allheart55 Cindy E

The UK’s electronic communications watchdog has just clamped down on a company accused of mass spamming. Intelligent Lending Limited has been fined £130,000 (about $170,000) over the matter of close to 8 million unsolicited SMSes that it sent over a six month period in 2015. The messages looked like this: According to the Information Commissioner’s Office (ICO), the spammers claimed that they’d complied with the letter and the spirit of the rules by buying in a list of mobile phone numbers for consumers who had already consented to receive SMS ads. The ICO disagreed, arguing that consent couldn’t be that vague: Consent within the meaning of [the relevant regulation] requires that the recipient has notified the sender that he consents to messages being sent by […] the sender. Indirect, or third-party, consent can be valid but only if it is clear and specific enough. The onus, said the ICO, is on the sender who buys in a mailing list to determine that the consent given by the people who are on that list is “sufficiently clear and specific” for the purpose at hand. Just how specific this consent needs to be isn’t explicitly stated, but we’re assuming that if you’ve agreed to receive ads about hiking boots, then a sender who subsequently targets you with special offers for rucksacks or tents would probably be in acceptable territory. On the other hand, we’re guessing that a sender who tried to sell you credit – or plumbing services, or property investment opportunities – on the back of your interest in hiking would be overstepping the mark. At any rate, in this case, the ICO judged that the sender didn’t have consent, and therefore knowingly contravened the UK’s rules about electronic messaging. Learn More What you can do to help There’s a popular, and understandable, perception that it’s just too hard, and not worthwhile, to try to report spam messages to the authorities, especially SPASMS (which is what we jocularly call spam that arrives via SMS). However, there’s an easy way to make your voice heard in the UK: you can report SPASMS by simply forwarding them to the phone number 7726. (That short-code number is easy to remember: it spells out SPAM.) In this case, reports to 7726 made a big difference. The ICO treated this as a serious contravention because close to 2000 people actively flagged the messages as spam. (1896 used the 7726 short-code; 25 reported the messages directly to the ICO.) If you’re a business, you can help at the other end of the messaging chain by taking your electronic marketing responsibilities seriously. When it comes to the concept of “consent,” make as certain as you can that your recipients really have agreed to hear from people like you about the products and services that you’re trying to sell. As fellow Naked Security writer Mark Stockley wryly put it, “Don’t ask if you can borrow someone’s bicycle and then take their car instead.” Source: Sophos

:omg: I could not believe the end of the conversation by the scammer. Some of the things that he said.....:real_anger:

Man Receives Call From Scammer and Proceeds to Waste his Time. Caution : Profanity.

The New York Times has published a story quoting unnamed Yahoo insiders, and it doesn't paint a pretty picture of the firm's security priorities. There's lot to ponder in the article, but one thing that sprung out to me was a section which described how CEO Marissa Mayer clashed with Yahoo CISO Alex Stamos (who left to become Facebook's security chief in mid-2015, in a move widely applauded by the infosec community). But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google. Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services. In 2009, Yahoo is believed to have been one of the many tech firms (including Google who famously went public about it) who suffered a sophisticated attack from Chinese hackers dubbed "Operation Aurora". In 2012, 450,000 Yahoo email addresses and passwords were stolen by hackers after the company's sloppy security was exposed. In 2013, NSA whistleblower Edward Snowden revealed how the NSA and GCHQ had exploited Yahoo's systems, and were capable of intercepting users' messages as they travelled between the company's network of data centers. Meanwhile, Yahoo was being pretty dumb - what with its moronic recycled email address scheme, Marissa Mayer not bothering to have a passcode on her smartphone, and Yahoo rewarding vulnerability researchers who found a serious bug that could lead to account compromise a pathetic $12.50 t-shirt. The only silver lining was that Yahoo finally decided to switch on HTTPS by default in January 2014, although it was shockingly late to that particular party. As we were to learn last week, however, there was more trouble just around the corner. In late 2014, as we now know, half a billion account details were stolen after a massive security breach that the company is blaming on a state-sponsored attack. In 2016, Yahoo is trying to sell itself to Verizon for $4.8 billion. I wonder if Marissa Mayer wishes now that she had told Yahoo's security team to reset all users' passwords back then. Companies either get security or they don't. If the New York Times story is to be taken at face value, it's beginning to sound like the problem with security not being treated as a priority at Yahoo was coming from the very top. Source: Graham Cluley

Last week was pretty rough for Yahoo, which confirmed on Thursday that it suffered a major data breach affecting more than half a billion (yes, with a B) users. Now 500 million people with Yahoo accounts are trying to figure out what to do next… but they’re not the only ones. Courtrooms As you might imagine, Yahoo users are incredibly unhappy with the fact that their data was stolen en masse, and are even less happy with the way the company handled the disclosure. The first lawsuits against Yahoo were entered the day after the news broke, and now a pile of similar, related claims is starting to pile up. As USA Today and Bloomberg report, there are at least five cases filed against Yahoo so far. Two, one by a New York resident and one for an Arkansas woman, have been filed in the U.S. District Court in San Francisco. Both seek class-action status. Another, also by a New York resident, was filed in federal court in San Jose. And similar complaints have also been filed in federal courts in Illinois and San Diego. In one case, the plaintiff’s lawyers claim Yahoo “intentionally, willfully, recklessly, or negligently” failed to protect its systems and also failed to tell users that their data “was not kept in accordance with applicable, required, and appropriate cyber-security protocols, policies, and procedures,” in violation of the FTC Act and California law. Another complaint says, “[Yahoo’s] misconduct was so bad that it evidently allowed unauthorized and malicious access to plaintiff’s and the class’s personal information on defendant’s computer systems to continue unimpeded for nearly two years.” Legal action takes time, so it will be a while before we know how or if these cases will be consolidated, and if class-action status ends up granted. Capitol Hill A half-dozen Senators really want to know a lot more about how this breach happened and what was stolen — and also, just what Yahoo knew and when they knew it. To that end, Sen. Patrick Leahy (VT), joined by Senators Richard Blumenthal (CT), Al Franken (MN), Ed Markey (MA), Elizabeth Warren (MA), and Ron Wyden (OR) today sent a letter full of pointed, specific questions to Yahoo CEO Marissa Meyer. The letter (PDF) asks, among other questions, what Yahoo sites and services were affected, how many total users were hit, how Yahoo didn’t notice the intrusion to begin with, and what it’s doing to prevent another one. “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week,” the Senators write. “That means millions of Americans’ data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.” Separately, Sen. Mark Warner (VA) is asking the Securities and Exchange Commission to investigate whether Yahoo met mandated disclosure requirements about the breach. “Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about,” Warner wrote in a letter to SEC chair Mary Jo White. He also asked the SEC to investigate whether Yahoo made “complete and accurate” representations of its information security practices. The SEC is involved because Yahoo is in the midst of a $4.8 billion acquisition by Verizon. As part of that, Yahoo told the SEC on Sept. 9 that it did not have knowledge of any unauthorized access of its users personal data… 13 days before it announced the massive breach. C-Suite Lawsuits and letters from Congress are concrete, but the rumors in the business world are a little more ethereal and vague. That said, issues surrounding the breach could indeed complicate or even scuttle Verizon’s plans to purchase Yahoo. As Fortune explained last week, the language of the deal between Verizon and Yahoo would not allow Verizon to scrap its plans over external factors, like changes in global political or economic situations (Brexit, anyone?). Verizon can, however, either back out — or negotiate a lower price — if a court finds that the breach is an adverse event that lowers Yahoo’s value. But the more pressing issue is the same one Sen. Warner’s asking the SEC to look into: when did Yahoo find out about the breach? Because the merger agreement that Yahoo signed on July 23 specifically agrees that to their best knowledge, there have not been any incidents or claims about data loss or security breaches. And if Yahoo did know, and signed that agreement anyway, that would spell trouble. Verizon, meanwhile, said on Thursday that it only found out about the massive breach two days before Yahoo’s 500 million users, and the rest of the world, did. There are reports beginning to surface that Verizon leadership are unsure how to continue. Many analysts say that the deal is likely to progress, but that Verizon may well lower the price it’s willing to pay for now-damaged goods. Source: Consumerist

As if auto-dialed, pre-recorded robocalls weren't bad enough, scammers are now blasting out robocalls that use poorly synthesized text-to-talk programs in an effort to try to frighten people into thinking they are being sued. The following recording is just one of many robot-voiced robocalls we've received in recent weeks from scammers. They all claim that we are facing legal action. This one mentions a criminal lawsuit and provides some bogus docket number, but no reference to any actual crime; others have claimed to be from the FBI, IRS, or other agencies: What's interesting about the calls is that the call-back number provided in the recorded message matches the number that shows up on Caller ID. Usually a scam robocaller uses spoofing technology to hide behind a fake Caller ID number and then provides a different phone number for calling back. These calls are either coming from someone who doesn't care/know enough to spoof a number or is using tech to reroute calls to that number to yet another phone. Out of curiosity, we called the number back on a public phone with a blocked number. The call connected but no one ever answered. NOTE: Don't call any of these numbers back from your phone or any phone you don't want to end up identified as being a potential victim. We've filed complaints with the Federal Trade Commission about some of these calls, as they violate both the Do Not Call registry and telemarketing laws; the calls impersonating the IRS and FBI break additional laws. But it can take a while for authorities to actually track down the source of robocalls; even then it may be difficult to connect them to a human being that can be punished. That's why so many Americans just want some easy-to-use way to block these calls from ever reaching our phones in the first place. The End Robocalls campaign by our colleagues at Consumers Union has reached a milestone, gathering some 750,000 names from American consumers who want the phone companies to know they are tired of answering the phone and not knowing if that unfamiliar number is a friend, family member, some other important caller, or a jerk trying to con them out of their money or personal information. And if you think that'll never happen to me, maybe you're right, but it's happening to a lot of people, with an estimated $350 million a year lost to telemarketing scams. While the telecom industry recently partnered with the FCC to create an anti-robocall strike force to combat these unwanted calls, these same companies had long balked at actually offering robo-blocking tools to their customers. Meanwhile, third-party blockers have not yet proven to be the answer. Add-on devices often cost money and may not work the way you wish. One of the best-regarded blockers, Nomorobo, is free to use, but only on certain types of landline phones. There are wireless versions of Nomorobo and other blocking-apps, but they generally cost money. All this hassle, just to block calls that are likely illegal. Consumers are sick and tired of being harassed by robocalls and anxious for the phone companies to deliver real relief, says Tim Marvin, who heads up the End Robocalls campaign. As the Robocall Strike Force works on longer term efforts to combat unwanted calls, the phone companies should start offering the best call-blocking tools currently available and make sure that all of their customers get the protection they deserve. Before agreeing to form the strike force, the telecom industry often claimed it couldn't offer blocking services on a widespread basis because they couldn't possibly block all robocalls. Marvin says that no one expects perfection; just fewer calls. While no robocall solution will be 100% effective, says Marvin, it's clear that the phone companies could be doing so much more today to stop these nuisance calls. Even if the blockers worked for just 75% of robocalls, that could mean a significant reduction in Nuisance calls for many Americans. According to a recent Consumer Reports survey, around 7-in-10 customers at each of the major landline providers (AT&T, Verizon, CenturyLink) told CR they get at least six robocalls a week, while around 40% of these folks say they get upwards of 10 robocalls each week. Who wouldn't want a free, easy-to-use tool that could cut those numbers down at least a bit? Source: Consumerist

Thanks, Pete!

It wouldn't complete for me.

I'll give it a try and let you know, Tony.

A Verizon Wireless employee has pleaded guilty to violating federal law by selling customer phone records and location data to a private investigator, starting at a measly $50 a month. According to a plea agreement [PDF] filed last week in a federal court in Alabama, the defendant, Daniel Eugene Traeger, was employed as a network technician for Verizon. In 2009, a private investigator contacted Traeger, offering to pay him for customer information. Traeger allegedly accessed Verizon’s computer network to obtain call records and location data for the investigator, while being fully aware that he was not allowed to do so. In return, the P.I. paid him a monthly fee of $50. By 2013, prosecutors say that rate had been bumped up to $750/month. In total, the defendant earned more than $10,000 from selling this information. Traeger could face up to five years in prison for violating a federal law prohibiting unauthorized access of a protected computer. However, as the AP notes, prosecutors are asking the court to consider a shorter sentence because Traeger has cooperated. Source: Consumerist

As The Register reports, Yahoo is being sued after disclosing that hackers stole at least 500 million user records two years ago: Two Yahoo! users in San Diego, California, filed on Friday a class-action claim against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act. The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives. You can check out a PDF version of the class action complaint here. No doubt this won't be the last legal action against Yahoo following its confirmation that it suffered such a damaging attack. Questions will no doubt be asked as to whether Yahoo could have done more to protect itself in the first place, why it didn't notice it had suffered a data breach sooner, and what has made the company conclude that its attackers were "state-sponsored". Meanwhile Yahoo users who believe they have been wronged will have to put together a convincing case that they have suffered a financial loss a direct result of the hack. This could take a while... Source: Graham Cluley

Normally upgrading the operating system on your iPhone doesn't just bring you a few new funky features, you also get to benefit from some security enhancements and fixes too. However, with iOS 10 it seems things might have taken something of a backward step - in at least the case of the security of any local iTunes backups you might be making. That's according to Russian firm ElcomSoft which makes software to help users gain access to password-protected data: When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older. This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before. 2500 times faster? My guess is that is not the kind of speed boost you were hoping to get when you upgraded to iOS 10. The silver lining on the cloud is that ElcomSoft's discovery affects the local iTunes backups you might make of your iPhone or iPad. That means that any hacker wanting to exploit the weakness would have to target the computer you have made the backup onto, rather than something more chilling like trying to access the phone itself remotely. Nonetheless, considering that Apple has been making such an impressive stand recently on security, fighting attempts to force it to weaken the security of its mobile devices, it's disappointing to see this apparent backward step. Source: Graham Cluley

Microsoft is revealing today that 400 million active machines are now running Windows 10. The latest update on usage comes just three months after the software maker revealed 350 million devices were running Windows 10 back in June. While Microsoft claims the adoption rate of Windows 10 is 115 percent faster than Windows 7, the company originally claimed it would have 1 billion devices running Windows 10 by 2018. Microsoft revised its timeline in July noting that "it will take longer than FY18 for us to reach our goal of 1 billion monthly active devices." Windows 10 usage growth slows as free upgrade expires Microsoft's latest stats show why it will take longer to hit 1 billion devices running Windows 10. Before the free Windows 10 upgrade offer ended in July, nearly 30 million additional machines were running Windows 10 each month. That growth has stalled to around 16.6 million each month during the past three months, at a time when the upgrade offer expired and PC sales are typically slower. It's not clear how well growth will progress for the rest of the year, but Microsoft is still focused on reaching its goal of 1 billion Windows 10 devices. That goal is clearly going to take a little longer than Microsoft initially expected, and the company won't likely hit its target until 2019 or 2020 unless there's a significant boost to sales of devices running Windows 10. Microsoft had been placing some of its hopes on Windows Phone to help push its Windows 10 target, but the company has realigned its phone efforts and Windows Phone has dipped below 1 percent market share as a result. Microsoft hasn't said when it expects to hit its 1 billion devices target for Windows 10. Via: ZDNet

I agree with Dougie. It also has issues running along side some of the better known security suites. There's a good read about it at Bleeping Computer. Trusteer Rapport

I was thinking the same thing, Bill.

Yesterday, Yahoo confirmed a data breach affecting 500 million accounts, including logins, names, logins, birthdays, and security questions. The good news is that the passwords were encrypted with a strong hash algorithm, so they’re relatively protected for now. The bad news is, the breach happened in late 2014, so all that data has been kicking around for nearly two years. It’s too early to say exactly which users are in the dump, but the number is so large that if you are a Yahoo user — or even just a human being on Earth — the odds are pretty good that you’re in there somewhere. In case you are, here are a few quick things you can do to make sure nothing from the breach ends up coming back to you. Change your password and your security questions Yahoo’s already started doing this, and the strong hash on the passwords means it will take a lot of time and computing power before any criminals can actually get the passwords i,n unencrypted form. Still, better safe than sorry. Change every password and security question linked to Yahoo, Flickr or Tumblr — it's easy to do, and it will make a huge difference if the hackers have any surprises in store. Use a password manager If criminals ever do break through that password hash, the damage will go far beyond Yahoo itself. The most popular attack in these situations is something called a credential stuffing attack — running the Yahoo login / password pairs against other sites to see if anyone used the same password for both services. Experts say that, on average, 2 percent of passwords in a given dump will match with a given site. In this case, that means 10 million people, or roughly the population of Portugal. The easy answer (which you’ve probably heard before) is "don’t reuse passwords," which is true, but easier said than done. The better answer is to use a password manager like 1Password, LastPass, or Dashlane, which will generate strong, unique passwords for each service. Each one has its own strengths and weaknesses — but even the weakest is better than keeping your old passwords and potentially losing control of your accounts. Use two-factor authentication Of course, those passwords will matter a lot less if you’re using two-factor authentication on all your accounts. Do it! Google Authenticator is great, and I am a big fan of my Yubico key. SMS isn’t perfect, but it’s pretty good, too. Just use something! Kill your security questions This one is probably the hardest — but if you want to completely cut off the fallout from the Yahoo dump, it’s necessary. Part of the information taken from Yahoo was security questions: questions like "What was the make of your first car?" or "What was the mascot of your high school sports team?" Yahoo can stop using those questions, but the information doesn’t stop being true, and there will be plenty of other services using the same questions. This is how hackers went after tax returns in 2015 — and there’s every reason to think they’ll try the same attacks next year. So, how can you protect yourself? The only real answer is to break the security question system entirely. Every time you’re presented with a security question field, give a unique and untrue answer — effectively, a backup password. Write it down, lock it away, and never give the same one twice. When the time comes to reset your password, you’ll be the only one who knows the answer. Of course, that’s an extreme solution and not everyone has the stomach for it, so if you want to stick to the first three points here, I totally get it. Just do what you can, and try not to get hacked out there! Source: The Verge

Amid recent reports of Verizon Wireless customers getting dinged on their bills for going over their monthly data allotments, some of these subscribers say they are going over their data limits because Verizon stopped sending them overage alerts. The Cleveland Plain Dealer has been highlighting the stories of Verizon customers who say they stopped receiving text alerts from the carrier warning them that they were was approaching their monthly limits. One woman says her bill is normally $130 a month, but this months bill came to $838 including $700 in overage fees. She called Verizon and the company said it had been sending her text alerts, alerts she swore she never received until the one that said her payment was late. Another subscriber who faces a $1,700 bill tells the Plain Dealer that she'd previously relied on the automated overage warnings to keep her from going over her limit, but claims she stopped receiving them. A woman in Iowa says her family somehow managed to go through a months worth of data in just a few days, but the only alerts they get are when its too late. Another Verizon customer says he's been smacked with fees because Verizon stopped alerting him about possible overages before he hits 90% of his monthly allocation. I no longer get the 75% notification he told the Plain Dealer. I relied very heavily on the warnings because then I could manage my usage. That's because Verizon does not automatically alert users at 75%. A rep for the company tells Consumerist that users can opt in to receiving alerts at this threshold, but the automatic alert doesn't kick in until you reach 90% of your monthly allotment. All Verizon customers receive a text alert on their device when they've used 90% of their plan data in a month and then again when they've hit 100% (which indicates they've gone over),� the rep told Consumerist. In addition, customers can also better manage their data use by opting in to a 50% alert and a 75% alert. He also pointed out that the New Verizon Plan has a Safety Mode for all data bucket sizes, a free feature that kicks in once a customer hits their data limits. If its enabled, it means you won't get an overage, your data speeds will just slow to 128 kbps once you've exceeded your plan limit. We checked in with the other three major carriers to clarify their policies on data overage alerts as well, and it seems that Verizon is the only one that requires users to opt in at lower threshholds: T-Mobile: The company confirmed that there are no data alerts because T-Mobile got rid of overage fees entirely for all post-paid customers in 2014. AT&T: AT&T automatically sends a courtesy text message and email alert when you reach 75%, 90%, and 100% of the data included in your plan, a company spokesperson told Consumerist. Sprint: Sprint customers receive notifications at 75%, 90%, and 100% of data bucket usage, a company spokeswoman confirmed to Consumerist. There's also the option of the Better Choice Plan, where customers can choose to get unlimited data at 2G speeds after 100% data usage/after exhausting their monthly allotment. Source: Consumerist

My Yahoo account was hacked several years ago. It was a real PITA. Ever since that happened I have been using my MSN account as my main email.

As was rumored this morning, so it has come to pass. Yahoo has confirmed a massive data breach — and it’s far, far bigger than anyone guessed at first. The breach affects “at least 500 million” users, Yahoo confirmed today. Yes, that’s more than half a billion, with a B, people. The data, Yahoo writes, was stolen in late 2014. The company suspects a “state-sponsored” actor did it — meaning some government paid someone to get this data, and it wasn’t just the act of rogue, bored hackers. Compromised information may include: Names E-mail addresses Telephone numbers Dates of birth Hashed passwords Encrypted and unencrypted security questions and answers Yahoo says the investigation — still ongoing — has not turned up any evidence that ant payment card data or bank information was included. The investigation also appears to indicate that the hacker is no longer still infiltrating the network, so the hack is “over,” such as it is. Yahoo says it is notifying any potentially affected user (which, let’s be real, with more than 500 million people affected is “most of them”) and asking them to change their passwords. It is also invalidating the purloined security questions and, as you might guess, working closely with law enforcement. Yahoo also asks users to consider using the Yahoo Account Key authentication tool in the future, so as not to have passwords that can be stolen. And as always, change basically any password anywhere that you might have held in common with your Yahoo one, and be careful with any unsolicited messages you may receive. Source: Consumerist