How to buy (and set up) a safe and secure baby monitor

By Maria Varmazis

With the ever-growing list of things to acquire when your little one is on the way, finding a good baby monitor can give new parents quite a headache. And when you want to make sure your baby monitor is safe to use – on top of having all the bells and whistles you need – well, it’s hard to know where to even start.

Fear not, finding a secure baby monitor is very doable. I went down this rabbit hole myself in the last year when my daughter was a newborn, so you can learn from my own investigations here.

There are two big camps for baby monitors – ones that connect to the internet and ones that don’t. We’ll dive into the pros and cons of each, as well as the major security considerations.

Wireless (internet-free!) baby monitors

Baby monitors that don’t use the internet don’t have the neat IoT-y bells and whistles. You can’t check in on how your kids are doing with the babysitter on the sly while you’re out on date night.

Non-internet-enabled monitors are basically fancied up walkie-talkies or cordless phones – once you’re out of physical range of the camera, usually about the end of your front yard, you can’t see what’s going on via the monitor. Cheaper versions can also be prone to receiving interference from other radio-emitting devices in your house, which nowadays is basically everything from your phone to your microwave.

Read more at https://nakedsecurity.sophos.com/2018/10/16/how-to-buy-and-set-up-a-safe-and-secure-baby-monitor/

Facebook opens up about data breach details

By Paul Ducklin

What is this Facebook breach?

The breach was announced by Facebook itself on 28 September 2018.

It worked something like this…

Facebook has a View As feature that lets you preview your profile as other people would see it.

This is supposed to be a security feature that helps you check whether you’re oversharing information you meant to keep private.

But crooks figured out to how exploit a bug (actually, a combination of three different bugs) so that when they logged in as user X and did View As user Y, they essentially became user Y.

If user Y was logged into Facebook at the time, even if they weren’t actually active on the site, the crooks could recover the Facebook access token for user Y, potentially giving them access to lots of data about that user.

Read more at https://nakedsecurity.sophos.com/2018/10/15/facebook-opens-up-about-data-breach-details/

Beware sextortionists spoofing your own email address

By Lisa Vaas

Oh, no! A hacker (says he) planted a Trojan, (claims he) took over your computer’s camera and microphone, (purportedly) filmed you watching porn, (theoretically) has the password to your email account, and is threatening to forward the scandalous video to all your email and social media contacts unless you fork over Bitcoin!

“It must be true,” many people have unfortunately thought about this new twist on an established sextortion scam. After all, he’s (apparently) sending email from your very own email address!

Good news: thankfully, it’s not true. The sextorting phisher has not, in fact, demonstrated that he’s hacked your email. All he’s done is demonstrate that anyone can send an email claiming to be from anyone else.

That’s nothing new; it’s just the way email is designed, though plenty of phishers use this fact to send spoofed email that looks like it comes from a trusted party (like you!).

We’ve seen sextortion emails that have included an intended victim’s password – that the attackers actually found in a data breach dump – in order to make their claims to have taken over somebody’s computer seem legitimate. Those passwords are typically outdated. But with the latest spin, they’re also pretending to have access to their victim’s email account, by simply spoofing the sender of the scam email to make it look like the same email as that of the victim.

Read more at https://nakedsecurity.sophos.com/2018/10/15/beware-sextortionists-spoofing-your-own-email-address/

Literary-minded phishers are trying to pilfer publishers’ manuscripts

By Lisa Vaas

A scammer has been trying to steal manuscripts by spoofing their email address to make it look like messages are coming from literary agent Catherine Eccles, owner of the international scouting agency Eccles Fisher.

The scammer is targeting literary agencies, asking for manuscripts, authors’ details and other confidential material, as the industry publication the Bookseller reported on Thursday.

The attack on Eccles Fisher is just part of a broader, global spate of phishing attacks that’s prompted Penguin Random House (PRH) North America to issue an urgent warning to all staff just as the five-day Frankfurt Book Fair began, the Bookseller then reported on Friday.

PRH sent the warning to staff on Wednesday, when the book fair began. The email warned that…

We have recently seen an increase in attempts to steal our manuscripts. This has occurred in multiple locations across the globe. The individuals attempting to access these manuscripts have a sophisticated understanding of our business. We need to protect ourselves from these threats.

At least some of the emails look like they’re coming from a genuine Eccles account, including with the owner’s signature. But as is typical of spoofed email, the reply-to email address is going to a different domain with a slightly altered address, the Bookseller reports.

Read more at https://nakedsecurity.sophos.com/2018/10/15/literary-minded-phishers-are-trying-to-pilfer-publishers-manuscripts/