
Nick L

Equifax – the Disaster Continues

So I called Equifax this am after logging into the Trust-ID site and seeing that after two weeks, the account was still stuck in Enrollment Processing. Awful. I was connected to poorly trained agents in the Philippines. They could not understand the issue. When I asked to speak to a supervisor I was simply put on hold. I called back and the same issue. Next I tried to speak to an agent in the US. I was told to redial the number. Oh great, routed back to the Philippines. When I finally tried for a fourth time and demanded to speak to someone in the US, I was on hold for 10 minutes (after being promised 2 minutes) and I finally gave up.

Clearly by outsourcing this they are still more concerned about making money than helping customers protect their private information.

Equifax needs to be completely wound down. It is dysfunctional from the top down.

Microsoft silently fixes security holes in Windows 10 – Leaves Win 7, 8 out in the cold

Quote

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creator’s Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.

Read: We want you all on Windows 10 Spyware Platform so we can farm all your information and target you with adverts.

Facebook and Google promoted false news about Las Vegas

“Social media: The internet version of the supermarket tabloid. Written by the mindless for the mindless.” Unfortunately it is picked up by mainstream media and is swallowed and regurgitated by a good percentage of the 65% of Americans who get their “news” from social media. The article also points to a failure in machine learning (AI) algorithms in use by Facebook, Google and their ilk.

Quote

Facebook and Google promoted false news stories claiming that the shooter who killed more than 50 people in Las Vegas was a Democrat who opposed Donald Trump. The misidentification spread rapidly from dark corners of the internet to mainstream platforms just hours after hundreds were injured at a festival near the Mandalay Bay casino, the latest example of fake news polluting social media amid a breaking news story.

The flow of misinformation on Monday illustrated a particularly grim trend that has increasingly dominated viral online propaganda during US mass shootings – hyper-partisan trolls battling to blame the tragedy on opposing political ideologies. …

Despite the fact that the claims were unproven and coming from non-credible sources, Facebook’s “Safety Check” page, which is supposed to help people connect with loved ones during the crisis, ended up briefly promoting a story that said the shooter had “Trump-hating” views, along with links to a number of other hoaxes and scams, according to screenshots. At the same time, Google users who searched Geary Danley’s name were at one point directed to the 4chan thread filled with false claims.
…
False content can quickly move from social media to legitimate news sources, she added: “People are putting out crap information on purpose … It’s really easy to get shit into the news cycle by being on Twitter.”

A YouTube user also pushed an unsubstantiated rumor that the suspect was a Hillary Clinton supporter.

On a Facebook Alternative

Over the weekend I was at a family event. There were a lot of folk snapping pictures and I (once again) asked that no one post any pictures to social media, especially not on Facebook. (Followers of this blog, if any, will know my opinion on Facebook). In the ensuing discussion, I floated an idea of a non-profit Facebook-like site that was not supported by advertising, was invite only as a default, did not track/sell/mine user data, had real unfiltered non-propaganda-injected news feeds, and several other items that are opposite Facebook’s (and other similar social media sites) modus operandi. It did not get too far. The business “minds” did not like the non-profit public/private contribution funding model. The Facebook drones just dismissed it as a rant.

My idea is not to eradicate Facebook and their ilk, but to provide an alternative and educate by establishing a platform that has both the social media aspects that people enjoy, e.g., ease of staying connected and sharing social info, coupled with news feeds that are not filtered and not based on a reader’s likes/dislikes and not injected by propaganda outlets of dubious sources.

I think articles and online training on critical thinking and how to evaluate the media’s manipulation of emotion and other tricks would be an additional good feature. Training works such as the IREX Learn to Discern Program, which …“helps citizens detect and decode misinformation and propaganda,” are a good model.

At the moment 45% of Americans get their news from Facebook. News from all social media categories is even higher (source: Pew Research Center, News Use Across Social Media Platforms 2017). With Facebook allowing targeted news feeds, targeted fake advertising, direct propaganda feeds, all based on user data mining, these statistics should stand as a loud wake-up call.

Facebook and their ilk are in business to make money. Civic responsibility is simply not in their financial interest. They offer services for free to attract their prey. The only way to counter them is to offer alternative “attractions” that are free from the Venus flytrap profit motivators of these companies.

Downloaded CCleaner lately? Oooops..malware laden

Quote

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users. … Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” researchers explained. “On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.”

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.

There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.

Equifax TrustID – Only Old Insecure IE8 Works!

So this afternoon I was told by email I had an account with Equifax TrustedID when I went to check on the status of the report lock. My password did not work. I tried to use the password reset. The page worked but when you enter all the information and hit the continue button, it does not go anywhere. I called the support telephone and that rings busy. Gave up on that.

Clearly more buggy code.

I finally got it to work using an old Windows Explorer 8 Browser on an old XP machine instead of Firefox. I even tried Internet Explorer 11 and that did not work. But old insecure IE8 works fine with no out of date browser warnings.

Next – Then using the same Firefox Browser, I was able to login. And guess what, despite signing up, my report was still unlocked! When I tried to lock it, no dice, lock button not working. No go on IE11, but old insecure IE8 worked just fine.

What a royal cock-up, Equifax. Totally incompetent!

(off topic: I also notice that uBlock Origin identified 147 trackers on Equifax.com. And they look out for my privacy and security. Bullshit!)

Another malware outbreak in Google’s Play Store

Regular readers (are there any?) will note that I often rail against Google not policing their Google Play Store. Users think that since it has Google’s name on it, it is safe. Not in the least bit. In addition to the fact that the majority of apps have built-in spyware, there are even more serious malware-laden apps as the following article delineates.

Quote

50 apps get pulled as ExpensiveWall malware runs riot in the store

Google has had to pull 50 malware-laden apps from its Play Store after researchers found that virus writers had once again managed to fool the Chocolate Factory’s code checking system.

The malware was dubbed ExpensiveWall by Check Point security researchers because it was found in the Lovely Wallpaper app. It carries a payload that registers victims for paid online services and sends premium SMS messages from a user’s phone and leaves them to pick up the bill. It was found in 50 apps on the Play Store and downloaded by between 1 million and 4.2 million users.

Once downloaded, the malware asks for permission to access the internet and send and receive SMS messages. It then pings its command and control server with information on the infected handset, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI numbers.

The servers then send the malware a URL, which it opens in an embedded WebView window. It then downloads the attack JavaScript code and begins to clock up bills for the victim. The researchers think the malware came from a software development kit called GTK.

“Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store,” the researchers note. “However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.”

It appears that Google missed warnings about the malware infection. The user comments section of at least one of the infected apps was filled with outraged users noting that it was carrying a malicious payload and it appears that the apps were being promoted on Instagram.

Cases of malware infecting Google’s Play Store are becoming depressingly common. Just last month it was banking malware and a botnet controller, in July commercial spyware made it in, advertising spamming code popped up in May (preceded by similar cases in March and April), and there was a ransomware outbreak in January.

By contrast, Apple’s App Store appears to do a much better job at checking code, and malware is a rarity in Cupertino’s app bazaar. While some developers complain that it can take a long time to get code cleared by Apple, at least the firm is protecting its customers by doing a thorough job, although Apple’s small market share also means malware writers tend not to use iOS for their apps.

By contrast, Google’s Bouncer automated code-checking software appears to be very easily fooled. Google advised users to only download apps from its Store, since many third-party marketplaces are riddled with dodgy apps, but that advice is getting increasingly untenable.

It’s clear something’s going to have to change down at the Chocolate Factory to rectify this. A big outbreak of seriously damaging malware could wreak havoc, given Android’s current market share, and permanently link the reputation of the operating system with malware, in the same way as Windows in the 90s and noughties. ®

Why Equifax & others will Fail at Self Policing

The simple answer is they will not do anything to hurt their own business. They sell your information and rake in too much money doing so. A credit freeze prevents that. I finally found a good article to share on this by Bruce Schneier.

Quote

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer — everyone who wants to sell you something, even governments.

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you — almost all of them companies you’ve never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You’re secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don’t have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations — just in case I ever decide to join.

The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

This market failure isn’t unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

If you don’t like how careless Equifax was with your data, don’t waste your breath complaining to Equifax. Complain to your government.