Subscribe in a readerCollecting Passwords
This statement from Bruce Schneier is interesting,
How to harvest passwords: Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.
It points out how easy it is for someone to collect passwords. A couple of human weaknesses are at play here:
- People tend to trust programs they come across on the internet (and websites and services) . More-so if it looks new and shiny.
- People tend to use the same password on multiple sites.
The internet’s a very dynamic environment, and with the rise of Web 2.0 we have lots of interesting new sites appearing daily. Most of them ask us to register, to provide a username and a password.
And behind every interesting new site are people (the programmers). Most of the time their intentions are honourable, providing an application online (and often for free). But what if a website’s intentions are more devious? What happens when you register an account and type in a (new) password? Usually it gets encrypted and stored in a database. It would be a simple task for the programmer to change the code and get it to store your password in some other way. And if people continue to use one or two password for all sites this information becomes a little more valuable.
In other words it would be easy for the programmer of any new and interesting web site to collect user names, email addresses, and your favourite passwords.
So always be cautious of where you type your password, it can be a valuable thing.
Don’t always trust websites. There are a few exceptions - Google for example does an excellent job with their users’ security.
And whenever possible don’t reuse important passwords on websites you don’t trust.
Keep critical software up to date
Some programs you use are critical to the safe use of your computer, and it’s important to keep these patched.
In this article critical software is the collection of programs (both visible and those that run in the background) that transport information from a web server to your screen. It’s the chain of data flow that you use the most often when using the internet.
You have your operating system (e.g. Windows, MacOS, Linux), a web browser, and a stack of drivers that basically make the internet work for you. This is a simplified model, most people’s computers will be unique and full of all sorts of programs.
Because information is flowing along this chain of programs, data being handed off from the operating system to the web browser, every link in the chain is critical. And like the old mantra, the price of security is eternal vigilance. In this case we’re looking at the eternal task of patching your software.
Patches are released by software vendors, whether it’s a free open source program or from a commercial software company. Patches are written because the programmers are always fixing bugs, in particular they’re always fixing security vulnerabilities as they are discovered. It’s a way of strengthening each of the links in your data chain.
The point of this article is that you should always update the following:
- Patch your operating system (Windows, Mac OS, Linux, etc). Yes there’s a risk in being the first to install a patch, it might break something. Large companies have long complicated procedures to test patches before installing them. Small companies and home users need to take the risk and apply the patch blindly, trusting the vendor. It’s a choice between having the most secure computer possible or waiting to see if a patch is released by mistake. My advice is to take the secure option and make regular backups of all your data (backups would be a good topic for a future article). Most operating systems these days have automated patching systems in place making this simple and often a transparent process.
- Patch your web browser. All web browsers need to be patched - Microsoft Internet Explorer (IE), FireFox, Opera, Safari, etc. Apply patches as soon as they’re released. Today a web browser is the most vulnerable program on a computer, it gets used to run code that other people write. Code that comes from all corners of the world and is almost always not certified in any way and there’s almost no way of trusting the code. Your web browser will execute it blindly, trusting that it’s safe and you trust that all other programs on your computer (including the operating system) will handle the attacks in a graceful way. Web browsers will be attacked, this is almost a certainty these days. So you need to very latest version that hopefully has had every known vulnerability fixed.
- Patch your antivirus software. This is often automatic, and it’s often a paid service. Antivirus companies spend a lot of time and money keeping their tools up to date and it’s in your best interest to use their technology. Consider it a good investment, it could cost you thousands of dollars if your system is compromised.
- Sometimes routers will have to be patched as well. This is a little more advanced and you should only do it if you’re comfortable working with your router.
- Personal firewalls should also be patched. If your antivirus software includes a [personal] firewall then it’ll be patched automatically, otherwise it’s a separate process.
All software that uses the internet in any way, including the various video and music players, needs to be kept up to date. Web browsers and operating systems are the most critical and should be patched the most often. The time and effort you spend is the price you pay for having a safe computer.
When A Government Office Loses Disks.
As well as the usual advice on staying safe online it’s often useful to hear about security incidents that have made the media. And this time I’d like to point out what happens when a government loses disks containing personal data on 25 million individuals.
The two disks that were lost contained names, addresses, insurance numbers and bank account details of 25 million people. This is personal data that could be used to commit fraud or identity theft. This hasn’t been the case so far but it could still happen. Nobody seems to know where the disks are now.
How can this happen? The people handing the transport of the disks didn’t follow proper procedures. They’re human and they made mistakes. The disks were not encrypted before being shipped. The courier company lost them and have no records of where the disks might be. Then the police were involved only about 3 weeks after the incident occurred.
These kinds of accidents can and do happen every now and then. Your personal details can easily end up where you least expect it. One solution would be to make the agencies pay heavy fines for such security breaches, making it worth their time to ensure all procedures are followed.
The other lesson to be learnt here is that when you fill out a form these days you just have to assume it could one day end up in the wrong place. These days some of your personal details are no longer private. It’s just something that’s been happening slowing over the past couple of decades.
Some detailed articles can be found here.
The Popularity of Videos
Online videos are popular these days and as with anything popular scams are everywhere. The following two items take advantage of this popularity.
1. A movie called ” Lust, Caution” has been attracting some attention lately. Some websites have been setup (in China) that promise the ability to download a bootleg copy of the movie. What the websites don’t point out is that the download is infected with a virus that steals your passwords.
So don’t try illegally obtaining copyrighted movies, and especially not this one.
2. YouTube Scams - An email has been doing the rounds containing an ad for a video supposedly hosted on YouTube. The email goes on to explain how the video is about two lovers, includes comments and reviews.
If someone was to click on the link in this email (a link that at first sight appears to point to YouTube) they’ll be taken to a fake website made to look a little like YouTube. Then a message comes up saying that a new Flash player is required. Don’t install this player, it’s a virus. Pay close attention to links (URL’s) in emails.
Laos Airlines Website
It used to be that your computer could become infected if you went to a pornographic or warez website (warez sites are where people can illegally obtain software cracks). While this is still true, “normal” websites can also be vulnerable these days.
The Laos Airlines website was hacked and some code was added at the bottom - malicious code that isn’t visible to the average person. If you were to visit their website (whether to look up travel information or to book a flight) your web browser will also try to load a web page (being hosted in China) that then will try to install malware onto your computer.
The airline itself was a victim, and now that it’s been discovered and made public they’ll no doubt fix it. It’s certainly no reason not to travel to Laos or to use their airline. And the fact that the malicious code was hosted in China is an indicator that a lot of (black hat)hackers are setting up shop over there (until recently Russia was their country of choice to hide their malicious activities).
A couple of tips to avoid being a victim of crimes like this:
- Use alternative web browsers whenever possible. Use FireFox or Opera instead of Internet Explorer.
- Use a good antivirus program that monitors web browsing, and that constantly updates itself (these are usually not free, and it’s well worth paying their fee to keep you safe).
And keep reading as much as possible about online security. Education can only help you.
A QuickTime Flaw
Here’s a new vulnerability in Apple’s QuickTime program, discovered just recently (and published today). A computer can become vulnerable if the following events happen:
- You have Quicktime version 7.x installed (any version beginning with 7.)
- Your computer uses Windows XP or Windows Vista
- You use FireFox for web browsing (IE 6, 7, and Safari are safe from this vulnerability for the now)
- QuickTime is your default media player
- You visit a site hosting a malicious video file that takes advantage of this exploit.
Chances are you don’t meet all of the above criteria, but since there are so many computers on the internet now there would still be a large number of people who do.
The damage from this could be anything for now. Since the exploit has been published malicious hackers all over the world are probably busy writing viruses and trojans to take advantage of it.
So when Apple releases an update be sure to install it. And if you use a good antivirus package it won’t be long until they release a new update (this is why it’s important to keep your antivirus program updated).
Details have been published here.
Malicious Emails Targeting Financial Customers
There has been a rise in malicious emails (emails carrying malicious attachments) that are aimed at individuals. These emails are customised for the recipients with details such as their name and official title.
Two recent occurrences appear to be from the US Department of Justice, and from the Better Business Bureau. They have been sent to customers of financial institutions, indicating that email addresses were stolen and the information used to make the emails appear more convincing.
What makes these appear obviously malicious is that the first (from the US Department of Justice) carries an attachment with a file extension of .scr. These type of files are Windows screen savers, something that should immediately appear out of the ordinary. If you open the attachment it will install a trojan allowing malicious hackers to later take control of your computer.
The second one (from the Better Business Bureau) contains an infected PDF file. This is unfortunate because traditionally PDF files were considered safe from viruses, but lately it’s been proven that even PDF files can carry viruses and trojans. ( A PDF file is an attached document). Keep in mind that these emails have been tampered with to make them appear to be from the relevant senders. In fact they aren’t.
The best defence against these types of targeted attacks is to use a good antivirus program on your computer with the following features:
- It must scan emails
- It must be updated daily
It can be very difficult to pick out these malicious emails unless you have something scanning them for you.
These type of targeted email attacks have been increasing in frequency. Up to 10 new (unique) attacks have been discovered every day. This is a rather large number. Be very careful with suspicious looking emails.
Know Your Enemy
26 year old John Kenneth Schiefer from Los Angeles is facing 60 years in prison and a US$1.75m fine for infecting 250,000 computers with the intention of stealing information. This is exactly the kind of person I’ve been writing here about in the hope everyone can avoid being a victim. It would be useful to know how serious and widespread these crimes are, and how serious it all is.
He ran what’s known as a botnet. This is when malware (viruses, trojans, etc) is installed on a large number of victim’s computers and controlled from one central location. 250,000 infected computers makes a large botnet. That’s a lot of victims, real people who didn’t know someone else was remotely using their computer and stealing their money.
In this case he allegedly stole money from people’s Paypal accounts. It’s not a problem with Paypal’s system, the problem lies in people using compromised computers.
One lesson to be learnt is that you should never shop or bank online on a computer you don’t trust. And a large part of that trust in a computer comes from using an up to date internet security package (an antivirus program).
Another import lesson for everyone is that these criminals are real, and their operations are large and widespread.
Read some articles on his case here.
Virtual Theft
The emergence of a new kind of crime is an interesting thing. We’ve had virtual worlds for quite a few years and as their popularity grows so too do crimes such as fraud, or in this case theft.
There’s a game called Habbo Hotel, it’s an online game where people have online characters. Like a few other online games they can pay real money to decorate their characters and the rooms they occupy. Effectively they buy virtual items to enhance their game.
So when some teenagers are accused of stealing username and passwords of other players, logging in with these accounts and transferring items to their own accounts, it becomes theft. The current buzzword is Virtual Theft. A 17 year old Dutch teenager has been arrested over this allegation, and five other 15 year olds are being questioned. What makes the “theft” significant is that the value of the virtual items is around US$5000.
A spokesman for Sulake, Habbo Hotel’s operator, said:
“It is a theft because the furniture is paid for with real money. But the only way to be a thief in Habbo is to get people’s usernames and passwords and then log in and take the furniture.”
The full article is here. It’s important to note that this isn’t an isolated case. Virtual worlds (in the form of online games) have been a growing trend and like most things that can happen in the real world most forms of crime can carry across to virtual worlds.
Virtual Visa Cards
This concept isn’t new, it’s just becoming more easily available. It’s like a prepaid credit card, and the idea is that if it gets lost or stolen there’s only so much credit that can be stolen. It’s not linked to any of your usual bank or credit cards. It could also be considered a disposable credit card. (And the term debit would be more accurate than credit).
In Australia there’s now a new credit card that works in this way called V-Card. It carries the Visa logo and can be used just like any other Visa credit card, only that you can put any value you want into it before you start spending.
Since the whole idea is to avoid online fraud you probably wouldn’t want to buy one online. They’re going to be available at real shops (Mobil/Quix for now), you then activate it online and they send you the security details by email or SMS to make you feel more secure. There’s a $5.50 setup fee on top of the credit.
It’s a good idea for many people, especially those who have avoided online shopping till now. It could also be useful when travelling overseas (so many travellers return with stories of how their credit card details were stolen).
Details here.
The Need For Strong Passwords
Passwords have been an everyday part of life with computers, and they won’t be replaced any time soon. It’s a form of authentication, granting you access to a system or service.
When security is based on passwords two pieces of information are required:
1. A username
2. A password
Often it’s not difficult to guess a username. Some computers keep this information easily available to anyone who cares to look, and other times it’s just a matter of guessing.
Passwords are more difficult. The “strength” of a password is critical to keeping out unauthorised people. “Strength” is a measure of how easily it can be guessed. And if you’re wondering who really sits there trying to guess passwords you’re in for a surprise.
Passwords can be made stronger by using a combination of the following tips:
- Make your password long. Tip: join 2 or 3 words together
- Have at least one letter in uppercase
- Don’t put a 1 at the end of your password (it doesn’t help at all)
- Use a made-up word if you can think of one, or spell a real word incorrectly
- Try not to use the same password on every website (more on this another day)
If you under the impression that no one will bother trying to guess your password then you’re definitely need to continue reading. Hackers don’t sit there trying to guess passwords (what could be more boring than that?). They write programs that do all the hard work of guessing programs. Then they maliciously install this program on other people’s computers (sometimes tens of thousands of hacked computers) to do lots of hard work for them. They just sit back and wait for the results to come in.
Protecting systems with passwords is a tough battle for the good guys (like you and me). As the progress of technology marches on we have faster computers which means hacking passwords becomes easier.
Now the really interesting part. There’s been some development on all this password guessing technology - where it used to take one computer months to crack a Windows Vista password, by utilising the untapped power of a modern computer’s graphics processor it’s now possible to do the same work with the same computer in 3 - 5 days. That’s 25 times faster just from some clever programming (see this article for the details on how).
So in the real world we have programs running on tens of thousands of computers, guessing billions of password combinations relentlessly, with the expectation that soon they’ll find all the easy ones.
So be smart about passwords. Make it very difficult to guess. And remember that there really are people out there trying to hack into your accounts so always be careful.
Maxtor External Drives With A Free Virus
Some Maxtor external drives have been found to contain a virus. These are brand new units straight from the factory. The unit with this problem is a Maxtor Basics Personal Storage 3200, shipping between August 2007 and November. If you’ve recently purchased one of these you need to call Seagate’s technical support and quote the serial number on the drive.
2 New Skype Related Warnings
There are two new warnings related to Skype today. In each case it’s not Skype that’s the problem, it’s just related to their service.
1. Some people have received a warning saying “Security Center has detected malware on your computer“. If you click on the links provided you’ll get a message telling you malware was found on your computer. It then asks you to pay money for an alleged program to clean it. If you see this, ignore it. It didn’t really scan your computer for viruses, and the money they ask for won’t really go towards anything good.
2. Some Skype users have received a message about finding a lost girl. Again this is a hoax and if you click on the links provided a web site will attempt to install a virus on your computer. Ignore it.
More details can be found at Skype’s security site.
What is Search Jacking?
What is Search Jacking? And how is it bad?
The term Search Jacking is used when a program or network takes you to a search engine when you type an incorrect address into your web browser (e.g. Internet Explorer). For example, if you enter ffraudo.com into the address bar of your web browser it is supposed to show you an error. The address doesn’t exist (at the time of writing this article). At least that’s how it’s meant to work in theory.
Some people with large marketing ambitions decided that if you enter an address that doesn’t exist it should take you to a search engine that can suggest some websites for you. One prominent company that did this is Microsoft. Microsoft’s Internet Explorer takes you to a search engine and suggests some other sites, and not necessarily the site you really wanted to see.
There have been a few companies that have taken it upon themselves to redirect the general internet user to their search engine of choice. And their choice is decided by whoever’s paying them the most. The technique is similar to domain squatting, where mistyping a web site takes you somewhere unexpected. Cox and Earthlink have also used this technique before.
The latest in search jacking attempts comes from Verizon (an American telecommunications company). If your internet is connected through Verizon and you try going to an invalid web site, you might land on Verizon’s search website (for the moment it’s active on one of their fibre network).
Is there a danger to you? For now there’s no real danger, it’s more of a nuisance. Soon they’ll most probably start putting ads on this search site. It’s a little deceptive, and is called by some as “accidental content delivery”. You accidentally type in an incorrect address, they deliver content of their choice. And of course they’ll make money from it.
It’s more of a nuisance for now, and if it works out for them other companies are likely to follow. If your network has already adopted this search jacking system you could complain to your internet provider. After all, someone’s paying for your internet connection and you shouldn’t expect your internet provider to fill it with ads for you.
Beware of Yahoo550
If you see any links to yahoo550.com it’s a malware site that installs a trojan. The authors behind it are trying to trick people into thinking it’s one of Yahoo’s websites (Yahoo has a service called 360°). So ignore the fake 550 and take this as a reminder to have a good internet security program (one that checks websites as well as the traditional files and emails).
Deceptive Template Downloads
If you run your own website, in particular a blog such as the one this article is written on, you’ve come across templates. A template may also be called a skin, or a theme. These templates add the design, colour, layout, and feel of a website, and are developed by creative web designers.
Some templates are free, others are bought or custom made. And there are websites that collect free templates to make it easier for non designers to pick and choose.
It’s recently come to light that some of these template collections have been tainted. The person (or people) collecting and hosting the templates have quietly edited them all and embedded some code to suit their own purposes.
One such deceptive template collection is blogstheme.com. They’ve been caught adding code to the footer in the themes they host to collect marketing data. What makes this even more deceptive is that they didn’t actually create any of the templates, they’re modifying other people’s work. Another website previously ousted for doing something similar is templatesbrowser.com.
So if you run a website, blog, or similar and hunt around for interesting templates on these collection sites, always go back to the original developer’s website and download it from there. This way you’re downloading it directly from the person who created it, and not risking downloading a tainted copy.
It’s unfortunate that as the Internet continues to grow there are always new threats appearing where you least expect them. Hopefully by reading this site and encouraging others to do to we can all avoid the dangers and use the Internet to its full potential. Education is always a good solution.
-
-
Ads
-
-
Stats