Three Persistent Security Myths


I have this cousin, and you probably have someone like this in your family too—the one that is always sending forwards even though you asked them to stop 10 years ago, and even though you’ve told them that forwarded messages can present safety risks online.

Netiquette has been well established and widely understood for years, and these relatives (or friends) are being impolite by spamming you. The more important point, though, is that forwarded messages also present a security risk, for individuals as well as organizations.

After the most recent forwarded link, I mentioned to my cousin that I hoped she had good security software. Her response: “My friend sent this to me. It’s a valid clip/link and virus free.”

And I just had to shake my head at the security fallacies in those brief statements. I hate to be the smart-ass of the family who tries to lecture or educate the less tech-savvy, but I also don’t want to see my relatives fall victim to dumb social engineering scams. Now, this particular link probably was virus-free and safe enough, but when someone continually sends links and forwards, I start to worry they don’t know how to stay safe online.

So, what’s a conscientious security professional or blogger to do?

Clearly my relatives don’t read my blog, so I’m mentioning it here! I’d love to hear your approaches and comments on this topic. For now, I’m going to try breaking down the myths that seem to persist, and see if I can think of a way to quietly explain the issue.

1. “My friend sent this to me.”

Of course you trust your friend, but that doesn’t make it safe to always trust the links they send out. First, the link could contain a virus or malware that your friend doesn’t know about either. Say your friend’s coming down with a cold, but doesn’t know it yet. You both share a drink at a café—two days later, you both get sick because your friend passed the cold on to you. Same idea.

In computers, it’s even more dangerous, because you may never know you’re sick. Spyware, for example, is designed to watch what you do and send information to the hackers about your online behavior, or even about your passwords. Malware can install itself on your computer without your even knowing. Many people get infected with software that forms a network with other computers, called a botnet. When the hacker contacts all those computers, they can be activated and do whatever he wants—like send messages from your computer to your friends.

These hackers don’t want you or your friends to know you’ve been hacked. Your computer might just slow down a few hours a day…because it’s being used secretly by someone else. They can change your security settings, see your passwords, or even corrupt your files and shut down your computer without your permission.

If your password information is stolen, hackers can access your accounts and send forwarded links and emails to your friends without your even knowing. Those messages can contain more malware that installs on your friends’ computers, or spreads through your accounts.

Of course we trust our friends. But that doesn’t mean that our friends won’t have problems online, or that they won’t get infected.

2. “It’s a valid clip/link.”

Images, documents, and all sorts of valid files are used to send viruses and malware to users. The most popular lately are PDFs and Microsoft Office documents, but picture and video files can also be suspect, and for many years it was images most of all that were the most dangerous. The link might contain something useful, entertaining, or even work-related. Just because the link works and does what you expect it to doesn’t mean that it’s safe. It could also contain other problematic files: while you’re being entertained or even learning a fun factoid, something bad might be happening in the background…

3. “And it’s virus-free.”

Again, just because it works and your friend sent it, you can’t assume it’s virus free.

First, did you scan it for viruses? If your scanner says it’s virus-free, how well do you trust your scanner? Many well known and popular anti-virus programs, even if they’re mostly reliable, can’t pick up every infection. Additionally, viruses aren’t the only problems you have to worry about online.

Everyone—hey, even Mac users—should get themselves a good anti-virus/malware program and check regularly for updates. But it’s also good to keep in mind that even the best program won’t always protect you. The best defense is being careful about what you click, and what the source is.


Novel Uses of Facebook…Security and More


Remember when the iconic phrase for the internet was, “You’ve got mail!”? Today, it may as well be, “You’ve got friends!”

Last week I blogged about the anti-virus software available for the Mac, and the possibility that viruses and malware aren’t just for PCs anymore. Part of the problem for Mac users, though, is that the risks on the Internet are often based on Internet or application vulnerabilities rather than OS-based vulnerabilities. Social engineering is going to be a risk no matter what OS you use, and it may be on the rise because social networking is on the rise. Who do you trust? Your friends.

But on the net of course, it’s a lot harder to know who your friends are, and even if it’s really your friends on the other end of the line. Some of the Facebook stories lately show people using FB in new ways–some of them for good:

For example, the guy who bought targeted ads to try to land a Microsoft job after graduation

Or, law enforcement tracking down fugitives who left the country with a ton of cash, by looking at their FB status updates

Then there are more insidious and evil uses for Facebook:

A generic phishing scam recently logged by PhishTank.org suggesting that Safari users are targeted

Scammers pretending to be your friends to get money from you.

Facebook is definitely on the rise, and the news media is representing it through all these stories of different uses and scams on the site.


Citizens Needed to Fix Broken IRS System


Some clever, benevolent hacker ought to do all U.S. citizens a favor and hack into the I.R.S. system, to fix their outdated accounts—just like one DSL customer did to his Internet hosting company.

The customer had paid for some changes to his account and service, got frustrated waiting for the company to deliver the service, and so he hacked in and just did the job on his own. Maybe the web company should think about offering the guy a job—to beef up security and fix others’ customer service issues.

It’s not unusual for small hosting companies to have trouble meeting their customers’ security and service needs, unfortunately. What’s more unfortunate is that the IRS apparently has about as many problems. Recently it came to light that they’ve been sending stimulus checks to dead folks—even workers that have been dead up to 35 years.

Is any concerned taxpayer willing to volunteer to hack in and clean up their system? Unlikely. It’s unclear whether the IRS would thank the hacker for the help (as the hosting company did for its customer), arrest them for an act of terrorism, or just fail to notice. My guess is the latter—if they didn’t realize those people had been dead for so long, how would they even notice if the accounts were deleted altogether?

The story doesn’t speak well for the government’s organization skills. No wonder we’re in such a financial pickle—well, you know, besides the billions donated to the war, and all the other reasons…


Why Renters and Young Adults Go Cell-Phone-Only: Mobility and Privacy


Ars had an article today giving a fascinating statistic: 20% of all U.S. households rely exclusively on cell phones and have no land lines.

The main groups that make up that 20% are youth aged 18-29, one third of whom are cell-phone-only, and adults that share housing, of whom 60% use only cell phones. Additionally, 25% of all Hispanics are wireless-only.

Their data is good, but their conclusions overlook the obvious. Ars says the groups that make up the 20% are “lower income.” That may be true, and the reasoning is solid: tech-savvy youth are adopting the trend, Hispanics are traditionally lower income, and the logic holds that it doesn’t make a lot of sense to pay for a landline if you can use a cell phone.

But for some reason, I’m guessing the writer of the article is a 40-something, U.S.-native, home owner long removed from the process of moving and sharing housing. Because economics and tech-savvy aren’t the only reasons why renters and youth rely on cell phones. I think mobility and privacy are actually the deciding factors, at least from my experience–being one of those 29-year-old renters who exclusively uses a cell.

If you’re sharing housing, having your own phone means you don’t have to rely on roommates to give you messages, and your roommates don’t hear your personal messages. And even if you don’t share housing, but you’re young or renting, you’re more likely to be moving from apartment to apartment every few years. It’s not always your choice–a landlord can just decide to kick you out so their friends can move in to your apartment. It’s happened to me.

If you buy into a landline, then you have to go through the hassle of calling the phone company, resetting the wires, and telling all your friends about your new phone number when you move. If you have a cell phone, it’s no hassle and no change: whether you move down the block or across the country, your friends still have your number and you still have theirs.

It was nice of Ars to notice the socioeconomic issue in this case, that renters, Hispanics, and youth are traditionally lower income. But if you ask many cell-only homes, many might say that a new landline would not be high on their list of their priorities if they did have money. Instead, the fact is that these groups are more mobile, move more often, and share living spaces with a greater number of people–so, they have different needs out of a phone service.

Case in point — in the last 6 years, since I’ve been out of college, I’ve moved 6 times, but not regularly once a year. Sometimes 10 months, sometimes 6, sometimes 18. I finally got a cell phone when I had to move from Santa Cruz to the South SF Bay area for work, and I needed a cell phone to call prospective housemates and landlords from Craigslist. Since then, I only had a landline once, when it was already installed in my new apartment because my housemate had set up DSL. Neither of us ever used the phone and it couldn’t make long distance calls. Since I got a cell phone, I’ve had the same phone number and it hasn’t been a hassle.

In fact, you’ll find that a growing number of youth and renters like me are not low-income groups. Affording to buy a condo or home has become cost-prohibitive, whether or not you make a decent wage, and jobs are not as secure as they once were. In this recession, people are valuing mobility because they may have to move to find work. Many young people and adults bounce from job to job every few years. However, loan agents often won’t take people unless they can show they have worked for the same employer for the last few years, whether or not they have made a steady, sufficient wage at a steady stream of jobs, as many young people have. In the age of pink slips and home foreclosures, fewer and fewer people can afford homes, and more and more people will value and demand mobility.

And, more and more people of all stripes will probably come to see that their land lines are obsolete.


Corrupted Files–Incompatibility is another form of Insecurity


I’ve been debating this point in my head for a while now. If you have two computer programs that do the same basic thing, but don’t properly exchange files and instead corrupt each other’s files, is that a form of IT insecurity?

Obviously it’s not the same issue as being exploited or hacked, but it can have similar results–a company loses money and time tracking down the errors and rebuilding the documents, and can lose critical information. For me this came up when my Macbook Pro crashed, graphics card dead, and needed to be rebuilt this past week.

I had all my work backed up, but since the computer itself was in the shop, I was working for a week on an old backup PC. It’s a 512MB laptop with a basic install of Win XP, and essentially no applications. Scaled down so that it’s cost effective, easy to store, replaceable, but works for me in a pinch–such as when my main machine is in the shop. However, in my daily work I use Microsoft Office in its advanced capabilities–style sheets, templates, formatting, commenting and reviewing, track changes. Since I work remotely, much of my editing and work communication happens in the space of the comments in the Word documents I develop. Without a good word processor that can read .docs, I’m lost.

So I downloaded Open Office and rejoiced a little to find that it seemed to load all my work properly, and had most features to handle style sheets. I did a few brief edits, sent them to my editor, and she reported back the All Clear: the formatting, when converted back to Office, looks fine. Great, so I continued working. Yet a few documents and more complex changes later, I got word that in fact, the documents had been corrupted. Open Office added extra styles, messed up my current styles, and wasn’t quite handling the comments and track changes right.

Curses! So, for a few days I did some work that’s been on the back burner, which didn’t need care in formatting. And now my computer’s back with a shiny new motherboard, and I’m revisiting the edits I had started in Office.

My formatting is indeed corrupted, with the following problems:

  • Spacing around headers and in tables is wrong
  • Fonts are off
  • A bunch of extra styles are added in the list

I suppose for the casual user these are irrelevant problems. Most writing is going to be thrown into a graphics application or coded for the web before publication anyway. But in this case, it’s a disaster! I’m spending my week revisiting the documents and trying to remember where I was, before my work got interrupted.

So, I don’t know how the security professionals feel. After all, no one hacked my files–I’m sure the developers of Open Office meant well. But from the user perspective, this is just one more computer security issue threatening a worker’s time and efforts.

Next time maybe I’ll just suck it up and spring for a little netbook or an extra Office license.


Problems with Security Questions


F-Secure had an interesting rundown today on the security options available over at Facebook. They also critique Facebook’s security questions, which are generic items like “Mother’s maiden name,” “3rd-Grade Teacher,” “First pet.” These are items that your friends and family are likely to know about you, so they don’t necessarily guarantee your security. As F-Secure puts it, “Security challenge questions based on social information is probably not the best of ideas on a social networking site.”

The questions really are kind of ironic. I had to think a while to remember my third grade teacher’s name, but I do have one or two people on my flist I went to school with. They may remember better than me!

I also have direct experience that security questions can prove ineffective. In fact I remember being guilty myself: as a drama-ridden teenage girl, I hacked an ex-boyfriend’s email account, because I knew his password and security question answer. It was his place of birth, and most clever of me, I remembered exactly the way he always misspelled it. Hacking his account and then confronting him was not my best moment in life. Luckily I learned my lesson and will never do something like that again. My story only shows that it’s possible, and illustrates F-Secure’s concern.

The problem with developing genuinely secure questions is that all of those types of questions are usually, by nature, personal and social. They must be targeted to the user, and based on the user’s demographics and interests. When they work, it’s because the answer is a private thing, or a personal thing that no one else knows. For adults, in many cases, those types of questions work simply because the user’s adult friends weren’t around in elementary or high school when we had our first pets, third grade teacher, first car, etc.

Developing tougher, more targeted questions can also present a challenge. Recently, I had the opposite problem of the Facebook dilemma. Instead of the questions being too easy and well known, they were simply irrelevant. I opened some account where all the questions revolved around marriage, kids, mortgages. The writers assumed their users were older, and made the logical leap that they were married and had children or mortgages. But I’m under 30, unmarried, without children, and haven’t been able to afford my own home. I’m not alone, either–many of my peers are waiting much longer before getting married, having kids, and buying homes. So, I found the questions simply irrelevant, and had to puzzle out a while how to get around the obstacle of the security questions.

Of course, the questions are supposed to present an obstacle to hackers, not the account holder, so they have to be something easy to remember, applicable, and relevant, even before they enforce security. Sites that use security questions need to be aware of these problems, and walk a fine line between making the questions too easy, and having them be inappropriate for their users.

One solution would be for sites to offer more choices. Then, it’s up to the user to make sure to choose a question that he or she can remember the answer to, but others are unlikely to guess. Even if in general, the questions are easy or well-known, the user should be able to select a question or two that others won’t know.


Playing Along with Nigerian Scammers


My latest hobby for procrastination is browsing Craigslist ads, looking for new furniture and trying to get rid of old stuff. I’ve been doing spring cleaning and trying to sell off an old stereo, VCR, a Dell laptop, and other miscellaneous things. (Let me know if you need anything)

Along the way I’ve also gotten a few odd emails from folks asking to do a wire transfer or Moneygram, a classic Nigerian scam. Usually I either tell them I know it’s a scam, or just delete the emails without thinking much about it. So I was amused to read about another Craigslister actually responding and messing with the scammers.

Todd Lappin of Telstar Logistics–a little bit famous for creating a fake brand in order to avoid parking fees–happened to be selling a loveseat on CL when he received a convoluted, poorly written note asking to use a moneygram and explaining the transaction would be completed with the emailer’s secretary. Another classic Nigerian scam, which he recognized right away.

Todd’s not your ordinary guy, so instead of deleting the email, he responded to the friendly Nigerian scammer, played along, and got the guy to send him the check. Now he’s posted and exposed the scam on the Net for all to see, over at laughingsquid. The scammer will be expecting him to try cashing it and send back the difference between the check amount (nearly $3k) and the price of the loveseat ($200).

If he went along, the check would bounce and the scammers would be making off with the difference. And he might still be stuck with an ugly yellow loveseat. (Okay it’s actually not a bad loveseat, just the same horrible color my childhood bedroom was painted).

Why anyone still falls for these scams on CL is odd, since there are warnings plastered all over the site, and the scam is common and easy to recognize. I suppose they wouldn’t still be trying if they didn’t get bites from people ignorant enough to go for it. So it’s good to see people messing with and exposing the tricks.

Interestingly, Todd says the check he received looks entirely authentic and may be drawn on a genuine bank account. So he’s gone to the trouble of blurring the account number in the check image he posted. It’s good to see someone’s looking out for others’ security online.


Malware course online from FSecure/University of Helsinki


I spent a small chunk of time this morning reading through the slides posted online from a Malware course that was taught at the University of Helsinki earlier this year. The lecture slides are in PDF and available for anyone to browse.

The introduction starts off at a fairly basic level deconstructing many of the terms used to describe different attacks and shows examples of criminals’ posts on bulletin boards and prices for various attacks. Interesting stuff, even for a non-programmer like me. You could use them to educate staff or friends who are not computer professionals.

Then those of you who do security and programming may even find more useful stuff in there to work on… take a look.


Why It Should Be Easy to Avoid 3/4 of All Online Scams


What is the first thing that you think of when you see “Acai Berry”? I think “scam” or “spam” or “hackers.” Same thing with a handful of other products: Viagra, Cialis, you know them and can name them yourselves. So why are hackers successful with these products?

Cisco sent me a press release today for a scam on Facebook advertising Acai berry drinks. Supposedly it’s a pretty slick scam from a marketing perspective, because scammers are using advanced and genuine marketing tools in their campaign. The list includes a “free” trial that really nets the scammers $30 per transaction, the use of “better than corporate” marketing, and the use of accounts and URLs from legitimate marketing companies Livefaceonweb.com and LivePerson.net. After the person pays for the free trial, the scammers have their credit card data too, and can commit any number of fraudulent transactions.

The mix of scammy and legitimate methods may help lend some authenticity to the transaction. But I’m not convinced the whole thing is so slick after all. Even legitimate marketing campaigns aren’t so successful on Facebook, evidenced by the fact that the site, with a 120 million+ user base, is still unprofitable after years of relative success. Next, the accounts may be with legitimate marketing companies, but does that actually lend any air of authenticity? I don’t recognize the domain names and probably very few people do. (And if you know online marketing well enough to know the sites, you’re probably savvy to the scams too, right?)

Even all those doubts aside, the fact remains that acai berry drinks should just be a huge tip off. Never mind the message that “you’ll be paying for the free thing, now give us your credit card numbers.” That should also be a tip off. Any web user should recognize those tricks and should know better.

I suppose that’s why Facebook is such a great target. People from all walks of life, and all ages and tech skills, congregate there and share their private thoughts. Even my 68-yr-old dad is on Facebook these days; he has a minimalist profile in order to connect with other family members. People with very little experience or web savvy, who are also feeling safer because they’re on a site they know and trust, are more likely to fall for the tricks. I bet my dad is too smart, though.


Our Greatest Creations Are Our Greatest Risks…National Security and the Electric Grid


I’ve taken only a bare minimum of self-defense and martial arts training in my life, but I know that as a short and petite woman, my best chance in a fight would be to use an assailant’s force against him.

And so it is with computer systems, it seems. The more software capabilities and files we allow on networks, and the more capable computers become, the more that hackers and scammers will have to work with, or to work against us with. Just one more variant of the “build a better mousetrap” adage.

That’s what popped into my head earlier when I read this story about spies hacking into the U.S. electrical grid and leaving behind malware that could disrupt service. That kind of attack could be invaluable in a war or large-scale hack situation, affecting millions of people.

Of course, without networked and computerized utility systems, such an attack wouldn’t even be possible. The same technology that makes industry more effective, efficient, and easier to use also makes it that much more vulnerable. In the end, I have to wonder if such a system is exchanging one set of problems for another set, which its operators may be less able to deal with.

An interesting finding in the article is that utilities are constantly under attack, and often vulnerable, but that human resources databases are far more secure. I guess that makes sense in a way, since data loss and ID theft are such common concerns in media overall. Much of the public’s awareness of security is via media targeted to the individual consumer. On the job, it’s possible that tight budgets or a lack of time and expertise contribute to the lack of an effective security system, especially in such a large-scale and specialized operation. Every company needs a Human Resources division…but the infrastructure to operate a smart grid is much more specialized, therefore harder to protect.

Still, there may be good news for cyber security soldiers on the horizon. The Obama administration is taking steps to review and research the national state of cybersecurity and take measures to improve it. There’s no doubt they have a massive job on their hands.
