The Worst Passwords of the last year

Everyone who uses a PC or Mac gets told not to use easy-to-guess passwords like “123456” or “password”. As it turns out, people obviously aren’t that bothered, because they still use them.

Password management application provider SplashData on Tuesday released a list of the 100 Worst Passwords of 2017, compiled from more than 5 million passwords leaked during the year. For a fourth consecutive year, “123456” and “password” took the top two spots on the list. The list included plenty of other usual suspects like “qwerty” (No. 4), “football” (No. 9), “iloveyou” (No. 10) and “admin” (No. 11), along with some new additions, including “starwars”, which ranked as the 16th worst password of 2017.

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” SplashData CEO Morgan Slain said in a statement. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

Other new additions to the list this year included “letmein” (No. 7), “monkey” (No. 13), “123123” (No. 17), “hello” (No. 21), “freedom” (No. 22), “whatever” (No. 23) and “trustno1” (No. 25). SplashData warned that using any of the passwords on the top 100 list “would put users at grave risk for identity theft.”

The company recommends using passphrases instead of simple passwords, mirroring advice earlier this year from the National Institute of Standards and Technology. Passphrases should be at least 12 characters long and mix upper- and lower-case letters with other characters, SplashData recommended. Users should also set a unique password for each website and consider using a password manager. The reason the list matters is that every entry on it sits at the top of the wordlists fed to password-guessing tools, so any of these passwords falls to an online guessing attack or an offline dictionary attack almost instantly; the NIST guidance therefore also asks services themselves to reject any password that appears on a list of commonly used or breached passwords, rather than relying on users to avoid them.

Without further ado, here’s SplashData’s list of the top 25 worst passwords of 2017; SplashData publishes the full list of 100 on its own site.

1 – 123456
2 – password
3 – 12345678
4 – qwerty
5 – 12345
6 – 123456789
7 – letmein
8 – 1234567
9 – football
10 – iloveyou
11 – admin
12 – welcome
13 – monkey
14 – login
15 – abc123
16 – starwars
17 – 123123
18 – dragon
19 – passw0rd
20 – master
21 – hello
22 – freedom
23 – whatever
24 – qazwsx
25 – trustno1
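As a worked illustration of the kind of blocklist check NIST asks services to perform (an added example, not SplashData’s or NIST’s code), the Python below builds a blocklist from the 25 passwords listed above and rejects any candidate that collapses to one of them once the usual disguises are undone: letter case, a trailing run of digits or punctuation, and “leet” substitutions such as 0 for o. The 12-character minimum follows SplashData’s recommendation; the substitution table and the suffix-stripping rule are assumptions of the example, not rules from the page.

```python
import re
import unicodedata

# SplashData's top 25 for 2017, as listed above.
WORST_25 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx",
    "trustno1",
]
BLOCKLIST = {w.casefold() for w in WORST_25}

MIN_LENGTH = 12  # SplashData's recommended minimum length

# Assumed "leet" substitutions to undo before comparing: P@ssw0rd -> password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
# Assumed suffix rule: users bolt digits and punctuation onto a word
# ("Monkey2017!") and cracking tools strip them again just as cheaply.
_SUFFIX = re.compile(r"[0-9!@#$%^&*.?_-]+$")


def variants(pw):
    """Yield the forms compared against the blocklist, in order: the
    case-folded password, its leet-decoded form, then both again with any
    trailing digit/punctuation run removed. Empty strings are skipped."""
    base = unicodedata.normalize("NFKC", pw).casefold()
    seen = set()
    for form in (base, _SUFFIX.sub("", base)):
        for candidate in (form, form.translate(_LEET)):
            if candidate and candidate not in seen:
                seen.add(candidate)
                yield candidate


def blocklist_hit(pw):
    """Return the blocklisted password a candidate collapses to, or None."""
    return next((v for v in variants(pw) if v in BLOCKLIST), None)


def check_password(pw):
    """Return the list of reasons a password is rejected; empty means OK."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = blocklist_hit(pw)
    if hit is not None:
        problems.append(f"matches blocklisted password '{hit}'")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2017!", "Monkey!!",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The order of the variants matters: the raw case-folded form is tested first so that all-digit entries such as “123456” are caught before the suffix rule would strip them to nothing, and the suffix is removed before the leet decoding so that “P@ssw0rd2017!” reduces to “password” rather than to a string with decoded digits stuck on the end. A real deployment would load a much larger breached-password list in place of the 25 entries here.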

Beware new WhatsApp Scam

A scam text message has been doing the rounds stating that WhatsApp is about to start charging people to use the service. It is not true.

The text message invites people to click on a link and pay 99p for a lifetime subscription to the service because their current subscription has come to an end.

However, it is a scam. Anyone who receives it should delete it immediately, not click on the link, and certainly not hand over any bank details.

If you have already clicked the link, it is wise to run an antivirus scan, and if you entered card details, tell your bank.

When it was launched, WhatsApp did charge 99p after the first year but that was later scrapped.

It was not immediately clear where the scammers had got people’s telephone numbers from.

Don’t fall for the re-hashed Facebook scam

A lot of people are sharing this as their Facebook status:

“Deadline tomorrow !!! Everything you’ve ever posted becomes public from tomorrow. Even messages that have been deleted or the photos not allowed. It costs nothing for a simple copy and paste, better safe than sorry. Channel 13 News talked about the change in Facebook’s privacy policy. I do not give Facebook or any entities associated with Facebook permission to use my pictures, information, messages or posts, both past and future. With this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308- 1 1 308-103 and the Rome Statute). NOTE: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once it will be tactically allowing the use of your photos, as well as the information contained in the profile status updates. DO NOT SHARE. Copy and paste.”

Don’t be fooled: it’s a hoax. Facebook’s terms of use are a contract you accepted when you signed up, and a status update does not amend them (the “UCC 1-308” and “Rome Statute” citations mean nothing here). If you are concerned about what you are actually sharing, follow the guide below on how to protect your Facebook privacy:

  1. See what your profile looks like to a stranger
    From your Facebook homepage, click your name on the blue bar on the top of the page. Click the three dots next to “View Activity Log” and then select “View As…” By default you’ll be able to see what your profile looks like to members, and can click through to sections such as photos to see what they can see. You can also select a certain friend to see what your profile looks like to them.
  2. Make all your posts private
    If you find that to your horror, hundreds of statuses and photos are public, there’s a quick way to make everything visible to just your friends. Click the drop down arrow on the right hand side of the blue bar, go to Settings and then Privacy, and then select “limit past posts”. It’s a move that’s not easily undone, so you’ll be asked to confirm that you want your posts made more private.
  3. Make yourself difficult to be found on Google and with phone numbers
    Facebook accounts can be found in all sorts of ways: They can be searched for, or if someone has your email address or phone number, they can find you – even if they don’t know your name. On the “Privacy” section of Settings you can choose to be invisible to search engines by answering “no” to “Do you want search engines outside of Facebook to link to your profile?” You can also select whether friends, friends of friends or everyone can find you with your email and phone number.
  4. Adjust what apps are showing your Facebook friends
    Many of the most popular apps now connect to your Facebook profile, meaning that your activity on those apps might be posted on your Facebook profile. But to do this, the apps have to get permission, which is where you can step in. In Settings, go to the Apps section and click “Select All” to see what permissions apps have. You may want some of these to be able to post on your behalf – Instagram for example – but you may not want your dating apps to do so, for example. Click an app to adjust privacy settings.
  5. Approve tags before they appear
    When people write on your wall or tag you in a status or photo, you might not want some people to see it. Facebook allows you to review any posts with you tagged in them before they appear on your timeline, although you’d have to report a status or photo for it to disappear. To turn approval on, go to “Timeline and Tagging” in your settings and turn “Review posts friends tag you in before they appear on your timeline” on.

Hotmail & MSN Users subject to another phishing attack

2013 has only just begun and already there is the age-old phishing attack on MSN & Hotmail accounts. Even though you would assume everyone knows about these by now, people still get sucked in. In the latest example, an email which claims to come from the “Windows Live Team” warns Hotmail/MSN users that their account is at risk of immediate closure after different computers logged into it and multiple attempts were made to guess the password. The email looks like this:

VERIFY THIS EMAIL ADDRESS TO AVOID IMMEDIATE CLOSURE

We have recently confirmed that different computers have logged onto your Hotmail and Msn account and multiple password errors have been entered. We are hereby suspending your account; as it has been used for fraudulent purposes. Now we need you to reconfirm your account information to us. Click your reply tab, fill in the columns below and send it back to us or your email account will be suspended permanently.

The email, which has the subject line “CONFIRMATION ALERT RESET (2013)” and comes from an unofficial-looking @msn.com email address, urges the user to reply via email with their full name, username, password, date of birth and country in order to confirm their identity. In case the message seems a little abrupt, the would-be thieves who constructed it provided some helpful tips at the end about managing email accounts.

Of course, Microsoft would never ask you to confirm your identity in this fashion, and certainly not by sending your password in an (unencrypted) email. But less security-savvy users might be duped into believing it is true and respond with all the information the cybercriminals want before having a chance to think twice.

It’s a highly unsophisticated attack, but if it works against even a small fraction of the people the spammers send it to, that is all it needs to do. Don’t be a cybercrime statistic: make sure that you, your friends and your family are wise to such tricks and never share your login information with anybody.
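The tells described above (a request to send a password back by email, a threat of imminent closure) can be checked mechanically. The Python below is an added example, not code from the original post or from Microsoft: it parses a raw message with the standard library’s `email` module and reports which indicators fire. Both messages are constructed for the example; the sender and Reply-To addresses are invented, since the page only says the real mail came from an “unofficial-looking @msn.com” address. Note that a sender-domain check alone would not have caught this one, because msn.com is a genuine Microsoft domain; it is the credential request and the urgency that give it away.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above. The addresses
# and the Reply-To header are invented for the example.
PHISH = """\
From: Windows Live Team <account.verify2013@msn.com>
Reply-To: windowslive-desk@example.net
To: victim@hotmail.com
Subject: CONFIRMATION ALERT RESET (2013)

VERIFY THIS EMAIL ADDRESS TO AVOID IMMEDIATE CLOSURE
We have recently confirmed that different computers have logged onto your
Hotmail and Msn account and multiple password errors have been entered.
Click your reply tab, fill in the columns below and send it back to us or
your email account will be suspended permanently.
Full name:
Username:
Password:
Date of birth:
Country:
"""

# Constructed benign notice for comparison (fictitious domain).
LEGIT = """\
From: Account team <no-reply@mailprovider.example>
To: victim@hotmail.com
Subject: New sign-in to your account

We noticed a sign-in from a new device. If this was you, no action is
needed. We will never ask for your password by email.
"""

CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|pin|security answer)\b", re.I)
# Instructions to send something back by mail rather than to visit the site.
REPLY_INSTRUCTION = re.compile(
    r"\b(send (it|this) back|fill in|reply (with|to this (email|message) with))\b", re.I)
URGENCY = re.compile(
    r"\b(immediate(ly)?|suspend(ed)?|permanently|closure|within \d+ (hours?|days?))\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw):
    """Parse one RFC 5322 message and return the list of indicators found."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart mail: kept out of this example
        body = ""
    found = []
    if reply_to and _domain(reply_to) != _domain(sender):
        found.append(f"Reply-To domain {_domain(reply_to)} differs from "
                     f"sender domain {_domain(sender)}")
    if CREDENTIAL_WORDS.search(body) and REPLY_INSTRUCTION.search(body):
        found.append("asks for credentials to be sent back by email")
    if URGENCY.search(subject) or URGENCY.search(body):
        found.append("threatens imminent account closure or suspension")
    return found


def is_phishing(raw, threshold=2):
    """Crude verdict: two or more independent indicators."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, raw in (("sample phish", PHISH), ("benign notice", LEGIT)):
        print(name, is_phishing(raw), phishing_indicators(raw))
```

The benign notice mentions the word “password” too, which is why the credential indicator requires an instruction to send information back as well; a single keyword would flag every legitimate “we will never ask for your password” footer.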

LinkedIn – 6.5million passwords leaked – change yours now

 

Almost 6.5 million LinkedIn password hashes have been posted on the internet in a massive security breach at the business social network. Sophos reports that a file containing 6,458,020 unsalted password hashes is being cracked by internet hackers, and the IT security and data protection specialists recommend that LinkedIn users change their password immediately. Because the hashes are unsalted, a single precomputed table of hashes of common passwords matches every account that used one of them, which is why the weakest passwords in such a file fall almost immediately.
 
“It would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step,” said Graham Cluley, senior technology consultant at Sophos. “Of course, make sure that the password you use is unique, in other words, not used on any other websites and that it is hard to crack. If you were using the same passwords on other websites make sure to change them too. And never again use the same password on multiple websites.”
 
LinkedIn has issued the following statement, confirming the password breach:
 
“We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
 
1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
 
2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
 
3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
 
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.
 
We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven’t read it already it is worth checking out my earlier blog post today about updating your password and other account security best practices.”
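The leaked LinkedIn file was a list of unsalted SHA-1 hashes, and the statement above says the remedy was “hashing and salting”. The Python below, an added example and not LinkedIn’s or Sophos’s code, shows what that difference buys: against unsalted hashes one precomputed table of common passwords is looked up against every account with no hashing at crack time, while with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 at an assumed 100,000 rounds) each account must be attacked separately and every guess costs the full work factor. The dictionary and the leaked entries are constructed for the example; “Tr0ub4dor&3” stands in for a password that is not in the dictionary.

```python
import hashlib
import hmac
import os

# Constructed dictionary: a handful of entries from the worst-passwords list
# earlier on this page, plus the site name, which crackers always add.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "football",
              "iloveyou", "admin", "welcome", "monkey", "linkedin"]

PBKDF2_ROUNDS = 100_000  # assumed work factor for the salted scheme


def unsalted_sha1(pw):
    """The leaked LinkedIn scheme: one deterministic hash per password."""
    return hashlib.sha1(pw.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> word once; the same table matches every account
    on every site that uses the same unsalted scheme."""
    return {unsalted_sha1(w): w for w in words}


def crack_unsalted(leaked_hashes, lookup):
    """Pure dictionary lookup: no hashing at all at crack time."""
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


def salted_hash(pw, salt=None):
    """Per-user random salt plus a slow KDF; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(pw, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def crack_salted(records, words):
    """Against salted hashes the table is useless: every account needs its
    own pass over the dictionary, and every guess costs PBKDF2_ROUNDS."""
    found = {}
    for user, (salt, digest) in records.items():
        for w in words:
            if verify_salted(w, salt, digest):
                found[user] = w
                break
    return found


def hash_operations(n_accounts, n_words, rounds=1):
    """Work to try a whole dictionary against every account: the unsalted
    table is built once (n_words hashes); salted costs n_accounts * n_words
    * rounds underlying hash invocations."""
    return {"unsalted": n_words, "salted": n_accounts * n_words * rounds}


if __name__ == "__main__":
    leaked = [unsalted_sha1(p) for p in ("password", "letmein", "Tr0ub4dor&3")]
    print("unsalted:", crack_unsalted(leaked, build_lookup(DICTIONARY)))
    records = {"alice": salted_hash("password"),
               "bob": salted_hash("Tr0ub4dor&3")}
    print("salted:  ", crack_salted(records, DICTIONARY))
    print(hash_operations(6_458_020, len(DICTIONARY), PBKDF2_ROUNDS))
```

Salting does not rescue “password” itself: alice is still found, because the weakness is the password, not the hash. What it removes is the economy of scale, since the attacker’s cost now grows with the number of accounts and the work factor, which is exactly why the advice above is to pick a unique password per site in addition to relying on the site to hash properly.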

Facebook Dislike button is a fake – BEWARE

 

Facebook users who have clicked on a link claiming to “Enable Dislike Button” could have experienced problems. Messages claiming to offer the opposite of a Like button have been appearing on many Facebook users’ walls.

Like the many scams which have come before it, the scammers have managed to duck under the Facebook security wire and replace the standard “Share” option with a link called “Enable Dislike Button”. Even though the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, it is still likely to fool some users into believing that it is genuine.

Clicking on the link, however, not only forwards the fake message to all of your Facebook friends by posting it to your profile, but also runs obfuscated JavaScript in your browser.

There is no official dislike button provided by Facebook and there isn’t ever likely to be. But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unaware.

Apple Denies Tracing iPhone & iPad Movements

 

Oops… Sony Network hacked… personal data stolen…

Electronics giant Sony has admitted millions of PlayStation network gamers may have had their personal details stolen. A hacker broke into the PlayStation video game online network and stole names, addresses and possibly credit card data belonging to 77 million people. It is believed to be one of the biggest-ever internet security breaches of its kind. Sony learned of the breach on April 19 and immediately shut down the PlayStation network, but kept quiet about it for a whole week.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:
* Name
* Address (city, state, zip code)
* Country
* Email address
* Date of birth
* PlayStation Network/Qriocity password and login
* Handle/PSN online ID

In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

The shutdown of the PlayStation Network prevented owners of the console from buying and downloading games as well as playing against rivals over the internet. The breach is a major setback for Sony: although video game hardware and software sales have declined globally, the PlayStation franchise has been a steady seller and is one of its key products.

The company said there was no evidence credit card numbers were stolen but warned users it could not rule out the possibility. “Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” it said. That credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions.

Questions clearly have to be asked about whether Sony was ignorant of the PCI Data Security Standard and stored this and other personal data in an unencrypted format. PCI DSS requires stored card numbers to be rendered unreadable and forbids storing the card security code at all once a transaction has been authorised, which is why Sony’s “excluding security code” caveat matters: that field, at least, should never have been there to take.

Sony, which is part of Sony Corp, said it hoped to restore some of the PlayStation network’s services within a week. The network launched in autumn 2006 and offers games, music and movies to people with PlayStation consoles. It has 77 million registered users.

Beware Japanese disaster scam emails

It appears some people have no morals or conscience. A number of scam emails are doing the rounds, purporting to be from the British Red Cross and appealing for donations to the Japanese disaster fund. The email directs you to a website called MoneyBookers and requires you to make your donation through a Yahoo email address. Don’t be fooled. If you want to make a donation, go direct to the Red Cross website.

This from the British Red Cross website :

Fraudulent disaster appeal emails and websites

Please note: Unfortunately there are currently some fraudulent emails circulating claiming to be raising money for the Japan Tsunami Appeal, please be aware we will never ask for people to donate through companies such as Western Union or Money Bookers. We have not sent any emails soliciting donations for the Japan Tsunami Appeal.

Whenever there is a disaster, such as the Japan earthquake and tsunami and the New Zealand or Haiti earthquakes, there will be those who seek to take advantage of people wanting to donate for the relief effort. Many scams involve emails that claim to be on behalf of the Red Cross and there are numerous variations:

  • They may direct you to a fake website where you are asked for credit card details.
  • They may offer you a position collecting money on their behalf for a percentage, retaining the money you send or using you to launder money from criminal activities.
  • They may ask you to donate cash through money transfer companies such as Western Union.

If you receive an unsolicited email alleging to be on behalf of the Red Cross or collecting for the Red Cross, do not respond to it or provide any personal details, but delete it immediately and do not forward or otherwise circulate it.

Please ensure that you only make donations on the official British Red Cross site www.redcross.org.uk

Any emails requesting donations to us through any mechanism other than secure donation via redcross.org.uk or 0845 054 7200 are fraudulent.

All British Red Cross marketing email addresses end @mail.redcross.org.uk and we do not use general email providers, such as BT Internet or Googlemail, to solicit donations.

If you are suspicious of an email you have received, please contact the British Red Cross supporter care team:
0844 87 100 87
supportercare@redcross.org.uk

Facebook : sharing home address & phone number with developers

Do you publish your home address online? Facebook has caused no small amount of concern by quietly opening the address and phone number fields to developers. A post on Saturday by Jeff Bowen of Facebook’s developer support team explained that users’ addresses and mobile phone numbers are being made available to applications on the development platform through a number of APIs.

Users would have to accept a new app and allow it access to personal information. Contact details of friends would not be accessible unless they too accepted the app.

But the primary concern, as neatly summarised by Graham Cluley on the Sophos blog, is that rogue app developers could efficiently harvest this very valuable information by developing apps that scrape this contact information and use it for spam or cold-calling.

“Facebook is already plagued by rogue applications that post spam links to users’ walls, and point users to survey scams that earn them commission – and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service,” he wrote last night. “You have to ask yourself – is Facebook putting the safety of its 500+ million users as a top priority with this move?”
 


Facebook’s latest API allows developers access to users’ address and mobile number.

This is clearly the downside of Facebook’s open apps policy, though it’s extremely unlikely Facebook would reverse that and head down the Apple road of approving apps, which has a whole set of different problems. Cluley suggests developers should only be granted access to this information once a valid use has been proven, or that users should be asked separately to approve sharing this particular data.

Latest:
Facebook reminds us that there’s a difference between rogue applications and apps with a genuine reason for accessing your address or phone number. A spokesperson gave the example of an airline’s e-commerce app that could be more useful if it could notify users about last minute flight changes.
“On Facebook you have absolute control over what information you share, who you share it with and when you want to remove it. Developers can now request permission to access a person’s address and mobile phone number to make applications built on Facebook more useful and efficient. You need to explicitly choose to share your data before any app or website can access it and no private information is shared without your permission. As an additional step for this new feature, you’re not able to share your friends’ address or mobile information

To change your sharing settings, go to Account | Privacy Settings, choose ‘Customise settings’ and amend the relevant tab.
