
The Technology blog and podcast

This is for the technology blog and podcast Commentary, articles, and podcasts




Breach at online chain, takes credit cards, CVV, and magecart is to blame

Today, I read an article about a breach at a children’s retailer who was bilked out of credit card data, CVV, and potentially more. You’d think this type of story came from Krebs on Security, but it didn’t. This story came from Cyberscoop. Children’s apparel company Hanna Andersson discloses data breach is the name of the article, and it’s the first of its kind for this year.

I’m not sure if other children’s stores were hit, although Target of 2014 sells everything including children’s clothing. This outfit sells pajamas of different kinds. A Magecart-style attack was put on this web site, and of course we’ve talked about Magecart before and how difficult it is to defend from.

The exposed data included payment card numbers, expiration dates, and CVV codes, along with customers’ names, billing addresses, and shipping addresses. Law enforcement officials recently told executives at Portland, Oregon-based Hanna Andersson that there was evidence of a breach, Edwards said.

I’m not sure if this will be the last time we see this, because Magecart is so pervasive once embedded in websites.

I’m wondering if we’ll see more types of this sort this year? Only time will tell.

It is unclear how many customers were affected by the incident. While it doesn’t appear that every customer who visited the website during the two month
period was victimized, Edwards said, the company is notifying anyone potentially affected. It is also offering customers a year of credit monitoring and
a $1 million “insurance reimbursement policy.”

If you are affected by this breach, watch your statements for any type of unauthorized charge. Even the small ones can be trouble if you know you didn’t do it. They start small, and then get larger, so please make sure to do this.

The company didn’t respond to comment before press time.

Hanna Andersson is known for selling pajamas, some of which are themed around popular Disney movies. The breach shows that, regardless of the end product
being sold, anywhere on the web that houses financial data is a potential target for criminals.

Hanna Andersson’s letter to customers did not identify any suspects who may be behind the breach.

There are other types of links leading to other things that might be of interest, so please read the full article.

Thanks so much for reading, and make it a great day!

Comments (0)

Use WordPress database? Better update it!

We do not use this plug in on the blog, but saw this article via Twitter called: This WordPress vulnerability could let hackers hijack your entire site and it talks about a plug in called WordPress database. It allows someone to manage the database, but the vulnerability makes the entire web site disappear if the hacker wanted. Read the entire article on this one, it sounds pretty serious enough.

Comments (0)

Another article dealing with January’s patch tuesday

I recently read an article The NSA discovered a severe flaw in Microsoft Windows 10 and I found this one quite interesting. The fact the NSA now wants to have their name on vulnerability fixes is a step in the right direction. I’d suggest giving this article a read, because it goes with the others in the set from this blog post and even this blog post covering a Trend Micro article as well. Just another article from a different point of view.

I think this must be the worst vulnerability Microsoft has had to date and it was recently talked about as part of Security Now 749 when it was linked to Krebs article found on the first 2020 patch tuesday blog which is linked here as well. Enjoy!

Comments (0)

Google Play is more Secure than other google stores according to Trend Micro

I just read an article which is number driven, and I covered one of these articles before. This one, from Trend Micro, is entitled Defend Yourself Now and in the Future Against Mobile Malware and it’s a great article to read. The topic of adware is really driven home in this article, saying that a lot of apps in the Android ecosystem are driven with this type of app.

One of the problems that Android and even iOS may have is that it’s hard to tell the difference between a fake application and a real one. Staying with the Play Store and iOS store and not jailbreaking your phone is the best solution, according to the article.

As 2020 is under way, here is what Trend Micro is thinking will be more of a problem.

• More intrusive adware.
• Cryptocurrency mining malware. This will run in the background, eating up your device battery and computing power. Trend Micro noted a 450% increase in infections from 2017 to 2018.
• Banking Trojans designed to harvest your log-ins so hackers can get their hands on your savings. Our detections of this malware soared 98% between 2017-18.
• These attacks have evolved from simple screen lockers to malware designed to encrypt all the files on your device.
• Premium rate services. Some malware will covertly text or call premium rate SMS numbers under the control of the hacker, thus making them money and costing you potentially significant sums. ExpensiveWall malware, for example, was found in 50 Google Play apps and downloaded millions of times, charging victims’ accounts for fake services.
• Information theft. Some malware will allow hackers to eavesdrop on your conversations, and/or hoover up your personal data, including phone number, email address, and account log-ins. This data can then be sold on the dark web and used in follow-on identity fraud attempts.

It’s a good idea to read the section on how you can protect yourself, which includes staying on the official application stores.

Trend Micro blocked over 86 million mobile threats in 2018 and it is looking to grow quite exponentially. This is going to be the norm as people are moving mobile only.

There are a lot more linked things in this article besides what I’ve linked, and I think this is something we should be aware of. Have thoughts? Leave those comments!

Comments (0)

Do you use lastpass? A minimal issue has been found and fixed

Lastpass is reporting today that a small number of users were getting error messages due to an upgrade which they rolled back. This weekend blog update posted today, goes into detail as much as they have. I feel that this is part of what I was saying within this blog post when we talked about password managers. No password manager is going to be bug free, and this Lastpass update is to notify the entire community what is going on and what they’re doing to fix the issue. This goes for those who may not have noticed like myself. I’m glad to know just the same!

Comments (0)

A very comprehensive password manager review

Hello folks,

I recently got an email from someone at a web site called Consumer Advocate. They have a very nice article which is lengthy that deals with password managers.

I personally use Lastpass, and yes, I do know about the breaches they’ve potentially had, but I feel that they’ve been straight forward with the information they had and what they were able to share.

This article, published on the 17th of January of this year, covers a number of managers I’ve never heard of. Best Password Manager and it is definitely comprehensive.

I want people to check it out, knowing that each manager may not meet your individual needs. While I did get a new phone and I had trouble with Lastpass a little bit, it wasn’t because of my lack of my password, Lastpass didn’t know who I was when I had cleared my Firefox and it caused issues with the phone not knowing who I was. It was rectified, although the first email didn’t elicit the response I needed.

I did like the idea of phone support, and there is only one company in the list that does this. Maybe 2 if you count the paid version of Roboform which I’ve heard of, and my dad had used.

The guy’s name is Joey who sent this, and we thank him for posting an email to us about this helpful resource for people who might find it of interest. He wanted me to add it to the post Here’s something to ponder: Should User Passwords Expire? Microsoft Ends its Policy I posted that article in June of 2019 and while I don’t go back and add things like this to that post, a new post would be more helpful. I’m linking back to that piece in this post because I think it’s still valuable in the discussion. What do you guys think?

Please let me know what you think of the article.

Password managers that are mentioned include:

  • DASHLANE
  • ROBOFORM
  • STICKY PASSWORD
  • PASSWORD BOSS
  • SPLASHID KEY SAFE
  • BITWARDEN

None of these I’ve ever heard of except Roboform. Lastpass is mentioned, but one gentleman quoted in this comprehensive article says that if your password manager of choice has been breached, then it’s not trusted. Lastpass fixed the breaches quickly, and from what I remember and it’s mentioned in the article, that particular aspect should be recommended. However, the person quoted said they can’t trust them. GRC’s Steve Gibson can, because he’s had insight conversations with the founder of Lastpass who is also named Joe. I’d use whatever you find of value, but I’d read the article anyhow and give these a try. I’m not looking to change at this time, but maybe someone who isn’t using any manager will find this of value.

Comments (0)

Phishing for apples, getting different links

I don’t want to use the same article title for this post as the post Krebs on Security wrote in regards to Apple and their recent Phishing expeditions. I’m not saying that Apple is sending out these emails at all, but I am saying that Apple is now the target of such email sending lately.

According to the article Phishing for Apples, Bobbing for Links Apple’s web site is now being utilized to harvest these sites.

I don’t remember if I reported that Michael in Indiana, someone who has published some audio for the podcast as of late, sent me a very interesting email and asked me to look at it. The email in question was definitely a phish, but the web site went to Apple’s web site but a very different link. I went to both pages, looking at the URLs very carefully.

KrebsOnSecurity heard from a reader in South Africa who recently received a text message stating his lost iPhone X had been found. The message addressed
him by name and said he could view the location of his wayward device by visiting the link https://maps-icloud[.]com — which is most definitely not a legitimate
Apple or iCloud link and is one of countless spoofing Apple’s “Find My” service for locating lost Apple devices.

While maps-icloud[.]com is not a particularly convincing phishing domain, a review of the Russian server where that domain is hosted reveals a slew of
far more persuasive links spoofing Apple’s brand. Almost all of these include encryption certificates (start with “https://”) and begin with the subdomains
“apple.” or “icloud.” followed by a domain name starting with “com-”.

This is just one paragraph of this article. The post has brackets to hobble the links from being clickable, and I think they’re worth sharing.

  • apple.com-support[.]id
  • apple.com-findlocation[.]id
  • apple.com-sign[.]in
  • apple.com-isupport[.]in
  • icloud.com-site-log[.]in
As people new to the Internet come to this blog to learn, the article mentions that savvy readers know this and normally either check the link to see where they’re really going, or don’t bother clicking.

The problem we as blind people have is that these emails just say verify your account, as the link, and we don’t have any way of verifying the link. To make matters worse, Safari to my knowledge will only show apple.com when we double tap on the link to see where we’re going. This makes it quite hard for us to really verify these links, so I ought to say, check the address. In Michael’s case, the address that it was sent from was completely different than those that Apple may use. Also, keep in mind that not all Phishing emails will be alike. They may be still coming riddled with mistakes, nonsensical aspects to evade detection by changing letters in certain words, and other aspects that I may not cover here.

Of course, any domain can be used as a redirect to any other domain. Case in point: Targets of the phishing domains above who are undecided on whether the link refers to a legitimate Apple site might seek to load the base domain into a Web browser (minus the customization in the remainder of the link after the first forward slash). To assuage such concerns, the phishers in this case will forward anyone visiting those base domains to Apple’s legitimate iCloud login page (icloud.com).

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing
scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

This is sound advice, but sometimes the curious get curious. I would say to check the address. In mail, find the name where it says from and look carefully at the address. You can see where it goes without adding it to your contact. When done, double tap done.

Since a lot of people now have iPhones and/or Android devices and not necessarily a computer, this may be the only way for us to be safe. Thanks Brian for giving us yet another very interesting article to talk about and bring a different way of presenting a different aspect to this phishing problem.

Have any other advice to share? Please leave your comments here, and we’ll be in touch. Thanks so much for reading!

Comments (0)
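To make the point of the post above concrete, here is an added example (not part of the original post or of the Krebs article) that works out which domain a link really belongs to and flags the "apple.com-something" pattern. The short suffix list is a constructed stand-in for the Public Suffix List, and the LEGITIMATE set, the URL paths and the last two sample links are assumptions made for the demonstration.

```python
"""Added example: why apple.com-support[.]id is not an Apple address."""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org); a real check should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "id", "in", "co.uk"}

# Registrable domains treated as genuine (an assumption for this example).
LEGITIMATE = {"apple.com", "icloud.com"}
BRAND_WORDS = {name.split(".")[0] for name in LEGITIMATE}  # apple, icloud


def hostname_of(link):
    """Lowercase hostname of a link, undoing the [.] defanging first."""
    link = link.strip().replace("[.]", ".")
    if "://" not in link:
        link = "//" + link  # make urlsplit treat a bare host as the netloc
    return (urlsplit(link).hostname or "").rstrip(".")


def registrable_domain(host):
    """Return the public suffix plus one label to its left, or None."""
    labels = host.split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # suffix not in our small list


def classify(link):
    """Return (verdict, registrable_domain) for one link."""
    host = hostname_of(link)
    reg = registrable_domain(host)
    if reg is None:
        return ("unknown-suffix", None)
    if reg in LEGITIMATE:
        return ("legitimate", reg)
    # The pattern from the post: the hostname text begins with a real
    # domain, but the next character continues the name instead of ending it.
    for good in LEGITIMATE:
        if host.startswith(good) and host[len(good):len(good) + 1] in ("-", "."):
            return ("lookalike-prefix", reg)
    # Weaker signal: the brand word appears somewhere in an unrelated host.
    if any(word in host for word in BRAND_WORDS):
        return ("brand-in-name", reg)
    return ("unrelated", reg)


# Hostnames are the defanged ones quoted in the post; the paths and the
# last two entries are constructed for the demonstration.
SAMPLES = [
    "https://apple.com-support[.]id/verify",
    "apple.com-findlocation[.]id",
    "https://apple.com-sign[.]in",
    "apple.com-isupport[.]in",
    "https://icloud.com-site-log[.]in/find",
    "https://maps-icloud[.]com",
    "https://www.icloud.com/find",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reg = classify(link)
        print(f"{verdict:17} {reg or '-':22} {link}")
```

The second column of the output is the domain someone actually registered; for the spoofed links it is a name such as com-support.id, and "apple." is only a subdomain the owner of that name chose.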

A search engine for searching for personal info shut down

Hello folks,

In my article posting yesterday, it occurred to me that I didn’t cover something that made the cyberscoop news in a good way. Cyberscoop covers government stuff as well as good news like the article entitled WeLeakInfo, a search engine for breached personal data, shut down and that’s a good thing. I’ve never heard of this site, but anything to allow people to search for things that could be harmful like breach info is a good thing.

U.S. authorities have shuttered a website claiming users could scour more than 12 billion records compiled from some 10,000 data breaches to purchase usernames,

That’s a lot of info, and I could see why this web site was shut down. If you were looking to see if your info was out, that’s one thing, but to look to see about others so you can use it and use the info to take over other accounts isn’t OK and should not be allowed.

I’m passing this along in the good news category, let me know your thoughts. Should search engines be up for people to search whatever you want to, even if that means that people can lose their accounts to others?

Comments (0)

Equifax is back in the news … can’t get a dime

Hello folks,

According to the latest on Equifax, also known as equiphish, they’re now claiming in this article entitled Equifax to pay customers $380.5 million as part of final breach settlement, I doubt that we will ever see a cent of that. For me anyway, I can’t prove that my info is being used or has been used for ill gain, so that means I don’t get a dime of this money. While the settlement is great for those who are affected, the reputation of the company is beyond repair. To make things worse, the other credit monitoring services are just as guilty for similar fates but not as bad. I really don’t know what else to write about this, except that I have articles on Vocal covering my thoughts long term.

Besides those two, this tech blog search will cover a ton of stuff from podcast notes, to many other articles across the landscape. I want some of that money! Even if I have to put it away elsewhere for my future needs, this is something everyone has been affected by, even if it’s just news worthy and nothing personal has happened. The fact it’s out there is damaging enough.

Update:
January 18th, updated the post to fix HTML and some spelling mistakes found.

Comments (0)

Don’t let the vulnerabilities get you down

I read an article entitled Don’t Let the Vulnera-Bullies Win. Use our free tool to see if you are patched against Vulnerability CVE-2020-0601 and it was quite interesting. This is going in to more details on one of the worst vulns Microsoft has had, that they need to fix several major versions of Windows. This blog post which was posted several days ago talks about some of the articles I’d not read and since have, in regards to patch tuesday. The lead article gives more info about the second Krebs article that was posted in the earlier blog post.

Comments (0)

We’ve got a capture, it’s hopefully the first of many

I meant to write about this, but now I’m thinking about it. Krebs on Security posted a blog post about a capture and I love posting these things. Alleged Member of Neo-Nazi Swatting Group Charged was posted on January 10th and I recently read it within the last couple of days. I found the story enlightening, and I think you might too.

What interested me about this story is that Brian, and/or his family, was eventually targeted in whatever this group was up to. Hopefully, there are more stories like this one this year, it’s lovely to see!

Comments (0)

Question: Are we looking for more or less threats this year and if so what kind?

Hey folks,

I want this to be a post where you can ponder and form your own opinion. The trends set forth by experts are predictions of what may happen, what may be seen, and what could happen. In no way is it exact, and it’s a retrospective.

With that out the way, the article entitled The Everyday Cyber Threat Landscape: Trends from 2019 to 2020 caught my attention recently. Trend Micro has a great history of predicting what may happen, what is seen, and what is far out there. I really like the work they do in this field, and they can be known as a true leader in this field.

Headings within this article include:

  • Top five threats of 2019
  • What to look out for in 2020
  • How to stay safe
  • How Trend Micro can help

Trend Micro has had a lot of experience in this field, and the longest serving company and innovating to stay one step ahead of the threat actors if possible is a stepping stone.

Here are the top threats we need to be aware of. Remember there could be more we are not aware of.

  • Home network threats
  • end point threats
  • mobile security threats
  • online accounts under attack
  • breaches

You would want to hope that breaches which contain personally identifiable information would be going down, especially since services like Paypal, Apple Pay, Google Wallet, and others are in use by some people. I know that Apple Pay is being taken by stores because recently I’ve implemented and used it a few times within the last couple of weeks. It does make it convenient!

I see that when it bills my credit card, the credit card has the last 4 digits, and even in there, it has the last 4 of a different account number altogether. If there is a breach, nobody can do anything with that number as my understanding of this is tied to the phone itself, and so each phone will have a different account number.

If I’m wrong, someone please correct me, but this is how I understand it.

What can we expect in 2020 according to this article?

  • Smart homes under siege
  • Social engineering online and by phone
  • Threats on the move
  • Worms make a comeback

I’m not going to paste the article in full as there are links to various other aspects of this including text messaging and other things, so it’s best to click through to the article and read it.

Since I only have one computer, that’s good enough for me. I must keep it as safe as possible, this is definitely something I’m trying to do every day.

There are basic common things we should do when it comes to staying safe. Make sure we apply patches and get router updates. I need to figure out how to get in to my router and see if there are any updates to apply. I’ve never had to worry about that, but at some point, I need to figure this out. I don’t even know the name of the modem/router I even have or how to get in to it.

Feel free to discuss this one, as I know it’ll be a big topic this year. Thoughts are welcome.

Comments (0)

Yahoo forcing random password resets … am I the only one supporting someone having trouble?

This is more of a curiosity thing than anything else, but I have a hunch from what I’m told that this has been going on for a number of years now.

The service AT&T has email service. When we started with this service it was known as SBC Yahoo! Through the years, some have gotten straight att.net addresses although the web site is a dot com for everything else.

In this world, we’ve got many types of people with varying degrees of capability in the technology world. We also know that Yahoo! email has been breached and that came to light three years after the fact.

When you authenticate as an SBC Yahoo! customer using mail, you go to the Yahoo! mail web site.

The authentication is your full email address, i.e. jrimer2002@sbcglobal.net which belongs to me. It also asks for your password, which is the account password for that address.

Here’s the problem. I was able to switch the account to a different interface two weeks or so ago. But for awhile now, ATT Yahoo! account holders need to reset their password every two weeks.

My grandmother has had an SBC Yahoo account for a number of years, and has never experienced this until recently. I never experienced it, although I don’t use my SBC address anymore, in favor of my accounts on my domain and my gmail. I understand this has been going on for a couple of years now, and enough is enough! The National Institute of Standards and Technology (NIST) folks changed the guidelines where passwords are not needing to be changed as often, as long as there is not a valid reason for the passwords to be reset.

My grandmother is older than most on this blog, reads facebook, comments on things, plays games, checks email, and does some shopping on amazon for things she needs. Nobody except ATT Yahoo! services have prompted her to change her password.

Here is my hunch based on what I know:

  • passwords may not be as secure as they should
  • company never sent email to my knowledge about said policy
  • too much time was spent on hold trying to get the issue resolved and
  • frustration as to why no email can be accessed and wondering why the account was locked out.

I’ve never seen any of this behavior with any company before. Unless there was a valid reason, I’ve never changed my password, even after all of these breaches. The fact my biological data is potentially out there now, it’s game over for me! I know this, and I’ve been working hard to make sure I don’t use the same password everywhere and that’s why I have Lastpass, the last password you’ll ever need.

I’m thinking that this is targeted because of the potential weakness of the passwords given to me, yet my password may not be all that secure over there anyhow. I’m thinking it may be the same password I use somewhere else.

So ATT, what gives? Why are you making an elderly person who has no knowledge of why and what to do about the issue if you don’t tell them in writing or email or phone?

If this issue persists, I’ll have no choice but to help her either set up a gmail, or even set up an address on the domain purchased for her and hosted through me. Then, I’ll either have to show her that web mail, or set it up through Thunderbird.

For someone who has so much in the way of notifying people and companies, I’m not going to be impressed with having to have her do all of this, and I can hopefully have mail forwarded to the new address in the meantime, but this is enough! Was it the weak passwords? You can check the hashes without knowing the password, and if you notice it’s weak, reach out! There is no need to make someone change their password every two weeks without probable cause. I know nobody else who is going through this experience, and I’ve not been tipped off to any articles saying there is a problem of this scope.

If anyone else is experiencing this, I’d love to hear from you. Please get in touch!

Comments (2)

The Worst Hacks of the Decade

It’s been a rough 10 years in cybersecurity—and it’s only getting worse.

Source: The Worst Hacks of the Decade

Security Now for Christmas which was taped on Monday will cover this, but I saw this today. I wonder how worse it can get now? Just reading a few of these and using headings to see what the rest was makes this interesting. I believe we’ve covered all of these through the years.

Comments (0)

Apple Releases iOS 13.3 and iPadOS 13.3 with Some Fixes for Blind and Low Vision Users, but also a Regression to Smart Invert

I know I’m a little late. Call it a little more late than I intend. On the 10th of December, Applevis released a post that talks about the release of 13.3. When I got my new phone, I noticed that it needed an update, and I promptly got everything up to date.

On a future podcast, I’ll talk about some of what I’ve noticed with my new phone, and I still have quite a lot to do with the setup of the phone. Here is the link to the blog post from AppleVis and I hope you enjoy your day!

Comments Off on Apple Releases iOS 13.3 and iPadOS 13.3 with Some Fixes for Blind and Low Vision Users, but also a Regression to Smart Invert

10 Ways To Legally Get Free Internet At Home (And In Public)

On the 12th of November, someone emailed me about this particular article. 10 Ways To Legally Get Free Internet At Home (And In Public) which I’ve finally gotten a chance to read. Since it has been awhile, I thought I’d finally take a look.

While Net Zero has been around for quite a number of years, I’m honestly surprised they’re in this list.

This is only a resource. I’m not saying you should go totally free, read the entire article and decide how you want to proceed.

I enjoyed reading this article, and maybe someone can find the information of value as we look to proceed in today’s digital age.

Comments Off on 10 Ways To Legally Get Free Internet At Home (And In Public)

FTC Warns of Ongoing Scam Spreading Scary Terrorism Allegations

The U.S. Federal Trade Commission (FTC) warned consumers today of an active scam campaign targeting potential victims with letters designed to scare them with fake money laundering and terrorism allegations.

Source: FTC Warns of Ongoing Scam Spreading Scary Terrorism Allegations

This is only a portion of an article I think people should see, especially during this time of year in shopping online and in store. Please be as careful as you can.

Comments Off on FTC Warns of Ongoing Scam Spreading Scary Terrorism Allegations

How easy is it to get a domain? Very easy in fact

Before I talk about the article which I’ve been thinking about lately, I want to mention getting a domain in general is easy. In fact, I’ll mention a phrase from the article “too easy.” That’s it.

For most domains, you just pay the money requested, turn on the option for identity protection, and away you go. For other domains, there may be more steps like having an SSL certificate installed, or even proof of address or phone number.

One of the things they do say is that you should have “accurate records” for the directory, or you could be terminated but I don’t know how true that really is. I know someone who may have put a false address in place, but I don’t want to outright confirm or deny anything, especially since things have changed.

Now, let’s talk about this article entitled It’s Way Too Easy to Get a .gov Domain Name and why I think there should be a change. According to research for this article, someone reported that government domains do require some form of letterhead from the governmental agency. I suppose the letterhead will have a letter telling the registering company what the use will be, but I am unclear about that. Now, the guy who did the research bought the domain, sent in the forms, and had the domain and he didn’t work for the government.

I think that if we need to prove who we are, by supplying our contact info, we should also supply valid documentation to prove who we are if we’re buying domains that require that. I have a .com, .net, and .info and all I’m using for different purposes. I also have a .org yet I’m only running the site, I’m not employed by the company who is now paying me to run it. I wasn’t asked for documentation for the organization, and I would have provided it upon request. Is this the same type of thing that may be utilized for the .gov domain discussion in the article?

I would suggest everyone take a look at this governmental thing, and let’s discuss what you think we can improve the security of our domains. This is why miscreants are able to buy large swaths of domains because there’s no validation and questioning of what will be done with it. Even if you ask for identification by calling to verify who you say you are, that would be a start. Even clicking a link to verify they’ve got the proper email address for registration would be a start.

I’d be interested in your thoughts. I’ve been thinking about this article after a long day’s worth of work, and now it’s time to put it to paper or in this case, virtual paper. Thoughts?

Comments (2)

It’s time to post some good news

I know I’ve read at least one of the two articles from Krebs in regards to some good news in the arrest department.

I don’t remember if I read that, but that’s some of the good news that I’ve found in the arrest department. This ought to be fun if I didn’t read two of the three articles. Maybe it’s time that I start catching up on some of this stuff.

If you’ve seen these in passing, what did you think?

Comments Off on Its time to post some good news

Hospital breaches leading to more heart attacks? You bet!

While I’m getting my day started, I’ve been wanting to try and play some catch up. I’ve been thinking this morning about an article that Krebs On Security penned on his blog entitled Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks as it has some very serious repercussions. It seems as though the people who send these types of things don’t really care if people die.

Every day, people die for one reason or another. Every day, people are living another day. Why does it have to happen where ransomware is the cause of someone dying because they can’t get the care they need?

How will it feel to them if they died because they sent this to some hospital, then something happens and they can’t get treated? Let’s imagine that they survive, get treated, and live to tell the story? What type of story will they be telling? If they die, there is no story, but the family who grieves has no answers and doesn’t really understand what the hell they did. To me, this is just another step lower in the problem of what ransomware can do.

I’ll be talking about this one on the podcast, this is just sad. Lots of numbers here.

Comments Off on Hospital breaches leading to more heart attacks? You bet!
