Hi Insiders, Cullen here. It’s spooky season here in the US, my favorite season for all the pumpkin spice, bonfires, cookouts, and costumes. Alas, the security news seems to want in on the spirit of the season and we’ve had a cavalcade of creepy hacks, scams, and all kinds of tricks, especially with the US elections right around the corner.
Privacy & Security  
November 2024 Edition

Editor's Note

Hi Insiders, Cullen here.

I don’t know what’s going to happen in the US election this November 5, but I do know that it’s relevant to your privacy and security. Crooks and scammers have been using fundraising emails and texts to solicit donations to their own pockets. Adversary nations are pouring money into propaganda to try to sow dissent and distrust. But even that noise is largely drowned in the thundering storm of our own political parties dumping billions of dollars into influence campaigns. Those campaigns with their political action committees and pollsters mean your information is being collected and analyzed by more people with more agendas than at any other time. Through it all, we as consumers just have to practice a few simple strategies to keep our devices and ourselves secure: stay educated and vigilant, don’t give away information to unsolicited callers, and protect your accounts with strong unique passwords and multi-factor authentication. We just ran a free 1-hour live session exploring 7 things you can do on your iPhone right now to reduce scam risk and spam calls. If you missed it, jump on that replay!

Do you ever worry about your internet-connected devices, such as a robot vacuum or car, getting accessed without your permission? This month’s news about compromises at Ecovacs robot vacuums and Kia cars has us wondering: How badly do we need an app for that? Let us know what you think at security@iphonelife.com.

Cheers, and have a safe November!

Cullen Thomas,
Senior Instructor at iPhone Life
IN THIS NEWSLETTER

  • 🗒️✅ Your November Security Checklist
  • 🏆🎖️ Test Your Security Skills
  • 🙀 Hacks, Scams, Trouble + What to Do 😏
  • 🤨 This Should Be on Your Radar 📡
  • 🙈 Security Fail of the Month 👎
  • 🍎📱Security Updates from Apple 🍎
 
🗒️✅ Your November Security Checklist

Do these three things to protect yourself, based on everything that happened this month. If you take nothing else from this newsletter, just do these:

  1. Use a password manager so all your accounts are protected by unique strong passwords you don’t have to memorize.
  2. Watch out for alarmist and possibly fabricated claims about hackers, especially around election interference.
  3. When you get phone or text warnings about scams on your accounts, hang up and call back at the official number.

For a complete list of our top security recommendations, see our course on cybersecurity for tech enthusiasts.

 
🏆🎖️ Test Your Security Skills

What should you do in the following scenario?

Your bank calls your phone, claiming there has been suspicious activity on your account 🤔. They ask for your account number to verify your identity.

Click your choice below to see if you got the answer right!

  1. Answer their questions as quickly and accurately as possible.
  2. Thank them for the warning, hang up, and then call your card issuer at its official fraud support line.
  3. Ask them to wait while you google the incoming call number to make sure it’s your bank, and if it is, then go ahead and answer their questions.
 
🙀 Hacks, Scams, Trouble + What to Do 😏

Hype or Hacker? How to Protect Yourself from Election Fraud

The US election system is resilient against direct hacking efforts, reports Jen Easterly, head of the US Cybersecurity and Infrastructure Security Agency (CISA), responsible for securing elections, in an interview with the AP. The system’s strength lies in the use of paper ballots by over 97% of voters, ballots that are audited and counted by humans, she says. Her assessment agrees with the consensus among cybersecurity professionals, like Google’s cybersecurity firm Mandiant, which stated in a report that there has never been a known case of a voting machine being compromised by hackers in the wild, and there has been little observed effort to compromise voting machine manufacturers. Those machines do not connect to the internet, so any effort to hack them would have to happen in advance of the election and would be evident immediately upon the auditing of associated paper ballots.

With hacking vote-counting machines off the table, entities with an interest in swaying the outcome instead focus on you and me, individual voters, whose opinions they may change through propaganda or the leak of stolen information. Here’s what to watch out for.

Warning! How to Know If That Fraud Alert Phone Call Is Real

Scammers can call you and have it appear as coming from any phone number they like. This technique, called spoofing, gets used in all kinds of mischief. The latest innovation in the scuzzy market of scammers is to call you pretending to be Google support, claiming your account has been compromised. The scammer may ask if you’re traveling, offer details about your account, and tell you your account has been compromised and someone has downloaded copies of your data. The calls are professional, polished, and sound like they might just be legitimately from Google, except for one thing: Google will never call you this way. Google also has some powerful security features that, if enabled for your account, should short-circuit this kind of attack. Read more, and what to do.

How to Know If the Internet Archive Breach Affects You & What to Do

The Internet Archive is yet another victim of a data breach. The Internet Archive is likely the world’s largest online library, preserving entire websites, media, software, and more. Like Wikipedia, this organization is completely nonprofit and offers its information for free. Which puts these attackers firmly in the kicking-of-puppies stage of their descent toward the heart of darkness.

On October 9th, the hacktivist group known as BlackMeta targeted the Internet Archive with a devastating distributed denial-of-service (DDoS) attack, which brought the entire site down. At the same time, the site suffered a data breach, which was unrelated to the DDoS attack, according to Bleeping Computer. The data that was stolen included “email addresses, screen names, password change timestamps, encrypted passwords, and other internal data.” As of October 21st, the Internet Archive is slowly coming back online. Read more and how to find out if you’re affected.

 
🤨 This Should Be on Your Radar 📡

Warning to Timeshare Owners: Beware of Offers to Buy

The FBI has issued numerous warnings about a scam involving fake offers to buy time-share properties, a racket ultimately run by a violent Mexican drug cartel. Krebs On Security has the full story.

Hackers Take Over Ecovacs Robot Vacuums, Shout Obscenities at Owners

A strong contender for our cybersecurity fail of the month. Owners of robot vacuums made by Chinese company Ecovacs got an unpleasant surprise when unknown hackers gained remote access to swaths of the devices and used the onboard speakers and cameras to hurl invective. ABC Australia has the full story, including past Ecovacs security flaws.

Ukrainian Hackers Eat Putin’s Lunch

On Russian president Vladimir Putin’s 72nd birthday, a team of Ukrainian hackers shut down the Russian state media service’s website (not that big a deal) and stopped the digital transmission of several television channels (a pretty big deal), then more Ukrainian hackers shut down Russia’s court system (an astonishingly big deal).

Twitter Unbanned in Brazil

A personal tiff between Elon Musk and the Brazilian high court briefly caused the social media platform X (formerly Twitter) to be banned from operating in the country of Brazil (with high fines for any private citizen caught in violation of the ban). The billionaire has rolled over to all demands, and your Brazilian friends may return to using Musk’s platform. Or they may not, at their discretion. The New York Times has the story.

Can You Trust Wikipedia? Wiki-Foundation Stands Strong Against Flood of Low-Quality AI Content

A new initiative at Wikipedia aims to maintain the website’s high standards by emphasizing human moderation and editing. We wish them luck. Read more from 404 Media.

You May Be Among the One-Third of Americans Whose Information Was Leaked by MC2 Data

Reporters at Cybernews found that a company called MC2 Data, which runs background checks as a service and operates a number of different websites, had left one of their databases accessible to the net. Cybernews has the full story.

Trouble Unsubscribing? US Federal Trade Commission Announces New Rules to Help

The new rules require subscription services to always supply a way to unsubscribe that is just as easy and obvious as the way to subscribe, and will go into effect 180 days from the announcement. We very much welcome this.

 
🙈 Security Fail of the Month 👎

Kia Cars Hackable en Masse

A bug in the web interface for internet-connected Kia cars allowed a team of independent researchers to remotely access the digital features of virtually any Kia car, including unlocking doors and starting engines. All they needed was the license plate number.

The thing about internet-connected stuff is if it’s on the internet, it can be accessed on the internet. So, when it comes to cars and front door locks, how badly do we really need an app for that? Maybe your car doesn’t need a web interface to begin with? Read the full story at Wired.

 
🍎📱Security Updates from Apple 🍎

Everything you need to know about Apple’s latest software updates.

iOS 18 is Loaded With Features!

  • The most recent iOS and iPadOS is 18.0.1
  • The most recent macOS is 15.0.12
  • The most recent tvOS is 18.0
  • The most recent watchOS is 11.0.1
  • The most recent visionOS is 2.0.1

The iOS 18.0.1 patch included fixes for a number of security issues, including one in the Passwords app that would have permitted the VoiceOver accessibility feature to read passwords out loud. Even if you are using VoiceOver to assist with your iPhone, you probably don’t want your passwords read out loud in public.

iOS 18.1, expected on October 28th, finally brings the first wave of AI features, called Apple Intelligence (or AI, see what they did there?) to the iPhone. Features include the writing “tools” to rewrite your words in different tones of voice, a Siri redesign, and AI-driven summaries of your notifications and emails, but don’t include the image generation tools, yet.

 
MISSION STATEMENT

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Donna Schill.

 
Copyright © 2024 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.