Monthly Archives: May 2008

FeedBurner and RSS

Last night I set this website up to use FeedBurner. This is a more advanced way to send RSS feeds and as far as I’ve tested it works well. If you find any problems please let me know.

For those who don’t know, RSS is the technology behind a faster way to read websites such as FraudO. You set yourself up with a news reader and point it at all your favourite web sites. Then whenever something new appears on that website it shows you only the new parts. So instead of checking all your favourite sites each morning you get a real time display of what’s new in your world. It’s great.

If you haven’t used a news reader before head on over to google.com/reader and set yourself up. Then add a subscription to fraudo.com :-) There are hundreds of similar products, below are the more popular ones (they’re all FREE):

Microsoft’s Outlook is not free; many people already have this installed so I thought I’d mention it since it has a news reader built in: office.microsoft.com/en-us/outlook

The following article explains a lot more about RSS and news readers: http://www.readwriteweb.com/archives/tips_for_making_the_most_of_rss.php. If you haven’t tried it yet I suggest you have a look today.

AusCERT Survey

An Australian security organisation called AusCERT has conducted a survey and come up with the following results. I’ve added my own comments on the right.

| Survey result | Comment |
| --- | --- |
| 84% of respondents use the internet for banking | 84% of internet users have something to lose if they’re not careful. |
| 5% have used a neighbour’s unsecured wireless internet | This is not only illegal, they’re also using an untrusted network. |
| 11% never update their operating system | Updates exist to patch known vulnerabilities, so these 11% of people have computers that can be hacked. |
| 8% never update their anti-virus software | New viruses are discovered every day, so these people are at greater risk. |
| 23% have malware infections on their computer | Malware such as spyware and internet banking don’t go well together (i.e. this is how criminals steal money). Malware is always a bad thing to have on your computer. Do something about it. |
| 68% are confident or very confident with computer security | The other 32% should be reading FraudO.com. |

The full survey results have been published here. It’s an interesting read, especially seeing the reasons why some people don’t use anti-virus and anti-spyware software.

SSH Brute Force Attacks

SSH is used to establish secure connections across the internet. For example a lot of people use SSH to connect to their servers because of the good security it provides. Lots of people trust it and rely on it.

In the past week there has been a large increase in the number of brute force attacks against SSH. What’s a brute force attack? It’s when someone writes a program that starts guessing passwords. It’ll keep trying to guess passwords all day and all night without rest until it finds something that works. The smarter brute force attacks do this slowly so that servers don’t lock the account in defense.

To increase a hacker’s chances of finding the right password these brute force programs use a dictionary and try to guess common words first. Then they try combinations such as replacing o’s with zeros, or putting a 1 at the end (have you ever done this with passwords?). So if your password is based on a word found in the dictionary it’ll be amongst the first ones tried.

The best defence against brute force attacks is to use a complicated password. Complicated passwords can take years to guess, simple passwords can take seconds to guess. Read here about how to evaluate the complexity of a password. And if remembering complicated passwords is a challenge then you might need a password safe.
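To make the “dictionary word with substitutions” point concrete, here is an added example (not code from the original post) that classifies a password the way the text describes: it undoes the common substitutions, checks the result against a small constructed word list, and otherwise estimates the worst-case search space. The word list, the substitution table and the 10,000 guesses-per-second rate are assumptions for illustration.

```python
import string

# Constructed stand-in for the word list a brute-force tool tries first.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "secret"}

# Substitutions the text mentions (o -> 0 etc.), reversed so we can undo them.
# "1" is mapped back to "i"; it could also stand for "l", which this toy ignores.
UNDO_SUBS = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)


def base_word(password):
    """Strip a trailing digit suffix and undo substitutions: 'Passw0rd1' -> 'password'."""
    word = password.rstrip(string.digits)
    return word.translate(UNDO_SUBS).lower()


def guesses_for_random(password):
    """Search space a blind brute force must cover if the password is random.

    The alphabet size is inferred from the character classes actually used.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size ** len(password)


def assess(password, guesses_per_second=10_000.0):
    """Dictionary-derived passwords are among the first guesses; for the rest,
    report the worst-case time to exhaust the space at the assumed guess rate."""
    if base_word(password) in COMMON_WORDS:
        return "dictionary word with substitutions: among the first guesses tried"
    years = guesses_for_random(password) / guesses_per_second / (365 * 24 * 3600)
    return f"random-looking: up to {years:.0f} years to exhaust"
```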

So back to SSH. If you manage a server and use SSH to connect to it, have a look at the logs. Other people have reported a 5-10 times increase in the number of SSH attempts on their servers. Make sure your passwords are complicated enough to resist brute force attacks. Consider editing firewall rules to limit the entry points into your network. And make sure everything is patched including routers and firewalls. See this article for further information on these attacks.
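As an added example of what “have a look at the logs” can mean in practice (this is not code from the original post), the following parses sshd “Failed password” lines in the syslog format Linux writes to /var/log/auth.log or /var/log/secure, counts failures per source address, and flags sources that either exceed a failure threshold or, to catch the slow attacks the text mentions, cycle through several different usernames. The log lines are constructed, and the threshold of 5 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log (not real traffic): one source cycling through
# usernames, and one legitimate user who mistyped once then logged in.
SAMPLE_AUTH_LOG = """\
May 14 02:11:03 host sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
May 14 02:11:05 host sshd[4021]: Failed password for invalid user test from 203.0.113.7 port 50123 ssh2
May 14 02:11:08 host sshd[4023]: Failed password for root from 203.0.113.7 port 50124 ssh2
May 14 02:11:10 host sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 50125 ssh2
May 14 02:11:13 host sshd[4027]: Failed password for root from 203.0.113.7 port 50126 ssh2
May 14 02:12:40 host sshd[4030]: Failed password for alice from 198.51.100.9 port 41002 ssh2
May 14 02:12:55 host sshd[4031]: Accepted password for alice from 198.51.100.9 port 41003 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_source(log_text):
    """Return {ip: (failure_count, set_of_usernames_tried)} for failed SSH logins."""
    fails = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            fails[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (n, users[ip]) for ip, n in fails.items()}


def suspected_brute_force(log_text, threshold=5):
    """Sources with at least `threshold` failures, or that tried 3+ usernames.

    The username check catches slow, low-volume guessing that stays under
    a simple count threshold, which the text notes smarter attacks do.
    """
    flagged = []
    for ip, (n, users) in failed_logins_by_source(log_text).items():
        if n >= threshold or len(users) >= 3:
            flagged.append((ip, n, sorted(users)))
    return sorted(flagged)
```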

And for everyone who’s still wondering what SSH is, don’t worry about the jargon. Just realise that people can and do try to guess passwords.

Phishing Audits

Some companies have started testing their employees on how they respond to phishing attacks.

A company called Intrepidus Group has a system whereby they basically send your company’s staff spam, testing them on how they respond to it. The system can even concentrate spam on people who are more susceptible to clicking on links.

The system sends results back to the tester on who clicked on the emails and what data they entered (e.g. their name, credit card numbers, etc).

So the next time you see an email that doesn’t look quite right, and has links to external sites, think hard whether it’s real, spam, or this new kind of "ethical" spam.

The company’s web site explains it better, http://phishme.com/

Domain Slamming

Nick, a regular reader, offered this advice on a scam known as domain slamming. If you have any domain names registered then take note of the following.

A company known as "Domain Registry of America" has been sending letters (the paper kind) telling people that their domain will expire soon and that they need to pay to renew it.

Normally you would renew your domain name with the company you used to register it. But this company sends out letters that look like invoices, hoping that some people will just pay without questioning where it came from.

When you register a domain name you’re required to provide your name, mailing address, and email address. This information is made publicly available (use any of these free Whois services to view this information about any domain name). This is where they get your details from.

There’s plenty of information about domain slamming on these pages here, here and here.

If you own a domain name, especially a .com name, make sure that it’s locked. This is just an option you select when you set up the domain name. Then ignore any letters (or emails) you receive from other companies about your domain name.

Note that this happens in most countries, not just the USA.

Yahoo! Malicious Page Alerts

Yahoo! now lets you know if a web site contains malicious content. It works very similarly to how Google does it. From a technical perspective Yahoo’s implementation seems better – it scans files that automatically download.

McAfee have provided the malware detection technology, called SearchScan, so it has a company with a good reputation behind it. Below is an example of how it looks when it finds something dangerous:

(Screenshot: Yahoo! SearchScan warning)

Yahoo! operates search engines in several countries, and it will be enabled by default for the following countries: Australia, Canada, France, Germany, Italy, New Zealand, UK, USA.

Password Safes

Password safes are programs that store your passwords. In general they’re a good idea because:

  • You have less reason to reuse passwords (having a unique password for every site is much safer)
  • You can use more complicated passwords without risk of forgetting them
  • If you forget a password you rarely use you can easily retrieve it
  • In a business it’s easier to share passwords and control who has access to what (especially in IT departments)

Below are some examples of good password safes:

And this is an example of something that looks good but still isn’t a good idea:

If you use a hosted service like this you’d be giving your passwords away to another organisation. They promise not to look at them. How comfortable would you be trusting someone you haven’t met to hold the password to your online banking?

This comes from their own web site and it should give you an idea (it’s in their FAQ page):

While we take every security precaution, we do not recommend storing sensitive information such as bank account passwords.

In summary:

  • It’s ok to store your passwords on your own PC
  • It’s not ok to let some other person or company store them for you
  • Ideally, if you store the passwords on your PC you should:
      • Use a good password safe that encrypts them, like the ones above
      • Use a good anti-virus package to ensure you don’t have spyware on your PC
      • Keep your PC in a safe place, like in your home or in a locked office
      • Keep backups (in case your PC dies) and store the backups in a safe place
      • Not do this on a shared computer, including some office computers

Side Note: The 3rd of May was the 30th anniversary of spam.

Telephone Scams

Most of the scams I’ve written about on this site involve the internet. Now phone call scams are making a comeback. The ideas behind these scams are almost the same whether they happen on the internet or over the phone.

There are a few variations but the basic idea is the same:

  • The criminal will often steal a phone to make a call
  • A criminal calls someone’s phone (often a child) and tells them maintenance needs to be done on their phone and to turn it off for an hour
  • They then call that person’s parents or relatives
  • They tell the parents that they’ve kidnapped their child
  • They demand a ransom of cash or jewellery to be dropped off at some location

It’s not a small problem either. In Mexico, 30,000 complaints about this scam were made to the police in a 3-month period, and over a 6-month period (also in Mexico) it’s estimated that US$20m was collected from worried parents. It’s not a small problem, it’s rampant.

There’s another variation: instead of making fake ransom requests people are told they’ve won a car or some other prize, and that they need to deposit some money to be able to collect their prize. We’ve seen this before in email scams, I guess people are starting to not believe emails and criminals have moved back to phones.

So keep this scam in mind and plan accordingly on how you contact your family members.

More information here.