Ticketmaster Suffers Security Breach – Personal and Payment Data Stolen


Global entertainment ticketing service Ticketmaster has admitted that the company has suffered a security breach, warning customers that their personal and payment information may have been accessed by an unknown third-party.

The company has blamed a third-party customer support chat application for the data breach, which is believed to affect tens of thousands of its customers. The customer support chat application, made by Inbenta Technologies—a third-party artificial intelligence tech supplier—is used to help major websites interact with their customers.

In its statement, Ticketmaster said it discovered malicious software on the customer support application hosted on its UK website that allowed attackers to extract the personal and payment information from its customers buying tickets.

Ticketmaster said that it has emailed all affected customers, and is offering 12 months of free identity monitoring service for those who have been impacted.

Affected customers are also advised to keep a close eye on their bank account transactions for signs of any suspicious activity, and to notify their banks immediately if they find any.

Users are also advised to be cautious if they receive any suspicious or unrecognized phone call, text message, or email from anyone saying you must pay taxes or a debt immediately—even if they provide your personal information.

The Orlando Police Department Is Ending Its Test of Amazon Facial Recognition Tech—For Now

Orlando will not be renewing its contract with Amazon.

The city’s police department had been one of two in an Amazon pilot program to incorporate its facial recognition software, Rekognition, into law enforcement. But the program has come under fire from civil liberties groups and even some Amazon investors over concerns that the technology could be used for mass surveillance.

In a letter to Orlando’s mayor and city council on Monday, the legal director of the American Civil Liberties Union of Florida urged the police department to end its use of the technology.

In a joint statement, the city and the Police Department said the contract “remains expired” but left open the possibility of reinstating it or trying other types of software: “The City of Orlando is always looking for new solutions to further our ability to keep our residents and visitors safe. Partnering with innovative companies to test new technology—while also ensuring we uphold privacy laws and in no way violate the rights of others—is critical to us as we work to further keep our community safe.”

Amazon Rekognition is also being tested in Washington County, Oregon. The technology remains in use. In an email to The New York Times the Sheriff’s Office said, “The Sheriff’s Office has not, and will not, utilize this technology for mass or real-time surveillance. That use is prohibited by both Oregon state law and our own policy.”

Five Ways to Recognize and Dispose of Malicious Emails


We all get our share of spam. Some more than others. But how do we differentiate between simple commercial spam and the types of emails that want to get us in trouble?

The unsolicited commercial spam email is generally easy to recognize, report, and discard, but what about more dangerous types of spam? How can you determine if an email contains a malicious link or attachment, or is trying to scam you out of money or your personal information?

Five red flags for spotting malicious emails

Before we jump into determining what to do with a malicious email, there are a few general tricks users should learn to spot red flags for malicious activity. They are as follows:

1. The sender address isn’t correct.

Check if this address matches the name of the sender and whether the domain of the company is correct. To see this, you have to make sure your email client displays the sender’s email address and not just their display name. Sometimes you need to look at the address very closely, since spammers have some convincing tricks up their sleeve. For example:

In this example sender’s address, the email domain does not match the actual bank’s domain, which is santander.co.uk.


2. The sender doesn’t seem to know the addressee.

Is the recipient name spelled out in the email, and are you being addressed as you would expect from the sender? Does the signature match how this sender would usually sign their mails to you? Your bank usually does not address you in generic ways like “Dear customer.” If the email is legit and clearly intended for you, then they will use your full name.

3. Embedded links have weird URLs.

Always hover first over the links in the email. Do not click immediately. Does the destination URL match the destination site you would expect? (Once again, train those eagle eyes.) Will it download a file? Are they using a link shortening service? When in doubt, if you have a shortcut to the site of the company sending you the email, use that method instead of clicking the link in the email.

When I hover over “Apply Now,” does that link look like something VISA would use?


4. The language, spelling, and grammar are “off.”

Is the email full of spelling errors, or does it look like someone used an online translation service to translate the mail to your language?


5. The content is bizarre or unbelievable.

If it is too good to be true, it probably isn’t true. People with lost relatives that leave you huge estates or suitcases full of dollars in some far-away country are not as common as these scammers would have us believe. You can recognize when email spam is trying to phish for money by its promises to deliver great gain in return for a small investment. For historical reasons, we call this type of spam “Nigerian prince” or “419” spam.
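Red flags 1 and 3 can be checked mechanically. The following is an added example, not part of the original article: it parses a message and reports a sender domain that does not belong to the brand named in the display name, link text that shows one domain while the link goes to another, and shortened links. The brand allow-list, the shortener list and the sample message are constructed assumptions, and the body is assumed to be a single HTML part.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = {"santander": {"santander.co.uk"}}  # assumed: brand -> sending domains
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # illustrative, not exhaustive
SAMPLE = ("From: Santander Online <alerts@santander-secure.example>\n\n"  # constructed
          '<a href="http://login.example.net/x">www.santander.co.uk</a> '
          '<a href="https://bit.ly/abc">Apply Now</a>')

def domain_matches(host, allowed):
    """True if host equals, or is a subdomain of, any allowed domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False  # links: [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def red_flags(raw_email):
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Red flag 1: display name claims a brand, address domain is not that brand's.
    flags = [f"sender-domain-mismatch:{sender_domain}"
             for brand, domains in KNOWN_BRANDS.items()
             if brand in name.lower() and not domain_matches(sender_domain, domains)]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        # Red flag 3: visible text names one domain, href goes to another, or is shortened.
        if shown and not domain_matches(host, {shown.group(1)}):
            flags.append(f"link-text-mismatch:{host}")
        if host in SHORTENERS:
            flags.append(f"shortened-link:{host}")
    return flags
```

Calling `red_flags(SAMPLE)` returns one flag per finding; a message whose sender and links all sit under `santander.co.uk` returns an empty list.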

Stay Secure On Public Wi-Fi When Traveling


The summer travel season is upon us, and that means many people will connect to public Wi-Fi hotspots at airports, hotels, cafes, restaurants, bus stops and more. Unfortunately, public networks have become honeypots for hackers who use them to infiltrate connected devices.

A compromised network can allow a hacker to intercept, read and modify the internet traffic that passes through it. They can then leverage this for a number of purposes, ranging from stealing passwords to downloading malware onto victims’ phones and laptops.

Be Cautious on Public Wi-Fi

Open Wi-Fi hotspots are difficult to secure because anyone can connect to them without any sort of authentication. This gives cybercriminals two avenues of attack:

  • Hack an existing Wi-Fi network. The hacker gains access to a router that broadcasts an open network. If the router was not properly secured, it likely has some holes in its security that could allow someone to access the router firmware console. Many router owners never change the default username and password used to access the console administrator’s account. From the console, the hacker can take complete control of the network.
  • Create a fake Wi-Fi network. In this case, the hacker creates a Wi-Fi hotspot from their smartphone or other device and gives it a deceiving name, such as “Starbucks Wi-Fi.” Any unsuspecting person who believes they are connecting to internet provided by Starbucks actually sends all of their data straight to the bad guy.

Even if a Wi-Fi network requires a password that you must obtain from staff on premises, it doesn’t mean the network is secure. A hacker could just as easily obtain the password to join the network or create a fake Wi-Fi hotspot with an identical name and password. Nearly two of every five Wi-Fi hotspots in the U.S. are inadequately secured. Essentially, the only network you should trust is one you set up yourself.

How to Protect Yourself

Now that you know the threat that public networks can pose, you can take steps to protect yourself.

Always Check for HTTPS

Website URLs that contain “https://” at the beginning, often accompanied by a green padlock, encrypt all the data sent back and forth between a web browser and the website. They use SSL/TLS encryption to scramble the contents of your data before it leaves your device, making it impossible for a hacker on the Wi-Fi network to decipher.

Use a Virtual Private Network (VPN)

A VPN is a service that encrypts all of a device’s internet traffic and routes it through an intermediary server in a location of the user’s choosing. A VPN grants numerous benefits to users and is particularly useful to people who have to use public Wi-Fi while traveling for work or fun.

The encryption part of a VPN is similar to what you get when you visit an HTTPS site. Anyone who happens to intercept internet traffic between the smartphone or laptop and the VPN server won’t be able to decipher its contents, including Wi-Fi hackers.

Nor can a hacker determine where that traffic is headed; they can only see encrypted data headed to a VPN server, but not the actual website.

Both of these perks are applied to all websites and applications on the VPN-connected device. VPNs that include DNS leak protection should also guard against aforementioned DNS spoofing attacks.

VPNs come in many shapes and sizes, but the most reputable are paid subscription services. Each provider typically makes its own apps for smartphones and computers, which you can download and install upon signing up. Once that’s done, just pick a location and connect. After the connection is established you can use the internet as you normally would.

Finally, know that mobile data connections are generally more secure than public Wi-Fi. If you have a smartphone with working data where you travel, use that to take care of any sensitive online tasks. If you need to use a laptop, you can turn on your phone’s mobile Wi-Fi hotspot to create a more secure connection to the internet. Just make sure to secure it with a strong password!

HTTPS websites are also verified by a certificate authority. When your browser sees this certificate, it assures the user that they are communicating with the real website and not an imposter, such as a phishing site.

Most websites use HTTPS these days, but not all. Sometimes websites have both HTTPS and non-HTTPS versions available.

HTTPS websites encrypt the contents of internet traffic sent to and from a site, but they don’t conceal the address of the website itself, so a hacker could still see what websites you access.

China Hacked a New England Navy Contractor and Stole Highly Sensitive Data

Hackers working for the Chinese government compromised a US Navy contractor and stole a massive cache of highly sensitive data, including details about a planned supersonic anti-ship missile, American officials said Friday.

The hack, reported by the Washington Post, took place in January and February and resulted in more than 614 gigabytes of data being stolen. The contractor that was breached was not disclosed but reportedly worked with the Naval Undersea Warfare Center, a research and development group that works on submarines and underwater weapons.

Of particular interest in the treasure trove of stolen documents—all of which government officials said were unclassified—were details about a project known as Sea Dragon. First proposed in 2012, the Post said Sea Dragon is part of a Pentagon initiative to adapt existing US military technologies for new applications. The Defense Department described Sea Dragon as a weapon with “disruptive offensive capability” that will integrate “an existing weapon system with an existing Navy platform.”

While public details regarding the project are few and far between, the Pentagon has reportedly requested or used more than $300 million for the Sea Dragon project since 2015. Underwater testing is planned to start this September.

Plans for a supersonic anti-ship missile were also stolen (it’s not clear if those plans are the same as or related to the Sea Dragon project). The missile was intended to be introduced for use on US submarines by 2020.

The stolen files also contained the following:

Signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.

The breach highlights the ongoing trouble the federal government has had not just defending against breaches but also getting contractors to stop playing fast and loose with sensitive data.