e-books
Like any other thing on the internet that can be downloaded, e-books present their own risks.
If you need to download an unknown program or plugin to access the e-book then consider if it’s really necessary. Sometimes things you download carry malicious code which often ends up installing spyware on your computer.
One such example is a browser plug-in from bitroad.net. It promises to help download free e-books. In the background it installs malware.
E-books represent a large shift in technology for distributing media. Formats will continue to change, new tools will continue to be developed, and new opportunities will be found to distribute malware on the side.
So always take care what you download or install (in general, the less you install on a computer the better it’ll work). And invest in a good anti-virus package that also scans for spyware.
Plastic Container Hoax
There is an email being circulated that warns people on the dangers of plastic containers. It provides a pseudo-scientific explanation on how plastic containers can cause cancer, and references some medical sources.
It’s a hoax. People start these emails for fun just to see it forwarded to millions of people. There’s no financial gain to be made from these hoaxes, no harm done either. And to you this should be an important reminder not to believe everything you read on the internet.
Here is some of the text from the email (to help Google index this page and to help more people find this article):
Dear Friends, Gentle reminder, is never to late to change our bad habits of having everything fast. Avoid warming food in microwave using plastic containers. This may endangers your lives.
Cancer Update please see below ! Hopkins
This information is being circulated at Walter Reed Army Medical Center as well.
Please circulate to all you know; Cancer update
Johns Hopkins - Cancer News from Johns Hopkins
No plastic containers in micro
No water bottles in freezer
No plastic wrap in microwave…
A dioxin chemical causes cancer, especially breast cancer.
Dioxins are highly poisonous to the cells of our bodies. Don’t freeze your plastic bottles with water in them as this releases dioxins from the plastic.
Recently, Edward Fujimoto, Wellness Program Manager at Castle Hospital , was on a TV program to explain this health hazard. He talked about dioxins and how bad they are for us.
He said that we should not be heating our food in the microwave using plastic containers..
This especially applies to foods that contain fat.
He said that the combination of fat, high heat, and plastics releases dioxin into the food and ultimately into the cells of the body…
Instead, he recommends using glass, such as Corning Ware, Pyrex or ceramic containers for heating food… You get the same results, only without the dioxin. So such things as TV dinners, instant ramen and soups, etc., should be removed from the container and heated in something else
Paper isn’t bad but you don’t know what is in the paper. It’s just safer to use tempered glass, Corning Ware, etc.
He reminded us that a while ago, some of the fast food restaurants moved away from the foam containers to paper. The dioxin problem is one of the reasons
Also, he pointed out that plastic wrap, such as Saran, is just as dangerous when placed over foods to be cooked in the microwave. As the food is nuked, the high heat causes poisonous toxins to actually melt out of the plastic wrap and drip into the food.
Cover food with a paper towel instead.
—
Now onto the explanation about this hoax:
At the beginning of the hoax email it states that this research comes from Johns Hopkins. The Johns Hopkins Bloomberg School of Public Health is a medical school in the USA. It has nothing to do with this email or the information contained within it. In fact it has published a statement that says:
These messages, frequently titled “Johns Hopkins Cancer News” or “Johns Hopkins Cancer Update,” are falsely attributed to Johns Hopkins and we do not endorse their content.
Freezing water does not cause the release of chemicals from plastic bottles.
Read the full notice here. And in case you’re still thinking “what if the email is right, what if…”, the Johns Hopkins Bloomberg School of Public Health also adds:
This is an urban legend. There are no dioxins in plastics. In addition, freezing actually works against the release of chemicals. Chemicals do not diffuse as readily in cold temperatures, which would limit chemical release if there were dioxins in plastic, and we don’t think there are.
Read the rest of this quote, and much more scientific information about why this is a hoax, here. Note that microwaving some types of plastics can be hazardous; read the medical article for accurate information. The above Q&A was published in 2004. This hoax email has been circulating since 2002.
So the next time you receive one of these emails, instead of forwarding it to 10 people thinking you’re doing them and yourself a favour, let the sender know it’s a hoax and refer them to this article for reference.
Malware in Resumes
Recruitment companies receive a lot of resumes in Word format, as you’d expect. But it seems that there’s a growing trend of these Word files being infected with some type of malware. Recruitment companies often have automated software that forwards the resumes to their clients without scanning them for malware.
Hackers have caught onto this and are targeting these companies. They’ve been sending resumes (probably not their own) with backdoor trojans embedded in the document. This gives them a chance to gain access to these networks.
If your work involves receiving many Word documents from the general public put in place a plan to screen these for known malware, and to limit the damage they can do if a new (unknown) trojan gets through. Most security specialists can help with this.
St George Bank Phishing Emails
Phishing emails are very common these days. Below is a common phishing email from a local bank. Keep in mind that the same technique is used with most banks these days. Spelling and grammatical mistakes usually give them away (although this example is pretty good), and read the end of this article for the best ways to tell a phishing email from the real thing.
An email arrives with the subject “Verify Your Phone Number”. Emails asking people to verify something can be eye-catching, and add a sense of urgency. Below are the contents of the email:
Dear customer!
St.George Bank Limited is constantly working to improve the account security of our customers. In order, to ensure the integrity and security of our online banking system, we periodically review accounts. We were unable to contact you by phone during the last check, so please verify the information at your account file and make sure it is right.
Please, verify your account information by following the link.
Click here for verification: https://ibank.stgeorge.com.au/verify/
The next verification will be done soon, invalid account information will result in your account being placed to restricted status.
Customer Service
St.George Bank Limited
http://stgeorge.com.au/
Some things you should keep in mind:
- Banks shouldn’t be trying to contact you by email (although sadly some still do)
- Banks rarely need to verify anything
- The links in the email are false
What would happen if you clicked on the links provided in the email? They look genuine enough.
In most email clients, if you hold the mouse pointer over a link and wait a second, you’ll see the real link. That’s right: the way email works, someone can display a link that looks like a bank site’s address when in fact it goes somewhere completely different. Maybe the technology behind email should be changed to make this impossible.
In this case the links point to a site called stgeorgeverify dot com. Again this might fool some people because it has the bank’s name in the address, but it’s not the bank’s address. It’s a phishing site designed to let customers type in their bank details so that scammers can sell the information on the black market (and eventually so that money can be stolen from bank accounts).
There’s very little regulation in domain names (web addresses). It’s easy for someone to register a domain name that looks like a bank’s site. Even if it has one additional or different letter it’s enough for anyone to register. And when someone registers a new domain name they can make it do whatever they like. Technically it’s a new site (even though the name looks similar to a legitimate site).
So when you receive emails from important organisations, such as your bank, don’t click on the links, because the links in emails can be misleading. Go to the bank’s web site by typing its address into a web browser.
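The hover check described above can be automated: the text a reader sees inside a link and the address the link really goes to are two separate things in HTML, so a filter can compare them, and can also check whether the real destination sits under the organisation’s own domain (a look-alike name with an extra word or letter fails that test). The following is an added example, not part of the original article; the sample e-mail is constructed from the St.George message above, and the hostname stgeorgeverify.example is a stand-in for the phishing site the article mentions.

```python
"""Find links in an HTML e-mail whose visible text and real destination disagree
(what the hover check reveals), and links not under the organisation's real domain.
Added example, not from the article; the sample e-mail is constructed and
stgeorgeverify.example stands in for the phishing host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the document."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def looks_like_url(text):
    """True when the visible link text itself reads like a web address."""
    return URL_LIKE.fullmatch(text.strip()) is not None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'host/path' text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_under(host, domain):
    """True only for the domain itself or a real subdomain of it, so a look-alike
    such as 'stgeorge.com.au.evil.example' does not pass."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, legitimate_domain):
    """Return (href, visible text, reasons) for each link a reader should not trust."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        reasons = []
        if looks_like_url(text) and host_of(text) != href_host:
            reasons.append(f"text shows {host_of(text)} but the link goes to {href_host}")
        if not is_under(href_host, legitimate_domain):
            reasons.append(f"{href_host} is not under {legitimate_domain}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample modelled on the phishing e-mail quoted in the article.
SAMPLE_EMAIL = """
<p>Click here for verification:
<a href="http://stgeorgeverify.example/login">https://ibank.stgeorge.com.au/verify/</a></p>
<p>Customer Service<br>St.George Bank Limited<br>
<a href="http://stgeorgeverify.example/">http://stgeorge.com.au/</a></p>
<p><a href="https://www.stgeorge.com.au/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "stgeorge.com.au"):
        print(f"'{text}' -> {href}: " + "; ".join(reasons))
```

The two verification links are reported (their visible text names the bank but the href goes elsewhere, and the destination is not under the bank's domain), while the genuine contact link passes. The domain check is deliberately strict: a host merely containing the bank's name is not enough.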
For further reading see our article on how domain names work, and another detailed example of phishing.
Nigerian 419 Scams
How much money do you think Australians send to Nigerians because of the old Nigerian 419 scam? (Keep in mind that Australia has a small population of 21 million)
The answer is millions of dollars.
This very interesting interview with the head of the Queensland Police Corporate Crime Investigation Group (what a long title) discusses these scams and provides some interesting details.
People who fall for these scams often don’t report it, and in many cases repeatedly fall for these scams. Watch the video, discuss it with your friends, family and colleagues, and help raise awareness of this particular kind of scam. You can also read this article on how Nigerian scams work.
Orphaned Accounts
An interesting study on orphaned accounts has found some serious security holes.
An orphaned account is when someone leaves an organisation and their network account remains active, instead of being disabled (locked). In a lot of cases those people who have left could still log onto their previous employer’s network and access files and services.
The study found that 27 percent of people reported that they had more than 20 orphaned accounts on their system. If everyone did their job well ideally it would be 0.
38 percent of people said they had no way of knowing if a terminated employee had logged into their system. Security auditing is very important and not very difficult, without it IT managers won’t know who’s doing what on their network.
In other words, in about 27% of companies if someone left they could still log in from home, copy files, send emails, and otherwise use the system the same as when they were officially employed. And in 38% of cases nobody would ever find out.
So how long should it take to terminate an account? Accounts should be disabled at the end of the employee’s last day and not a moment later. In some companies there’s so much bureaucratic admin that, according to the above article, it ends up taking 3 days to a month to do this. Shocking.
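Finding orphaned accounts is a reconciliation problem: the user directory says which accounts are enabled and when they were last used, and HR says who has left and when. Comparing the two lists gives exactly the figures the study asked about, namely leavers whose accounts are still open and leavers who logged in after their last day. The following is an added example, not from the article or the study; both lists are constructed sample data in the shape a directory export and an HR leaver list might take.

```python
"""Reconcile a user directory against HR's leaver list to find orphaned accounts.
Added example (not from the article); both lists below are constructed sample data."""
from datetime import date

# Constructed: a directory export (username, whether the account is enabled, last login).
DIRECTORY = [
    {"user": "jsmith", "enabled": True,  "last_login": date(2008, 5, 20)},
    {"user": "mchen",  "enabled": True,  "last_login": date(2008, 3, 2)},
    {"user": "pkumar", "enabled": False, "last_login": date(2008, 4, 18)},
    {"user": "alee",   "enabled": True,  "last_login": date(2008, 5, 21)},
]

# Constructed: HR's list of leavers and their last working day.
LEAVERS = {
    "jsmith": date(2008, 4, 30),   # still enabled and used since leaving
    "mchen":  date(2008, 3, 31),   # still enabled, not used since leaving
    "pkumar": date(2008, 4, 11),   # disabled, but logged in a week after leaving
}


def audit_orphans(directory, leavers, today):
    """Return one finding per leaver whose account was not disabled on time.

    kind is 'orphaned' (still enabled after the last working day) or
    'disabled-late' (disabled now, but used after the last working day).
    days_open is how long the account stayed usable after the person left
    (for 'disabled-late' this is a lower bound: up to the last observed login)."""
    findings = []
    for acct in directory:
        left_on = leavers.get(acct["user"])
        if left_on is None:
            continue                      # current employee, nothing to check
        used_after_leaving = acct["last_login"] > left_on
        if acct["enabled"]:
            findings.append({"user": acct["user"], "kind": "orphaned",
                             "days_open": (today - left_on).days,
                             "used_after_leaving": used_after_leaving})
        elif used_after_leaving:
            findings.append({"user": acct["user"], "kind": "disabled-late",
                             "days_open": (acct["last_login"] - left_on).days,
                             "used_after_leaving": True})
    return findings


if __name__ == "__main__":
    for f in audit_orphans(DIRECTORY, LEAVERS, date(2008, 5, 22)):
        print(f"{f['user']}: {f['kind']}, open {f['days_open']} days after leaving, "
              f"used after leaving: {f['used_after_leaving']}")
```

Run against a real export, the 'orphaned' rows are the accounts to disable today, and the 'used_after_leaving' flag is the case the 38% figure is about: without a login audit trail, that column cannot be filled in at all.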
In an organisation it should be everybody’s responsibility to protect the network and all private data. If your organisation is slacking in this area, say something about it.
AusCERT Survey
An Australian security organisation called AusCERT has conducted a survey and come up with the following results. I’ve added my own comments on the right.
| Survey Results | Comments |
| --- | --- |
| 84% of respondents use the internet for banking | 84% of internet users have something to lose if they’re not careful. |
| 5% have used a neighbour’s unsecured wireless internet | This is not only illegal but they’re using an untrusted network |
| 11% never update their operating system | Updates exist to patch known vulnerabilities, so these 11% of people have computers that can be hacked |
| 8% never update their anti-virus software | New viruses are discovered every day so these people are at greater risk |
| 23% have malware infections on their computer | Malware such as spyware and internet banking don’t go well together (i.e. this is how criminals steal money). Malware is always a bad thing to have on your computer. Do something about it. |
| 68% are confident or very confident with computer security | The other 32% should be reading FraudO.com |
The full survey results have been published here. It’s an interesting read, especially seeing the reasons why some people don’t use anti-virus and anti-spyware software.
SSH Brute Force Attacks
SSH is used to establish secure connections across the internet. For example a lot of people use SSH to connect to their servers because of the good security it provides. Lots of people trust it and rely on it.
In the past week there has been a large increase in the number of brute force attacks against SSH. What’s a brute force attack? It’s when someone writes a program that starts guessing passwords. It’ll keep trying to guess passwords all day and all night without rest until it finds something that works. The smarter brute force attacks do this slowly so that servers don’t lock the account in defense.
To increase a hacker’s chances of finding the right password these brute force programs use a dictionary and try to guess common words first. Then they try combinations such as replacing o’s with zeros, or putting a 1 at the end (have you ever done this with passwords?). So if your password is based on a word found in the dictionary it’ll be amongst the first ones tried.
The best defence against brute force attacks is to use a complicated password. Complicated passwords can take years to guess, simple passwords can take seconds to guess. Read here about how to evaluate the complexity of a password. And if remembering complicated passwords is a challenge then you might need a password safe.
So back to SSH. If you manage a server and use SSH to connect to it, have a look at the logs. Other people have reported a 5-10 times increase in the number of SSH attempts on their servers. Make sure your passwords are complicated enough to resist brute force attacks. Consider editing firewall rules to limit the entry points into your network. And make sure everything is patched including routers and firewalls. See this article for further information on these attacks.
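Having a look at the logs, as suggested above, means more than eyeballing them: the noisy attackers stand out as bursts of failed logins from one address, while the "smarter" slow guessing the article describes only shows up when you count failures per address over a whole day. The following is an added example, not from the article or from any particular tool; it parses the failed-password lines OpenSSH writes to the system auth log and classifies each source address. The log lines are constructed, and the thresholds are assumptions to tune for your own servers.

```python
"""Spot SSH password guessing in sshd log lines: bursts of failures from one
address, and the slower guessing the article mentions that tries to stay under
lockout thresholds. Added example, not from the article; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the failed-login line OpenSSH writes via syslog, e.g.
# "May  3 10:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4111 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2008):
    """Return (timestamp, source ip, username) for each failed-password line.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_brute_force(events, burst_limit=5, window=timedelta(minutes=10), slow_limit=20):
    """Classify each source address (thresholds are assumptions, tune them locally).
    'burst': burst_limit or more failures inside any `window`.
    'low-and-slow': never bursts, but slow_limit or more failures over the whole sample.
    Returns {ip: (kind, total_failures, sorted usernames tried)}."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        burst = False
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_limit:
                burst = True
                break
        users = sorted({u for _, u in attempts})
        if burst:
            findings[ip] = ("burst", len(times), users)
        elif len(times) >= slow_limit:
            findings[ip] = ("low-and-slow", len(times), users)
    return findings


# Constructed sample: one noisy guesser, one legitimate typo, one slow guesser.
SAMPLE_LOG = [
    "May  3 10:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4111 ssh2",
    "May  3 10:15:09 host1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 4112 ssh2",
    "May  3 10:15:17 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 4113 ssh2",
    "May  3 10:15:25 host1 sshd[2207]: Failed password for root from 203.0.113.5 port 4114 ssh2",
    "May  3 10:15:33 host1 sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 4115 ssh2",
    "May  3 10:15:41 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 4116 ssh2",
    "May  3 09:02:10 host1 sshd[1900]: Failed password for alice from 192.0.2.9 port 50212 ssh2",
    "May  3 09:02:20 host1 sshd[1900]: Accepted password for alice from 192.0.2.9 port 50212 ssh2",
]
# One guess every 30 minutes for 20 attempts: never enough in any 10-minute window to look like a burst.
SAMPLE_LOG += [
    f"May  3 {i // 2:02d}:{(i % 2) * 30:02d}:05 host1 sshd[{3000 + i}]: "
    f"Failed password for root from 198.51.100.7 port {40000 + i} ssh2"
    for i in range(20)
]

if __name__ == "__main__":
    for ip, (kind, total, users) in detect_brute_force(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {kind}, {total} failures, usernames tried: {', '.join(users)}")
```

The burst detector is what simple lockout or ban tools implement; the second count is the one that catches the slow guesser, and it is also the address list worth feeding into the firewall rules the article recommends.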
And for everyone who’s still wondering what SSH is, don’t worry about the jargon. Just realise that people can and do try to guess passwords.
Phishing Audits
Some companies have started testing their employees on how they respond to phishing attacks.
A company called Intrepidus Group has a system whereby they basically send your company’s staff spam, testing them on how they respond to it. The system can even concentrate spam on people who are more susceptible to clicking on links.
The system sends results back to the tester on who clicked on the emails, what data they entered in (e.g., their name, credit card numbers, etc).
So the next time you see an email that doesn’t look quite right, and has links to external sites, think hard whether it’s real, spam, or this new kind of "ethical" spam.
The company’s web site explains it better, http://phishme.com/
Domain Slamming
Nick, a regular reader, offered this advice on a scam known as domain slamming. If you have any domain names registered then take note of the following.
A company known as "Domain Registry of America" has been sending letters (the paper kind) telling people that their domain will expire soon and that they need to pay to renew it.
Normally you would renew your domain name with the company you’ve already used to register. But this company sends out letters that look like invoices hoping that some people will just pay it without questioning where it came from.
When you register a domain name you’re required to provide your name, mailing address, and email address. This information is made publicly available (use any of these free Whois services to view this information about any domain name). This is where they get your details from.
There’s plenty of information about domain slamming on these pages here, here and here.
If you own a domain name, especially a .com name, make sure that it’s locked. This is just an option you select when you setup the domain name. Then ignore any letters (or emails) you receive from other companies about your domain name.
Note that this happens in most countries, not just USA.
Yahoo! Malicious Page Alerts
Yahoo! now lets you know if a web site contains malicious content. It works very similarly to Google’s equivalent. From a technical perspective Yahoo’s implementation seems better: it scans files that download automatically.
McAfee have provided the malware detection technology, called SearchScan, so it has a company with a good reputation behind it. Below is an example of how it looks when it finds something dangerous:
Yahoo! operates search engines in several countries, and it will be enabled by default for the following countries: Australia, Canada, France, Germany, Italy, New Zealand, UK, USA.
Password Safes
Password safes are programs that store your passwords. In general they’re a good idea because:
- You have less reason to reuse passwords (having a unique password for every site is much safer)
- You can use more complicated passwords without risk of forgetting them
- If you forget a password you rarely use you can easily retrieve it
- In a business it’s easier to share passwords and control who has access to what (especially in IT departments)
Below are some examples of good password safes:
And this is an example of something that looks good but still isn’t a good idea:
If you use a hosted service like this you’d be giving your passwords away to another organisation. They promise not to look at them. How comfortable would you be trusting someone you haven’t met to hold the password to your online banking?
This comes from their own web site and it should give you an idea (it’s in their FAQ page):
While we take every security precaution, we do not recommend storing sensitive information such as bank account passwords.
In summary:
- It’s ok to store your passwords on your own PC
- It’s not ok to let some other person or company store them for you
- Ideally if you store the passwords on your PC you should:
  - Use a good password safe that encrypts them, like the ones above
  - Use a good anti-virus package to ensure you don’t have spyware on your PC
  - Keep your PC in a safe place, like in your home or in a locked office
  - Keep backups (in case your PC dies) and store the backups in a safe place
  - Don’t do this on a shared computer, including some office computers
Side Note: The 3rd of May was the 30th anniversary of spam.
BT Home Hub Wireless Networks
Wireless networks can be made safe but it’s so common to find networks that haven’t been secured properly. It’s even worse to see ISPs giving their customers routers that have been configured with weak security.
BT Broadband in the UK has been supplying wireless routers to their customers, called BT Home Hub, set up to use a very weak security system called WEP.
In fact it’s so weak that anyone sitting within wireless range (which can include a few of your neighbours) can just guess the wireless password in 80 attempts. And you wouldn’t even know someone’s trying to guess your password.
WEP is an old security system made for wireless routers. It’s been cracked before and it’s really no safer than an old rusty padlock with the key hidden in a pot plant. As the old saying goes, it keeps out honest people. WEP is practically useless, and BT Home Hub leaves it set up this way for its customers.
What everyone with a wireless network should do is change WEP to WPA. WPA is considered safe at the moment. And it’s best used with a long password (20 characters long).
To learn more about securing a wireless network read here. And to understand why it’s important to secure a wireless network read our article here.
Just remember, WEP = useless, WPA = secure.
2Wire Modems
2Wire is a DSL modem manufacturer. Earlier we reported that a Mexican ISP offers 2Wire modems to their customers and that there was a vulnerability in them affecting their customers. The vulnerability is called DNS poisoning.
Many other ISPs also offer this modem to their customers including AT&T. AT&T has taken some positive action to fix the issue, so if you’re an AT&T customer using a 2Wire modem then have a talk to them and see if your modem needs patching.
An AT&T spokesman, Seth Bloom, responded to a Slashdot article and had the following to say:
“The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we’ve already updated the majority of affected 2Wire gateways, and we’re nearing completion of the process. We’ve received no reports of any significant threats targeting our customers.”
Credit Card Black Market
Where do stolen credit card numbers go?
One place is a web site called SellCVV2. Recently credit card details were discovered being sold on this site. Prices start at US$38 for a small set of credit card details. This is a fairly professional service offering guarantees and volume discounts on the stolen information.
It now seems that the site’s illegal contents have been cleared out since this information was made public. This doesn’t mean that the black market for stolen credit card numbers has disappeared, it’s only moved to another place.
This is how the site appears now.
Malware Statistics
Symantec, a large security company, have reported that there are now more malware writers than legitimate software writers.
They state that 65% of the 54,609 Windows applications released to the public in the past 6 months were malicious.
Another interesting statistic from this report is the percentage of browser plug-in vulnerabilities:
- 79% ActiveX
- 8% QuickTime
- 5% Java
- 5% Flash
- 2% Windows Media Player
What this means is that by disabling ActiveX from your web browser (Internet Explorer) you can avoid 79% of web browser plug-in attacks. Here’s an article on how to disable ActiveX.
As for the other types of plug-ins, keep them patched and up to date to reduce the risk of infecting your computer.
Here is Symantec’s internet security report.