Collecting Passwords

This statement from Bruce Schneier is interesting,

How to harvest passwords: Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

It points out how easy it is for someone to collect passwords. A couple of human weaknesses are at play here:

• People tend to trust programs they come across on the internet (and websites and services) . More-so if it looks new and shiny.
• People tend to use the same password on multiple sites.

The internet’s a very dynamic environment, and with the rise of Web 2.0 we have lots of interesting new sites appearing daily. Most of them ask us to register, to provide a username and a password.

And behind every interesting new site are people (the programmers). Most of the time their intentions are honourable, providing an application online (and often for free). But what if a website’s intentions are more devious? What happens when you register an account and type in a (new) password? Usually it gets encrypted and stored in a database. It would be a simple task for the programmer to change the code and get it to store your password in some other way. And if people continue to use one or two password for all sites this information becomes a little more valuable.

In other words it would be easy for the programmer of any new and interesting web site to collect user names, email addresses, and your favourite passwords.

So always be cautious of where you type your password, it can be a valuable thing.

Don’t always trust websites. There are a few exceptions – Google for example does an excellent job with their users’ security.

And whenever possible don’t reuse important passwords on websites you don’t trust.

Keep critical software up to date

Some programs you use are critical to the safe use of your computer, and it’s important to keep these patched.

In this article critical software is the collection of programs (both visible and those that run in the background) that transport information from a web server to your screen. It’s the chain of data flow that you use the most often when using the internet.

You have your operating system (e.g. Windows, MacOS, Linux), a web browser, and a stack of drivers that basically make the internet work for you. This is a simplified model, most people’s computers will be unique and full of all sorts of programs.

Because information is flowing along this chain of programs, data being handed off from the operating system to the web browser, every link in the chain is critical. And like the old mantra, the price of security is eternal vigilance. In this case we’re looking at the eternal task of patching your software.

Patches are released by software vendors, whether it’s a free open source program or from a commercial software company. Patches are written because the programmers are always fixing bugs, in particular they’re always fixing security vulnerabilities as they are discovered. It’s a way of strengthening each of the links in your data chain.

The point of this article is that you should always update the following:

• Patch your operating system (Windows, Mac OS, Linux, etc). Yes there’s a risk in being the first to install a patch, it might break something. Large companies have long complicated procedures to test patches before installing them. Small companies and home users need to take the risk and apply the patch blindly, trusting the vendor. It’s a choice between having the most secure computer possible or waiting to see if a patch is released by mistake. My advice is to take the secure option and make regular backups of all your data (backups would be a good topic for a future article). Most operating systems these days have automated patching systems in place making this simple and often a transparent process.
• Patch your web browser. All web browsers need to be patched – Microsoft Internet Explorer (IE), FireFox, Opera, Safari, etc. Apply patches as soon as they’re released. Today a web browser is the most vulnerable program on a computer, it gets used to run code that other people write. Code that comes from all corners of the world and is almost always not certified in any way and there’s almost no way of trusting the code. Your web browser will execute it blindly, trusting that it’s safe and you trust that all other programs on your computer (including the operating system) will handle the attacks in a graceful way. Web browsers will be attacked, this is almost a certainty these days. So you need to very latest version that hopefully has had every known vulnerability fixed.
• Patch your antivirus software. This is often automatic, and it’s often a paid service. Antivirus companies spend a lot of time and money keeping their tools up to date and it’s in your best interest to use their technology. Consider it a good investment, it could cost you thousands of dollars if your system is compromised.
• Sometimes routers will have to be patched as well. This is a little more advanced and you should only do it if you’re comfortable working with your router.
• Personal firewalls should also be patched. If your antivirus software includes a [personal] firewall then it’ll be patched automatically, otherwise it’s a separate process.

All software that uses the internet in any way, including the various video and music players, needs to be kept up to date. Web browsers and operating systems are the most critical and should be patched the most often. The time and effort you spend is the price you pay for having a safe computer.

When A Government Office Loses Disks.

As well as the usual advice on staying safe online it’s often useful to hear about security incidents that have made the media. And this time I’d like to point out what happens when a government loses disks containing personal data on 25 million individuals.

The two disks that were lost contained names, addresses, insurance numbers and bank account details of 25 million people. This is personal data that could be used to commit fraud or identity theft. This hasn’t been the case so far but it could still happen. Nobody seems to know where the disks are now.

How can this happen? The people handing the transport of the disks didn’t follow proper procedures. They’re human and they made mistakes. The disks were not encrypted before being shipped. The courier company lost them and have no records of where the disks might be. Then the police were involved only about 3 weeks after the incident occurred.

These kinds of accidents can and do happen every now and then. Your personal details can easily end up where you least expect it. One solution would be to make the agencies pay heavy fines for such security breaches, making it worth their time to ensure all procedures are followed.

The other lesson to be learnt here is that when you fill out a form these days you just have to assume it could one day end up in the wrong place. These days some of your personal details are no longer private. It’s just something that’s been happening slowing over the past couple of decades.

Some detailed articles can be found here.

The Popularity of Videos

Online videos are popular these days and as with anything popular scams are everywhere. The following two items take advantage of this popularity.

1. A movie called ” Lust, Caution” has been attracting some attention lately. Some websites have been setup (in China) that promise the ability to download a bootleg copy of the movie. What the websites don’t point out is that the download is infected with a virus that steals your passwords.

So don’t try illegally obtaining copyrighted movies, and especially not this one.

2. YouTube Scams – An email has been doing the rounds containing an ad for a video supposedly hosted on YouTube. The email goes on to explain how the video is about two lovers, includes comments and reviews.

If someone was to click on the link in this email (a link that at first sight appears to point to YouTube) they’ll be taken to a fake website made to look a little like YouTube. Then a message comes up saying that a new Flash player is required. Don’t install this player, it’s a virus. Pay close attention to links (URL’s) in emails.

Laos Airlines Website

It used to be that your computer could become infected if you went to a pornographic or warez website (warez sites are where people can illegally obtain software cracks). While this is still true, “normal” websites can also be vulnerable these days.

The Laos Airlines website was hacked and some code was added at the bottom – malicious code that isn’t visible to the average person. If you were to visit their website (whether to look up travel information or to book a flight) your web browser will also try to load a web page (being hosted in China) that then will try to install malware onto your computer.

The airline itself was a victim, and now that it’s been discovered and made public they’ll no doubt fix it. It’s certainly no reason not to travel to Laos or to use their airline. And the fact that the malicious code was hosted in China is an indicator that a lot of (black hat)hackers are setting up shop over there (until recently Russia was their country of choice to hide their malicious activities).

A couple of tips to avoid being a victim of crimes like this:

• Use alternative web browsers whenever possible. Use FireFox or Opera instead of Internet Explorer.
• Use a good antivirus program that monitors web browsing, and that constantly updates itself (these are usually not free, and it’s well worth paying their fee to keep you safe).

And keep reading as much as possible about online security. Education can only help you.

A QuickTime Flaw

Here’s a new vulnerability in Apple’s QuickTime program, discovered just recently (and published today). A computer can become vulnerable if the following events happen:

• You have Quicktime version 7.x installed (any version beginning with 7.)
• Your computer uses Windows XP or Windows Vista
• You use FireFox for web browsing (IE 6, 7, and Safari are safe from this vulnerability for the now)
• QuickTime is your default media player
• You visit a site hosting a malicious video file that takes advantage of this exploit.

Chances are you don’t meet all of the above criteria, but since there are so many computers on the internet now there would still be a large number of people who do.

The damage from this could be anything for now. Since the exploit has been published malicious hackers all over the world are probably busy writing viruses and trojans to take advantage of it.

So when Apple releases an update be sure to install it. And if you use a good antivirus package it won’t be long until they release a new update (this is why it’s important to keep your antivirus program updated).

Details have been published here.

Malicious Emails Targeting Financial Customers

There has been a rise in malicious emails (emails carrying malicious attachments) that are aimed at individuals. These emails are customised for the recipients with details such as their name and official title.

Two recent occurrences appear to be from the US Department of Justice, and from the Better Business Bureau. They have been sent to customers of financial institutions, indicating that email addresses were stolen and the information used to make the emails appear more convincing.

What makes these appear obviously malicious is that the first (from the US Department of Justice) carries an attachment with a file extension of .scr. These type of files are Windows screen savers, something that should immediately appear out of the ordinary. If you open the attachment it will install a trojan allowing malicious hackers to later take control of your computer.

The second one (from the Better Business Bureau) contains an infected PDF file. This is unfortunate because traditionally PDF files were considered safe from viruses, but lately it’s been proven that even PDF files can carry viruses and trojans. ( A PDF file is an attached document). Keep in mind that these emails have been tampered with to make them appear to be from the relevant senders. In fact they aren’t.

The best defence against these types of targeted attacks is to use a good antivirus program on your computer with the following features:

• It must scan emails
• It must be updated daily

It can be very difficult to pick out these malicious emails unless you have something scanning them for you.

These type of targeted email attacks have been increasing in frequency. Up to 10 new (unique) attacks have been discovered every day. This is a rather large number. Be very careful with suspicious looking emails.

Know Your Enemy

26 year old John Kenneth Schiefer from Los Angeles is facing 60 years in prison and a US$1.75m fine for infecting 250,000 computers with the intention of stealing information. This is exactly the kind of person I’ve been writing here about in the hope everyone can avoid being a victim. It would be useful to know how serious and widespread these crimes are, and how serious it all is.

He ran what’s known as a botnet. This is when malware (viruses, trojans, etc) is installed on a large number of victim’s computers and controlled from one central location. 250,000 infected computers makes a large botnet. That’s a lot of victims, real people who didn’t know someone else was remotely using their computer and stealing their money.

In this case he allegedly stole money from people’s Paypal accounts. It’s not a problem with Paypal’s system, the problem lies in people using compromised computers.

One lesson to be learnt is that you should never shop or bank online on a computer you don’t trust. And a large part of that trust in a computer comes from using an up to date internet security package (an antivirus program).

Another import lesson for everyone is that these criminals are real, and their operations are large and widespread.

Read some articles on his case here.

Virtual Theft

The emergence of a new kind of crime is an interesting thing. We’ve had virtual worlds for quite a few years and as their popularity grows so too do crimes such as fraud, or in this case theft.

There’s a game called Habbo Hotel, it’s an online game where people have online characters. Like a few other online games they can pay real money to decorate their characters and the rooms they occupy. Effectively they buy virtual items to enhance their game.

So when some teenagers are accused of stealing username and passwords of other players, logging in with these accounts and transferring items to their own accounts, it becomes theft. The current buzzword is Virtual Theft. A 17 year old Dutch teenager has been arrested over this allegation, and five other 15 year olds are being questioned. What makes the “theft” significant is that the value of the virtual items is around US$5000.

A spokesman for Sulake, Habbo Hotel’s operator, said:

“It is a theft because the furniture is paid for with real money. But the only way to be a thief in Habbo is to get people’s usernames and passwords and then log in and take the furniture.”

The full article is here. It’s important to note that this isn’t an isolated case. Virtual worlds (in the form of online games) have been a growing trend and like most things that can happen in the real world most forms of crime can carry across to virtual worlds.

Next Page →

• About

  Read the latest articles shown on the left, and use the options below to search for past articles. FraudO.com is committed to educating all users on the dangers of the internet and how to avoid them.

• Email Subscription

  Enter your email address:

  Delivered by FeedBurner

• Ads

  • Anastasia International Scam

• Recently Written

  • Another Scam Job
  • ICS Monitoring Team
  • Facebook Groups And Toolbars
  • An Interview with a Nigerian Internet Scammer
  • Fake CUA Email
  • Microsoft Does Not Send Updates By Email
  • Texaco Money Mule Scam
  • Facebook Un Named App
  • Avast 5
  • ATM Card Skimmers
  • Common Passwords
  • Fake ATO Emails
  • TwitterBuilding
  • IE6
  • BlackBerry Hoax Message

• Categories

  • Admin
  • Antivirus
  • Backups
  • Fraud
  • General
  • hoax
  • Identity Theft
  • Malware
  • News/Media
  • Phishing
  • Privacy
  • Scams
  • Security
  • Software
  • Statistics
  • Uncategorized

• Archived Articles

  Select Month March 2010  (2) February 2010  (5) January 2010  (11) December 2009  (1) November 2009  (2) October 2009  (4) September 2009  (10) August 2009  (9) July 2009  (7) June 2009  (20) May 2009  (15) April 2009  (12) March 2009  (10) February 2009  (14) January 2009  (10) December 2008  (10) November 2008  (3) October 2008  (7) September 2008  (5) August 2008  (11) July 2008  (17) June 2008  (8) May 2008  (17) April 2008  (23) March 2008  (22) February 2008  (20) January 2008  (31) December 2007  (17) November 2007  (21) October 2007  (11) September 2007  (5)

• Ads

• Affiliates

• Spam Blocked

  30,747 spam comments

  blocked by
  Akismet

• Stats