Pete Recommends – Weekly highlights on cyber security issues January 5, 2020

Subject: Privacy scare leads Wyze to unpair all devices from Google Assistant and Alexa, you’ll need to add them back
Source: Android Police
https://www.androidpolice.com/2019/12/27/privacy-scare-leads-wyze-to-unpair-all-devices-from-google-assistant-and-alexa-youll-need-to-add-them-back/

Smart home appliance maker Wyze has responded to what it calls an “alleged” data breach against its production databases by logging all users out of their accounts and has strengthened security for its servers. Customers endured a lengthy reauthentication process as the company responded to a series of reports claiming that the company stored sensitive information about people’s security cameras, local networks, and email addresses in exposed databases.

The company said it decided out of caution to adjust access permissions for its databases and wipe all active login tokens — this also cleared users’ Alexa, Google Assistant, and IFTTT integrations as well. Customers who employed two-factor authentication complained shortly after the token refresh that their login attempts were denied due to various errors. Wyze updated its bulletin late last night to report it had fixed the 2FA login process.

Sample category RSS: https://www.androidpolice.com/smart-home/feed/


Subject: Can TSA Take Your Phone? Everything You Need to Know
Source: MakeUseOf
https://www.makeuseof.com/tag/tsa-electronics-rights/

Increased security at US airports has people worried about the security of their mobile devices. But can the Transportation Security Administration (TSA) take and search your phone? Let’s explore if airport security can search your phone, and what to expect if they can.

Explore more about: Smartphone Security, Travel.

RSS https://www.makeuseof.com/service/security/feed/


Subject: Have you taken a look at what Conde Nast, Yelp, Hulu and others grab?
Source: USA Today
https://www.usatoday.com/story/tech/2019/12/28/have-you-taken-look-what-conde-nast-yelp-hulu-and-others-grab/2750460001/

You knew that every time you went online and typed away, companies took every one of your inputs to study, market and share with others. But did you really realize the extent of it?

A new California law, going into effect in January, has produced an avalanche of privacy law updates this week, no doubt flooding your inbox. The changes affect nearly everyone, since all the companies do business in California.

Here’s how Jessica Guynn described the law, in her preview piece this week. The California Consumer Privacy Act “will grant consumers the right to see the personal information that companies collect about them and stop them from selling it.”

The only hitch, as you’ll be able to tell from reading the privacy updates that went out, is this: the process of communicating with the companies and requesting them to stop will not be easy. And it won’t magically stop the firms from grabbing your info and profiting from it.

Have you taken a look at the privacy updates?

I’m assuming you didn’t. Most people don’t. So I did.

see other tech-focused articles:

https://www.usatoday.com/tech/


Subject: Apple News No Longer Supports RSS
Source: Michael Tsai blog via Slashdot
https://news.slashdot.org/story/19/12/27/2122211/apple-news-no-longer-supports-rss

Mac developer Michael Tsai reports that Apple News no longer supports RSS. The news comes from user David A. Desrosiers, who writes: Apple News on iOS and macOS no longer supports adding RSS or ATOM feeds from anywhere. Full-stop, period. It will immediately fetch, then reject those feeds and fail to display them, silently without any message or error. I can see in my own server’s log that they make the request using the correct app on iOS and macOS, but then ignore the feed completely; a validated, clean feed. They ONLY support their own, hand-picked, curated feeds now. You can visit a feed in Safari, and it will prompt you to open the feed in Apple News, then silently ignore that request, after fetching the full feed content from the remote site. Simon Willison, creator of Datasette and co-creator of Django, points out that Apple News still hijacks links to Atom/RSS feeds — “so if you click on one of those links in Mobile Safari you’ll be bounced to the News app, which will then display an error.”

blog posting:
https://mjtsai.com/blog/2019/12/26/apple-news-no-longer-supports-rss/

blog RSS feed 😉
https://mjtsai.com/blog/feed/

Tag Cloud for blog:
https://mjtsai.com/blog/tag-cloud/

RSS article tag:
https://mjtsai.com/blog/tag/rss/


Subject: 7 types of virus – a short glossary of contemporary cyberbadness
Source: Naked Security
https://nakedsecurity.sophos.com/2019/12/28/7-types-of-virus-a-short-glossary-of-contemporary-cyberbadness/
OK, technically, this article is about malware in general, not about viruses in particular.
Strictly speaking, virus refers to a type of malware that spreads by itself, so that once it’s in your system, you may end up with hundreds or even thousands of infected files… on every computer in your network, and in the networks your network can see, and so on, and so on. These days, however, the crooks don’t really need to program auto-spreading into their malware – thanks to always-on internet connectivity, the “spreading” part is easier than ever, so that’s one attention-grabbing step the crooks no longer need to use. But the word virus has remained as a synonym for malware in general, and that’s how we’re using the word here.

So, for the record, here are seven categories of malware that give you a fair idea of the breadth and the depth of the risk that malware can pose to your organisation.

To jump to a specific item, click in the list below:

  1. KEYLOGGERS
  2. DATA STEALERS
  3. RAM SCRAPERS
  4. BOTS, aka ZOMBIES
  5. BANKING TROJANS
  6. RATS (Remote Access Trojans)
  7. RANSOMWARE
  8. WHAT TO DO?

Malware category RSS feed:
https://nakedsecurity.sophos.com/category/security-threats/malware/feed/


Subject: US Army bans soldiers from using TikTok over security worries
Source: Military.com via CNN Wire via WPMT FOX43
https://fox43.com/2019/12/30/us-army-bans-soldiers-from-using-tiktok-over-security-worries/

The US Army has banned the use of the hugely popular short video app TikTok by its soldiers, calling it a security threat. The Army has joined the Navy in barring the use of the app on government-owned phones, following bipartisan calls from lawmakers for regulators and the intelligence community to determine whether the Chinese-owned app presents a threat to national security and could be used to collect American citizens’ personal data. Military.com was the first to report on the decision.

“There was a Cyber Awareness Message sent out on 16 December identifies TikTok as having potential security risks associated with its use,” Army spokesperson Lt. Col Robin L. Ochoa told CNN on Monday night. “The message directs appropriate action for employees to take in order to safeguard their personal information. The guidance is to be wary of applications you download, monitor your phones for unusual and unsolicited texts etc., and delete them immediately and uninstall TikTok to circumvent any exposure of personal information.”

Reuters reported that the Navy also made a similar decision in mid-December, telling sailors that anyone who hadn’t removed the app from their government-issued phone would be banned from the Navy intranet.


Subject: The 5 Best Authenticator Apps for Protecting Your Accounts
Source: Gizmodo
https://gizmodo.com/the-best-authenticator-apps-for-protecting-your-account-1840711013

If you switch on two-factor authentication (2FA) on your accounts—and you really should—then you need something else besides a username and a password when you log in on a new device. That’s where a good authenticator app comes in. Many people will opt for giving the service their phone number so they can be texted a code to authenticate. But text message, or SMS, authentication is easy to hack. There’s also the privacy concern of giving, say Facebook, your phone number. Instead, you should use an authenticator app, which supplies a code via an app on your phone. The app is usually unique to your specific device so hackers will need physical access to get around it, and you’re not having to give up a phone number to big companies who may use it inappropriately.

Some accounts ask you to install a very specific authenticator app, but for others (including Google) you can take your pick: The Android and iOS app stores have a number of options to pick from. If you’ve always defaulted to one authenticator app in particular, it’s worth having a look at what else is around.

Site RSS: https://gizmodo.com/rss

See also A guide to the gadgets, and how to make them work for you:
https://gizmodo.com/c/field-guide


Subject: Chrome extension caught stealing crypto-wallet private keys
Source: ZDNet
https://www.zdnet.com/article/chrome-extension-caught-stealing-crypto-wallet-private-keys/

A Google Chrome extension was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. The extension is named Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), and was launched last month, on December 9. According to an introductory blog post, Shitcoin Wallet lets users manage Ether (ETH) coins, but also Ethereum ERC20-based tokens — tokens usually issued for ICOs (initial coin offerings). Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a Windows desktop app, if they want to manage their funds from outside a browser’s riskier environment….

Topic: Security


Subject: Major US companies breached, robbed, and spied on by Chinese hackers
Source: WSJ via FoxBusiness via https://www.bespacific.com/major-us-companies-breached-robbed-and-spied-on-by-chinese-hackers/

WSJ via FoxBusiness: “The hackers seemed to be everywhere. In one of the largest-ever corporate espionage efforts, cyberattackers alleged to be working for China’s intelligence services stole volumes of intellectual property, security clearance details and other records from scores of companies over the past several years. They got access to systems with prospecting secrets for mining company Rio Tinto PLC, and sensitive medical research for electronics and health-care giant Philips NV. They came in through cloud service providers, where companies thought their data was safely stored. Once they got in, they could freely and anonymously hop from client to client, and defied investigators’ attempts to kick them out for years. Cybersecurity investigators first identified aspects of the hack, called Cloud Hopper by the security researchers who first uncovered it, in 2016, and U.S. prosecutors charged two Chinese nationals for the global operation last December. The two men remain at large. A Wall Street Journal investigation has found that the attack was much bigger than previously known. It goes far beyond the 14 unnamed companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group Inc., one of Canada’s largest cloud companies; Tieto Oyj, a major Finnish IT services company; and International Business Machines Corp…”…

beSpacific Subjects: Cybercrime, Cybersecurity, Intellectual Property, Internet, Knowledge Management, Legal Research, PC Security, Privacy


Subject: Why Abbreviating The Date In 2020 Could Be Risky
Source: CBS Pittsburgh
https://pittsburgh.cbslocal.com/2020/01/03/why-abbreviating-date-2020-could-be-risky/

(CBS Local) — Here’s something to add to your list of new year’s resolutions: don’t abbreviate the year 2020 when signing financial and legal documents. Why? Experts say the date could be easily changed and used against you. Usually when we write the dates of the year, most of us will chop off the first two numbers and write, for example, 3/23/19. But in the year 2020, the experts say everyone should write, for example, the date as 3/23/2020. That’s because if you write 3/23/20, anyone could easily add a couple of digits to make it look like another year in the past or a year in the future, for example, 3/23/2015 or 3/23/2022. Writing the year 2020 in full “could possibly protect you and prevent legal issues on paperwork,” Hamilton County, Ohio, Auditor Dusty Rhodes tweeted on New Year’s Eve.

Posted in: Communications, Cybersecurity, Gadgets/Gizmos, Government Resources, KM, Legal Research, Privacy, RSS Newsfeeds, Search Engines, Social Media, Spyware, Technology Trends, Viruses & Hoaxes