December 26, 2018

More phishing attacks on Yahoo and Gmail SMS 2FA

By John E Dunn

The second report in a week has analysed phishing attacks that are attempting to bypass – and probably succeeding in bypassing – older forms of two-factor authentication (2FA).

The latest is from campaign group Amnesty International, which said it had detected two campaigns sending bogus account alerts targeting around 1,000 human rights defenders in and around the Middle East and Africa.

The organization has its theories about who is behind the attacks but what will matter most to Naked Security readers are the methods being employed to defeat authentication.

Only days ago, researchers at Certfa reported on what they believed were targeted attacks against influential people with US connections which were able to beat 2FA.

Those targeted Gmail and Yahoo accounts secured with either SMS-based 2FA (where a one-time code is sent to the user’s mobile device) or a one-time code generated by an authenticator app, which also relies on an OTP-based protocol.

Likewise, the attacks detected by Amnesty also targeted Google and Yahoo’s 2FA, although this probably reflects their popularity rather than any specific weakness in implementation.

Read more at https://nakedsecurity.sophos.com/2018/12/21/more-phishing-attacks-on-yahoo-and-gmail-sms-2fa-authentication/

Microsoft gets users test driving Patch Tuesday’s non-security updates

By Danny Bradbury

Microsoft will install non-security patches on Windows machines in advance of Patch Tuesday, if users select a new and not particularly descriptive option in Windows Update, it was revealed last week.

The company explained the new ‘Check for Updates’ box in Windows 10 in a recent blog post, but left some concerned that users unfamiliar with what it does might stumble into a stealth beta program.

Not all Microsoft updates are created equal. In fact, the company identifies three kinds in the blog post. The most commonly-known update is the B release, which is the cumulative update that the company ships on the second Tuesday of each month (known as Patch Tuesday). This patch contains both new and existing security fixes, alongside previously-released non-security patches.

There are also another two types of optional update released in the third and fourth weeks of the month, known as C and D releases. “These are validated, production-quality optional releases, primarily for commercial customers and advanced users ‘seeking’ updates,” says Microsoft, adding that it makes them optional to avoid making customers reboot their Windows operating systems more than once a month.

Microsoft puts quotes around the word ‘seeking’ because customers that opt to install these patches early are often called seekers.

Read more at https://nakedsecurity.sophos.com/2018/12/21/microsoft-gets-users-test-driving-patch-tuesdays-non-security-updates/

Fortnite hackers making a fortune from reselling stolen accounts

By Danny Bradbury

Teenage hackers have been making a fortune from selling stolen accounts for the popular online game Fortnite, it emerged this week.

Players have been reporting stolen accounts for a while, but this week the extent of the “Fortnite cracking” problem was revealed. The BBC interviewed one Slovenian teenager who said he had made £16,000 (around $20,000) in the last seven months.

The attackers access the accounts using a technique called credential stuffing. They take lists of usernames/email addresses and passwords exposed by breaches of other online services and posted online, then try those credentials against Fortnite’s login page. When one of these credentials works, it’s because the legitimate Fortnite gamer reused their password from another service.

A successful account thief doesn’t know what they’ll get. It could be a valueless newbie’s account or something with more valuable electronic items.

Created by Epic Games, Fortnite is a gaming phenomenon, with earnings estimated in the hundreds of millions of dollars. It comes in various versions but the most popular is Battle Royale, which pits 100 players against each other in a gradually decreasing circle of play. The last player standing wins.
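Credential stuffing leaves a recognisable trace in a site’s own login logs: one source tries many different usernames in a short time, nearly all fail, and the occasional success is exactly the account whose owner reused a breached password. The following is an added example, not code from Epic Games or from the article: a Python detector run over a constructed login log (an assumed `ip=… user=… result=…` line format and RFC 5737 documentation addresses), with thresholds that are starting-point assumptions rather than values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a web login log (IP addresses from the RFC 5737 documentation ranges).
# 203.0.113.5 walks a breach list: many different usernames, almost all failing, one hit.
# 198.51.100.7 is an ordinary user who mistypes once; 198.51.100.9 logs in cleanly.
SAMPLE_LOG = """\
2018-12-20T09:58:30Z ip=198.51.100.7 user=alice result=FAIL
2018-12-20T09:58:45Z ip=198.51.100.7 user=alice result=OK
2018-12-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2018-12-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2018-12-20T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2018-12-20T10:00:04Z ip=203.0.113.5 user=dan result=FAIL
2018-12-20T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2018-12-20T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2018-12-20T10:00:07Z ip=203.0.113.5 user=grace result=OK
2018-12-20T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2018-12-20T10:01:00Z ip=198.51.100.9 user=bob result=OK
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within any span of at most `window`, tried at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    Returns {ip: summary}, where summary lists the accounts that were actually broken into."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # keep the widest qualifying window so the summary covers the whole run
                if best is None or len(win) > best["attempts"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        # accounts that accepted a breached password: these need a forced reset
                        "successes": [e["user"] for e in win if e["result"] == "OK"],
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Keying on the source IP catches the single-machine case in the article; a stuffing run spread across a botnet keeps each IP under the threshold, so in practice the same logic is also run per target account and on the site-wide failure ratio, and any account that appears in `successes` gets its session revoked and password reset rather than just being noted.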

Read more at https://nakedsecurity.sophos.com/2018/12/21/fortnite-hackers-making-thousands-from-stolen-accounts/

Nagging text messages can help you to quit smoking

By Lisa Vaas

Nagging text messages help smokers to quit, Chinese researchers have found.

In a clinical trial carried out across various cities and provinces in China, they pulled in 1,369 people (mostly men) who agreed to join a smoking-cessation program. Then, they divided them into three groups: subjects who received five text messages/day, those who only received one to three texts a week, and a control group who didn’t receive any texts at all.

The study lasted 12 weeks, plus 12 weeks of follow-up. Very few smokers managed to quit, but the groups who got the texts did much better, regardless of how frequently they got messaged.

The results: biochemically verified continuous smoking abstinence after 24 weeks was 6.5% for those who were frequently messaged, 6.0% for those who got less frequent messages, and 1.9% for the control group that didn’t get messaged.

In an article published in the medical journal PLOS Medicine on Tuesday, the researchers said that the results demonstrate that text intervention – the program was called “Happy Quit” – can work, albeit in a low proportion of smokers, and should be used in China’s large-scale intervention efforts.

Read more at https://nakedsecurity.sophos.com/2018/12/21/nagging-text-messages-can-help-you-to-quit-smoking/

Apple spams users with unwanted ‘Carpool Karaoke’ push notifications

By Lisa Vaas

Apple apparently didn’t learn much from Bono-gate – when it foisted a U2 album onto users’ devices without so much as a by-your-leave – because it’s gone and done it again.

This time, it’s been spamming users with promotions for its Carpool Karaoke show, among other push notifications, in spite of its TV app never expressly asking for permission to push promotional notifications, and even though its App Store guidelines forbid developers from sending unsolicited promos.

Some users are not pleased. One threatened to jump the iOS ship.

Another user pointed out that Apple is apparently violating its own developer guidelines: specifically, Section 4.5.3 of its App Store Guidelines, which tells developers not to “spam, phish, or send unsolicited messages to customers.”

Read more at https://nakedsecurity.sophos.com/2018/12/21/apple-spams-users-with-unwanted-carpool-karaoke-push-notifications/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation