Microsoft Support & Discussions

The digital dust has settled, for now at least, on last week’s Distributed Denial of Service (DDoS) attack against DNS service provider Dyn. Some of the rumors we’ve heard for attack on Dyn include: The DDoS was an experiment to see how big an attack could be if the crooks really wanted. The DDoS was a practice session for an attack on the forthcoming US election. The DDoS was a show of strength, in case Julian Assange of Wikileaks turned out to be dead. So far, however, the most likely explanation we’re aware of is that Dyn recently published a article about the risk of DDoS to service providers. Dyn dealt with the extent to which an open-source DDoS attac…

Let's start at the beginning. In August 2016, we learned that a hacker known as Peace was offering for sale 200 million Yahoo user accounts on the dark web. More than a month later, the American tech company gave us some more awful news: a "state-sponsored actor" had hacked its computer system back in 2014 and compromised at least 500 million users' accounts. Some users of Yahoo's free web-mail subsequently sued the company as reports emerged that the breach could have affected computer users who didn't even own a Yahoo account. That was enough fishy business for BT and a number of other companies to begin investigating Yahoo. One security firm in particular s…

Mobile security consultant Henry Hoggard uncovered a worrying failure in how PayPal had implemented its two-factor authentication (2FA) feature: Recently I was in a hotel needing to make a payment, there was no phone signal so I could not receive my Two Factor Auth token. Luckily for me Paypal’s 2FA took less than five minutes to bypass. Any suggestion that PayPal's 2FA security is flawed is definitely a serious concern, so how did he do it? Well, if you don't have your mobile easily to hand to receive your 2FA code from PayPal they'll give you the option of answering your special security question instead. However, Hoggard discovered that meddling with th…

Update: Dyn reports that as of about 9:30 a.m., service has been restored and affected sites and services should start returning to normal. Read on to see what happened and how big it was. Original story: Users of dozens of popular sites and services — including Spotify, Twitter, Github, Reddit, Airbnb, and others — are grumbling about slow load times, missing content, or sites just plain being down periodically today. The good news is: no, it’s not just you. The bad news is: big chunks of the internet aren’t working because of a deliberate attack. The core issue is a massive DDoS attack against DNS host Dyn, as TechCrunch first spotted. A DNS hosting service is …

One of the early victims of an exploding Samsung Galaxy Note 7 said that the company offered to cover his expenses, including damage to the hotel room he was staying in at the time his phone caught fire. Now that the phone has been officially recalled and Samsung is in crisis, customers report that Samsung hasn’t handled customers whose phones have actually caught fire very well. The Guardian US spoke to multiple fire victims who have remarkably similar stories. They who say that Samsung has been uninterested in helping customers whose homes were damaged or left uninhabitable by fires started by exploding phones, and that the company has made it clear that getting the …

Welcome to Week 3 of National Cyber Security Awareness Month! This week’s theme, brought to you courtesy of the National Cyber Security Alliance of US businesses and government agencies, is about recognizing and combating cybercrime. That includes all manner of online crime, be it crooks stealing personal information for monetary gain, identity theft, or online radicalization and recruitment to terrorist networks. It also includes things that some of us might not even realize are crimes, like guessing at passwords, using somebody else’s photo, trolling, cyberbullying or getting back at an ex by posting their intimate photos online. Here are examples we’ve seen…

ATM explosive attacks increased by as much as 80 percent in the first half of 2016, reveals a new report. The European ATM Security Team (EAST) tracked 492 explosive attacks. Some used solid explosive material to pull off their heists, though they were a minority at 110 of the incidents. All the rest made use of gas. But let's be frank. It doesn't matter that much to us what bad guys are using to blow up the cash machines. EAST Executive Director Lachlan Gunn says while it's not good that thieves are conducting those types of attacks in the first place, the fact that those techniques are on the rise is extremely concerning. As he explains in a blog post: "T…

Netflix is telling some password-reusing customers to reset those well-trodden logins after it spotted some of them in a batch of purloined credentials. The news was first reported by AdWeek, where writer Steve Safran said on Friday that he’d received this email: As part of our regular security monitoring, we discovered that credentials that match your Netflix email address and password were included in a release of email addresses and passwords from a breach at another company. The email didn’t give details about how many accounts were affected. Netflix is resetting affected users’ passwords for them and then prompting them to change it to a new one. The e…

How easily are computer users fooled by bogus technical support scams? For anyone living in the US, a new study from Microsoft suggests the chances of losing money when encountering this kind of scam are a surprising – and shocking – one in five. The firm questioned 12,000 people who’d run into tech support cons in 12 countries (1,000 per country) uncovering marked national variations in susceptibility. Top of the list was India, where 22% of those targeted fell for the ruse, with the US and China close behind on 21% and 16% respectively. Only 2% of Britons lost money, making them by some distance the most resistant nation of those studied, with Germany, Denma…

900 bugs. That’s a lot. $5,000,000. That’s a lot, too. That’s how many bugs Facebook’s pioneering bug bounty program has uncovered since it launched five years ago – and how much Facebook has paid for them. The social network giant celebrated the program’s fifth anniversary with a blog post and self-assessment – and for anyone who’s either running or contemplating a bug bounty program, it’s quite instructive. As The Register notes, Facebook’s program: Pays generously when it receives notice of flaws and working proof-of-concepts, provided they are not already public or used in attacks against users. Simple math shows the average payment has run roughly $5,500,…

Verizon could reduce the price it will pay to acquire Yahoo, or walk away from the deal completely. That could happen if Verizon cannot be reassured that the consequences of Yahoo's massive data breach hasn't had a material impact on the troubled search engine's business, reports BBC News: A legal representative for Verizon, Craig Silliman, told reporters: "I think we have a reasonable basis to believe right now that the impact is material and we're looking to Yahoo to demonstrate to us the full impact. If they believe that it's not then they'll need to show us that." He added that Verizon was "absolutely evaluating [the breach] and will make determinations about…

How do you think your customers would feel if they visited your business’s website one day and were greeted with an offensive image, malicious code, religious propaganda or a form designed to steal their passwords? My guess is that you wouldn’t be happy, and your customers would be concerned that your website might have been hacked and that their personal information could have fallen into the hands of criminals. So how would you feel knowing that hackers could pull off an attack like this without changing a single byte of your website’s code? Without even having to access the content on your web server. Welcome to domain hijacking. The first thing to reali…

A new Android malware loves users' love of selfies. How much? Enough to ask them to take one so that it can steal access to their accounts, and potentially steal their identity. The unnamed malware masquerades primarily as a video codec or plugin. In some cases, it arrives as a fake Adobe Flash Player app, a tactic which other Android malware including Marcher and Android/Spy.Agent.SI have employed. Amusingly, in at least one of the instances shown above, the attackers have called their malicious app "Abode Flash Player" rather than Adobe Flash Player. Regardless of the disguise, the end result is always the same. If successfully installed, the trojan a…

As a seasoned (some would say ‘power’) user you know how demanding good password selection can be – there are so many different things to consider. It’s a statement and a public performance; a password is a micro-haiku that lets the office newbie know they’re playing with the big boys when you hand them that careworn yellow post-it. It’s precious and you want to get it right because you only get one. YOLOAYORNOPNMWTAGIIS* as they say. Nothing says “I’m logical and good with numbers” like 123456 but is that really the real you? Where do your loyalties lie? Your head says pet’s name but your heart says sports team + championship winning year. And what abou…

Police in Thane, India, last week busted a call center devoted to Internal Revenue Service (IRS) scamming, detaining 700 people and arresting 70 of them for allegedly calling to threaten thousands of Americans with arrest over supposedly unpaid taxes. As the Wall Street Journal tells it, police said at a news conference on Wednesday that 200 police had raided 3 bland buildings in the Mumbai suburb the night before: Police said three nondescript office buildings on the edge of this booming Mumbai suburb were packed with hundreds of people posing as Internal Revenue Service officials in a scam that has vexed Americans for years. Thousands of calls went out from nin…