Computer News & Safety – Harry Waldron

February, 2017:

Windows 10 Edge – Import favorite sites from other browsers

Below are techniques that allow bookmarks saved in other browsers to be easily imported into the Hub central area.

Did you know you can easily import your favorite sites from other browsers including Chrome, Internet Explorer and Firefox with just two clicks, and see them organized in the Hub? Hub lets you access your favorites, downloads, reading list and history all in one place. To import your favorites, go to the Hub and click Settings on the top right. Select the browser you want to import favorites from and click Import. All your imported favorites will show up in the Hub under the Favorites section.

Security – Danger of Internet connected toys for children FEB-2017

Privacy dangers arise if parents are not careful with controls and supervision, as shared below.

Data from internet-connected smart teddy bears has been leaked and ransomed, exposing children’s voice messages and more than half a million customer accounts, according to a security expert. In a blog post, cybersecurity expert Troy Hunt says that an unnamed source contacted him about a data breach affecting the CloudPets range of stuffed animals. The Bluetooth-connected toys let parents upload and download messages to and from their children via an app.

The CloudPets database had allegedly been left exposed online. “Someone sent me data from the table holding the user accounts, about 583k records in total,” wrote Hunt, in his blog post. “There are references to almost 2.2 million voice recordings of parents and their children.” Hunt added that the information was sent to him by “someone who travels in data breach trading circles,” and said that others had also accessed the information. “The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom,” he wrote.

Steven Malone, director of security product management at security company Mimecast told Fox News that users need to think carefully about the security implications of the Internet of Things, where a wide range of devices are connected to the web. “Just because you can connect a device to the Internet, it doesn’t mean you should!” he wrote.

AMD – New Vega Radeon branded as next generation graphics cards

AMD has shared some of its future plans for the next-generation chipsets in its low-cost graphics card solutions designed for engineers or gamers.

Although we have not yet been given full access to AMD’s upcoming Vega graphics architecture, what the company has provided is the official branding for its new flagship parts. While we all knew that these graphics cards would be based on the Vega architecture, which supersedes Polaris, we didn’t know that “Vega” would actually find its way into the name of shipping parts. Upcoming cards will take on the Radeon RX Vega branding instead of, for example, Radeon RX 470. AMD also showed off the Vega logo.

Radeon RX Vega graphics cards will begin shipping during the first half of 2017 and are still built on a 14nm FinFET process, like their Polaris predecessors. However, AMD is bringing second generation High Bandwidth Memory (HBM2) to the table along with twice the peak throughput per clock compared to previous generation architecture. The Geometry Pipeline, which is now even more efficient, is also joined by a New Compute Unit and next generation Pixel Engine.

Amazon Cloud Services – Recovery from brief outage FEB-2017

Approximately 30% of cloud-based applications are hosted through this facility. A major incident today temporarily impacted websites and users, mostly in the eastern part of the USA.

[RESOLVED] Increased Error Rates

Update at 2:08 PM PST: As of 1:49 PM PST, we are fully recovered for operations for adding new objects in S3, which was our last operation showing a high error rate. The Amazon S3 service is operating normally.

Update at 1:12 PM PST: S3 object retrieval, listing and deletion are fully recovered now. We are still working to recover normal operations for adding new objects to S3.

Update at 12:52 PM PST: We are seeing recovery for S3 object retrievals, listing and deletions. We continue to work on recovery for adding new objects to S3 and expect to start seeing improved error rates within the hour.

Update at 11:35 AM PST: We have now repaired the ability to update the service health dashboard. The service updates are below. We continue to experience high error rates with S3 in US-EAST-1, which is impacting various AWS services. We are working hard at repairing S3, believe we understand root cause, and are working on implementing what we believe will remediate the issue.

YouTube – Over one billion hours viewed daily by all users

As this is one of the most popular free streaming resources on the Internet, users should always be watchful for security threats and abide by the digital laws protecting artists and contributors.

YouTube users are now watching more than a billion hours of videos every single day, the company has announced. Put back-to-back, that’s more than 100,000 years of footage, split between the millions of YouTube users across the world. The company announced the figure in a blog post published on Monday, but said that the billion-hour milestone was actually reached last year. YouTube said that it was now focusing more on the length of time people spent watching YouTube videos, rather than the overall views a video received — an internal decision made “a few years back” that it said would help the company understand if users enjoyed a video in question.

Security – FBI life cycle report for business email compromise

As the frequency and severity of cyber-security attacks are increasing, the FBI has developed excellent documentation and diagrams related to how these threats evolve over time. They begin with a discovery process, followed by targeted attacks that can lead to compromised systems.

Since 2013, when the FBI began tracking an emerging financial cyber threat called business e-mail compromise (BEC), organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world—from non-profits and well-known corporations to churches and school systems. Losses are in the billions of dollars and climbing.

At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.

Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals.

Those techniques include online ploys such as spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware. The perpetrators are so practiced at their craft that the deception is often difficult to uncover until it is too late.

According to the FBI’s Internet Crime Complaint Center (IC3), “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion.”

Malware – Ransomware attacks grow by 50 percent during 2016

In malware, one can “follow the money” when evaluating the most popular attack methods. Unfortunately, highly destructive malware attacks can cause business downtime, permanent loss of data where items are not backed up, or payment of the ransom to get data back again.

Ransomware is the fastest growing malware across industries, up 50% in 2016, compared to 2015, according to new data from endpoint security provider Carbon Black. Criminal use of malicious software to encrypt files or hard drives of unsuspecting victims is so widespread that some states are enacting legislation to make recent ransomware attacks easier to prosecute. In September, California became the latest state to offer specific anti-extortion guidelines to prosecute criminals who demand ransoms, usually in bitcoins, to unlock victims’ systems. But even with the rise in recent ransomware attacks, these viruses represent only a small percentage of total malware.

Malware continued to target all industries in 2016, with manufacturing companies (21.8%), non-profit organizations (16.4%) and utilities and energy (15.6%) hardest hit, according to Carbon Black, which based its findings on data from more than 1,000 organizations, representing 2.5 million endpoints. Of the dozen or more malware families tracked, Locky, which was used in one of four recent ransomware attacks, accounted for 2.17% of total malware.

Password security – 2017 NIST password recommendations for enterprises

This article shares an informative guide to the 2017 NIST password recommendations for protecting corporate systems.

It’s not surprising one of NIST’s first password recommendations is PINs should be six digits long and passwords should be a minimum of eight characters, with a maximum length of 64 for more sensitive accounts. Remembering a password longer than eight characters is not necessarily easy, but NIST’s new guidelines allow the use of all printable ASCII characters, as well as all UNICODE characters, including emoji, to improve usability and increase variety. Combine this with the recommendation that users should be encouraged to create longer phrases instead of hard-to-remember passwords, or passwords based on character swaps, such as “pA55w0rd” — which may appear complex, but, in fact, are not — and it opens the way for long, complex and easy-to-remember passwords.

Also, passwords should no longer be automatically expired after a certain period unless there’s a good reason, such as they have been forgotten, or there’s suspicion they have been phished or stolen and could therefore be subjected to an offline brute-force attack. This would mean there has to be some form of monitoring in place to detect potential compromises.

There is also advice on how to store users’ passwords safely. All passwords must be hashed, salted and stretched when stored. This will dramatically reduce the ability of hackers to cost-effectively crack passwords either in bulk or individually. Systems also need to check new passwords against a dictionary of known bad choices. Administrators need to ensure this dictionary matches its users’ most likely choices, which depending on location and industry, may not necessarily exactly match the world’s 100 most likely passwords; having 100,000 such entries is suggested as a good starting point.
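The acceptance and storage rules described above, as an added example that is not code from the quoted article or from NIST. It assumes PBKDF2-HMAC-SHA256 as the stretching function (the article names no algorithm), an assumed work factor, NFKC Unicode normalization before hashing, and a small constructed blocklist standing in for the suggested 100,000-entry dictionary.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LEN, MAX_LEN = 8, 64      # length bounds quoted in the article
PBKDF2_ROUNDS = 600_000       # assumed work factor; tune to your hardware

# Constructed sample blocklist; a production list would be far larger.
BLOCKLIST = {"password", "pa55w0rd", "12345678", "qwertyuiop", "letmein123"}


def normalize(password: str) -> str:
    """Normalize Unicode so the same passphrase always yields the same bytes."""
    return unicodedata.normalize("NFKC", password)


def check_new_password(password: str, blocklist=BLOCKLIST) -> list:
    """Return a list of policy violations; an empty list means accepted."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:     # len() counts code points, so one emoji counts as 1
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if pw.casefold() in blocklist:
        problems.append("known bad choice")
    # Deliberately no composition rules: any printable ASCII or Unicode is allowed.
    return problems


def hash_password(password: str) -> str:
    """Salt and stretch the password; return 'rounds$salt_hex$hash_hex'."""
    salt = os.urandom(16)     # fresh random salt per password
    data = normalize(password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rounds, salt_hex, hash_hex = stored.split("$")
    data = normalize(password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
```

Storing the round count next to the salt lets the work factor be raised later without invalidating existing records.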

Facebook Security – FBI publishes dangers associated with Romance Scams

The FBI has issued an informative awareness document on the growing dangers of Romance Scams, as follows:

“I’m very active on Facebook,” said the woman, who agreed to share her story in the hopes that others might avoid becoming victims. “I thought it was safe.” After she friended Charlie—without verifying his bogus claim that they had a mutual friend—“he would read my wall, I would read his wall. We would post things, he would like things. Then it got to where we would share e-mails. We started sharing pictures.”

According to the FBI’s Internet Crime Complaint Center (IC3), which provides the public with a means of reporting Internet-facilitated crimes, romance scams—also called confidence fraud—result in the highest amount of financial losses to victims when compared to other online crimes.

Romance scammers often say they are in the building and construction industry and are engaged in projects outside the U.S. That makes it easier to avoid meeting in person—and more plausible when they ask their victims for help. They will suddenly need money for a medical emergency or unexpected legal fee. “They promise to repay the loan immediately,” Beining said, “but the victims never get their money back.”

The scammer’s intention is to establish a relationship as quickly as possible, endear himself to the victim, gain trust, and propose marriage. He will make plans to meet in person, but that will never happen. Eventually, he will ask for money.

In 2016, almost 15,000 complaints categorized as romance scams or confidence fraud were reported to IC3 (nearly 2,500 more than the previous year), and the losses associated with those complaints exceeded $230 million. The states with the highest numbers of victims were California, Texas, Florida, New York, and Pennsylvania. In Texas last year, the IC3 received more than 1,000 complaints from victims reporting more than $16 million in losses related to romance scams.

Security – Google publishes two zero-day Microsoft vulnerabilities

As Google products must be compatible with Microsoft and other vendor software, the Google security research teams give vendors a 90-day period to patch and will automatically publish details once the deadline is reached. While this policy forces vendors to update in the next release, there is some risk in publishing vulnerable code details, which can be exploited in a malware attack while the vendor prepares the finalized release. Google documents that it developed this policy to protect its users on the impacted vendor platforms. Conversely, many security professionals favor only private disclosure.

With Microsoft canceling an update on Feb. 14, the company missed patching two vulnerabilities in time to meet Google’s 90-day deadline. For the second time in as many weekends, Google released details of a security issue in Microsoft’s software, which the Windows maker failed to patch after postponing the release of a regularly scheduled update on Feb. 14.

Google funds a group of researchers known as Project Zero. They publish details of security flaws after giving the software vendors 90 days or less to fix the issues. Both of the vulnerabilities in Microsoft software were found last November and their details scheduled to be disclosed this month. Microsoft typically releases software updates on the second Tuesday of the month, but scrapped plans for a February update—which would have landed on Valentine’s Day—when it detected an unspecified issue with the fixes.

Google did not respond to a request for comment, but Microsoft provided a statement. “We believe in coordinated vulnerability disclosure, as disclosing before a fix is released could put customers at potential risk,” the company stated through a spokesperson. “Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”