Advertisers Still Want to Know Who You Are, What You Are Doing

As more users install ad blocking software and browsers such as Firefox and Safari start blocking some ad trackers by default, advertisers decided to come up with a new solution to track everything you do.

This new technique is a bit technical, but I will try to keep it high level.

Typically, the company tracking you is a separate company from the company whose website you are visiting, because people want to know not only what you are doing on their website but also what you are doing on every other website in the world.  This logic is what created the third party ad tracking business.

But if you are visiting ABC.COM, browsers can tell when that web page makes a request for some data from XYZ.COM – a third party.

Those requests come in many forms.  It could directly load data from or save data to that third party.

Or it could save a “cookie” from that third party with information associated with the site you are visiting so the ad tracking company can track you everywhere.

As people have become smart to this and taken anti-tracking measures, advertisers tried Adobe Flash cookies.  That didn’t work well because many people (like me) think Flash is insecure and even Adobe is killing it in December 2020.

So the ad trackers came up with a new idea.

If ABC.COM wants to track you, the ad tracking company asks ABC to create a new subdomain, say and point that subdomain to the tracking service.  Since the core part of is still, it doesn’t look to the browser like there are any third parties.  But since the tracking company runs, they can collect whatever data they want.

It turns out that it is possible, with some work, to block this if you use Firefox, but not with any other browser.  Most browser makers are in the business of selling your data, so they are a bit conflicted.

In fact, a Google search provides lots of articles on how to do this yourself.
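
What a blocker has to do to catch this, as an added example that is not from the original post: follow the subdomain's CNAME chain and compare where it ends up with the site's own domain and a tracker list. The hostnames, DNS records, blocklist and function names are all constructed, and the last-two-labels domain check is a simplifying assumption (real tools use the Public Suffix List).

```python
"""Added example: spotting a tracker hidden behind a first-party subdomain."""

# Constructed DNS data (name -> (record type, value)); nothing is resolved live.
SAMPLE_DNS = {
    "www.abc.example": ("A", "192.0.2.10"),
    "metrics.abc.example": ("CNAME", "abc.collect.tracker.example"),
    "abc.collect.tracker.example": ("CNAME", "edge7.tracker.example"),
    "edge7.tracker.example": ("A", "198.51.100.7"),
    "cdn.abc.example": ("CNAME", "abc.cdn-host.example"),
    "abc.cdn-host.example": ("A", "203.0.113.5"),
    "loop.abc.example": ("CNAME", "loop.abc.example"),  # misconfigured loop
}
TRACKER_BLOCKLIST = {"tracker.example"}  # constructed blocklist entry


def normalize(host):
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Assumption: last two labels. Real code must use the Public Suffix List."""
    return ".".join(normalize(host).split(".")[-2:])


def on_blocklist(host, blocklist):
    """True if host equals a blocklisted domain or is a subdomain of one."""
    host = normalize(host)
    return any(host == d or host.endswith("." + d) for d in blocklist)


def cname_chain(host, records, max_hops=8):
    """Names visited while following CNAMEs from host (loop and depth safe)."""
    chain = [normalize(host)]
    while len(chain) <= max_hops:
        rtype, value = records.get(chain[-1], (None, None))
        if rtype != "CNAME" or normalize(value) in chain:
            break
        chain.append(normalize(value))
    return chain


def classify(page_host, request_host, records, blocklist=TRACKER_BLOCKLIST):
    """Label a request the way a CNAME-aware blocker would see it."""
    site = registrable_domain(page_host)
    if registrable_domain(request_host) != site:
        return "third-party"  # ordinary third-party rules already apply
    targets = cname_chain(request_host, records)[1:]
    if any(on_blocklist(t, blocklist) for t in targets):
        return "cloaked-tracker"  # looks first-party, served by a tracker
    if any(registrable_domain(t) != site for t in targets):
        return "external-cname"  # e.g. a CDN: not listed, worth reviewing
    return "first-party"


if __name__ == "__main__":
    for host in ("www.abc.example", "metrics.abc.example",
                 "cdn.abc.example", "loop.abc.example"):
        print(host, "->", classify("www.abc.example", host, SAMPLE_DNS))
```
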

Advertisers are just trying to make a buck, not do you in (mostly).   Source:  The Register


Security News for the Week Ending November 29, 2019

The Problem with Big Data is, Well, That it is Big

On October 16th researchers revealed that they had found an exposed database with 4 billion records covering 1.2 billion people.  The first database contained information on 1.5 billion unique people (note these numbers do not exactly match) including work phone numbers and mobile phone numbers.  The second database contains hundreds of millions of scraped profiles from LinkedIn.  The data appears to be linked to “data enrichment” firms, People Data Labs and, but the firms say that the server doesn’t belong to them.  They did not say that the data did not originate from them.  Likely, the server belongs to one of their customers.  The good news is that the databases do not contain passwords or credit cards, but still there is a lot of data there.  The term data enrichment is an expression for “we aggregate data from a bunch of sources and put it all together, so if all YOU have, for example is a person’s email, we can tell you how much they make, how many kids they have and the roads they travel on to work, etc…”  Source: Computer Weekly.


California DMV Made > $50 Million Last Year Selling Your Data

First the law requires you to provide all kinds of information to the DMV.  Then the DMV sells that information to anyone whose check clears.  And they do not need to ask your permission.  In theory the law restricts who they sell your data to, but there are a lot of exceptions. One example was a private investigator who bought the information and gave it to his stalker client who killed the person.  Another is data brokers like LexisNexis.  Maybe the law should be changed, but in the meantime the DMV loves the cash.  Source: Vice


Another Public Leakware Attack

As I said in my November 19, 2019 post titled “Argh – They Have a Name for it Now – Leakware”, leakware is becoming more popular.  Now we have a case of the security and building facilities firm Allied Universal ($7 billion in revenue, 200,000 employees).  Allied was breached and the hackers want money.  To make a point, they leaked 700 megabytes of data.  They say that they have 4 GB+ more to leak and they will give it to Wikileaks.  They posted the sample data to Bleeping Computer’s forum, which took it down, and also to a Russian crime forum which was not so supportive.  The hackers initially wanted $2 million.  Now they want $4 million; Allied offered $50k.  A bit of a gap.  Allied says that they take security seriously but didn’t say what they planned to do to protect the stolen data.  If these hackers are Russian, there really isn’t much they can do other than to negotiate.  They have brought in security experts after the breach.  While it is useful to close the barn door once the horses are gone and the barn is burned to the ground, that probably won’t make much difference to the customers whose data was compromised.  Stay tuned for lawsuits.  Assuming this trend continues, we need to create different defenses for ransomware.  Source: Bleeping Computer

That Thanksgiving e-Card – Yup, It’s Malware

With the holiday season starting, the purveyors of malware  are in the holiday spirit too.  They are sending out millions of MALICIOUS, INFECTED e-greeting cards.

Open the card and you, too, will be infected.  In one campaign, the malware is the Emotet password stealing trojan.

Open that card and all of your passwords will be sent to Russia or China or some other friendly place.

When I get one of these cards, I send the person who sent it a note thanking them, but telling them that, in an unfortunate sign of the times, it is too risky to open it.

Then I hit the delete key.  Source: Bleeping Computer

Tips to Keep Remote Workers Safe (Safer) – Part 2

Yesterday’s list was so long I decided to break it into two posts.  Here is the second part.

To recap – here are some recommendations from Dark Reading. Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more. Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

11. Turn on auto update – Installing updates is a pain and even though updates sometimes happen at inconvenient times, they are important.  The challenge with updates is that there are so many.  Whether it is your laptop, phone, tablet, desktop and then, of course, all of the applications too.  Add to that your firewall, digital assistant, Wi-Fi and whatever else.  Updating it could be a full time job.  Which is why so many updates are missing.  The largest data breach in US history (Equifax) was caused by one missing patch.  If it is possible to automatically update, turn that feature on.  It just makes life easier.  ESPECIALLY for those Internet of Things devices.

12. Segment off your personal network – here is one you probably didn’t think of.  Put your work computer on  its own network segment – give it its own Wi-Fi hotspot.  If you isolate your work computer then if your kid’s computer gets infected, it won’t infect you.

13.  Use a password manager – passwords are a weak spot.  People can’t remember a thousand passwords, so they either make them all the same, so that when one web site is breached they all are, or they make them easy to guess.  Some people ask their browsers to remember their passwords.  After all, what could go wrong by asking the one part of your computer that talks directly to the Internet to store all your passwords?  There have been numerous attacks against browser password stores and many companies disable that feature for that reason.  Password managers actually make using unique, crazy passwords easy.

14. Enable Multi-Factor Authentication – Not only that, but it is better to do that with an app such as Google Authenticator or Authy instead of a text message.  If you have the option and a business is storing your sensitive data – like a bank – and they don’t offer multi-factor authentication, find a new bank.  I mean it.  Really.

15.  Avoid Browser Extensions – Speaking of not asking your browser to do unnatural acts, browser extensions are often security nightmares.  To the extent that you can avoid them, do so.  For one thing, they slow things down.  For another, many times they have bugs.  And going back to number 11, they often don’t automatically update.  It is a matter of security vs. convenience.  Your choice.

16.  Carry a spare portable battery for your phone or tablet – DO NOT use those handy USB charging ports in airports and other public places.  They can literally infect your device.  An alternative to a portable battery is to use the AC power outlet.  That won’t infect things.

17. Make sure you share documents securely –  In the mortgage business where I spent many years, loan officers often asked for bank statements, tax returns and other personal information via email.  Not exactly secure.  If you don’t have an ENCRYPTED email solution, ask your company for one.  If you need to control access, don’t use solutions like Dropbox.  Work with your IT department to figure out the best, secure, controlled access solution.

18. Be skeptical.  And then be more skeptical – you have a lot of things to do.  You have a lot of emails to read.  You have a lot of web sites to visit.  Bad actors are counting on that.  We hear about people falling for scams every day.  The FBI said that between mid-2016 and mid-2019 losses due to scams reported to them totaled over $26 BILLION.  That is a lot of money.

19. If you have a remote working policy, follow it.  If you don’t have one, create one –  When it comes to reducing risk, you need to tell employees what they should and should not do.  If you don’t have one then you can’t complain if employees do things you don’t want them to.  For certain industries, these policies are legally required.  In fact you should have a complete set of security policies which are in addition to typical employee HR policies.

20.  Last but not least, get to know your IT and security folks – we really don’t want to make your life difficult.  We are working hard to protect the company and that includes making sure the company does not get breached or sued due to losing customers’ data.  Those kinds of incidents can cost a company a lot of money and sometimes that translates to layoffs or even closing the company’s doors.  If you need something, ask.  We may not be able to do it, but hopefully we can explain why.

That is the end of this list.  If you have questions, please reach out to us – refer to number 20 above.

Based on information from Dark Reading. 

Tips to Keep Remote Workers Safe (Safer)

As my son likes to say, nothing is bulletproof – it all depends on the size of the bullet.  Likewise, nothing is 100% secure (except the computer that has never been taken out of the box) but your actions can improve the odds dramatically.

Here are some recommendations from Dark Reading.  Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more.  Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

So here are the tips:

  1. When working remotely, use two computers – one for work and one for personal stuff.  Besides the fact that malware on one might not infect the other, there are many other reasons that you might want to do this (like not wanting your boss to snoop on your personal stuff or back up your nude selfies on the company backups).
  2. Use only approved software on your company computer – many companies won’t let you install other software but many do let you.  There is a reason they approve the software that they do;  it goes through a vetting process.  It might be inconvenient, but so is getting breached.
  3. Don’t rely on a consumer-grade router, Wi-Fi hotspot or Firewall – I could go on all day about this one.  If your router, Wi-Fi or firewall is provided by your home Internet provider, you can assume that it is the best equipment that your provider can buy for $5 or $10.  Some Internet providers require that you use their equipment but there are no rules that say that you can’t put your own  firewall between the box your Internet provider uses and your computers.  That is what I do.  My firewall cost me $200.  But it runs the same software that you use in your office.  This is a case of you get what you pay for.  My Internet provider has not patched their firewall since 2013.    I am sure that there were no bugs fixed in the last 6 years.
  4. Ensure that your Firewall is configured securely – Your Internet provider will configure any equipment that they provide to minimize the number of support calls that they get.  That saves them money.  If that happens to make things more secure, that is a coincidence.  Mostly, it will make things less secure.  YOU are responsible for the security of your home network.
  5. Connect to your corporate network using a VPN – Using a VPN will definitely improve the security of your connection.  If you are a techie and you manage cloud servers from home, use a VPN connection to manage those as well.  Again, many free VPN services are worth exactly what you pay for them.  And some of them are even run by China – I am sure those are very secure.
  6. Be wary of public Wi-Fi – I am sure that your local coffee shop has all the best intentions when they offer you FREE Wi-Fi, but again, you get what you pay for.  Their IT department likely manages the network in between grinding and serving coffee.
  7. Harden your wireless access point(s) – There are lots of ways to improve the security of your Wi-Fi, especially when you are located in a high density location.  A friend of mine lived in New York and never paid for Internet; he only mooched off neighbors’ Wi-Fi.  Wi-Fi 6 is coming soon as is WPA3.  Both will improve your security but both will require either software or hardware upgrades.
  8. Keep a very close watch on your stuff when you travel – I recently did a TV interview discussing a poor fellow who got his credit cards stolen while he was in the grocery store.  90 minutes later the crooks had racked up $23,000 worth of charges on his cards.  Hotel rooms and hotel safes are notoriously insecure.  If you don’t need to take it when you travel LEAVE IT AT HOME!  Otherwise, secure it as best you can.
  9. Update system and software patches regularly – this includes your phone and your tablet, in addition to your computer and ONLY update from a secure location – NEVER from public Wi-Fi.  Note that this includes all of your apps in addition to your operating system.
  10. Update your system’s firmware – do you even know what firmware is?  It is the software that runs the software that you see.  Almost nothing is done in pure hardware these days.  That includes updating the firmware in your firewall, router, Wi-Fi and especially your phone.  Some equipment can be configured to automatically update (Apple is really good about this) and while that might occasionally cause problems, overall, auto-update is the way to go.

Come back tomorrow for more tips.  That’s all for now.

Security News for the Week Ending November 22, 2019

Huawei Ban – Is It A National Security Issue or Bargaining Chip?

Back in May, President Trump issued a ban on US companies buying from or selling to Huawei (see here).  Since then, the government has issued an extension to the ban 90 days at a time and the government just issued another extension.  They are doing this at the same time that they are trying to get US allies to not use Huawei products in the rollout of those countries’ 5G networks.  This tells China that we are not serious about this and don’t really think Huawei is a security risk – whether it is or not.

There are two problems with the ban.  The first is that US telecom carriers currently use lots of Huawei gear and it will cost billions to replace it.   Second, US companies and likely Republican donors make billions selling parts to Huawei, so the administration is reluctant to stop that flow of money into the country.

Congress is considering a bill to fund $1 billion over TEN YEARS as a down payment on removing Huawei gear from US networks.  If the US actually implements the Huawei ban, then those companies will no longer get software patches.  The Chinese might even announce the holes so hackers can attack US networks.  In addition, if the equipment breaks, carriers won’t be able to get it fixed.  Life is never simple.

Carriers that have to spend money replacing Huawei will have to delay their 5G rollouts, turning the US into even more of a third-world cellular network than we already are.   Source: ITPro

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies

The hacker or hacker group Phineas Fisher has offered up a bounty of $100,000 for other hackers who break into “capitalist institutions” and leak the data.  The group said that hacking into corporations and leaking documents in the “public interest” is the best way for hackers to use their skills for social good.  That is not a great message for businesses who are trying to defend themselves.

Phineas Fisher has a long track record of breaking into companies and publishing embarrassing data, so this is not just an idle threat.  Source: Vice

Russian Hacker Extradited to the United States May Be High Value Asset

We see from time to time that hackers are not too bright or act in not so bright ways.  In this case, a Russian hacker, wanted by the US, was arrested when he entered Israel in 2015.  The US says that he ran the underground credit card mart CARDPLANET which sold over a hundred thousand stolen cards.  Why a Russian hacker would think that visiting Israel would be safe is unclear; maybe he thought no one knew who he was, or he is not very smart.

After Israel arrested him at the request of the US, the Russians tried to bargain him back to Russia under the guise of trying him there.  When the Israelis told them thanks, but we will handle this ourselves, Russia convicted a young Israeli woman on trumped-up drug charges and she is serving a 7 year sentence in Russia.  Even that did not sway Israel to return him.  In the meantime, the Israelis have turned him over to us and he is awaiting trial here.

Some people say that Russia wants him back because he has first hand knowledge of Russian interference in the 2016 US elections, but the White House doesn’t even admit that Russia hacked the elections, so I am guessing they are not going to press on that issue, but who knows  – stay tuned.  Source: Brian Krebs

When It Affects the Boss, Well, Just Fix It

A few weeks ago Jack Dorsey, Twitter’s CEO, had his Twitter account hacked.

Up until yesterday, you had to provide Twitter with a phone number for two factor authentication and they would send you a text message.  You could change the method later, but you had to initially give them a phone number.  HIS account was hit by a SIMJacking attack (so apparently he did not change his authentication method).

As of November 21, you can now set up a Twitter account WITHOUT SMS as the second factor.  I strongly recommend that you change your Twitter 2FA method.  Source: TechCrunch

Apple Tells Congress That You’ll Hurt Yourself if You Try to Fix Your iPhone

Congress pressed Apple on why you or a repair center (that doesn’t pay Apple a licensing fee) should not be allowed to repair your iPhone because, they say, doing such repairs could be dangerous.

They also said it costs them more money to repair iPhones at Apple stores than they charge, which is probably the best reason ever to let other people repair them.  Of course, that is not the way Apple sees it.  They said that you might leave a screw out or something.  Of course, if they provided manuals, that wouldn’t be a problem.

Apple would like you and Congress to believe that their repair monopoly is good for you as a consumer.  Apple also said that they don’t stop consumers from getting repairs from a shop of their choice, even though they modified the iPhone software to disable the phone’s touchscreen if they do get their phone repaired outside the Apple ecosystem.  Read more details here.


Android Malware Uses Screen Overlay to Steal Credentials and Credit Cards

Malware is like any other piece of software.  Version one is usually pretty crappy – what vendors like to affectionately call a “minimum viable product”.  Sometimes minimal is loosely defined.

In this case the malware is called GINP.  The trojan has been in the wild since June.  In the five months since,  it has evolved.  It started out as a Google Play Verifier.  It stole incoming and outgoing text messages.

A later version added an “overlay” – a layer over the top of the screen that popped up when you opened an app like Facebook, WhatsApp or a bunch more.  That overlay asked for a credit card and that information went to the attackers.

The next version added code to make it harder to detect the app.

Then it morphed.  Today it is going after Spanish banks – 24 apps from 7 banks right now, but it looks like that is just a start.

You can imagine what the hackers might do with online banking credentials.

The overlays can mimic whatever they want to – they cover the whole screen.

One downside to the technique is that it requires the user to give it a specific permission generally used for apps for handicapped people called the “accessibility” permission.

Even if this app does not morph to US banks, users should be careful.

Look at what permissions an app is asking for – don’t just blindly say yes.

Look for telltale signs.  This malware is going to make it look  like you have been logged out of the app and need to log back in.  It will also ask for credit card info.  Don’t do that if it doesn’t seem right.

Turn on two factor authentication.  That way, at least, if they have your credentials, they don’t have the second factor. 

Be selective about what apps you install – and uninstall apps that you do not use any more.

Nothing is bulletproof, but make it harder for the bad guys.  Source: CSO Online