Archive for the ‘Vulnerabilities’ Category

Payment cards that are Near Field Communication (NFC) are experiencing charging errors in the UK

What is NFC you say? It’s a card that is intended to work without it having to touch the card reader. The problem is some people are getting charged twice even though they didn’t take the card out of their wallets or purse. It’s a good idea to get a RFID-shielding cover for your debit / credit cards and your passport. Or you can make a cover from aluminum foil, instructions here http://www.rpi-polymath.com/ducttape/RFIDWallet.php

Note: the cover might not keep the card or passport from being read entirely, but it will cut down on the distance that the contents can be read at.

I do not recommend trying to damage the RFID chip.

This story is a timely reminder to keep an eye on your financial transactions!

What is “medical record theft” and why would someone want to steal your medical information? Simple.

The hospital or clinic a person goes to most likely keeps their records on a computerized system called an “electronic medical record” or EMR. What is a thief looking for? Your medical record contains information like your insurance company information, other identity information, financial information, and drug information. The thieves use this information to steal medical services, obtain prescriptions, and maybe even identity and financial information to use in identity theft.

And what if the hospital or clinic shares information with another business partner, such as a consulting doctor?

Recent health care breaches:

  • 780,000 medical records stolen from the Utah Department of Health on April 9, 2012. The article stated that the cyber-hackers were operating out of Eastern Europe.

What can you do if your records are stolen? Here’s what the FTC recommends: http://ftc.consumerdev.org/bcp/edu/microsites/whocares/medicalidt.shtm

The FTC is holding hearings on Medical ID theft.

References: SC magazine http://www.scmagazine.com/id-thieves-find-gold-in-medical-data/article/236302/

Bitcoin is an open-source, peer-to-peer digital currency, using an MIT license. The site http://bitcoin.org/en/ explains what Bitcoin  is and how to use it. It’s a very cool idea …

So what’s the downside you ask?

All you have to do is Google “Bitcoin issues” and a bunch of hits will come up dated within the last month:

But maybe one of the worst problems of all is an article published on May 2,2013 by Parity News: http://paritynews.com/web-news/item/1034-esea-league-stuffed-bitcoin-mining-code-inside-client-software. It started as an April Fool’s joke, where the E-Sports Entertainment Association (ESEA) League mined Bitcoins from their users by inserting code in their client software. At least, one of their administrators took responsibility for the “joke,” which wasn’t very funny in the end. Several users even claimed that their video cards were damaged because of overheating caused by the ESEA malware.

A cool idea, but maybe not a mature enough technology to use yet. Sometimes it’s a good idea to wait and see, especially if it involves your money or your privacy.

Do you think more public surveillance cameras will make you safer? Will they make you feel safer? Or will they allow the authorities to track down perpetrators more easily? Reason.com’s article “Saying Privacy Is ‘Off the Table,’ NYC Police Commissioner Demands more Surveillance Cameras” is very enlightening.

B-Sides Austin March 21-22, 2013, kicked off the night before with Jeremy Zerechak’s 82-minute documentary about the origins and present reality of computer privacy issues.

Code 2600 introduces modern cyber security via Sputnik and the Cold War which brought about the Defense Advanced Research Projects and the first computer network. The film also weaves in the threads of telephone systems and phone phreaking, and the transmutation of the computer from the behemoths of corporations and governments to the homebrew hacks that birthed the Apple computer. The result was an assault on your privacy which is magnified today by government agencies and private companies that compete for the control of the information that you create about yourself.
Code2600
More subtly, in the Cold War, we could see our attackers. We would know who launched the missiles. Today, the clues left by a cyber-attack are harder to trace. The war is going on right now with the governments of the USA and China hacking each other, as well as Britain hacking Norway. And corporations are really the leading edge players: everyone – civilian or military, government or corporation – uses the same operating systems and applications programs. The military is no longer the leading edge of technology: they buy it from the same places that you do.

The success of AOL was a milestone. When the computer information service bought Time-Warner it heralded the blossoming of the information age. But we are still in the middle of the story. We will not know for 50 years how this plays out.

“What should we be teaching young people about computers?” is the wrong question. Young people should be teaching us about how they use their devices, apps, and media, because that is the future.

Official Movie Trailer on YouTube here.

Ok, now Adobe has released a security update for Flash, which applies to Flash versions for Windows, Macintosh, Linux, and Android operating systems, as well as Google Chrome and Internet Explorer browsers.

  • The version you should be running for Windows and Mac is Adobe Flash Player 11.5.502.149.
  • Linux users should update to Adobe Flash Player 11.2.202.262.
  • If you’re using Google Chrome as your browser, it should automatically update to the latest Chrome version. Chrome’s latest version runs Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.
  • If you’re using Internet Explorer 10 on Windows 8, it will automatically update to the latest version of Internet Explorer, which includes the latest version of Adobe Flash Player, 11.3.379.14 for Windows.
  • Android 4.x devices should be running Adobe Flash Player 11.1.115.37.
  • Android 3.x devices should be running Adobe Flash Player 11.1.111.32.

How to keep up with all these security updates? You have several choices.

  • Sign up for US-CERT email bulletins and follow the instructions.
  • Run Secunia PSI and set it to check for updates weekly.
  • Set Adobe and Java to send you updates automatically. Java will ask you questions; make sure you check for any obnoxious add-ons before you click ok.

In the Adobe security bulletin about this Flash vulnerability that you can read at http://www.adobe.com/support/security/bulletins/apsb13-04.html, Adobe recommends that you verify the version of Flash running on your device.

  • To verify the version of Adobe Flash Player installed on your system, access the About Adobe Flash at http://www.adobe.com/software/flash/about/, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
  • To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

What is Universal Plug and Play? It is a protocol that allows network devices to talk to each other and it often runs on devices unless it is turned off. I have listed a few examples of devices that might have it enabled, which include such devices as home routers, printers, smart TVs, IP cameras, and home automation systems, but there could be many other types of devices that could have it turned on.

The first thing to check is your home router. How do you find out if your router is vulnerable? Rapid7 is a security research firm that has a free website-based tool that will check your router, available here http://upnp-check.rapid7.com/. Click the button “Scan My Router.” You do not have to install any software. It should take about 30 seconds to run.

If you want to check more than your router, there is a program on that page that you can download and run.

There is also a link to a page listing answers to frequently asked questions as well as a link to a more in-depth, technical explanation if  you’re interested.

If you have Java running on your computer, you may have noticed that Oracle–maker of Java–has recently put out a security update for Java. This is a good thing and Oracle got the update out earlier than they had anticpated.

However, what you may not have noticed when you installed the update, is that they include what Ed Botts calls “foistware.” This is because Java includes the Browser Add-on from Ask.com when you update Java unless you specifically UNCHECK the box that gives your permission to install it. If you’re not paying attention, you can accidentally install this lousy toolbar. I’m not a big fan of toolbars anyway, and this one is really bad. You can try it out [don’t click on any sites unless you are absolutely sure you know the site] by going to http://www.ask.com/ and searching for something. You will see a lot of ads–a lot of dubious ads.

For more information, read Ed Botts’ column, http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/.

The important thing: uninstall the Ask.com toolbar if you installed it.