warning

Buying a Used iPhone?

        Alerting us, David Passell says, "With people always on the lookout for 'bargains' here is something to be aware of when buying a used iPhone from eBay or other not-Apple sources. Buyers of second-hand iPhones can now more easily check that the previous owner still doesn't have control over the device."  Read about it http://www.zdnet.com/apple-releases-activation-lock-status-checker-for-used-ios-devices-7000034285/ 

Pay by Credit Card?

        The eagle eye of Jim Hamm found this and he says, "By October 2015 all of our magnetic-stripe credit cards should be replaced by EMV-enabled cards, also referred to as "chip and PIN" cards. Here is an article with details about how these new cards work, and some possible vulnerabilities. One aspect of the new cards is that banks are now shifting the onus to us -- the customer -- for any fraudulent use of  a credit card. Now, most banks limit our responsibility to $50.

        "Another aspect the author mentions about the use of these new credit cards is the following statement, which I find...what's the right word -- amazing, disheartening?"
        "Preventing card fraud is a good thing, in theory. But researchers at the UK’s Cambridge University warn that EMV has not reduced fraud in countries that have implemented it. Instead, they say, banks have used EMV to shift liability for fraud losses onto consumers."

Beware of Phishing

        After hearing from David Passell posted on 9-3, we all are on alert for the bad stuff.  A few days later here comes an email to "editor" of this blog, asking for the password to be reset.  Avoiding the obvious, it was time to phone directly to Apple for help from a living person.  Finally, a person to talk with!  The man agreed that since the return address on the email was from "orders@tunes.co.uk" it was BAD.  He directed me to forward that email to reportphishing@icloud.com  and so that's that.  

Is This Phishing?

        "Doesn't this look threatening?" questions David Passell.  He passes along a copy of an email which says it's from no-reply@icloud.app.com asking for him to update his account records.  He wonders if it's legitimate or not.  He says he doesn't buy anything on an Apple Account, at least he hasn't for a long time.  He emphasizes "I will not click on the update to my account Link.  If I were worried I would go straight to my Apple account with my id and PW."  
        Did anyone else get this kind of an email? 

Security Flaw in USB Flash Drives

       Quoting from the link below:  " . . . any USB device (flash drive, external hard drive, smartphone, digital camera, mouse, keyboard, etc.) that has been plugged into an untrusted computer should be treated with suspicion -- much like a used hypodermic needle. Further, erasing, formatting, or using anti-virus tools will not remove malicious code from the firmware of USB devices. And there is no known method at this time to scan USB devices to see if they are clean."
       Read about this serious problem here.  Thanks to Jim Hamm for his eagle eye, spotting this vital information. 

Attack Circumvents All Known Security Measures

        Dated July 31, 2014, this article needs our attention. Ward Stanke says, "It looks pretty scary."  http://www.macrumors.com/2014/07/31/usb-security-threat/  Read about the flaw that evades all known security measures used by a computer.  This matter is to be discussed at a conference next week in Las Vegas.  The Black Hat USA 2014 website is here: https://www.blackhat.com/us-14/ 

Some Specific Malware Emails

        "Of course you already know not to click suspicious emails so you don't end up with a virus or some other malware. Following are some examples that Greg, a blogger I follow, wrote and shows some of the suspicious emails he and his wife have been recently receiving. As he says, just be careful."  And thanks to Jim Hamm for this new alert. 

        Just a warning . . .I’ve been getting a lot of dangerous emails and I wanted to be sure that everyone was on the lookout for them.  They masquerade as Wal-Mart Gift Cards, Chili’s Coupons, or Red Lobster, etc. or even Free iPhones.  Because the fact that there’s usually something funny about the wording or phrasing of the message, the biggest giveaway is the email address shown at the upper left.   In this case, it’s ‘info@pigduke.com’.     Do you really think that Wal-Mart is going to have an email address with ‘pigduke’ in it?  (Click to enlarge these screen shots, then click the PMUG newsletter tab to revert back.) 
Walmart Trojan
Here’s the exact same email, but from ‘info@nesssos.com.'
Walmart Trojan2
And here’s what looks like a Delivery Notice from the US Post Office. Do you really thing the US Postal Service would be using a United Kingdom email address?
USPS Trojan
What do you think is going to happen if you try to print that shipping label? And why would you need to print a shipping label to PICK UP a package, anyway?   And note that apparently you can go to ANY Post Office to pick up your package.   So check those email addresses, and Let’s Be Careful Out There.

Warning From CableONE

        Another phishing scam has surfaced.  David Passell sends a copy of an email from CableONE, instructing customers to "please disregard any mail you receive that contains the following message, as it is a phishing scam:  'Your account is due and needs to be upgraded immediately.  Please review billing details and upgrade or we will disconnect you from services.'"   It goes on to detail a false link that is NOT a CableONE webpage.  Here is more info from Cable ONE  Cable ONE Support Site

Apple's Not Affected. But What About --- ?

        The breaking news on Monday, April 7 was a huge wakeup call.  Jim Hamm's gives some help here about places affected by Heartbleed vulnerability. 
         Apple was not affected, and you do not need to change your password. 
         Last Pass lets you enter the name of the site you want to check. 
         Mashable  published this  list and gives comments on each of these entities:  

Social networks: Facebook, Instagram LinkedIn, Pinterest, Tumblr, Twitter.  
Other companies:  Apple, Amazon, Google,  Microsoft, Yahoo.
Email: AOL. Gmail, Hotmail/Outlook, Yahoo Mail.
Stores and Commerce:  Amazon, Amazon Web Services, eBay. Etsy, GoDaddy, Groupon, Nordstrom,  PayPal, Target, Walmart.
Videos, Photos, Games & Entertainment: Flickr, Hulu, Minecraft, Netflix, SoundCloud, YouTube.
Financial: American Express,  Bank of America, Barclays, Capital One, Chase, Citigroup, E*Trade, Fidelity, PNC, Schwab, Scottrade, TD Ameritrade, TD Bank, T Rowe Price, U.S. Bank, Vanguard, Wells Fargo.
Government and Taxes: 1040.com, FileYourTaxes.com,  H & R Block, Healthcare.gov, Intuit (TurboTax),  IRS, TaxACT, USAA
Other:  Box, Dropbox, Evernote, GitHub, IFTTT, OKCupid, Spark Networks (JDate, Christian Mingle), SpiderOak, Wikipedia (if you have an account), Wordpress, Wunderlist.

Password Managers: 1Password, Dashlane, LastPass

Apple's Fix for "Heartbleed"

         "I was curious about 'Heartbleed' hearing a lot about it," David Passell acknowledged.  He found some important info. "It apparently can infect Mavericks users and IOS 6.users. Since I am still in the "stone age" with Snow Leopard I am apparently not subject to it."  Read zdnet
        Sure enough, the article emphasizes that the fix is in Apple's 10.9.2 update for Mavericks. Vulnerability is not present in versions of OS X prior to OS X 10.9 Mavericks or iOS prior to iOS6.  

Vulnerable! Keep Informed

        Keep informed!  Jim Hamm passes this along, "This alert of a vulnerability in OpenSSl was published earlier. If you missed reading about it, here is another alert. Undoubtedly there will be more of these types of alerts as the hackers get more creative."
        And if you use a smartphone you'll want to scroll down to Arstechnica's March 29 entry, warning about selling or buying a used phone to turn off Find My Phone, and also telling about avoiding trouble with "good IMEI/ESN" or "bad IMEI/ESN."  Others comment about these problems in later postings. 
        See Macintouch.  See Arstechnica. 

Warning: Gmail Scam

        This warning comes from John Carter.  Read carefully, and consider this: "There is another message going around regarding Gmail accounts that could be a scam.  Below are the details. DO NOT CLICK ON ANY LINK IN THE MESSAGE. If you are really concerned that your email is being attacked, go directly to your Gmail account online and change your password there.
        "The curious thing about the attached message is that it was sent on March 28 at 9:53 PM and the incident is reported as happening at 1:53 AM the following morning. Even if the message was sent from California, there is only a three hour difference between New Jersey and California."
          Click to enlarge.  Here's what the suspicious email says: