have chosen to do business with your organization on net term, do let us know if it’s acceptable with your organization and how to open a credit (Net Term) account in your organization.

Thanks for your anticipated response.

Jim [redacted] ,.
Assistant Director, Procurement Services, Accounts Payable Officer
Northeastern University
360 Huntington Ave,
Boston, Massachusetts
02115, United States.

Posted in Malware, Anti-Virus, Phishing, Scams | Comments closed