Happy Saturday folks, welcome to the security box for this week. I normally get the blog up within 24 hours, better late than never posting it at all.
The show notes are extensive as normal, and I think it’s the way to go so people can read my thoughts on the items as well as listening to them on the podcast.
The RSS has had the program up. Here is the link to the RSS for those who need it.
Don’t have RSS? Here is the 156.28mb file for you to get.
I hope those who listen find the shows of value, and I’ll be back this coming Wednesday on the independent channel of the mix’s suite of servers for another edition of the program.
Have you really thought about password managers lately? If not, the main topic may be of interest to you. While there were no calls this week, I feel the way I did the notations and led the discussion may make you think about whether it’s time to get one.
Welcome to podcast 36 of the security box. On this edition of the program, we’ll be talking about password managers. Herbie Allen is along with a Things to Ponder section talking about scams, one in particular dealing with Amazon. We also have a webinar that will be of interest from F-Secure. We’ll have news, notes and more. Hope you’ll enjoy the program!
Topic: Choosing a good password manager
LastPass writes good articles, and this one is no different. How would you choose a good password manager? There are 5 different things that could make your decision that are highlighted within this article. They include:
- How many devices do you own?
- What are those devices (Android, Apple)?
- Who do you need to share with?
- What other type of information would you want to store besides passwords?
- Are you concerned about data breaches and your personal information being at risk?
While the article talks about LastPass features, the heading entitled “Choosing a password manager” goes into detail about the different tiers of LastPass. There are definitely alternatives, and you can explore those alternatives. While LastPass has lots of features, you don’t need all of these features, and you alone need to decide what will work for you.
Webinar: Attackers Get Personal | F-Secure Live Webcast
Over the weekend, I had decided to go through YouTube and found this very interesting webinar. It talked about three different topics by three different people.
About the webinar:
Taken from YouTube directly, it states:
Get an inside view into the cyber threats that challenge our recovery from the pandemic and beyond.
Highlights from the Threat Landscape – Christine Bejerasco
2020 was an unprecedented year. But did this reflect in the threat landscape? Christine takes a look at various areas that highlight some of the threats recently encountered.
Healthcare data under attack – Mikko Hyppönen
The healthcare industry’s outdated IT and security infrastructure has caught the attention of cyber criminals, right when we need it the most. Mikko will discuss what we can do to secure our most essential industry.
Thinking like an attacker – Tomi Tuominen
The different stages of a targeted attack keep evolving. Tomi offers the latest insight into how attackers think and how to make their life more difficult.
Topics covered
- Which threats businesses must face
- How cyber criminals threaten the health care sector
- Why a good cyber defense depends on seeing weaknesses through an attackers’ perspective
What to Watch
Things to ponder
Herbie Allen, main owner of the Mix, will be submitting something of interest dealing with scams and Amazon. It’s a three-minute listen, and we can open it up to thoughts on that. I later show a recent text message, go through the link, and show you what’s going on with the link.
News, notes and commentary
- Fiserv used an unclaimed domain that sent out email to customers to do various email tasks like verifying accounts, automating password resets and other tasks that may not have been thought of. A researcher, Abraham Vegh, contacted Krebs on Security to discuss what he found with the illicit domain, which he bought to see what he was seeing. Some of what he saw included bounce messages, messages for out of office replies and even more. To read more, read the Krebs on Security article entitled Fintech Giant Fiserv Used Unclaimed Domain for all of the details.
- Is it really time to get rid of SMS verification? I think it’ll be time sooner rather than later. Customer service representatives can be tricked into changing account info, especially if they are low paid, according to the article from Krebs on Security. The article talks about a company called Sakari, which offers a $16 product that allows you to receive text messages from any phone number in the United States. The letter of authorization that needed to be signed by the customer indicated that it could not be used for harassment, inappropriate behavior, or possibly violating the law. As the researcher has indicated, people were able to sign up with the service and do what they want. When approached with more detail, the researcher in question said that it was not just this company that can do this. The article goes into more detail on this research, including SIM swapping and possibly other tactics that might be used. The question: Can We Stop Pretending SMS Is Secure Now? should be asked and the article is well worth the read.
- You think Joker and his stash of jokes are gone? Let’s think again. According to a Trend Micro report, not so fast. I’m not sure what happened to the article; somehow something happened where parts may be missing. We’ll link it here, but they’re back to their old tricks that may be new. This article talks about signing up for services by selecting the phone operator, putting in the MSISDN (Mobile Subscriber Integrated Services Digital Network), getting a One Time Password, and entering that code, and bingo, you’re subscribed to services. While the text I have may have been truncated, the article should be read just the same. No Laughing Matter: Joker’s Latest Ploy is the article, take this very seriously.
- Think using one password was absolutely safe? Better think again. According to an article by LastPass’s Amber Steel, hackers found a username and password online, used it, and gained access to 150,000 cameras in places like schools, fire departments, offices, gyms and more. These are security cameras for some 24,000 customers. The article linked here will have more. 150,000 Security Cameras Hacked Because of One Password is the article, give it a read. Think about changing your password immediately.
- WeLeak.Info is back in the news, but probably not in a good way. According to an article by Krebs on Security, the site now leaks information about the customers that were at the site buying and selling information. The first paragraph says:
A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card.
The article talks about putting an email address in the site, and getting all possible passwords available with that email address. There’s more, WeLeakInfo Leaked Customer Payment Info is the article, better take a look at it.
- Finally, we’ve got some good news in two members getting arrested and charged. These two have also been sentenced. According to the article, “in fraud we trust” is the mantra of the group, and the two people are named Sergey Medvedev of Russia and Marko Leopard of North Macedonia. There’s more to the story, so read Two Infraud members sentenced for role in $568 million crime gang, US says and we hope that it will be called “In Fraud we don’t trust” in the future.
Thanks so much for listening to today’s program and reading the accompanying notations. We hope you’ve enjoyed the program as much as I have putting it together for you, and make it a great day!