April 2, 2018
150 million MyFitnessPal accounts compromised – here’s what to do
By Mark Stockley
Under Armour’s hugely popular fitness tracker, MyFitnessPal, has been hacked. If you’re one of the 150 million or so users of the app or website, don’t panic, but do change your password.
If you use Facebook to log in to MyFitnessPal you do not need to change your Facebook password.
If you use your MyFitnessPal password on any other websites, change your password on those websites – choose a different, strong password for each one (consider using a password manager if that sounds too difficult).
Under Armour says it’s notifying users of MyFitnessPal about the breach. It’s possible that criminals will try to take advantage of this by sending malicious tweets or emails that look like they’ve come from Under Armour.
You can protect yourself by being proactive: read Under Armour’s notice of data breach and check its account security FAQs.
Don’t click on links in emails that seem to have come from Under Armour or MyFitnessPal. The company has made a clear statement that it will not send emails about this that contain links or attachments:
Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal.
If you need to visit MyFitnessPal, use a browser bookmark if you have one; if you don’t, open your browser and type the address https://www.myfitnesspal.com/ yourself, or just use the app on your phone.
Read more at https://nakedsecurity.sophos.com/2018/03/30/150-million-myfitnesspal-accounts-compromised-heres-what-to-do/
Boeing hit by WannaCry, reminding everyone the threat is still there
By John E Dunn
When senior Boeing engineer Mike VanderWel reportedly sent an “all hands on deck” internal memo yesterday warning that the dreaded WannaCry malware was on the loose inside the company’s networks, alarm quickly spread.
According to excerpts leaked to the media, his anxiety is palpable:
[The malware] is metastasizing rapidly out of North Charleston and I just heard 777 [production] may have gone down. We are on a call with just about every VP in Boeing.
To many in the company and beyond, this must have sounded worryingly reminiscent of the way WannaCry attacks unfolded across numerous large organizations during its first appearance last May.
Now, as then, WannaCry carries with it a feeling of helplessness, as if what is happening is unstoppable and therefore disruption is inevitable.
Read more at https://nakedsecurity.sophos.com/2018/03/29/boeing-hit-by-wannacry-reminding-everyone-the-threat-is-still-there/
Facebook revamps security, privacy settings following huge data scandal
By Lisa Vaas
Following the Cambridge Analytica (CA) privacy train wreck that has been the past two weeks, Facebook says it’s going to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot for users to more easily find and edit whatever data it’s got on them.
The changes are due to arrive over the coming weeks.
It gave details in a blog post on Wednesday.
Facebook VP of policy and chief privacy officer Erin Egan credited the CA revelations for showing the company that they’ve got work to do:
Last week showed how much more work we need to do to enforce our policies and help people understand how Facebook works and the choices they have over their data. We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed.
Last week, CEO Mark Zuckerberg announced a crackdown on abuse of Facebook’s platform, strengthened policies, and pledged an easier way for people to revoke apps’ ability to use their data.
The core of the personal-data-gobbling scandal is, of course, how very, very easy it’s been for apps to get at that data. … And how precious little Facebook has done to police those apps. … And the near-nil steps Facebook took to verify that the data of 50 million Facebook users inappropriately shared with data analytics firm CA had in fact been deleted (it hadn’t).
Egan said in Wednesday’s post that the revamp of privacy and security controls has been in the works “for some time,” but “the events of the past several days underscore their importance.”
We’ve heard loud and clear that privacy settings and other important tools are too hard to find, and that we must do more to keep people informed.
The changes, not surprisingly, put the onus on users to delve into what data Facebook has on them. The changes don’t speak to the lack of vetting Facebook has put app developers through.
Read more at https://nakedsecurity.sophos.com/2018/03/29/facebook-revamps-security-privacy-settings-following-huge-data-scandal/
Football team pays $2.5 million to criminals in transfer fee scam
By Paul Ducklin
Football is a big-ticket news item all around the world, whichever flavor of the game you prefer.
Unsurprisingly, there are huge amounts of money at the top level in all codes of football – American, Australian, two different types of rugby, and the most widely-played variant, Association Football, variously known as the “world game”, the “beautiful game”, or soccer.
A lot of money, at least in European soccer, goes on transfer fees, paid when players switch between teams – sometimes between teams in the same league, but often in moves from country to country.
For example, Dutch player Stefan de Vrij moved from top-flight Dutch club Feyenoord to Italian football giants Lazio a few years ago.
We’re not sure what the total transfer fee was, but apparently the payments were done in installments, with the final payment, due in 2018, a cool €2,000,000 ($2.5 million).
Here’s the scary thing.
According to astonished football journalists the world over, Lazio apparently paid out that final $2.5m sum…
…to the wrong bank account, after being convinced to switch account numbers by an email scammer.
As one football writer quipped:
There’s nothing more wonderful in the world than the spam folder […] – Lord knows how much utter nonsense lives there – but perhaps Lazio need better filters on their inbox…
I chuckled at that remark, but the truth is almost certainly much more complex than just one piece of unfiltered spam.
Read more at https://nakedsecurity.sophos.com/2018/03/29/football-team-pays-2-5-million-to-criminals-in-transfer-fee-scam/
Hackers hit 911 systems, emergency dispatch affected
By Lisa Vaas
On Sunday, Baltimore’s emergency service dispatchers were forced off automated dispatching and onto getting the job done manually because of a hacked server.
According to the Baltimore Sun, the breach was confirmed by Mayor Catherine Pugh’s office, the FBI (which is helping with the investigation), Baltimore Police Commissioner Darryl De Sousa, and CIO Frank Johnson from the Mayor’s Office of Information Technology.
James Bentley, a spokesman for Pugh, told the newspaper that the attack, which came around 8:30 am on Sunday morning, affected messaging functions within the computer-aided dispatch (CAD) system.
The CAD system supports the 911 emergency service and the 311 mayor’s hotline. Johnson called it a “limited breach.” Services that back up the two numbers “were temporarily transitioned to manual mode,” he said, and continued to operate without disruption.
The Baltimore Sun quoted Johnson:
This effectively means that instead of details of incoming callers seeking emergency support being relayed to dispatchers electronically, they were relayed by call center support staff manually.
After isolating the affected server and taking it offline, city workers did a “thorough investigation of all network systems,” Johnson said, and had the problem fixed and the server back online as of 2 am Monday.
Police Commissioner De Sousa said that police response time to crime reports didn’t slow down due to the attack.
There were no suspects as of Tuesday, and the motive for the hack was unknown. Nor is it known if this was the first such attack on Baltimore’s 911 system.
There are all sorts of motives that have been at the heart of similar attacks, though. As the Baltimore Sun reports, and as was confirmed by an association that represents 911 professionals across the country, there’s not much by way of personal or financial data on these systems.
The systems can, however, store some medical information and can give attackers access to cities’ important mapping systems. Taking them down also affects cities’ ability to quickly respond to disasters.
Read more at https://nakedsecurity.sophos.com/2018/03/29/hackers-hit-911-system-emergency-dispatch-affected/
Firefox add-on limits Facebook’s tracking of you
By Maria Varmazis
Long gone are the days when Facebook was just a way to keep in touch with friends and family. Many of us don’t think twice about signing up or logging in to an app or retailer’s website through our Facebook account, and using Facebook to leave comments is so ubiquitous that it just seems like a normal part of the internet experience.
Long after we’ve closed that Facebook tab, our Facebook accounts continue to follow and monitor us everywhere we go online, all in the pursuit of mining us for marketing data and serving us targeted advertisements.
Most of us remember that it wasn’t always this way. Privacy advocates have long warned about overreach in how Facebook tracks user data, and there are certainly ways to curtail what Facebook knows about your internet activity (that is, if you must use Facebook at all) – clearing cookies frequently, disabling JavaScript, using ad and tracker blocker plugins and so on.
All of these methods chip away at the creeping moss of Facebook surveillance, a term that would have seemed absolutely laughable just a few years ago. But with the revelations about Facebook data misuse by Cambridge Analytica, more users are taking a hard look at what exactly they’ve tacitly consented to by using Facebook, and how much they really want to allow it to peek into more and more facets of their lives.
To make it easier for people to keep the Facebook experience precisely where one might expect it to be – within the browser tab where it is running, and nowhere else – Mozilla has released a new extension called Facebook Container for its Firefox browser. In Mozilla’s own words, the extension “prevents Facebook from tracking you around the web.” Essentially, it keeps all Facebook activity within the browser tab where you are actively looking at Facebook, and it slaps Facebook’s hand if it tries to do anything outside of that tab.
So much of what we’ve become used to as internet-ubiquitous in the past few years – commenting on a page with a Facebook account, logging in to a service with Facebook credentials, liking a page or a comment outside of Facebook – will no longer work (or will mostly not work) within Firefox if you have this extension installed.
As this runs in the browser, it doesn’t change Facebook’s behavior at the core. So if you use Facebook on a different browser or on another instance of Firefox that doesn’t have the extension, these protections won’t apply. And this certainly wouldn’t affect how the in-phone Facebook app potentially tracks you or collects data on your activity.
(If you’re really concerned about the data Facebook is collecting on you but can’t quite get on the #DeleteFacebook train, using this browser extension and deleting the app from your phone is a good compromise.)
Read more at https://nakedsecurity.sophos.com/2018/03/29/firefox-add-on-limits-facebooks-tracking-of-you/