
Being “Cyber Aware” Should Improve Your Privacy and Security

The headlines are everywhere. New scams and data breaches pop up overnight. Organized crooks want to steal your personal information so they can go on a spending spree. It’s more important than ever to manage your privacy and keep your information secure. The challenge is knowing what to do.

In a survey we conducted recently, 43 percent of Americans said they felt powerless about online security.1 But they shouldn’t. The easiest, most basic security tips can still prevent the majority of online scams and thefts.

Here are a few of the top tips:

  • Don’t be like a wildebeest on the savannah, hoping that the lion eats another member of the herd. When it comes to cyber scams, always think, “This could happen to me.” You will pay more attention and be a harder target.
  • Be fully aware of “social engineering.” That’s a fancy term for somebody tricking you on a phone call or email – for example, pretending to be from a certain company. Treat strangers like strangers. Share personal information only if you initiate the contact (such as calling the phone number on your bill) – not if someone reaches out to you.
  • Only open email and text messages from people you know, and always have your guard up for odd-looking links. You are more vulnerable when you’re tired or not paying attention.
  • Keep your computers and mobile devices current with the latest operating system updates and security software. Really. Do it.
  • Passwords! Sorry, they are still with us. When you get a new connected device of any kind, don’t leave it on a default password like 0000. Don’t use your dog’s name – or use the same password for every account you have. The latest federal study suggests the best password is probably the longest you can tolerate. It suggests a string of random, short words. (Throwing in numbers, capital letters, etc., is no longer part of the recommendation. Just make it long and random.)

Connected technology is awesome. Smart devices have changed the way we work and play. Safe habits won’t prevent every problem – but they sure help.

Take some simple steps, and get in the habit of keeping your shield up. You’ll go a long way toward protecting your privacy.

OnePlus Site’s Payment System Reportedly Hacked to Steal Credit Card Details

This year's first bad news for OnePlus users: a large number of OnePlus customers are reporting fraudulent credit card transactions after buying products from the Chinese smartphone manufacturer's official online store. The claim initially surfaced on the OnePlus support forum over the weekend from a customer who said that two of his credit cards used on the company's official website were suspected of fraudulent activity.

"The only place that both of those credit cards had been used in the last 6 months was on the Oneplus website," the customer wrote.

Later, a good number of users posted similar complaints on the OnePlus, Twitter and Reddit forums, saying they had also become victims of credit card fraud.

Many of the customers claimed that their credit cards had been compromised after they bought a new phone or some accessories directly from the OnePlus official website, indicating that the leak might have been through the company itself.

Cybersecurity firm Fidus also published a blog post detailing the alleged issue with the OnePlus website's on-site payment system. The firm suspected that the servers of the OnePlus website might have been compromised.


According to Fidus, OnePlus is currently conducting the transactions itself on-site, which means that all billing information along with all credit card details entered by its customers flow through the OnePlus official website and can be intercepted by attackers.

"Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted," Fidus wrote.

Fidus went on to clarify that their findings did not in any way confirm that the OnePlus website was breached; instead, they suggested the attacks might have come from the Magento eCommerce platform—which is used by OnePlus and is "a common platform in which credit card hacking takes place."

OnePlus has quickly responded to the issue on its forum, confirming that it does not store any credit card information on its website and all payment transactions are carried out through its PCI-DSS-compliant payment processing partner.

Only credit card-related information of users who have enabled the "save this card for future transactions" feature is stored on OnePlus' official servers, but even that is secured with a token mechanism.

"Our website is HTTPS encrypted, so it's very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit," a company staffer using the name 'Mingyu' wrote.

The Chinese smartphone maker also confirms that purchases involving third-party services like PayPal are not affected.


OnePlus does not reveal much information on the incident but confirms that its official website is not affected by any Magento vulnerability.

The company confirms that oneplus.net was indeed built on the Magento eCommerce platform, but said that since 2014 it has been entirely rebuilt using custom code, adding that "credit card payments were never implemented in Magento's payment module at all."

There are almost 100 claims of fraudulent credit card transactions on the OnePlus support forums. OnePlus announces a formal investigation into the matter, and advises affected users to contact their bank to reverse the payment.

General Motors has a Car Without a Steering Wheel on the Way

The New Year has just begun, but General Motors is already looking toward 2019, when it will take the next step for its self-driving cars. It plans to release the Cruise AV, a self-driving car without a steering wheel, pedals or any of the standard driver controls.

The news comes from a GM announcement about its safety petition to the US Department of Transportation for permission to put the Cruise AV on roads as early as next year.

GM acquired Cruise Automation in 2016, and since then Cruise has worked on its technology. Driverless vehicles powered by Cruise are already on the roads in California, Arizona and Michigan for testing, and these cars may soon be in New York City.

The big difference between the existing Cruise vehicles and the upcoming Cruise AV is that this new version, the fourth generation, will be the first production-ready model purpose-built to drive itself.

GM envisions the Cruise AV reducing traffic accidents, giving back the time riders spend stuck in traffic, offering greater mobility for elderly or physically impaired passengers and making the hunt for parking a thing of the past.

Assuming the DOT approves GM's safety petition, we could all be driving alongside robots next year.

The Best Cryptocurrency Wallets in 2018

Once you’ve bought Bitcoins (BTC) or other cryptocurrencies via an exchange (like Bitstamp), if you plan to spend your cryptocurrency right away, you can do so directly from the exchange. If you prefer to hang on to your digital assets, you'll need a secure wallet to which you can transfer your virtual coins. In this guide, we'll explore five of the very best cryptocurrency applications available today for storing your digital wealth. Each of these programs allows you to generate private keys, which you can store safely, rather than trusting an online exchange which can be hacked or go out of business.

All of these clients are known as 'hot' wallets in that by default they're connected to the internet at all times. If you are moving large amounts of Bitcoin, consider creating a 'cold' offline wallet to store your assets.

1. Bitcoin Core

The original and definitive Bitcoin client

  • Original Bitcoin client
  • Provides better protection against fraud
  • Requires large amounts of space and bandwidth

Bitcoin Core is the original BTC client and is available for Windows, Mac and Linux. Core is a 'full node' Bitcoin client, meaning that on first-run it will download the current version of the blockchain (currently around 160GB) by connecting to other nodes. It will then continue to download and process data about Bitcoin transactions.

One advantage of this is that it's much more difficult to link a specific BTC payment address to your identity as Core downloads data about all Bitcoin transactions everywhere. This also protects you against certain types of fraud such as someone trying to spend the same BTC twice, or fooling you into believing you’ve received funds you haven't actually got.

Core comes preconfigured to run through the Tor anonymizing network. This makes it very difficult for anyone to link sending or receiving BTC to your home IP address, ensuring your privacy. All this requires huge amounts of bandwidth – Core must be connected to the internet every day to stay in sync with the network.

On first launch, Core will create a wallet file (wallet.dat) containing your private keys. By default anyone can access it, but you can encrypt the wallet with a password if you wish.

2. Electrum

A popular ‘thin’ wallet client worthy of your attention

  • Lightweight and easy to set up
  • Recover your BTC using a wallet seed
  • Relies on servers to verify transactions

Electrum has been around since 2011 and works with Windows, Mac and Linux. It's one of the most popular 'thin' wallet clients, in that instead of downloading the entire Bitcoin blockchain, it connects securely to other servers to verify your BTC balance and process payments. This means you can set it up in minutes and it takes up very little space on your hard drive.

Electrum uses a 'hierarchical deterministic wallet', in that when you first launch the program it generates a random 'seed' of 12 dictionary words, from which it derives the keys necessary to spend and receive BTC. Electrum displays the seed as you create your wallet and requires you to write it down. This means that if you lose access to this version of Electrum, you can easily reinstall it on another machine and use the seed to restore your BTC.

Unlike the Bitcoin Core client, Electrum offers you the option to encrypt your wallet file during setup, although you can choose to leave it unencrypted if you wish. You can also use Electrum in 'cold storage' mode to create a 'watching only' wallet. This allows you to receive Bitcoin payments and see your balance, but not spend the coins, which may be useful if you're buying BTC as a long-term investment.

As a 'thin' client, Electrum relies on other servers for payment information, making it more vulnerable to certain types of hacking than 'full nodes' such as Bitcoin Core.

3. Jaxx

Store multiple cryptocurrencies with an easy-to-use interface

  • Very simple interface
  • Supports multiple cryptocurrencies
  • Potentially vulnerable

Jaxx was first developed in 2014 and serves not only as a Bitcoin wallet but an app which can store multiple cryptocurrencies such as Litecoin, Dash, Ethereum and Bitcoin Cash. Ripple is not currently supported but the Jaxx team have hinted they may support this feature in the future.

When first run, Jaxx displays a 12 word 'master seed' similar to Electrum which you can write down and use to restore your wallets if you lose access to the original program.

The interface is deceptively simple in that you can quickly and easily switch between wallet balances. Jaxx has also integrated Shapeshift support. This functions as a built-in currency exchange, allowing you to quickly exchange crypto balances, for instance to convert DASH to BTC. You can view your updated balances as soon as processing is complete.

Jaxx is available as a Chrome extension as well as for Windows, Mac and Linux. There's even a mobile app, so it's likely you can view all crypto balances from a single device.

The software is closed source, however, so cannot be reviewed by the community in order to hunt for security bugs. Note that one such bug was discovered in June 2017 which allows someone with access to your machine to extract your master seed and steal your coins. Until this is fixed we recommend using Jaxx only for storing and exchanging small amounts.

4. Rippex

Easy to set up wallet for Ripple

  • Cold storage option
  • Not difficult to get going
  • Beta software
  • Fee of 20 XRP to activate wallet

Ripple is one of the top five cryptocurrencies in terms of capitalization and although it was designed to facilitate transactions between banks, many individuals also use it for speculation and to make payments.

Unlike more popular currencies like Bitcoin, the official desktop client is no longer maintained by the original creators. Fortunately the community has continued to maintain it in the form of Rippex.

Aside from being seemingly the only desktop client available for Ripple, Rippex is very easy to set up. On first-run it generates a 'secret key' which you can write down to restore your wallet in case anything happens to it. The client also requires you to encrypt your wallet file with a password, making your money harder to steal.

In order to activate your wallet you have to pay a fee of 20 XRP (around $43 at current exchange rates, which is about £32). Once you've done this, you can set up a 'cold' offline wallet if you prefer to store your secret keys offline for safety reasons.

If you want to store your XRP outside an exchange but don't want to pay the fee for Rippex, you can also generate a paper wallet instead from http://ripplepaperwallet.com. The website will load the necessary code into your web browser – be sure to disconnect from the internet before creating the wallet.

Rippex is available for Windows, Mac and Linux.

5. Exodus

Multi-currency wallet offers customization with different skins

  • Store and exchange multiple currencies
  • Stunning visual interface
  • Not open source

Exodus is a multi-currency wallet and can hold various types of coins and assets. The setup process is very simple. Like Jaxx, you create a 12 word 'master seed' which you can write down and use to restore your wallet if you're no longer able to access the original. (Incidentally, if you've previously created a master seed using Jaxx, Exodus can restore these too). Once setup is complete, Exodus will also prompt you to choose a password to protect your wallet.

Your digital assets are shown in a user-friendly pie chart. Unlike the other wallets we've discussed here, you can also choose different 'skins' to make your client easier on the eye. Use the localization settings to change the default currency (USD) to your home currency if necessary.

The wallet software also supports exchanging crypto-assets and currencies using Shapeshift, and even lists the percentages of assets you hold as part of your 'portfolio'. Sadly Dogecoin is no longer supported.

Exodus is also not 100% open source. The company claims on its website that doing so would give away trade secrets and make it easier for hackers to create bootleg versions of its wallets. In light of this, if you use Exodus you'll have to trust that there are no undisclosed security bugs or backdoors built into the software.

New MaMi Malware Targets macOS Systems and Changes DNS Settings

Cyber security expert and former NSA hacker Patrick Wardle has made the headlines once again: this time the researcher has spotted a new strain of malware, dubbed MaMi, designed to hijack DNS settings on macOS devices. Wardle first obtained a sample of the MaMi malware after a user reported on the Malwarebytes forums that their teacher's Mac was infected by malware that set the DNS servers to 82.163.143.135 and 82.163.142.137.


At the time of its discovery, it was undetected by all engines on VirusTotal. The OSX/MaMi isn’t particularly advanced, but the researcher remarked that it does alter infected systems in rather nasty and persistent ways.

“Since there are already several (IMHO unrelated) malware specimens that perform DNS hijacking (that are named ‘DNSChanger’, etc), I decided to call it OSX/MaMi due to a core class the malware named: ‘SBMaMiSettings’,” wrote Wardle.

“Ok, that’s a wrap. OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads).”

The malicious code acts as a DNS hijacker, but it also implements other features for taking screenshots, simulating mouse events, downloading and uploading files, and executing commands.

The researcher discovered the malware on several websites but, unfortunately, was not able to determine the distribution channel. It is likely the MaMi malware has been delivered via email, fake security alerts and pop-ups on websites, or social engineering attacks.

Wardle noticed that the malware does not appear to execute any of the implemented features, likely because it requires some attacker-supplied input or other preconditions that were not simulated in the virtualized test lab used by the expert.

Once MaMi has infected a Mac system, it invokes the security tool and uses it to install a new certificate (dcdata.bin) that it has downloaded from the internet.

“By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads).” explained Wardle.

How to discover if a macOS system is infected with the MaMi malware?

Users can check their DNS settings: the malicious code sets the DNS servers to 82.163.143.135 and 82.163.142.137.
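
The DNS check described above can be scripted. The following is an added example, not code from the article or from Wardle's analysis; it uses the macOS `networksetup` and `scutil` tools, and the function names `mami_dns_hits` and `check_mac_dns` are hypothetical.

```shell
#!/bin/sh
# DNS server addresses the article reports MaMi setting on infected Macs.
MAMI_DNS="82.163.143.135 82.163.142.137"

# Read resolver output on stdin and print each reported address it contains.
# Returns 0 when at least one is found, 1 otherwise.
mami_dns_hits() {
    _input=$(cat)
    _hit=1
    for _ip in $MAMI_DNS; do
        # -F literal match; -w whole word, so 82.163.143.1355 does not match
        if printf '%s\n' "$_input" | grep -qwF -- "$_ip"; then
            printf '%s\n' "$_ip"
            _hit=0
        fi
    done
    return $_hit
}

# Check each configured network service, then the active resolver state.
check_mac_dns() {
    _found=1
    _services=$(networksetup -listallnetworkservices)
    while IFS= read -r _svc; do
        case "$_svc" in
            "An asterisk"*|"") continue ;;  # explanatory header line
        esac
        _svc=${_svc#\*}                     # disabled services start with '*'
        if networksetup -getdnsservers "$_svc" </dev/null | mami_dns_hits >/dev/null; then
            echo "Reported MaMi DNS server set on service: $_svc"
            _found=0
        fi
    done <<EOF
$_services
EOF
    if scutil --dns | mami_dns_hits >/dev/null; then
        echo "Reported MaMi DNS server in active resolver configuration"
        _found=0
    fi
    return $_found
}

# Run the live check only where the macOS tools are present.
if command -v networksetup >/dev/null 2>&1; then
    check_mac_dns || echo "Neither reported DNS server is configured"
fi
```

This covers only the DNS change; the article gives no name for the installed root certificate, so the keychain is not checked here.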