Gmail Can Encrypt Connections Automatically

Gmail has a new feature to always encrypt connections. It’s always been possible but not everyone uses it.

What’s encryption? Say you’re at work (or at school, or at a library or an internet cafe) and using a computer to read Gmail - it’s technically possible for someone to monitor everything going out to the internet. Encryption protects your privacy in this situation, making it difficult for someone to monitor your internet usage.

How do you use it? Inside Gmail go to the Settings menu. You get the following options:

  1. Always use https (select this option to use encryption)
  2. Don’t always use https

https

Pros:

Cons:

I strongly encourage you to use this feature. Every little bit of additional security helps, especially when it’s so easy to use.

Note that using this form of encryption only protects your privacy between the computer you’re using and Gmail. Emails were never meant to be secure or private.

Facebook Exposes Birth Dates

dates A flaw in a beta version of Facebook made it possible to see member birth dates, even those set to hide this information. Birth dates are often used to confirm someone’s identity. By having a full name and birth date it’s possible to phone up companies and ask for more private information (this is called Identity Theft).

Facebook has already fixed the flaw. However it’s a good reminder that any private information you enter into a social network such as Facebook could some day be read by someone not meant to read it.

If something is important enough to be private then don’t enter it into someone else’s system without thinking through the potential consequences.

You can view a video of how this flaw works here.

Fake Invoices

departures There’s some new spam that claims you bought a plane ticket and has an invoice attached. The invoice is in fact a piece of malware. This is similar to the UPS (United Parcel Service) emails that have been popular in the past couple of weeks.

The email will have a variation of the following:

If you get any emails like this just delete it. Don’t open the attachment.

Latest Trojan Emails

New trojan emails will never cease. I’ll just summarise these new spam emails below. The deal’s always the same, some story and/or photo to get you interested enough to click on a link, download some malicious code or to type in some personal details into a stranger’s web site.

So delete unsolicited emails featuring the following:

Legally Installed Spyware

In December last year I wrote about Germany’s police wanting to install spyware on people’s computers when they deem it necessary. The legislation has now been approved, at least  in the German state of Bavaria.

What this means to you:

If you live in Bavaria, either as a resident or as a visitor, keep in mind that authorities can now legally install spyware on any computer you use if they suspect you of being a terrorist, or posing other serious criminal threats. This sounds fairly general and could apply to a lot of situations.

If the police can’t install spyware on your computer remotely they also have the authority to enter your premises and install the spyware directly onto any computers you use.

No judicial warrants are required.

So if you have any data you wish to keep private (assuming you have a perfectly legitimate reason to do so) you’ll have to start being creative. You could take your business elsewhere, be paranoid about what computer or operating systems you use (hint: popular systems are usually easier targets), and keep informed on the latest computer spying and hacking techniques.

This article’s aim is to raise awareness that governments can and do spy on people’s computers.

More information here.

Iran Invaded - Malicious Emails

Some emails have been seen with headlines such as:

The email looks like it has a link to a video.

bombing In the background it installs a variant of the Storm trojan, probably the most widely spread and malicious trojan to date. Your PC will then be under the control of others without your knowledge. It’s bad. Estimates vary but there are between 1 million and 10 million PCs in the world that are currently under the control of Storm.

So don’t open this email. At this time Iran has not been invaded (and hopefully no country ever will be). Delete it, and let others know.

Skype Phishing Emails

Skype has issued a warning that people have been receiving emails that appear to be from Skype. When a user clicks on a link in the email, they’re taken to a login page that looks like Skype’s website (but in fact it’s operated by someone else). When you enter your username and password, they’re sent to someone who will then use them for some malicious purpose.

How can you tell a real Skype login page from a fake one?

According to Skype the only page that they will ask you for login details is:

https://secure.skype.com/…(anything else is ok here)…

If you’re about to enter your Skype details into a website that doesn’t exactly match the above then it’s probably fake. What if it’s just a few letters different? What if the dot’s in the wrong place?

The part after the // and before the first / needs to be an exact match. I’ve made this bold just to make it as clear as possible. The part at the end is ok.

Below is a copy of one of these Skype phishing emails. I’ve copied the contents here to help Google index this page. When you receive suspicious emails it’s a good idea to copy and paste a few lines into Google. You’ll soon be able to tell if it’s a known fake email or real.

Account blocked

Hello!

We have to notice that your account is suspended because Skype major Terms are being changed.
To re-activate your account you need to agree with the new Terms here:

Follow this link to re-activate: ACTIVATE

after that, your account will be automatically re-activated.

Thank You!

Skype Administration

The word ACTIVATE has a link that goes to the fake Skype login page. In most email clients, if you hold the mouse pointer over the link you can see the real destination. If it’s not like the one shown at the top of this article then it’s fake. See this screenshot of the fake one:

Camera Memory Card Scam

This scam is interesting. A shopper was approached by someone and asked not to photograph in the store. Then he was asked for his camera’s memory card. It wasn’t a security guard that did this, just some random stranger hoping to be mistaken for some security person.

Within a few minutes a man came up dressed in plain clothes, flashed a badge, and told him he couldn’t take photos in the store.

Read the full post here.

Gmail and Yahoo Mail blocking fake eBay emails

keys Yahoo owns some technology called DomainKeys that can verify the sender of some emails. One thing it can do is recognise real and fake emails from eBay and PayPal. This is good because quite a few phishing emails claim to be from eBay or PayPal, intended to trick people into providing their login details.

Google has just implemented the technology for Gmail. So if safe email is of concern to you, your best bets are to use either Yahoo or Gmail for your emailing.

More technical information here.

TrueCrypt 6.0

TrueCrypt is an encryption program we wrote about earlier. It lets you do things like "whole disk encryption" (good for people who carry around laptops full of confidential files), and other encryption functions.

Version 6.0 came out a few days ago. It’s open source, meaning everyone is free to review the source code. It’s available for Windows (Vista, XP, 2000), Mac OS X, and Linux.

http://www.truecrypt.org/

New Gmail security feature

Gmail has a new security feature. If you log into Gmail more than once (at the same time) it now tells you. Then it’s up to you to decide if you did this intentionally or if someone has stolen your account details.

At the bottom of your inbox is a summary of the last activity and whether it’s open from another location. Then clicking on the Details link shows more details on all your connections.

630,000 Laptops Lost at Airports Each Year

Another amazing statistic - across 46 states in USA there were more than 630,000 laptop computers reported lost in the past year. That’s more than 12,000 a week. And when you consider that most people still keep documents on their laptop computer when they travel they haven’t just lost a piece of hardware, they’ve potentially lost control of private and confidential documents.

What can you do?

airport1 Laptops can be insured. Anyone who carries a laptop around for work would have it insured, it’s just a cost of doing business. Nothing new here.

As for the documents stored on them, delete them before you travel!. If this sounds extreme then you need to wake up and realise what’s happening in the world.

At many airport security checkpoints customs officers now have the authority to look at the contents of your laptop’s hard drive before they let you board the plane or enter a country. And they don’t always just "look" - sometimes they make a copy of your hard drive so they can look more closely at a later time. Is this legal? Yes, in some places (including most US airports today). Read more about this in this article.

So you now have two reasons to delete all documents from a laptop before travelling:

  1. You could lose your laptop (like 630,000 other people each year in one country alone).
  2. You could be asked to hand over your laptop’s data to customs officers.

What a lot of large organisations do these days is hand their employees "clean" laptops that have no documents on them. Employees are given VPN access, so when they arrive at their destination they can access their office network and carry on with their regular work. If you’re new to the concept of a VPN read our previous article on its benefits. Another trick is to carry your files on a USB flash drive, and hide it in your wallet or luggage. This could be encrypted as well for security, in case you lose it.

Whole disk encryption is another technology that can help you with lost laptops. Whole disk encryption makes the entire contents of the laptop useless without a password. There’s no known way to recover the data. There are still two risks with this method:

Now if you’re thinking that your laptop needs a password to startup and that this is enough to stop people, remember that the files on your laptop’s hard drive can be copied without a password. You just need to pull out the hard drive (easy to do with laptops). Whole disk encryption is the only effective password protection for laptops.

airport2 And while we’re talking about travelling now’s a good time to remind you not to trust free or hotel wireless networks. You never know who’s monitoring the network traffic (read our previous article on this).

Read the study on lost laptops here, sponsored by Dell.

So in summary:

Windows Steady State

If you use Window XP or Windows Vista, Microsoft has a tool that could be useful to some people. It’s meant more for shared computers, or for any PC that’s at greater risk of infection.

tools What it does is fairly simple. Every time you reboot the PC, Steady State will restore it to how it was before. So no matter how many viruses, spyware and adware you end up accidentally installing. it becomes fresh and anew.

You need to install it and set it up correctly, and for most people it might be a good idea to get some advice from someone who’s IT savvy, just to make sure you take full advantage of this great tool.

Best of all is that it’s free, as long as you have a genuine Windows XP or Vista license.

While you should still be responsible with how you use a computer, what you download and which web sites you visit, this tool is great tool for certain people.

More info and a download link here.

Google Calendar Phishing

password Here’s a new spin in phishing attacks. The idea is to trick people into providing confidential data. This new technique is aimed at Gmail users. Here’s how it works:

VERIFY YOUR ACCOUNT (…)

This Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted.We are sending you this email to so that you can verify and let us know if you still want to use this account. (…)

You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 24 hours for security reasons.

* Username:

* Password:

It’s an attempt to get you to provide your username and password. If you see anything like that simply delete it.

Don’t use old browsers

A new report has concluded that 637 million people are using out of date web browsers. This is bad.

expired Old web browsers have security flaws and vulnerabilities. You’re meant to update your web browser to the latest version because the developers have worked hard to patch it and fix up security holes. And in almost every case an upgrade is completely free. Why would anyone choose to use an old browser?

There are no legal obligations to upgrade a web browser but with this many people ignoring the very simple task of upgrading maybe it’s time for something to change. Now’s a good time to check for updates (the option is often in the Tools menu of the browser you’re using right now).

The report is here.

New Fraud Statistics

Sometimes it’s hard to believe these statistics, the numbers are so large. The Australian Bureau of Statistics has finished their first survey of personal fraud. Their findings are that 800,000 Australians fell victim to fraud in some way.

453,100 of those lost money, for a total of $977 million. That’s a lot of people and a lot of money for a rather small population.

329,000 Australians lost money after responding to lottery scams and other phishing related scams.

A lot of people keep falling for scams. The best thing you can do is help them become aware of what scams and fraud tricks are being used. Remember that you can always subscribe to Fraudo.com by email or with an RSS reader.

Next Page →