eBay waited over 30 days before they fixed password stealing flaw

eBay waited over 30 days before they fixed password stealing flaw

eBay waited over 30 days before they fixed password stealing flaw

 

eBay has been criticised for taking over a month to fix a security flaw that could have left millions of user’s passwords at risk.

The security flaw was discovered on 11th December by a security researcher known only as MLT. He contacted eBay the same day he found the flaw, but revealed a month later eBay had only just fixed the flaw.

MLT said eBay “only rushed to patch the security flaw after the media contacted them”. In a blog post MLT described the security flaw as “fairly basic”. He demonstrated just how hackers could have set up a fake login page with ‘ebay.com’ in the URL, this would then trick users in to revealing their usernames and passwords.

The hackers could then lure victims to these pages by sending out a phishing email that contained links to a bogus login page. Once the hackers have stolen the usernames and passwords they could then send scam emails to millions of other users or even bid on stuff.

eBay has blamed a “miscommunication” with MLT for the delay in fixing the security flaw.
An eBay spokesman has been quoted saying “we’re aware of this particular issue, which involves fraudsters attempting to phish customers using a malicious code in very limited case’s, this type of scheme is extremely rear on our platform”.

There is no sign that the hacker’s have exploited the security flaw and stolen any passwords, but it’s an indication of just how many vulnerabilities’ lie undiscovered within the websites we all use daily.

This is not the first time eBay has reacted slowly to report a security flaw, back in 2015, an Estonian Researcher Jaanus kääp said eBay had not fixed security venerability he found and emailed them about 4 times in 12 months.

Share Button

Oracle forced to confess Java is unsafe!

Oracle forced to confess Java is unsafe!

Java

The company that makes Java has been publicly shamed and forced to admit the plug-in can leave users at risk of getting malware.

The US Federal Trade Commission (FTC have ordered the California based company Oracle to display a warning about the security flaws in Java in their website.

The company has to make sure the warning stays on their site for the next two years, they also had to post a message on Twitter and Facebook linking to it.

By the company agreeing to these terms they won’t have to pay a fine for the flaws in their software.

The FTC accused Oracle of braking consumer-protection by lying about the flaws and the security of there plug-in.

Regulators have said between 2010- when Orical bought Java – and august 2014, the updates have affected only the newest version installed on PCs.

The FTC have said the updates did not remove older versions of Java, which were then left unpatched on PCs, and contained security flaws that hackers could then exploit.

The FTC said have said Oracle have “deceived” their users by not telling them older versions of Java were not being removed and what makes it worse is the company knew there was a problem back in 2011. Oracle have formally denied any wrong doing, but the ruling is a significate one because of how widely used Java is. Java is installed on an estimated 850 million computers.

Javas safety has long been a concern, back in 2013 the U.S. Department of Homeland Security warned everyone to disable or uninstall Java due to serious security flaws in the software.

Orical must publish a warning telling people if they are updating Java they can remove the old version using its ‘Uninstall Tool’.

For more information and to read the ruling of the FTC go to their blog post, titled: ‘What’s worse than stale coffee” Stale Java

Share Button

New Windows 10 Upgrade message is as bad as some malware’

New Windows 10 Upgrade message is as bad as some malware’

Windows 10 Upgrade Screen Shot

Microsoft have been slammed by some technology experts in the latest attempt to persuade Windows 7 & 8 user’s to upgrade to Windows 10. Some critics have gone as far as comparing Microsoft’s tactics to those used by cybercriminals.

This outrage was triggered by the new upgrade message that has started to appear on Windows 7 & 8 PCs that suggests users have no choice but to upgrade. Under the heading ‘Upgrade to Windows 10’ there are two buttons giving users only two options ‘Upgrade Now’ or ‘Upgrade Tonight’.

At first glance, users might think they have no option but to upgrade by the end of the day. However, you can simply ignore the message and close it by clicking on the cross in the top right corner. Microsoft knows not many users will realise they can simply ignore and dismiss the message by simply clicking on the cross, so they will be forced to upgrade even if they don’t want to.

An angry user in Reddits’s Windows 10 forum has likened it to a ‘salesmen’s tactic’. He wrote “Assume the deal is closed and offer them the car in red or blue’.

Microsoft has also used another salesman-like ploy in some of there messages saying that ‘Upgrading to Windows 10 will be free for a limited time’ but the message fails to state just when the offer will end, even though Microsoft has announced that this will be 28 July 2016.

By doing this Microsoft hope it will coax many users into upgrading straight away, and they will not realise they still have over 6 months to decide.

Microsoft is ‘lying to its users’

Critics have said the message should contain a ‘no thanks’ or ‘not now’ button. One tech blogger has said ‘Microsoft’s marketing is ‘more reminiscent of malware than a leading technology company’, Gordon Kelly, accused Microsoft of “selling its users a lie” on Forbs.com.

This is not the first time Microsoft has used this sort of tactic and am quite sure it will not be the last. An earlier message asked users to ‘Upgrade no’ or ‘Start download, upgrade later’.

Microsoft has defended its aggressive marking of Windows 10. In a statement to the Inquire website, Microsoft said: “the average user….. wants to make sure they have got the most secure and always up-to date version of Windows, and the feedback we get is that people want that to be as simple and seamless as possible”.

But this is unlikely to convince the rising number of Windows 7 & 8.1 users who are becoming increasingly angry by Microsoft attempts to force them to upgrade.

Comment

‘Upgrade now’ or ‘Upgrade tonight’: what kind of choice is that? Yes, there is a small cross you can click to close the message, but Microsoft is not stupid. They know thousands of PC users, are conditioned to click the ‘Upgrade now’ button. Microsoft marketing department may have approved of this upgrade trap, but is could have done lasting damage to the reputation of their new operating system. Many won’t stick with Windows 10 if they feel they have been tricked into upgrading.

Share Button

Switched You Phone Off? Hackers Can Still Spy On You

Switched You Phone Off? Hackers Can Still Spy On You

Andriod

Security experts have detected a type of Android malware that is tricking people in to thinking they have turned off their phone.

When you press the ‘Power off’ button the malware will show you a fake box designed to look like the real Android ‘Power off’ Menu.

The phone then shows a black screen, and looks like it has been switched off. You won’t see any notifications or get any alert sounds.

However the phone is still switched on. The malware has actually inserted a line of code into the Android’s shutting down process that lets the hackers remotely access the devices, theoretically allowing them to do what ever they wanted to your device.

They could for example, make calls and send text messages to a premium-rate number, which could cost you a small fortune. In effect, your phone becomes a device the hackers can use to spy on you.

The malware which has yet to be named was discovered by security researchers at AVG. In a blog post they said it originated in an unofficial Android app store in China, infecting devices when users downloaded the malicious apps. AVG said the malware has already infected 10,000 devices worldwide, all of them running Android KitKat (4.4) or earlier, but they did not reveal which apps contain the malware.

The best way to stay safe is make sure you only install apps from the Google Play Store.

AVG said that its free ‘Antivirus for Android’ app will find and remove the malware. Other security experts have said the only way to be completely sure your phone is off it to remove the battery but this is not always possible on the new smart phones.

Unlike the criminals behind ransomware, these devious hackers don’t want you to know your device is infected, because the longer you remain oblivious, the more money they can steal off you. It is relatively easy to stay safe, Rather than just removing your battery at the end of every night, which is not always possible, simply restrict your app downloads to the Goole Play Store. Hackers are now finding it a lot harder to smuggle malicious apps past Googles Security.

Share Button

Police Warn Holiday Makers About Fake Travel Website.

Police Warn Holiday Makers About Fake Travel Website.

Action Fraud (Holiday)

Holiday makers are being warned about the dangers of online fraud when booking a trip this summer.

It comes as a new report reveals that 1,500 cases of Holiday fraud have been reported to the Police in 2014. The people behind the scams have stolen around £2.2m from travellers they have duped, the average loss was around £889.

Many tourists only found out they had been scammed when they arrived at there accommodation and discovered no booking was ever made.

The findings come from the City of London Police, who have joined forces with Get Safe Online which is a government supported organisation and the UK travel association ABTA to highlight some of the scams tourists could fall victim to in the coming months.

The have published a free PDF which offers advice on spotting holiday scams.

The most common type of scam involves the fraudsters setting up a fake website and adverts so they can trick you into believing you are dealing with a genuine holiday company.

Most people who fall victim to the fraud pay in ways that make it almost impossible to get their money back, like bank transfer.

People booking caravan holidays in the UK are also being targeted by the fraudsters posting a fake advert on Facebook, Gumtree and Craigslist.

Another way the scammers can lure victims is by offering a ‘free’ holiday at a seminar, where they are then sold a fake timeshare.

If you believe you have been a victim, or if you are worried about a booking that you have made, call Action Fraud on 0300 123 2040 or use it’s fraud-reporting tool

 

Share Button