Security roundup (3/1/2015)

It’s been quite an active few weeks in the realm of security and privacy. Here are the top stories and what they mean for you. I’m trying to keep these short and sweet, and then point you to other sources for more information.

• IRS phone scams. It’s tax time, and the bad guys are out in full force. The money to be made can be massive. First of all, there’s a phone scam where people call you pretending to be an IRS agent and tell you that you owe back taxes. You must pay immediately by wire transfer or credit card – if you refuse, they threaten arrest or deportation. See this IRS web site for more info on how to spot this scam, but the bottom line is that the IRS will never ask you for a wire transfer or credit/debit card.
• Fraudulent tax returns. The folks at Intuit (the makers of TurboTax) are saying there’s been a massive spike in fake tax returns being filed, particularly at the state level. This is basically identify theft – these crooks have enough info on you to file a tax return on your behalf. But it appears that the way they’re getting this info is to hack your TurboTax Online account by using hacked passwords found from other sites. So if you filed your taxes using the web version of TurboTax, and you used the same password on some other web site that was hacked, then you’re at risk. Log in to TurboTax and change your password to something strong and unique. If they offer two-factor authentication, sign up for it. Check for a return filed this year that you didn’t file. Look at the direct deposit information and make sure it hasn’t been changed. You can find more info in this NY Times article and this more technical article on Krebs Security.
• Beware stowaway crapware. How can you make money on “free” software? Answer: lace it with crap software (“crapware”) that pays money. Download sites like Download.com provide a handy one-stop-shop for finding and downloading free applications, but in order to “monetize” this business model, they turn to lacing this software with lots of other junk software that you didn’t ask for. How bad is it? Pretty bad. Check this fascinating article from HowToGeek. Always try to get your free software directly from the source. If you’re on a Mac, try to use the Mac App Store as much as you can.
• Malware you can’t see or remove. There were two bombshell stories in the past few weeks in the realm of government mass surveillance. First up: superhuman malware. Kaspersky Labs uncovered a vicious new bit of malware that corrupts your hard drive directly. Hard drives are not just dumb buckets of bits – they’re highly sophisticated mini computers complete with a mini operating system. While this has become a necessity due to the high complexity of modern drives, it has allowed the NSA and/or GCHQ to install malware that your operating system can’t see and you can’t remove, even if you try to erase the entire drive… because all you’re really doing is asking the drive to do something, and it’s lying to you when it says that it did what you asked. Read the technical details here. The only good news is that this software is likely not already installed with every computer, it appears to be highly targeted.
• The Great SIM Heist. (bombshell #2) Mobile phones weren’t really built for privacy – this capability was added after the fact. Unfortunately, it was built around symmetric keys – that is, both sides have to use the same key. That means that in addition to the secret key burned into the SIM card (which is the Subscriber Identity Module built into almost all modern cell phones), the cell network needs to also have a copy of that key. Turns out that most SIM cards are made by one company – and that company was hacked, probably by the NSA or GCHQ. Whoever has those keys can now decrypt all cell phone communication, including past conversations that were recorded in encrypted form. This is just appalling and astounding. Read more here and here.
• “The Man” in the Middle. Computer maker Lenovo was caught red handed breaking SSL encryption with the purpose of inserting advertising on your computer. Lenov did this using a third party tool called Superfish that basically allowed them to insert themselves into the middle of all your supposedly private, encrypted web connections so that they could insert advertisements. This by itself would be bad enough – but the implementation of this adware was so bad, they exposed their users to hacking from just about anyone else. And just to make matters worse, the underlying tool that performs this hack from a company called Komodia is embedded in other software. Read more about the Lenovo part here, and how to remove Superfish software here.