Krebs on Security

Original site: Krebs on Security


Security Bug in Dell PCs Shipped Since 8/15

Tuesday, November 24, 2015 at 06:44

All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks. Dell says it is prepping a fix for the issue, but experts say the threat may ultimately need to be stomped out by the major Web browser makers.

At issue is a root certificate installed on newer Dell computers that ships together with the private cryptographic key for that certificate. Anyone holding this key from Dell can use it to sign phony browser security certificates for any HTTPS-protected site.

Translation: A malicious hacker could exploit this flaw on open, public networks (think WiFi hotspots, coffee shops, airports) to impersonate any Web site to a Dell user, and to quietly intercept, read and modify all of a vulnerable Dell system’s Web traffic.

According to Joe Nord, the computer security researcher credited with discovering the problem, the trouble stems from a certificate Dell installed named “eDellRoot.”

Dell says the eDellRoot certificate was installed on all new desktop and laptops shipped from August 2015 to the present day. According to the company, the certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting technical issues with their computers.

“We began loading the current version on our consumer and commercial devices in August to make servicing PC issues faster and easier for customers,” Dell spokesperson David Frink said. “When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service.”

“Unfortunately, the certificate introduced an unintended security vulnerability,” the company said in a written statement. “To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support.”

In the meantime, Dell says it is removing the certificate from all Dell systems going forward.

“Note, commercial customers who image their own systems will not be affected by this issue,” the company’s statement concluded. “Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.”
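To see whether a Windows machine's own root stores carry the certificate the article describes, here is an added PowerShell example (not from the article and not Dell's recommended removal process); the store paths are the standard Windows certificate drive, and the function name `Find-EDellRoot` is chosen here.

```powershell
# Added example, not from the article or from Dell. Looks in the machine and
# user trusted-root stores for a certificate whose subject is eDellRoot and
# reports whether Windows holds a private key for it, which is the core of the
# problem the article describes: a trusted root whose signing key is local.
function Find-EDellRoot {
    param(
        [string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*CN=eDellRoot*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey   # $true: the signing key is on this machine
                }
            }
    }
}

# Report first; the machine store needs an elevated prompt to modify.
$found = @(Find-EDellRoot)
if ($found.Count -eq 0) {
    'No eDellRoot certificate found in the trusted root stores.'
} else {
    $found | Format-Table -AutoSize
}

# Removal of the store entries only, shown with -WhatIf so nothing is deleted
# until the output above has been reviewed; drop -WhatIf to actually remove.
foreach ($c in $found) {
    Remove-Item -Path "$($c.Store)\$($c.Thumbprint)" -WhatIf
}
```

Deleting the store entry is not the same as Dell's documented removal process, which the company says is what prevents the certificate from being reinstalled.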

The vulnerable certificate from Dell. Image: Joe Nord


It’s unclear why nobody at Dell saw this as a potential problem, especially since Dell’s competitor Lenovo suffered a very similar security nightmare earlier this year when it shipped an online ad tracking component called Superfish with all new computers.

Researchers later discovered that Superfish exposed users to having their Web traffic intercepted by anyone else who happened to be on that user’s local network. Lenovo later issued a fix and said it would no longer ship computers with the vulnerable component.

Dell’s Frink said the company would not divulge how many computers it has shipped in the vulnerable state. But according to industry watcher IDC, the third-largest computer maker will ship a little more than 10 million computers worldwide in the third quarter of 2015.

Zakir Durumeric, a Ph.D. student and research fellow in computer science and engineering at the University of Michigan, helped build a tool on his site — https://zmap.io/dell — which should tell Dell users if they’re running a vulnerable system.

Durumeric said the major browser makers will most likely address this flaw in future updates soon.

“My guess is this has to be addressed by the browser makers, and that we’ll see them blocking” the eDellRoot certificate. “My advice to end users is to make sure their browsers are up-to-date.”

Further reading:

An in-depth discussion of this issue on Reddit.

Dan Goodin’s coverage over at Ars Technica.

Dell’s blog advisory.

Update, 1:15 a.m. ET: Added link to Dell’s instructions for removing the problem.

How to Enable Multifactor Security on Amazon

Monday, November 23, 2015 at 17:16

Amazon has added multi-factor authentication to help customers better secure their accounts from hackers. With this new feature enabled, thieves would have to know your username, password, and have access to your mobile device or impersonate you to your mobile provider in order to hijack your Amazon account. The security feature allows users to receive a one-time code via text message, automated phone call, or third-party app — such as Google Authenticator.

Step one of enabling multi-factor identification on your Amazon account.


Multi-factor authentication, also often called “two-step” or “two factor” authentication, is a great way to improve the security of your various online accounts (where available). With multi-factor logins enabled, even if thieves somehow steal your account username and password they’ll still need access to the second factor — your mobile phone — to successfully hijack your account.

Users can instruct Amazon to “remember” each device, which disables future prompts for the second factor on that device going forward. If Amazon later detects a login attempt from a device it does not recognize as associated with that account, it will prompt for the code from the second factor — text message, voice call, or app (whichever you choose).

I’m not sure I succeeded the first time I tried to set up multi-factor authentication on Amazon. I signed in, clicked “Your Account,” and then under “Account Settings” clicked “Change Account Settings.” That page allowed me to add a mobile number by typing in a code that was sent to my mobile. But when I hit “Done” and went back to Amazon’s home page, I decided to revisit the page only to discover that there are two more steps needed to finish setting up multi-factor authentication.

In step two, Amazon asks for a backup phone number where users can receive text messages or voice calls, in case you don’t have access to the mobile device added in Step 1. The backup method also can be Google’s Authenticator App.

Step two of three for enabling multi-factor authentication on Amazon.


Step three just explains how it all works and allows users to skip future one-time codes on personal devices.

Step 3.


If you shop at Amazon, take a few minutes today to turn on multi-factor authentication for your account. While you’re at it, check out twofactorauth.org to see if multi-factor is available for any other online services you may use. Also, consider whether you’re able to beef up the security of the backup email accounts you use for your recovery address.

One final note: Receiving one-time codes through a third-party mobile app that does not require a working connection to the Internet — such as Google Authenticator — leaves attackers fewer opportunities to divert your one-time codes. Codes sent by text or voice call can be redirected: thieves can still call your Internet service provider or mobile provider, pretend to be you, and have your calls and/or texts forwarded to another number that they control.

ISIS Jihadi Helpdesk Customer Log, Nov. 20

Friday, November 20, 2015 at 22:56

From NBC News come revelations that ISIS has its very own web-savvy, 24-hour Jihadi Help Desk manned by a half-dozen senior operatives to assist foot soldiers in spreading their message far and wide. My first reaction to this story was disbelief, then envy (hey, where the heck is my 24/7 support?). But soon enough I forgot about all that, my mind racing with other possibilities.

Imagine the epic trolling opportunities available to a bored or disgruntled Jihadi Help Desk operator. For this persona, we need to reach way back into the annals of Internet history to the Bastard Operator from Hell (BOFH) — a megalomaniacal system administrator who constantly toyed with the very co-workers he was paid to support. What might a conversation between a jihadi and the Bastard Jihadi Operator from Hell (BJOFH) sound like?

[RECORDED MESSAGE]: Thank you for contacting the ISIS Jihadi Help Desk. We are currently experiencing higher than normal call volume. Please wait and your inquiry will be answered in the order that it was received. This call may be monitored for customer service and Jihadi training purposes.

JIHADI: [audible sigh].

[MANY ISIS ANTHEMS RIFFING OFF OF BILLBOARD 100 HITS LATER…]

BJOFH: ISIS Jihadi Helpdesk, Mohammed speaking, how may I help you?

JIHADI: Finally! I thought someone would never answer! I’ve been sitting here sweating bullets and listening to the same infidel hold music over and over.

BJOFH: My sincerest apologies, sir. Someone hit “reply-all” on an operational email, and that really lit up our switchboard this morning. Also, most of the encrypted email services we use are under attack by some other terrorist group and are offline at the moment.

JIHADI: Too bad for them. Seriously, you guys call this 24/7 support?? I’ve been parked on this couch for hours waiting for some son-of-a-dog to answer!

BJOFH: [Pause. Deep breath.]…Well, you’ve got me now, sir. What can I do to…er…for you?

JIHADI: Right. So I’ve got a hardware problem. This itchy vest I have on..it keeps beeping, really loud. It’s getting super annoying, and I’ve got to have some quiet prayer…you know….me-time…pretty soon now, understand?

BJOFH: Yes, I see. Well, good news, brother! I think I can help you. Tell me…is there a mobile phone attached to the vest?

JIHADI: [inaudible…fumbling with receiver]….uh..yeah there is..Huh…feels like there’s one sewn into the left inside pocket.

BJOFH: So, I’m going to try something on my end. Sit tight, and I’ll be right back.

JIHADI: [pause] Uh…okay. But don’t be gone so long this time!

BJOFH: [one minute later]…Thanks for holding. Yeah, looks like I’m going to have to go ahead and troubleshoot this issue a bit more. Can you do me a favor and call me from the vest phone?

JIHADI: Uh..wait, through the jacket, you mean?

BJOFH: Yes, sir. My desk line here is 1-866-GO-JIHAD.

JIHADI: Okay. But it’s kinda hard to reach the keypad. So many wires….

BJOFH: Totally fine, sir. Take your time. You should still be able to feel the phone’s keypad through the pocket fabric.

JIHADI: Okay yeah, I think I got it. So how do I send the call?

BJOFH: If your vest is the model I think it is, the “Send Message” button should be the big one in the middle above the keypad.

JIHADI: [Fumbling with the phone] Okay, is it ringing?

BJOFH: [Line rings in background] Yep, got it, thanks. Okay, now I’m going to call you back.

JIHADI: Okay.

BJOFH: Great. Do me a favor and just wait until the phone rings at least once before answering, okay?

JIHADI: Fine, whatever. Just…today, maybe?

BJOFH: You bet. Go JIHAD!

JIHADI: Wait a second! How do I answer…[fumbling with the receiver]

[Vest phone rings. Line goes dead].

All satire aside, the jihadis take their security and privacy seriously, shouldn’t you? Wired.com has helpfully published a translated 34-page Opsec Guide (PDF), a document originally printed in Arabic and intended to introduce newbies to basic operational security measures, techniques and technologies. It’s not the easiest tutorial to read, but it does reference a great many resources worth investigating further.

Update, 5:12 p.m. ET: An earlier version of this article incorrectly attributed the source of the Opsec article referenced in the last paragraph.

Starwood Hotels Warns of Credit Card Breach

Friday, November 20, 2015 at 19:07

Starwood Hotels & Resorts Worldwide today warned that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale cash registers at some of the company’s hotels in North America. The disclosure makes Starwood just the latest in a recent string of hotel chains to acknowledge credit card breach investigations, and comes days after the company announced its acquisition by Marriott International.


Starwood published a list (PDF) of more than 50 of its hotel properties — mostly Sheraton and Westin locations across the United States and Canada — that were impacted by the breach. According to that list, the breach started as early as November 2014 in some locations, ending sometime in April or May for all affected hotels.

As with other ongoing hotel breaches, the malware that hit Starwood properties affected certain restaurants, gift shops and other point of sale systems at those properties, rather than the hotels’ central systems.

“We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted,” Starwood President Sergio Rivera wrote in a letter to affected customers. “The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.”

Starwood joins several other major hotel brands in announcing a malware-driven credit card data breach. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.

On Sept. 25, this author first reported that the Hilton Hotel chain was investigating reports of a pattern of card fraud traced back to some of its properties. Bank sources said the fraud pattern they were seeing all traced back to restaurants and gift shops at various Hilton locations. The company hasn’t commented further beyond its initial statement in September that it was looking into the matter.

In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging acknowledged that — for the second time in 12 months — card processing systems at several of its locations were breached by hackers. Each time, the breach was traced back to point of sale systems at food and beverage outlets inside the White Lodging properties.

Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.

Federal Legislation Targets “Swatting” Hoaxes

Thursday, November 19, 2015 at 16:25

A bill introduced in the U.S. House of Representatives on Wednesday targets “swatting,” an increasingly common and costly hoax in which perpetrators spoof a communication to authorities about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.


The Interstate Swatting Hoax Act of 2015, introduced by Rep. Katherine Clark (D-Mass.) and Rep. Patrick Meehan (R-PA), targets what proponents call a loophole in current law. “While federal law prohibits using the telecommunications system to falsely report a bomb threat hoax or terrorist attack, falsely reporting other emergency situations is not currently prohibited,” reads a statement by the House co-sponsors.

To address this shortcoming, the bill “would close this loophole by prohibiting the use of the internet telecommunications system to knowingly transmit false information with the intent to cause an emergency law enforcement response.”

“In recent years, swatting has become a widely used tool for online harassers to attack journalists, academics, domestic violence survivors, and celebrities,” the lawmakers wrote. “Perpetrators locate victims’ private information online and use technology to conceal their identity as they contact emergency responders.”

Fairfax County Police outside my home on 3/14/13


As the target and victim of multiple swatting hoaxes, I support efforts to crack down on this dangerous crime, which wastes public resources, unnecessarily endangers lives, and diverts first responders away from real emergencies.

However, the bill doesn’t and can’t address a big part of the swatting problem: A huge percentage of those involved in swatting are under the age of 18, and the federal justice system simply isn’t built to handle juvenile offenders. As a result, most cases of youths detained for swatting are handled by state and local authorities. Thus, unless more states pass anti-swatting laws, many of these crimes likely will continue to go unpunished.

California, for example, has a law on the books that requires convicted swatters to repay any costs associated with the incident, which can range as high as $10,000. Under the California law, which took effect Jan. 1, 2014, convicted swatters can face up to a year in jail.