More stories

  • The high price of free Wi-Fi: Here's why you never connect to an insecure network

    Later that day odd things begin to happen. Your phone isn’t working exactly as expected and you start receiving a deluge of what appears like harmless spam.
    Let me set the scene for you: You’re on the go and you need to stop and get a coffee. You enter the coffee shop and the aroma is the first thing to entice you. Next, you see all the lovely people sitting around making deals, writing the great American novel, chatting, and just generally enjoying themselves. You then notice a sign that states, “Free Wi-Fi.” Score!

    You pull out your phone, open the network connection app and notice the wireless connection doesn’t have a password. Even better.

    You connect to the wireless network and order your quad long shot grande in a venti cup half caff double cupped no sleeve salted caramel mocha latte with 2 pumps of vanilla substitute 2 pumps of white chocolate mocha for mocha and substitute 2 pumps of hazelnut for toffee nut half whole milk and half breve with no whipped cream extra hot extra foam extra caramel drizzle extra salt add a scoop of vanilla bean powder with light ice well stirred.

    While the barista brews your ridiculously complicated order, you sit down and start using all that free Wi-Fi. You send email, you communicate with team members on Slack, send SMS messages to friends and family, check in on Facebook, and tweet the single most profound statement Twitter has ever beheld. Life is good.

    You get your drink and continue on as though nothing can touch you. Eventually, you leave and think nothing of your experience (other than how delicious the coffee was and how on point your Twitter game is).

    Later that day (or maybe the next day) odd things begin to happen. Your phone isn’t working exactly as expected and you start receiving a deluge of what appears to be harmless spam. Okay, fine…all in a day’s existence, right? But then you get a warning from your bank. And you start seeing reactions to things you didn’t post or send. You check in on your bank account to find your balance is at zero. Panic sets in.

    What happened? You’ve always been so careful with your bank account credentials and you never share that kind of information with anyone. This can’t be real, can it?

    It can and it most likely all started with you connecting to a simple password-less wireless network.

    The truth is, you are not safe. Your information isn’t safe, your identity isn’t safe, your mobile devices aren’t safe. Because of this, you have to take every precaution you can, which means never (ever, ever) connecting to an insecure network.

    Why are insecure networks so bad?

    The simple truth is when you connect to insecure Wi-Fi, you open your device to anyone who is also connected to that same wireless network. But why is that so bad? So what if other people can see my device on the network?

    Let me put this in simplest terms. Not every application you use on your mobile device encrypts your data. That means you could be submitting usernames, passwords, and even text messages in plain text. What does that mean? Simple: When you use an app that works with encryption, any data you send or receive is encrypted in such a way that it’s very difficult to read. So instead of sending the plain text “password” (which you should never use), it’ll send a block of unreadable, scrambled characters instead.

    That, my friends, is encryption. And unless your applications are all using it, you’re sending plain text over a network that anyone can access. Once connected, a bad actor could use a sniffer to intercept your plain-text data packets and read them. And the tools used to capture those packets are readily available to anyone.

    You might think this is just a warning that can be ignored at will. To that point, you would be right. This is a warning but it’s one you should heed. When you connect to insecure wireless networks, it’s only a matter of time before someone intercepts your data and you fall prey to any number of nefarious doings.

    Here are the reasons why you should never connect to an insecure wireless network:

      • Anyone with the knowledge can steal your data.

    That’s really the only bullet point you need. And although I’d like to sugar-coat this for you, the truth of the matter is the longer you ignore this advice, the more at risk you are.

    What can you do?

    You might find yourself in a situation where you absolutely must connect to an insecure wireless network (maybe you’re out of data and have work to do). When you find yourself in such a situation, consider the possible options:

      • Never send any passwords or sensitive information when connected to that insecure wireless network.
      • Use a VPN (such as Tunnelbear) when connected to those insecure networks (as it will encrypt and anonymize your data).
      • Use a more secure web browser (such as Brave or Firefox), so you can enable features like always use HTTPS and secure DNS.
      • Enable secure DNS in your web browser of choice (so all of your searches are encrypted).
      • Enable end-2-end encryption in the Android Messenger app (Settings > Chat features > Enable chat features) so all of your SMS messages are encrypted.
      • Disable sharing features as needed (so you’re not opening your device up for even more unwanted connections from bad actors).
      • Invest in an unlimited data plan for your phone, so you never have to bother with connecting to an insecure network.

    Let’s break the above down. The absolute best path you can take is to invest in an unlimited data plan. Why? With an unlimited plan, you will never have a need to connect to an insecure wireless network (especially given how fast 5G speeds are). If, however, that’s not an option, I would highly suggest, at a minimum, you use a VPN every time you connect to an insecure network, work with a more secure browser and enable end-2-end encryption on your SMS apps.

    As you can see, other than only using your data plan, there’s no 1-step solution for this problem. And even when using your carrier data, you could up your security game by following the above advice.

    The same thing holds true when using a laptop and is especially true when using a Windows-based laptop. If the location you’re working in only offers an insecure network, your best bet is to tether your laptop to your mobile device and use the phone’s data plan for connectivity.

    I know the inclination is to roll your eyes at such warnings, but this is one you should take seriously. Do not connect to insecure wireless networks. Period. End. Of. Story. If you value your privacy and the security of your data, you will follow this advice to the letter.

  • DuckDuckGo brings its privacy-focused browser to Macs

    DuckDuckGo, best known for its privacy-focused search engine, is bringing its equally privacy-focused web browser to desktops for the first time, starting with Macs. 

    The company teased its desktop browser plans late last year, but this is the first time the company’s been able to get its hands on any version of the promised software. Like the company’s iOS and Android browsers, DuckDuckGo for Mac was built, from the ground up, to prioritize the user’s privacy at all times. This added security is powered by features like built-in access to the private DuckDuckGo search engine, pop-up cookie protection, a one-click option for clearing all browsing data, email protection, and automatically defaulting to the encrypted (HTTPS) version of all sites, and more.

    The new browser apparently uses macOS’ built-in website rendering engine (the same one used by Safari, DuckDuckGo noted) to provide fast load times. The company claims that these expedited loads are made even quicker by its default blocking of all ad trackers.

    DuckDuckGo for Mac is launching as a private beta, with its maker noting that some features are not yet fully implemented. Among those missing features is support for extensions. While it does plan to enable extensions at a later date, DuckDuckGo claims that the browser’s built-in password manager and ad-blocker already do the job of the two most commonly downloaded extension types without the need to install third-party solutions.

    It also noted that the built-in password manager is able to import your saved credentials from third-party extensions like 1Password or LastPass to make your transition easier.

    Users interested in joining the waitlist to test out the private beta can do so by downloading one of the company’s mobile browser apps, going to its Settings menu, and tapping on DuckDuckGo for Desktop (in the “More from DuckDuckGo” section). There you’ll see an option to “Join the Private Waitlist.” Once you’re granted access, a notification from the mobile app will provide an invite code that can be used to download DuckDuckGo for Mac on your system of choice.

    The company noted that it is already working on a version of its browser for Windows-based PCs. However, it did not provide a timeframe for when that edition might be available.

  • Microsoft's April 2022 Patch Tuesday tackles two zero-day vulnerabilities

    Microsoft has released over 100 security fixes for software that resolve critical issues including two zero-days.

    In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including numerous remote code execution (RCE) bugs, elevation of privilege (EoP) issues, denial-of-service, information leaks, and spoofing. In total, 10 vulnerabilities are classed as critical.

    Products impacted by April’s security update include the Windows OS, Microsoft Office, Dynamics, Edge, Hyper-V, File Server, Skype for Business, and Windows SMB.

    The zero-day vulnerabilities resolved in this update are:

      • CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service and is described as an EoP vulnerability. The bug has been issued a CVSS severity score of 7.0 and its attack complexity is considered ‘high’, as “successful exploitation of this vulnerability requires an attacker to win a race condition,” according to Microsoft.
      • CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System Driver. Issued a CVSS score of 7.8, Microsoft says that attack complexity is low and the company has detected active exploitation, despite the flaw not being made public until now.

    Two other security issues, CVE-2022-26809 and CVE-2022-24491, are also of note. These vulnerabilities, impacting Remote Procedure Call Runtime and the Windows Network File System, have earned CVSS scores of 9.8 and can be exploited to trigger RCE.

    According to the Zero Day Initiative (ZDI), the patch volume level is similar to Q1 2021.

    Last month, Microsoft resolved 71 vulnerabilities in the March batch of security fixes. Among the bugs dealt with are CVE-2022-22006 and CVE-2022-24501, which are the only two critical bugs that were patched. In February, Microsoft patched 48 vulnerabilities, including one zero-day security flaw.

    In other Microsoft news, the tech giant is planning a change that could mean an end to Patch Tuesday as we know it. Dubbed Windows Autopatch, the automatic Windows and Office software update service will be rolled out to enterprise clients to make sure they have access to security fixes more quickly, rather than waiting for one monthly update, with the exception of emergency out-of-schedule releases. Windows Autopatch is set for release in July 2022.

    Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.

  • Google wants to crack down on pet scams: Here's what to watch out for

    Google is taking legal action against someone who it claims has been using a network of fraudulent websites that claimed to sell basset hound puppies, along with “alluring photos and fake customer testimonials” in order to take advantage of people during the pandemic.

    Google has filed a lawsuit against the man from Cameroon for allegedly operating a “puppy fraud scheme”.

    According to Google, Nche Noel Ntse, who Google believes resides in Cameroon, allegedly ran several websites purporting to sell cute puppies but did not deliver them, according to the court filing obtained by The Verge.

    Google filed the lawsuit because it was an “effective tool for establishing a legal precedent, disrupting the tools used by scammers, and raising the consequences for bad actors,” said Albert Shin, a manager for Google’s CyberCrime Investigation Group, and Mike Trinh, a senior counsel.

    The chief legal complaint is that Ntse breached his contract with Google by violating its terms of service. He used Gmail and Google Voice to communicate with victims and register fraudulent websites with US-based hosting companies, and to request and receive payments, according to Google’s complaint.

    Google says Ntse’s alleged activities caused Google financial harm by interfering with Google’s relationships with its users, damaging its reputation, and forcing it to spend over $75,000 on investigations.

    “Defendant’s exploitative and malicious sham pet adoption schemes abuses Google products to prey on vulnerable victims during an unprecedented pandemic,” the complaint reads.

    Google pointed to data from the Better Business Bureau which said that pet scams now make up 35% of all online shopping scams reported to them, often targeting people at their most vulnerable as the pandemic led to a record spike in people wanting to own pets.

    Google argues that the complaint, filed in the San Jose Northern District Court of California, is the right venue because the defendant agreed to Google’s terms of service and used the California-based Dynadot hosting service for the puppy fraud website.

    AARP, a non-profit advocacy service for elderly people, tipped Google off to the puppy scam in September 2021. Victims sent the $700 in electronic gift cards after discussing a puppy purchase through the Gmail account and Google Voice number but got nothing in return.

    After the scam website was taken down, Google also found the same person using Google Ads to run campaigns promoting that domain and others. Google says it suspended ads linked to that Ads account. It said the sites and others that are still operational “pose an immediate risk of harm to Google and the public”. The company is seeking damages, legal costs and an injunction preventing the man from using its services.

    To avoid falling for a puppy scam yourself, Google recommends:

      • See the pet in person (or on a video call) before paying any money. “More often than not, scammers won’t comply with the request,” Google said.
      • Use verified payment methods. Avoid wiring money or paying with gift cards or prepaid debit cards, Google notes.
      • Reverse image search. Search to see if the item or product is a stock image or stolen photo.
      • Search online for the seller. Ask for the company name, number and street address, and see what search results pop up.

  • Ukraine stopped Russian hackers who were trying to attack its power grid

    Cyber attackers deployed a new form of malware in an attack which aimed to disrupt an energy facility in Ukraine.

    According to the Governmental Computer Emergency Response Team of Ukraine (CERT-UA), “urgent measures” were taken after malicious hackers launched a malware attack designed to disconnect and decommission industrial infrastructure controlling high-voltage electrical substations. CERT-UA says that an attack intended to decommission infrastructure was set for the evening on Friday 8 April, but that this has been prevented.

    Analysis by cybersecurity researchers at ESET, who aided CERT-UA in combating the attack, has linked the campaign to the hacking group Sandworm.

    Cybersecurity agencies including the UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have previously attributed Sandworm and other Sandworm campaigns to the GRU, which is part of the Russian military.

    The attack uses an updated version of Industroyer, a form of malware used in previous campaigns by Sandworm, which infamously caused power outages in Ukraine in 2015. Analysis of the footprint left behind by Industroyer2, which is designed for industrial environments, suggests that an attack against the power systems had been planned for weeks.

    It’s still uncertain how the targeted power facility was initially compromised, or how the intruders moved from the IT network to the Industrial Control System (ICS) network, but according to CERT-UA, the attackers first entered the network as a whole no later than February 2022.

    In addition to evidence of Industroyer on the network, the attackers also deployed a new version of CaddyWiper destructive malware. Researchers believe that this was planted with the intention of slowing the energy company’s recovery process and its efforts to regain control of the ICS consoles following the planned attack.

    CaddyWiper was also deployed on the machine infected with Industroyer2, in what was likely an attempt to cover up traces of an attack.

    “Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine,” said ESET researchers in a blog post.

    Cybersecurity researchers have previously identified several forms of malware used in cyber attacks against Ukrainian organisations before and during Russia’s invasion of Ukraine.

  • These hackers pretend to poach, recruit rival bank staff in new cyberattacks

    Hackers are pretending to poach bank staff in a wave of attacks against the African financial sector.

    In recent weeks, the threat actors have been spotted using recruitment emails and messages to entice individuals considering moving from their current employment to rival financial companies.

    However, the emails don’t contain genuine job offers: instead, they contain malicious surprises.

    On Tuesday, the threat research team at HP Wolf Security said the campaign specifically targets individuals already working in the African banking sector.

    Phishing emails are disguised under the names of rival banks through typosquatting and ask the potential victim if they are interested in new job opportunities. The ‘recruiter’ also uses a reply-to typosquatted address to appear more legitimate.

    If an individual is reeled in, the attacker sends an HTML attachment, Fiche de dossiers.htm (translation: file sheet/card), which carries a Base64-encoded ISO file. If the victim tries to open the file, the content is decoded and shown as a web downloader prompt, in a technique known as HTML Smuggling.

    “When the user opens the HTML attachment using a web browser, they are prompted to download the file, which is already stored on the local system,” the researchers said. “This way HTML smuggling bypasses security controls that block malicious website traffic, such as web proxies.”

    The ISO contains a VBS script, which, when double-clicked, triggers the creation of a registry key on the impacted system for persistence, the execution of PowerShell scripts, and the deployment of GuLoader.

    GuLoader is a loader for serving victims RemcosRAT malware. RemcosRAT is a commercially available Remote Access Trojan (RAT) offered on a cheap subscription basis to cybercriminals. The Windows malware can perform keylogging, take screenshots, conduct surveillance through PC cameras and microphones, steal operating system data and personal files, harvest browser activity, and download further malicious payloads.

    By targeting individuals already in the banking sector, it is possible that the cyberattackers are trying to obtain access to commercial bank networks, whether through corporate machines or personal devices when employees are working remotely.

    “The attacker might take advantage of the employee’s position in the bank since they would have access to their corporate email account,” the researchers noted. “[They might] move laterally with the goal of compromising domain controllers to deploy ransomware. They might also steal sensitive/protected data that could be used to extort the target.”