Monthly Archives: July 2008

Gmail Can Encrypt Connections Automatically

Posted by on 28 July, 2008 No comments

Gmail has a new feature to always encrypt connections. It’s always been possible but not everyone uses it.

What’s encryption? Say you’re at work (or at school, or at a library or an internet cafe) and using a computer to read Gmail – it’s technically possible for someone to monitor everything going out to the internet. Encryption protects your privacy in this situation, making it difficult for someone to monitor your internet usage.

How do you use it? Inside Gmail go to the Settings menu. You get the following options:

  1. Always use https (select this option to use encryption)
  2. Don’t always use https

https

Pros:

  • It provides a good level of privacy, especially if you’re using someone else’s network. This is great for public networks (e.g. libraries), offices, and internet cafes.
  • It’s easy to use. Just turn it on, never think about it again.

Cons:

  • It slows Gmail down a bit (every single part of your Gmail emails needs to be encrypted then decrypted, this takes a small amount of time).

I strongly encourage you to use this feature. Every little bit of additional security helps, especially when it’s so easy to use.

Note that using this form of encryption only protects your privacy between the computer you’re using and Gmail. Emails were never meant to be secure or private.

Facebook Exposes Birth Dates

Posted by on 28 July, 2008 No comments

dates A flaw in a beta version of Facebook made it possible to see member birth dates, even those set to hide this information. Birth dates are often used to confirm someone’s identity. By having a full name and birth date it’s possible to phone up companies and ask for more private information (this is called Identity Theft).

Facebook has already fixed the flaw. However it’s a good reminder that any private information you enter into a social network such as Facebook could some day be read by someone not meant to read it.

If something is important enough to be private then don’t enter it into someone else’s system without thinking through the potential consequences.

You can view a video of how this flaw works here.

Fake Invoices

Posted by on 28 July, 2008 No comments

departures There’s some new spam that claims you bought a plane ticket and has an invoice attached. The invoice is in fact a piece of malware. This is similar to the UPS (United Parcel Service) emails that have been popular in the past couple of weeks.

The email will have a variation of the following:

  • It claims to be an order for a flight ticket from some random airline
  • It gives you a login name and password
  • It claims that your credit card was charged for some amount. This could cause people to become concerned
  • Tells you that the invoice is attached. If you’re concerned about being charged for something you didn’t order then you’d be tempted to open the invoice.
  • Claims that an e-ticket is also attached and that if you print it you can just board a flight. This "getting something for free" could get people’s attention.

If you get any emails like this just delete it. Don’t open the attachment.

Latest Trojan Emails

Posted by on 18 July, 2008 No comments

New trojan emails will never cease. I’ll just summarise these new spam emails below. The deal’s always the same, some story and/or photo to get you interested enough to click on a link, download some malicious code or to type in some personal details into a stranger’s web site.

So delete unsolicited emails featuring the following:

  • A pixelated photo of Angelina Jolie, promising to show you a video of her
  • A notification from UPS about an undelivered parcel
  • As above (UPS) but in German
  • You won the Beijing 2008 Olympics Lotto (something that you didn’t enter and that doesn’t even exist). It promises US$500,000 if you provide enough personal banking details.
  • "‘Roswell’ Victims Spill Beans on the Beijing Olympics"  (the subject doesn’t even make sense)

Legally Installed Spyware

Posted by on 14 July, 2008 No comments

In December last year I wrote about Germany’s police wanting to install spyware on people’s computers when they deem it necessary. The legislation has now been approved, at least  in the German state of Bavaria.

What this means to you:

If you live in Bavaria, either as a resident or as a visitor, keep in mind that authorities can now legally install spyware on any computer you use if they suspect you of being a terrorist, or posing other serious criminal threats. This sounds fairly general and could apply to a lot of situations.

If the police can’t install spyware on your computer remotely they also have the authority to enter your premises and install the spyware directly onto any computers you use.

No judicial warrants are required.

So if you have any data you wish to keep private (assuming you have a perfectly legitimate reason to do so) you’ll have to start being creative. You could take your business elsewhere, be paranoid about what computer or operating systems you use (hint: popular systems are usually easier targets), and keep informed on the latest computer spying and hacking techniques.

This article’s aim is to raise awareness that governments can and do spy on people’s computers.

More information here.

Iran Invaded – Malicious Emails

Posted by on 12 July, 2008 No comments

Some emails have been seen with headlines such as:

  • World War III has started
  • US has invaded Iran

The email looks like it has a link to a video.

bombing In the background it installs a variant of the Storm trojan, probably the most widely spread and malicious trojan to date. Your PC will then be under the control of others without your knowledge. It’s bad. Estimates vary but there are between 1 million and 10 million PCs in the world that are currently under the control of Storm.

So don’t open this email. At this time Iran has not been invaded (and hopefully no country ever will be). Delete it, and let others know.

Skype Phishing Emails

Posted by on 12 July, 2008 No comments

Skype has issued a warning that people have been receiving emails that appear to be from Skype. When a user clicks on a link in the email, they’re taken to a login page that looks like Skype’s website (but in fact it’s operated by someone else). When you enter your username and password, they’re sent to someone who will then use them for some malicious purpose.

How can you tell a real Skype login page from a fake one?

According to Skype the only page that they will ask you for login details is:

https://secure.skype.com/…(anything else is ok here)…

If you’re about to enter your Skype details into a website that doesn’t exactly match the above then it’s probably fake. What if it’s just a few letters different? What if the dot’s in the wrong place?

The part after the // and before the first / needs to be an exact match. I’ve made this bold just to make it as clear as possible. The part at the end is ok.

Below is a copy of one of these Skype phishing emails. I’ve copied the contents here to help Google index this page. When you receive suspicious emails it’s a good idea to copy and paste a few lines into Google. You’ll soon be able to tell if it’s a known fake email or real.

Account blocked

Hello!

We have to notice that your account is suspended because Skype major Terms are being changed.
To re-activate your account you need to agree with the new Terms here:

Follow this link to re-activate: ACTIVATE

after that, your account will be automatically re-activated.

Thank You!

Skype Administration

The word ACTIVATE has a link that goes to the fake Skype login page. In most email clients, if you hold the mouse pointer over the link you can see the real destination. If it’s not like the one shown at the top of this article then it’s fake. See this screenshot of the fake one:

Camera Memory Card Scam

Posted by on 12 July, 2008 No comments

This scam is interesting. A shopper was approached by someone and asked not to photograph in the store. Then he was asked for his camera’s memory card. It wasn’t a security guard that did this, just some random stranger hoping to be mistaken for some security person.

Within a few minutes a man came up dressed in plain clothes, flashed a badge, and told him he couldn’t take photos in the store.

Read the full post here.

Gmail and Yahoo Mail blocking fake eBay emails

Posted by on 11 July, 2008 No comments

keys Yahoo owns some technology called DomainKeys that can verify the sender of some emails. One thing it can do is recognise real and fake emails from eBay and PayPal. This is good because quite a few phishing emails claim to be from eBay or PayPal, intended to trick people into providing their login details.

Google has just implemented the technology for Gmail. So if safe email is of concern to you, your best bets are to use either Yahoo or Gmail for your emailing.

More technical information here.