SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 135: Share This Show

Posted on April 25, 2019

Do you remember back when you were younger, and you had to have that uncomfortable conversation with Mom or Dad about the facts of life? Well, you’re older and wiser now, and it’s time for things to come full circle: it’s time for you to bring the uncomfortable facts of life to your parents. Don’t worry, though; it’s not what you think! On this week’s edition of The Checklist, we’re bringing you a show that we’d like you to share with your mother and father, your aunts and uncles, even your grandparents. We’re trying to dispel myths, share helpful tips, and keep the older generations tech-savvy and digitally safe. This week, we’d like to tell them:

  • Ellen DeGeneres Isn’t Trying to Give You Something on Facebook
  • Why You Don’t Want to Leave Your Wi-Fi Unprotected
  • A Bit of Useful Information About Passwords

It’s the digital facts of life this week — so let’s dive right in and get started. 

Ellen DeGeneres Isn’t Trying to Give You Something on Facebook

It’s time to say “Mom, Dad… Ellen DeGeneres doesn’t want to give you anything because of a Facebook post.” Of course, if you have a lot of Facebook friends, you may have seen some of them repost a version of this scam, too — so it’s clear that just about anyone can still fall for one of these. Malwarebytes recently outlined a scam that seems to be trapping more than its fair share of users. 

According to the researchers, a group of scammers has set up a number of fake profiles on the social networking giant to impersonate TV talk show host Ellen DeGeneres. Ultimately, the goal is to fleece people out of their money, but the scammers need to sell a legitimate-sounding story to their marks first. That’s why they chose a friendly, relatively neutral figure such as Ellen DeGeneres — her broad appeal makes it easy to catch people’s attention if they think content is coming at them from an official page. 

The posts aren’t using anything high tech to fool people, just plain old inviting language. The posts simply tell users that they could enjoy the opportunity to win a new car, a fabulous vacation, cash prizes, and much more. The posts even include stolen clips of Ellen talking about a charity drive, adding another layer of credibility to the scam. Of course, the reality is simple: no matter what you do, you’ll end up with nothing at the end of it. That’s true even when you follow the scammers’ directions, which instruct you to “Love” react to the post, share the content, and then leave a comment on the post saying “done.”

So, you get nothing, but the scammers aren’t walking away empty handed. Every like and share pushes their posts further and further across Facebook, while the real scam plays out in the comments sections of the posts. There, users will encounter comments by the fake Ellen page directing them to “download my movie” to finalize their registration for the contest. Some of the supposed Ellen DeGeneres films available for download include Hellboy, Shazam, and John Wick 3, none of which, as you may have guessed, actually feature Ellen. What you’ll end up downloading is far more likely to be malware than anything else.

The danger of malware is why it’s so important to look at things critically and to examine the red flags that pop up along the way. First and foremost, of course, is the fact that those movies don’t feature Ellen — and in fact, she’s only ever been in six films anyway. More to the point, users must ask themselves why a prominent media figure would send them to download any films from a sketchy-looking website — and why downloading a movie in the first place would act as a contest registration. The many typos and examples of poor English throughout “Ellen’s” posts should be a giveaway as well. 

Ultimately, the goal here is to bamboozle users into signing up for a movie “subscription” service that acts as a convenient way for the scammers to charge your card and make off with the cash. What contest is going to ask you for your credit card information? “No purchase necessary,” right? 

There are a few versions of this scam floating around on the web, with many of them following the same style of script. As a result, it’s especially important for users to remain vigilant about these concerns. So, what are some good words of advice to keep in mind for avoiding these scams?

First: the old rule of thumb. If it seems too good to be true, it probably is; in this case, there is a lot that is too good to be true, and many things that should set off warning bells in your head. Next: don’t get caught up in the hype. The idea that you might be able to win a car is exciting, but take a step back and take a moment to see if the offer even passes the smell test. Ask yourself if the celeb would really do something like this, and check the URL bar to see if you are where you think you are (a real page from a celebrity or a TV network will live on that network’s own domain, not on a look-alike or a random download site). Watch out for those spelling errors and bad grammar, too. Don’t download anything, and don’t give away your credit card information, either!

Okay, that’s all great — but what if it’s too late and you’ve already mistakenly fallen for one of these scams? What should you do?

If you didn’t give anything away (no contact details or payment information) and you didn’t download anything, you’re probably fine. If all you did was like or share the post, nothing harmful can stem from that for you; just delete the share so your friends don’t fall for it, be aware, and avoid making the same mistake in the future. If you did download something, disconnect that device from the network and run a full scan with reputable anti-malware software right away, since your system may be compromised; don’t open the downloaded file again. If you gave payment info away, watch your statements closely for unexpected charges, or just cancel that card and have it reissued with a new number.

One final word of advice: want to participate in real contests? Watch the TV shows. You’ll be able to find out about them there, because we promise: your favorite celebs aren’t giving anything away online.

Why You Don’t Want to Leave Your Wi-Fi Unprotected

“Sharing is caring” is one of the first lessons many of us can remember our parents teaching us as children. Unfortunately, some people will take advantage of that, as a story in TechCrunch this week tells us. A popular Android app intended to help people find Wi-Fi hotspots, so they could avoid using their cellular data connection, gave users more than they bargained for. According to the story, the app allowed users to upload Wi-Fi network passwords to a central database that other users of the app could search.

When users searched for hotspots in their local area, networks with available passwords would pop up in the list. The idea sounds okay in theory: one might expect this app to be used to locate the Wi-Fi password for the coffee shop up the street, or to find out your hotel’s access code. In practice, though, there was nothing stopping people from uploading the passwords to private networks as well, and they did. Ultimately, the app exposed passwords for more than 2 million networks, many of them home networks.

Keep in mind that when you join a network, you aren’t just getting Internet access. Every computer and device connected to that network is reachable from it, too, and a savvy user on the same network can start probing and interacting with those devices: your devices, with their file shares, printers, smart-home gadgets, and anything else you’ve never bothered to lock down because “it’s only on the home network.”

It gets worse: according to TechCrunch, the developers of the app apparently did nothing to secure this giant database of passwords. It was left exposed on the Internet without so much as a password of its own, meaning anyone who found it could download the entire database and have access to millions of Wi-Fi passwords in one fell swoop. The database held more than just the passwords: it also contained each network’s name and its “precise geolocation.” Researchers who reviewed the data found that a great many of the entries were home networks, with the geolocation data often pointing into the middle of residential neighborhoods. Put together, that is a map of unlocked doors: a network name, the key to it, and directions to the house.

There are a lot of reasons not to share your Wi-Fi password so freely, or to leave your network unprotected altogether. Alongside being able to potentially access and mess with your devices and data, someone malicious on your network can reach your router’s administration page, and if that page is still protected by the default password printed on the router’s label (or by no password at all), they can change the router’s DNS settings. DNS is the service that turns a name like your bank’s web address into the numeric address your computer actually connects to, so whoever controls it can arrange for you to land on a fake site they control when you type in the real address, or simply route all your lookups through their own DNS server and watch every site you visit, and you’d be none the wiser. Two quick checks worth doing: change the router’s admin password from the factory default, and compare the DNS servers listed in the router’s settings against the ones your Internet provider (or a resolver you chose yourself) actually uses.

What if you still want to embrace the “sharing is caring” spirit, but you don’t want to open your doors to the bad guys? The good news is that most modern wireless routers let you set up a “guest” network that provides an Internet connection but is kept separate from your actual home network, so guests can’t see your computers, printers, or smart-home devices (look for a setting called “client isolation” or “AP isolation” and make sure it’s on). Still give the guest network a password, though; an open network invites strangers to use your connection, and anything illegal they do with it will be traced back to your address first. Changing the guest password a few times a year is a smart move, too, just in case one of your guests has shared it with others, or with an app like the one in this story.

A Bit of Useful Information About Passwords

Our last story today is something we’ve been over (and over) before, but it still bears repeating, because password problems just keep happening! TechCrunch brings us another story, this time reporting on the results of a study conducted by the National Cyber Security Centre (NCSC), an arm of the British government. In their analysis of passwords found in breached accounts, they found that the most common and most insecure passwords of the past year included first names, famous soccer players, and plenty of fictional characters.

One password still stands head and shoulders above the rest, though, when it comes to both its commonality and its insecurity: the classic 123456. According to the NCSC, it appeared in more than 23 million breached accounts worldwide. This information comes from an in-depth study of hacked password databases courtesy of security researcher Troy Hunt. Hunt is best known as the operator of “Have I Been Pwned,” a website that allows you to quickly see if your information popped up in recent data breaches, and whose Pwned Passwords service lets you check whether a given password has shown up in a breach without ever sending the password itself.

As the NCSC’s technical director points out in the article, protecting highly sensitive data and accounts with a password that someone could easily guess is a terrible idea. So, with the idea of this episode being that we’d like you to “share this show,” here’s what your family members should know and keep in mind when it comes to passwords.

  1. Use a password manager. If you do this, you are 90% of the way to being a whole lot safer. A manager is like a private address book for your passwords. It keeps track of all your usernames and passwords for all the sites you use, and most feature built-in password generators, so you don’t need to think of anything yourself. Reputable services cost a little money, but the price is well worth the value you receive in better security.
  2. Always use a strong password. Length matters more than anything else. If you aren’t using a generator, either let a manager produce a long random string of letters, numbers, and symbols, or build a passphrase from several unrelated, randomly chosen words (four or more). What makes a password weak is predictability: a single dictionary word, a name, a favorite team, a keyboard pattern like “qwerty,” or a common word with “1!” tacked on the end is exactly what the NCSC found at the top of the breached-password list.
  3. Never reuse any passwords across multiple sites. If someone gets the password for your Facebook account and it turns out to also be the password for your bank account, well, they’re off to the races! Criminals take the username and password lists from one breach and try them automatically at every other popular site, so a reused password is only as safe as the least careful site you used it on.
  4. Enable two-factor authentication. Many sites already have this. 2FA is a second step when you log in to a website, usually a code from an authenticator app on your phone or a code texted to your cell phone, that lets the website verify it’s really you using your username and password. A code from an authenticator app (or a hardware security key) is the better choice where it’s offered, because text messages can be intercepted or redirected by someone who hijacks your phone number, but even text-message 2FA is far better than none. If a service doesn’t offer two-factor, ask!
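The password advice above can be made concrete. The block below is an added example written for this page, not code from SecureMac or from Have I Been Pwned: it generates passwords the way a manager would (from the operating system’s cryptographic random source, not a predictable pseudo-random generator), estimates how much guessing work each one would take, and checks a candidate against breached-password data using the same k-anonymity scheme Pwned Passwords uses, where only the first five characters of the password’s SHA-1 hash ever leave your computer. The breached-password list and the counts in it are constructed for the example; the real service returns live data.

```python
import hashlib
import math
import secrets
import string

# Constructed sample of "breached" passwords with made-up hit counts. It stands
# in for the data a range query to the real Pwned Passwords API would return;
# the numbers here are illustrative, not the service's real figures.
SAMPLE_BREACHED = {
    "123456": 23_000_000,
    "password": 3_600_000,
    "qwerty": 3_900_000,
    "liverpool": 280_000,
    "superman": 330_000,
}

# Small stand-in word list for passphrases; a real one (e.g. Diceware) has
# thousands of entries, which is what gives a passphrase its strength.
SAMPLE_WORDS = ["lantern", "copper", "voyage", "marble", "falcon", "timber",
                "orchid", "glacier", "pepper", "saddle", "velvet", "harbor"]


def _sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password, upper-case hex, as Pwned Passwords expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index breached passwords the way the range endpoint serves them:
    5-hex-char prefix -> {remaining 35 hex chars: times seen}."""
    index: dict = {}
    for pw, count in breached.items():
        digest = _sha1_hex_upper(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def pwned_count(password: str, range_index: dict) -> int:
    """k-anonymity lookup: the 'server' (range_index) only ever sees the
    5-character prefix; the full hash is compared locally against the
    suffixes that came back. Returns how many times the password was seen."""
    digest = _sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    returned_suffixes = range_index.get(prefix, {})  # what the API would send back
    return returned_suffixes.get(suffix, 0)


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Guessing work for a uniformly random password: symbols * log2(alphabet)."""
    return symbols * math.log2(choices_per_symbol)


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random string from a CSPRNG. `secrets`, never `random`: the latter is a
    Mersenne Twister whose output can be predicted from a few observed values."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int = 4, sep: str = "-") -> str:
    """Several unrelated random words; strength comes from the size of the
    word list and the number of words, not from the words being obscure."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def assess(password: str, range_index: dict, min_bits: float = 60.0,
           alphabet_size: int = 94) -> dict:
    """Verdict for a candidate password: reject anything seen in a breach
    (no amount of 'complexity' rescues it), then require a length that gives
    at least `min_bits` of work against an attacker who knows the alphabet."""
    seen = pwned_count(password, range_index)
    bits = entropy_bits(alphabet_size, len(password))
    return {
        "breached_count": seen,
        "estimated_bits": round(bits, 1),
        "acceptable": seen == 0 and bits >= min_bits,
    }


if __name__ == "__main__":
    index = build_range_index(SAMPLE_BREACHED)
    for candidate in ["123456", "liverpool", generate_password(), generate_passphrase(SAMPLE_WORDS)]:
        print(candidate, assess(candidate, index))
```

Note how `pwned_count` never hands the password, or even its full hash, to the lookup: an attacker watching the query learns only a five-character prefix shared by hundreds of unrelated passwords. The `assess` verdict treats “found in a breach” as an automatic fail regardless of length, because attackers try breached passwords first and a password that is already on their list is guessed instantly, which is exactly why 123456 and reused passwords keep showing up in the NCSC’s figures.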
