Statistics on Malware

Some new statistics on how widespread malware has become. This research comes from Google’s Anti-Malware team (full document is here).

That’s 3 million web pages that will attempt to install some form of malicious code on your computer.

With things this bad you’d be crazy to use the internet without some kind of web filtering. This is different to virus scanning. Web filtering scans each web page before your web browser loads it, looking for things like phishing and malicious code.

All of the big antivirus products include web filtering these days, so it’s a good investment if you haven’t purchased one already.

“Be More Careful” Scam

There are some scam emails going around asking for large amounts of money from readers, such as $30,000.

The emails contain the following in the subject and in the first line of the email:

BE MORE CAREFUL

The rest of it has a long story saying they’ve been asked to kill you and in exchange for money they won’t. It’s a scam hoping to lure worried people with plenty of cash, and if you’re worried you can mention it to your local police.

Note: this is also classified as a hoax, though it’s more like a scam. A hoax doesn’t involve asking for money, whereas a scam does.

Windows Mobile PocketPC Trojan

There’s a new trojan going around for Windows Mobile PocketPC devices. Once installed on a device it sends some details to the person who wrote it, and it leaves a back door to allow the author to install programs on your device without your permission.

It’s being called WinCE/InfoJack by antivirus companies. It gets installed when you download a legitimate program from a “hacked” site. For example, it’s been detected in Google Maps (a hacked version of Google Maps, not the original one).

To safeguard against this type of malware, only download applications from the vendor who created them. In the case of Google Maps, you should download it from Google’s own website and not from a more generic download site.

You should also invest in antivirus software for these devices.

Adobe AIR 1.0

Adobe has been making news today for releasing version 1.0 of their AIR framework. AIR is a new way to develop and run programs: an application is built like a web page but runs without a web browser.

It has a long list of security features to make programs seem safe. But because of how internet applications work, experts agree it won’t be long until this new technology is exploited.

One thing to be careful of is when AIR warns you about “self signed” applications. This means that no reputable company has verified the person who wrote the program. So if you download an AIR application and you get warned about it being self signed, the safe bet is to deny it.

If you’re tempted to play with AIR applications just be conscious of where you’re downloading programs from. They won’t remain safe for long.

GSM Encryption

Most mobile phones in the world (also called cell phones, or hand phones) use the GSM network, and GSM generally uses an encryption protocol called A5.

A5 encryption was always a weak design, but the equipment to decode it used to cost between US$70,000 and US$500,000, so it wasn’t very common.

Now some new research shows it can be cracked with around US$1000 of equipment. This makes it accessible to most businesses and individuals. It’s still theoretical, though it won’t be long until anyone can download the software required to do it.

What does this mean to phone users?

Conversations carried out over mobile phones should not be considered secure. If the technology exists for competitors to sit outside an office and listen in on calls then you should change how you carry out business.

Apart from this new research on cracking the encryption there’s another method that has existed since phone networks began operation. All mobile phone carriers have the ability to record conversations for law enforcement purposes. They just have to press some buttons on their computer and your conversations get recorded. So you shouldn’t be sharing trade secrets on the phone anyway.

And now’s a good time to mention that SMS messages have never been secure. Most GSM networks keep a log of all SMS messages and this information is available to law enforcement agencies (or to anyone corrupt at the phone companies or to anyone that hacks into a phone company’s network).

Some articles to read if you need more information: here, here and here.

Has your email been hacked?

If you suspect someone else is reading your emails you normally change your password immediately and figure out how they were able to access your account.

If you’re curious then the following information could interest you ;-)

There’s a free online service called OneStatFree that can be used as a tripwire to detect access to your emails. It will tell you the time and day your email was opened (by someone other than you), the country it was accessed from, the IP address and possibly more information (such as the city), depending on the actual network used.

The way it works is you create a special email and send it to yourself. You never open this email yourself and if someone else does it will instantly send some information to the OneStatFree service, which you then check at a later date.

Full instructions are provided here, it should be fairly easy for most people to follow.

Just keep in mind that if someone is indeed reading your emails this trick won’t stop them. So think carefully about whether you want to leave your email compromised while you investigate the culprit, or take immediate action and change your password.

Comando Antifrode CAFF

A fraudulent Italian web site has appeared called the Comando Antifrode CAFF. This organisation doesn’t really exist, but the site has been made to look like other Italian government web sites.

The site has links to download some malware files that install a trojan on the computer. It’s best avoided.

Fraud Statistics

The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to the FTC, so they’re really limited to the USA. The problem worldwide would be much, much worse.

The top 20 complaint categories were:

Rank  Category                                          Complaints
   1  Identity Theft                                       258,427
   2  Shop-at-Home/Catalog Sales                            62,811
   3  Internet Services                                     42,266
   4  Foreign Money Offers                                  32,868
   5  Prizes/Sweepstakes and Lotteries                      32,162
   6  Computer Equipment and Software                       27,036
   7  Internet Auctions                                     24,376
   8  Health Care Claims                                    16,097
   9  Travel, Vacations, and Timeshares                     14,903
  10  Advance-Fee Loans and Credit Protection/Repair        14,342
  11  Investments                                           13,705
  12  Magazines and Buyers Clubs                            12,970
  13  Business Opportunities and Work-at-Home Plans         11,362
  14  Real Estate (Not Timeshares)                           9,475
  15  Office Supplies and Services                           9,211
  16  Telephone Services                                     8,155
  17  Employ. Agencies/Job Counsel/Overseas Work             5,932
  18  Debt Management/Credit Counseling                      3,442
  19  Multi-Level Mktg./Pyramids/Chain Letters               3,092
  20  Charitable Solicitations                               1,843

That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report come to more than $1.2 billion. The full report is here.

Trust Encryption Device (TED)

Australia’s CSIRO has developed a security device for online banking. It’s like a flash drive and contains a virtual computer environment which makes applications like online banking more secure.

However, there’s a lot of doubt in the security world. You still need to plug it into a computer for it to start up, and you don’t always know what’s on that computer. Malware could still take screenshots and send them off to some unknown person on the other side of the world, and there’s little explanation of how the device is meant to avoid being tampered with.

It’s a technology to keep a watch on for the future. Full article here.

Encrypted external hard drive isn’t

A new external hard drive claims to use hardware data encryption with 128-bit AES. The case is a 2.5″ Easy Nova Data Box PRO-25UE RFID hard drive case by German vendor Drecom.

In the security world AES is a recognised and trusted encryption algorithm, so at first glance this external hard drive enclosure seems useful for transporting data outside the office or home.

However, on closer inspection the drive uses a chipset from INNMAX, the IM7206, which the vendor believed provided AES encryption of the data. INNMAX’s marketing strongly implies that AES encryption is being used for data on disk.

When questioned, INNMAX said:

The IM7206 merely uses AES encryption when saving the RFID chip’s ID in the controller’s flash memory. The company explained that actual data encryption is based on a proprietary algorithm. The company claims the IM7206 only offers basic protection and is designed for “general purpose” users.

In fact they’re using a scheme known as XOR, which is as secure as writing “do not read” on an envelope. Anyone with a basic understanding of programming can decode it in minutes.
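To see why a fixed-key XOR is no better than “do not read” on an envelope, here is an added example (mine, not Drecom’s or INNMAX’s code; the chip’s actual scheme isn’t documented here, so a repeating 16-byte key over each sector is assumed): one sector whose contents the finder can guess, such as an all-zero one, gives away the key for the whole drive.

```python
from itertools import cycle

KEY_LEN = 16  # assumption: a 128-bit key, matching the "128 bit AES" claim on the box

# Constructed sample key; nothing here comes from the real IM7206 controller.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encrypting and decrypting are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_sectors(sectors: list, key: bytes) -> list:
    """Model of the enclosure: every sector is XORed with the same fixed key."""
    return [xor_with_key(sector, key) for sector in sectors]


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known plaintext XOR ciphertext gives back the key bytes; no secret is needed."""
    return xor_with_key(ciphertext[:key_len], known_plaintext[:key_len])


def demo() -> dict:
    secret = b"Q3 acquisition target: ACME Corp. Do not circulate."  # constructed
    # A freshly formatted volume contains many all-zero sectors, so whoever finds
    # the drive can assume one of them without knowing anything about the owner.
    sectors = [bytes(KEY_LEN), secret]
    disk = encrypt_sectors(sectors, KEY)

    # The finder's view: only `disk` is available, plus the guess that sector 0 is zeros.
    guessed_key = recover_key(disk[0], bytes(KEY_LEN), KEY_LEN)
    recovered = [xor_with_key(c, guessed_key) for c in disk]
    return {"key_recovered": guessed_key == KEY, "secret": recovered[1]}


if __name__ == "__main__":
    result = demo()
    print("key recovered:", result["key_recovered"])
    print("plaintext:", result["secret"].decode())
```

Real AES in a proper mode would give no such shortcut: a block of known plaintext reveals nothing about the key or about any other block.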

It’s a case of marketing people not really understanding the technology and using buzzwords to sell products.

If you need to transport lots of data on portable hard drives then you should encrypt the disk using some encryption software, such as the ones mentioned in our previous article.

Free Online Health Check from F-Secure

F-Secure is a security software company that has been making good products for a long time. They have published a new tool that scans your computer for vulnerabilities and provides a report on what programs you need to update.

The application runs inside Internet Explorer and requires Windows XP or Vista. Try it out here: http://support.f-secure.com/enu/home/onlineservices/fshc.shtml

Note that this doesn’t replace anti-virus software. It only checks which programs on your computer are vulnerable to attacks and need to be updated.

Online Tax Returns In The UK

Doing your income tax returns online is fairly common these days. In the UK there are more than 3 million people that file their tax return online.

The UK’s tax department, HM Revenue and Customs, is a little unclear on how secure this is. They’re providing an online service that by default should be secure.

But they’ve recently barred high profile people, including MPs, celebrities and the Royal Family, from using the same online system for security reasons.

If the system’s security isn’t good enough for high profile people then it shouldn’t be good enough for anybody. This can be taken as an admission that their security isn’t quite good enough to use.

Whole Disk Encryption

If you carry a notebook outside of your home or office then Whole Disk Encryption is a technology you should be interested in. It’s also called Full Disk Encryption. First let’s identify the problem.

Most people who carry notebook computers (laptops) keep sensitive files on the machine’s drive. Business documents, business databases, contact lists, emails, chat logs, password lists, etc. The most common situation is someone carrying confidential documents on the computer.

If the notebook is lost or stolen then whoever holds the notebook computer has access to the files. Login passwords aren’t enough to protect the documents; the files are easily recovered by anyone who has the machine.

A more worrying trend affects international business travellers who carry confidential data on their notebooks. There have been many instances of airport customs staff not only inspecting the notebook for banned items but also looking through the notebook’s hard drive and any documents stored there. Their excuse is that they have to search for anything that’s a threat to national security. Irrespective of why they’re doing this, the point is that someone else can gain access to your files at airports. Read this article for an example. And for examples of lost or stolen notebooks see here.

Most large companies are now telling their staff to wipe all documents off notebook computers before travelling. This is excellent advice.

Another solution is to use whole disk encryption. This is a software technology that encodes the entire drive so that it’s unreadable without a password. At present this technology is rarely used on notebooks.

Advantages:

Disadvantages:

So with more disadvantages than advantages you’re probably put off. It depends how valuable your files are. If you’re a lawyer carrying around all your clients’ documents then your files are probably quite valuable, and you should be doing everything in your power to stop strangers getting at them.

How does it work?

The technical explanations are beyond the scope of this article. It’s enough to know that it encrypts all of the drive. Older encryption programs encrypt only some files, and smart hackers can usually recover all or part of the documents. Therefore the “whole disk” part of the encryption program is important. The disk is completely unreadable and unusable without the password.

What whole disk encryption programs are available?

Recently there has been some progress on this and there are now good free versions including ones for Mac notebooks, as well as commercial solutions.

Free Windows Solutions:

There are quite a few solutions, below are the more popular ones available today.

Commercial Solutions:

Below are low cost commercial solutions. There are many expensive enterprise level solutions not listed here.

Summary

If you take your computer outside of a secure environment (home, office, etc) and you have anything on there you wouldn’t like others to have then whole disk encryption is a must.

As for airport customs and other law enforcement agencies, a lot of countries have laws making it possible for them to demand your password. So while you can keep random strangers from reading your data it’s really up to you how you comply with legal requests to hand over data. At least you have a choice.

Notes:

Open Source: in security it’s often a good thing to make programs or algorithms open source. It enables the programming community or security community to review the code and find any possible bugs as quickly as possible. It’s also a form of full disclosure. With commercial solutions you have to trust that the company didn’t include a backdoor for whatever reason. With open source solutions everything’s exposed for public review.

Tax Refund Scams Have Reached Australia

The tax refund scam mentioned a few days ago now comes in an Australian version. It’s the same email and same scam but customised to look like the Australian Tax Office (ATO). They even make a fake website that copies the ATO’s website.

The scam involves asking people for their credit card number, expiry date, security code, and other personal details.


Happy Valentine’s Day

With all the virus infected emails being sent with Valentine’s Day themes, now’s a good time to remind you not to save or run anything just because it asks you to. Especially if the filename ends with .exe.

Some examples of what not to run, download or save:

And recall our earlier warning on Valentine’s Day malware.

Apart from this, have a great Valentine’s Day :-)


Spear Phishing - Targeting Students

Spear phishing is a term referring to targeted attacks on organisations to collect personal details. This latest warning will explain:

Students and staff at a few colleges and universities in the US have been receiving emails that appear to come from their system administrators. The emails state that a database is being updated and ask users to provide their username, password, and date of birth.

The schools targeted include Columbia University, Duke University, Princeton University, Purdue University, and the University of Notre Dame.

This information is collected by the people who sent the emails and used to compromise their accounts.

Be very suspicious of emails asking you to provide any personal details, especially if you didn’t request the email. And pay particular attention to which website the email links to - it’s a common tactic to use a similar sounding address that contains a typo (something that the human mind sometimes ignores).
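As an added example (not from the page or any university’s own tooling), the check below does what the paragraph asks a reader to do by eye: pull every link out of a message and compare its domain against the institution’s real one, flagging hosts one or two typing errors away. It goes one step beyond the typo case and also flags the real name buried inside someone else’s domain. The sample message and the domain example-university.edu are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the mail described above; the page quotes no real message.
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@exarnple-university.edu>
Subject: Database update - action required

Our account database is being updated. Confirm your username, password and
date of birth at https://webmail.example-university.edu.account-verify.net/login
or https://exarnple-university.edu/reset within 24 hours. Help pages remain at
https://webmail.example-university.edu/help
"""

TRUSTED_DOMAINS = {"example-university.edu"}  # assumed: the school's genuine domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (enough for .edu/.net; no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str, trusted: set) -> str:
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # The genuine name appears, but as a subdomain of a domain owned by someone else.
        if t in host.lower():
            return "lookalike: trusted name embedded in " + domain
        # One or two character edits away: the typo the eye tends to skip over.
        if edit_distance(domain, t) <= 2:
            return "lookalike: typo of " + t
    return "unknown"


def links_report(email_text: str, trusted: set) -> dict:
    """Map every linked host in the mail to its classification."""
    hosts = [urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", email_text)]
    return {h: classify_host(h, trusted) for h in hosts}
```

Run `links_report(SAMPLE_EMAIL, TRUSTED_DOMAINS)` to see the help link marked trusted and the two others marked lookalike; a rule of this shape is what mail gateways apply before a human ever reads the message.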

Update: Australian universities have also been targeted in this attack.
