Have a look at the following screenshot and try to guess what’s wrong with it?

This screenshot was captured from the US National Archives’ signup page (click here then click on New User). It asks for a challenge question and challenge answer, in case you forget your password. The problem here is one of the questions, “What is your preferred internet password?“.

Why would you give someone this information?

Challenge questions and answers are a way to recover lost passwords. Unfortunately this information is often not encrypted – it’s less secure. So whatever you set for your challenge question and answer is sometimes vulnerable to hacking. Also, the questions are often things that other people can easily find out about you, like your pet’s name. This is why I don’t like them.

Poll:

Facebook’s security and privacy have never been perfect but they’re now starting to take it more seriously. Maybe some strong competition from Google+ has something to do with it.

Facebook have published a security guide and it’s quite good. It covers topics like recognising scams, recognising hacked accounts and how to use SSL connections. All good stuff! For example,

The common scams offer prizes like free  virtual objects. Other lures claim that your account has been suspended and provide a link for you to remedy the problem.

If you use Facebook at all I recommend reading through the guide. I also strongly suggest you print it out and lend it to your friends and family – people who might not be able to do their own research on security.

The more people understand security on Facebook the better it will be for everyone. Click here for A Guide to Facebook Security.

There are many ways now to share your current location, including

• Foursquare
• Facebook Places
• Bing and Google have their location sharing systems

It’s a popular thing to do. But have you ever had a good think about the pros and cons of doing this?

Pros:

Daniel Amitay has been able to collect a sample of over 200,000 passcodes used to lock an iPhone. The most common ones were:

1. 1234
2. 0000
3. 2580 (a vertical row)
4. 1111
5. 5555
6. 5683 (spells LOVE)
7. 0852 (a vertical row)
8. 2222
9. 1212
10. 1998

This list represents 15% of all PINS (that’s too high). Years starting with 199 were also found to be common. And PINS starting with 1 are also very common.

The information here is relevant to other devices as well, basically anything that uses a 4 digit PIN typed into a keypad.

If you use any of these codes to lock something you consider important you should change it now.

URL shorteners are so common these days people don’t give them a second thought. Especially on social media sites like Facebook and Twitter. Some common URL shorteners are

• bit.ly
• tiny.cc
• fb.me

The list is endless. You can even make your own service, which is exactly what spammers are now doing.

Spam messages are now being posted on Twitter with these new URL shorteners and it’s difficult to filter them out. E.g. URLs that begin with

• www.srtu.in/

The best thing you can do is to use a modern web browser that does some URL scanning, such as Chrome, Opera, or IE9 (older versions of IE are vulnerable). Also buy and install a good virus scanner.

More information about URL shorteners here.

Security companies sometimes get to analyse real people’s passwords and create interesting reports. Imperva has just done that, analysing 32 million passwords used on the Rockyou.com site (which was recently hacked).

Below is a summary of their findings. Why is this important to you? Because it means that statistically, you probably have a weak password that can be guessed.

• 41% of passwords only use lower case letters (weak)
• 15% of passwords only user numerals (even weaker)
• Nearly 50% of people used names, slang words, dictionary words or trivial words as their passwords. These can be guessed in seconds by a “brute force” program.

The ten most common passwords were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

If you use any of these as your password then change it now, it’s too easy to guess, especially now that everyone can see this list.

For tips on how to choose a good password read our previous article. And here are some tips on testing how good your password is.

Imperva’s complete report is here. It’s full of interesting technical details on what they found and what the risks are.

McAfee, a large anti-virus company, has published a report called “Inside the Password Stealing Business: the Who and How of Identity Theft”. It goes into the details of password stealing programs and explains the “industry” driving it.

It’s quite detailed and at 17 pages it won’t take too long to read – it’s not very technical.

Password stealing is when a program gets installed on your PC that catches every stroke of your keyboard and sends it back to a criminal. The idea is that it’ll record all your passwords as you type them, no matter how strong they are. It’s a sophisticated piece of technology and a very large problem worldwide. If you’re not constantly upgrading your anti-virus software, web browser and OS then you’re at high risk.

These passwords are then sold off and used to steal money from your bank account or to commit other crimes. Even if you don’t use online banking you still have something to lose – someone can apply for a credit card under your name and use it to make expensive purchases, then you’re left to deal with the credit card company and convince them it wasn’t you (this happens every day).

So click on this link and have a read of the report.

A quick post about spam. Some of the most common sentenced used in spam are:

• We are letting you try it for FREE, you just pay the shipping costs!
• FREE Download without limits!
• Get your Free Trial Now!
• Take FREE exotic vacations!
• Get Free trial bottle!

In similar news, Norton has published a list of what they consider the top 100 most dangerous web sites. I won’t copy & paste the names here because my site and newsletter will no doubt be blocked by filters everywhere. You can have a look here to get an idea of what they consider to be highly dangerous web sites.

An Australian investigative program called Four Corners will feature an episode on the scope of online crime in Australia. If you have access to this program it’ll be worth watching. They’ll go over how identity theft works, how online crooks have attacked businesses, and how unsecured wireless networks are hacked.

Monday 17th August, 8:30pm, ABC1. And a repeat on Tuesday 18th August, 11:35pm, ABC1.

ABC will also provide this program online if you have a fast internet connection, on their iView application.

Update: Part of the episode featured federal police raiding a hacker group. The hacker group has attacked a federal police network in retaliation. Interesting.

GFI Backup is a simple backup program for Windows. It has enough features for most home users, and it’s free. If you haven’t thought about your own backup strategy this would be a decent program to start with (for Windows users).

For more backup tips read here.

A while back I wrote about wireless network security, click here to see the article. Basically you have 4 ways to set up a wireless network (at home or at the office):

1. No wireless security
2. WEP
3. WPA
4. WPA2

No wireless security means just that, anyone can connect to it and use your internet. If you’re wondering why this is a problem have a quick read of this article.

WEP is a very old security system. It doesn’t work.

WPA and WPA2 are still good, as long as you use a long (20 character) password. Read here to learn more about WPA.

Below is a tutorial video that has step by step instructions on how to hack into a WEP protected network. The point is: it’s easy to hack into a wireless network protected with WEP. WEP doesn’t work.

Today I received from someone claiming to be from Vodafone (a local phone company), offering me a new phone and new plan. Fair enough, I’m a Vodafone customer and my contract’s close to renewal.

But things turned ugly when the person on the phone asked for my account password, so that he could verify he’s talking to the right person. I refused.

I explained that I received an unsolicited call, I don’t know who I’m really speaking to, and that I’m not prepared to give a random stranger my account password.

He’s probably heard this several times so he said he understands, and I could give a few other personal details instead. I refused again. Confused, he put me onto his team leader, or at least someone claiming to be his team leader – I have no way of knowing who I’m speaking to. If I had been the one to initiate the call then I know I’m speaking to the right company. If I receive a call then I don’t know. There’s a fundamental difference here.

The team leader tried to explain they need to confirm who they’re speaking to. She claimed to understand my position, but wouldn’t change her argument. I continued refusing to give my password to a random stranger just so I can hear about new phones.

So we agreed to end the conversation. I wrote Vodafone a complaint using their website, explaining the situation. I’m not sure if the complaint went through because their web page took me to an answer’s and questions page after I’d typed everything out.

It’s not completely the cold-calling people’s fault, they’re doing what they’re paid to do. It’s Vodafone’s problem that they came up with this procedure. They’re giving their customers an expectation that it’s normal for strangers to call them and ask for their passwords.

And if you haven’t worked out the problem yet, look at it this way. I now know that Vodafone customers must be used to receiving unsolicited calls and giving out their passwords. So if I call 20 random people in Australia, chances are at least one will be a Vodafone customer. I just have to say I can offer them a new phone plan if they can give me their password. Then I can call up Vodafone, confirm my identity using that password, change my mailing address, and order a new phone and ask for it to be sent to my residence. I wouldn’t actually do it this way but you get the idea. It’s called identity theft.

I’ve written about the same problem before in 2007, it seems nothing’s changed in the past 2 years.

The technology spammers use is always changing. A report released by MessageLabs in June 2009 shows that 83% of spam is currently being sent from botnets. Now let’s explain what a botnet is.

There are people out there who hack into people’s home PCs (the PCs of ordinary people like you and me). They usually write a virus to do this, or pay someone to write the virus. Then when they’ve hacked into a home PC, they add it to a list.

After a few days they can get about 500,000 home computers on their list (yes, they work very fast). So once the hacker has hundreds of thousands of computers on their list, he writes a program that can control them all at once.

Now keep in mind that most home users won’t know their PC has been hacked. Everything still looks normal.

The hacker then sells this list of PCs to a spammer. The technical word for this list of controlled PCs is called a botnet.

A spammer buys this list of hacked computers and the program that controls them all at once. He uses also buys an email list from someone else (a list with millions of people’s email addresses). He presses a button, and all of the home PCs he’s controlling start sending out spam.

Again, home users don’t know their PC is now being used to send out spam. They might notice their internet go a little slower but most people don’t have the technical skill to work out why. It just gets ignored.

The spammer then sits back, relaxes after doing his 5 minutes of work. If anyone gets caught for sending spam it’ll be the home user, not him. The home user is ignorant of what’s going on. The hacker made his money and will do it again. And the cycle repeats again after a few days.

So how much spam are we talking about?

The largest botnet in operation in June 2009 is sending 74 million spam emails a day, all of this from people’s home computers. That’s a lot of spam.

What can you do?

Don’t let your own computer become part of a botnet. Use a good antivirus product, scan for malware, and fix up any problems.

Some of Lenovo’s laptops have been shipped with adware installed, and it wasn’t an accident. Lenovo thought it would be a good idea if their new laptops showed popup ads to convince you buy more Lenovo products.

It’s bad form, a new computer shouldn’t be popping up ads without your consent. Lenovo generally build good quality machines but this move is ethically wrong.

Click here to see a screenshot of the ad.

USB Drives are so popular these days nobody thinks much about them anymore. They come in all sizes (up to 128GB these days) and don’t really cost that much. They’re cheap enough that some people give them away.

So can they spread malware such as viruses? Yes, they certainly can. On many Windows computers, when you plug in a USB drive it does a quick search and it can run programs installed on them. Microsoft calls this a feature.

But malware authors (bad hackers) know all about this and they write malware that runs as soon as the device is plugged into a computer. You won’t know it’s happened, malware can install itself quietly in the background without getting in the way of your work.

So what do you do about it?

• Be cautious about what you plug into your computer
• Have a good anti-virus package installed that can scan these devices for you
• You can disable a feature in Windows that automatically runs programs on these USB drives
• In an office environment a good system administrator can lock down this feature across the entire network

What else can plug into your USB port and carry malware?

• USB Flash drives (also called flash drives, pen drives, thumb drives or USB sticks)
• Digital cameras
• MP3 players (including iPods)
• Mobile phones (cell phones)

And if you’re thinking how can malware get onto a camera, I’ve seen it myself. A friend took their camera to the local shop to print some photos, then lent me the camera so I could help them with something, I detected a virus that installed itself on it from the shop.Yes, it really happens. Take care with USB devices.

One of the best things you can do to protect your PC is to perform regular backups. Nightly backups are best – that’s how almost all business operate (some businesses go one step further and do backups every hour!). But for home use this is a bit of a burden, so you should be doing weekly backups, at least.

There are so many ways these days to do a backup. Some common methods are:

• Copy your important files to a flash drive. Flash drives are so cheap these days, they’re reliable and are large enough to hold your most important documents. Backing up is just a matter of dragging your files across using something like Windows Explorer (or the equivalent in your OS)
• Using a built-in backup program. I personally don’t like built-in backup programs, they’re often tricky to use and don’t offer enough features. But systems like Windows come with a built in backup program so you could begin by using it.
• 3rd party backup programs – this is where you get the most value. For a modest fee you can purchase a backup program that will get the job done how you want. I prefer Acronis TrueImage Home because:

• It backs up everything, a complete image of my PC. There won’t be anything left out, and if my hard drive dies I can restore the system exactly how it was
• It’s simple to use
• It has so many features that as my needs change it will be able to provide the backups I need
• It’s not very expensive

Having a good backup is extremely important. There are so many things that can go wrong with computers, from hard drive crashes, theft, to malware that takes your files hostage. Having a backup is common sense, it’s a cheap simple insurance against all the things that can go wrong.

You should also have more than one backup. Using external drives is a good option these days, they’re affordable, and you can keep one at a friend or relative’s house as added insurance.

How not to do backups:

• RAID (disk mirroring, or disk striping) is not a backup. It’s a form of data redundancy, there’s a fundamental difference.
• Overwriting backups – if you only have one backup and you overwrite it every time you do another backup, there’s a brief moment where you have no backups (during the backup itself). I’ve seen it before, the computer dies half way through a backup and you’re left without a working computer and with half a backup. This is no good.
• Relying on Windows System Restore is not good enough. There are still so many things that can go wrong and leave you without your previous files, photos, etc.

So how do you do backups? Post your comments below. We’re also running a poll on backups.

I’m trying something new here, polls. I’ll move it to the sidebar later, for now here’s our first poll!
Take Our Poll

A business owner in USA had been twittering about his upcoming holiday, and provided further updates when they’d left home for their holiday. Then their home was burgled. Was is chance or did someone know the house would be empty via Twitter?

It’s not possible to know but it certainly raises awareness about how safe it is to tell strangers about your travel plans. And this doesn’t just apply to Twitter, but to any social site where you’re giving personal information to strangers.

Read the full article here.

Would you be comfortable knowing that people can “listen in” to your wireless keyboard and watch what you type? It would be a great way to capture passwords, and that’s not a good thing.

I’ve written about how vulnerable wireless keyboards are. It used to take a lot of skill to hack into a wireless keyboard but now someone’s made it so much simpler. Here are instructions on how to build a wireless keyboard hacking device, complete with the software necessary. This model only works with 27MHz keyboards, which are the older and cheaper kind. It’s quite easy to build this device and to use it.

With a good enough aerial these type of hacks could be done from your neighbouring unit, house, office, or probably from a vehicle parked outside. You won’t know your wireless keyboard’s been hacked.

More modern and expensive keyboards can also be hacked, even those that have stickers on them saying how secure they are. But they take a bit more effort and skill.

I don’t believe in using wireless keyboards, they’re not secure. If you’re using one, it only costs $10 or so to upgrade to a wired one.

Today is “Change Your Password Day” in Australia, an idea by National E-security Awareness week.

Whether you live in Australia or anywhere else in the world, changing your password is always a good idea. Below are some do’s and don’ts for passwords:

• Do use numbers in the password
• Do make it difficult to guess
• Do make up words, or misspell words
• Do make it at least 8 characters

• Don’t put a “1” at the end of the password, this is too common
• Don’t use a word that you could find in a dictionary
• Don’t use the same password on every site. Web sites you use every day (e.g. Facebook, email) should always have a unique password, they’re more at risk.

To help you work out if your password is good you could try using a password meter. Click here for more information.

And you can use a password safe to keep track of all your complicated passwords. Click here for more information on password safes.

What are your suggestions for choosing strong passwords? Add your comments below and I’ll put them all together in a new article dedicated to choosing good passwords.

Social web sites are all the rage these days, such as Facebook, MySpace, Twitter, and there are hundreds of less popular ones as well. The idea with them is that all your friends and family can join and you can share aspects of your life such as photos and comments.

Often these same sites will ask for other passwords, in an effort to help you find more of your friends and family. For example, when you sign up to Badoo.com it asks you for your MSN username and password. They do this so they can log into MSN with your account, get a list of your contacts, and invite them to join Badoo. Facebook can do this too only on a grander scale.

It’s good in theory but there are some large risks involved. When you sign up and are prompted to enter your MSN details (or any other account), consider these questions:

• Who runs Badoo? Is it some guy sitting at home with no one to answer to?
• Do you trust the company (such as Badoo) and all of their employees?
• What is their privacy policy? Who are they accountable to if they breach their privacy policy?
• Do they store your MSN password? (You have no way of knowing this for sure)
• Have their servers been hacked and is someone else also capturing your password? (Again you have no way of knowing this, web sites get hacked every day)

You can see where this is leading. If you enter your other passwords into someone’s web site you’ve lost control and put yourself at some risk.

So when you sign up to a new site and it asks you for other passwords you already have, your initial reaction should be to refuse. Then consider if the benefits of doing so are worth the risk.

I’d like to thank our regular reader Nick for bringing this issue up.

Twitter is the biggest internet craze since Facebook, there are currently an estimated 6 million people using it.

A few days ago Twitter users were asked to take part in a “game” called #twitterpornnames. How does it work? You’re supposed to announce a made-up name along with the hash tag and share it. The formula provided to create your name just happens to match some very common security questions to help people reset their passwords. Pet’s name. First teacher. Street you grew up on.

So when people started participating they were in fact sharing the same information used by web sites to reset passwords. It’s called social engineering. It tricked people into revealing sensitive information. And the nature of Twitter is that people share information and click on links without much thought (is this a Gen-Y thing?)

If you use Twitter and see these sort of “games” going around, don’t share private sensitive data so easily. This same data can be used to hack into your accounts.

We all know that malware can steal your passwords, cause you to lose money, and spread itself to other PCs. But can malware actually cause damage to your PC?

The short answer is yes.

A botnet is a collection of infected PCs under a hacker’s control. There are millions of PCs today forming these botnets (millions of infected home computers being controlled by hackers). Some new research on botnets shows that they sometimes include code to completely disable the PC.

In April 2009 a malicious hacker decided to “kill” the PCs he was controlling using a botnet. It disabled Windows on 100,000 computers, making all those PCs useless until a technician can repair it. (This is a slight simplification but for the general public it’s accurate enough). These 100,000 computers belonged to real people using their computers at home or at the office. One day it just stopped working because a malicious hacker thought it’d be fun. You can read more detailed information about this here.

And then there are other malware (viruses etc) that can damage the PC in more serious ways. In March 2009 researches created a sample malware that writes itself to the computer’s BIOS (the BIOS is inside a chip inside the PC) . Reformatting the PC won’t remove it, buying a new hard drive won’t remove it either, and they claim that even a “BIOS flash” won’t remove it. You’d have to buy a new PC (or if you’re technical, a new motherboard) to fix it. More info here.

In the past there have been viruses that could damage drives and monitors but there’s been very little of this lately.

So overall malware can cause your PC to visit a repair shop for servicing, which is not only an inconvenience but also costly. It’s always better to prevent malware than to repair the damage (and often you may not know a PC is infected). And the usual tips apply here:

• Use a good anti-virus package, the kind that updates itself several times a day and scans web pages as well as files. They’re not expensive.
• Always patch and update your programs, including your operating system (Windows, Linux, Mac OS X).
• Never assume it can’t happen to you or that your computer is somehow better than others.
• Use one of the newer browsers such as FireFox, Chrome, or Opera. Read about browser hacking here.
• Don’t download programs from hacker sites such as password generators (they’re usually infected with malware).
• Don’t be tricked into installing something to watch a funny video. If your computer can’t play the video as it is then it’s probably not worth watching. Read more about it here.
• Don’t be tricked by fake anti-virus programs. Examples here.
• And backup your files. Do this often.

I don’t recommend this, I just want to share what others are doing and raise awareness of the problem in general.

Nigerian scams are emails (or letters) telling you that some random stranger in Nigeria wants to give you a very large sum of money, and they need your help (and your money) to make it happen.

And some people are starting a trend in baiting the scammers, making them waste time and giving them misleading information, just for amusement. It’s a vigilante action fraught with real danger hence why I don’t recommend it. But it’s certainly interesting to read about it.

Click here for the full article.

Ghostnet is the name given to some malware that’s been spreading around the world recently. This sort of thing happens every day, but what’s different about Ghostnet is that it has mainly targeted political offices.

This can’t be an accident or coincidence. So far 1,300 computers have been found to be infected with Ghostnet (not many), including the computer used by the Dalai Lama, a NATO computer, computers in the embassies of India, South Korea, Indonesia, Romania, Thailand and many other government offices around the world. These were clearly targeted.

What’s Ghostnet do? Researchers have found that it can turn on the camera and microphone on computers that have one, allowing people to spy in a room (or office). Can malware really do things like that? Yes, malware can do anything on a PC, that’s why it’s important to protect your PC.

Who’s behind Ghostnet? Researchers have directly accused the Chinese of operating it.

How do you get it? So far it seems people are tricked into downloading a file that infects the PC. Specific people are targeted and asked to download the file. This is called social engineering. And because they only targeted a small number of people it takes a long time for anti-virus companies to find out about it and to update their anti-virus programs.

TinyURL is a web redirection service. Its main purpose in life is to make long URL’s short (a URL is a web “address”). Here’s an example:

Sometimes you end up with a long URL such as: http://fraudo.com/2009/03/19/does-windows-safe-mode-protect-you-from-malware/

TinyURL can shorten this address for you. Try clicking on the following address: http://tinyurl.com/dfwohy

You’ll notice it takes you to the same page as the first link, but it’s much shorter to write. And why would someone want a short URL? Marketing people would argue that short URLs are easier on the eyes. And sometimes there are technical reasons – for example, Twitter only supports short messages so it’s normal to shorten URLs.

So what’s the risk?

If you receive an email from some company telling you to click on their link, and if you notice their link goes to a Chinese or Russian web site, you’ll be suspicious and you won’t click on it. And if you have a good anti-virus package installed it can detect the links and warn you before you click on them.

However, if the email’s links point to TinyURL you have no way of knowing if it’s legitimate (actually there is a way, keep reading). Maybe it goes to the company’s real site, maybe it goes to a hacker’s. You won’t know until you click (and usually once you click it’s too late).

Do legitimate companies really use TinyURL? Unfortunately yes. Marketing people write these newsletters, not their IT security people.

What about Twitter? Almost everyone on Twitter uses a service such as TinyURL to shorten addresses they share. When you click on these you’re taking a chance.

TinyURL isn’t the only redirection service. Here’s a list of the popular ones:

• tinyurl.com
• bit.ly
• budurl.com
• eweri.com
• hex.io
• idek.net
• is.gd
• poprl.com
• snipr.com
• twurl.nl
• ub0.cc

Notice how many there are? Shortening URLs has become a popular thing to do. Also notice that international domain names are popular here, such as .io and .ly.

So what can you do?

• Use a good web browser. In a recent hacking competition Google’s Chrome was not hacked, showing that at the moment it’s a good choice.
• Use a good anti-virus package that also scans web pages.
• Be cautious of shortened URLs, realise that you’ll be redirected to a different place
• You could ask companies such as TinyURL to scan all their links but that’s not going to happen, they don’t see it as their job.
• You could boycott all shortened URLs. That’s easier said than done and it’s not very realistic.
• And finally, the best way to protect yourself from this is also the most troublesome, so I’ve left it to last. Services such as TinyURL do give you a tool to test a link before you click on it.

TinyURL’s Preview Feature:

TinyURL has a preview feature. It’s a good security decision to turn it on. It’s an inconvenience if you enjoy clicking on unknown links but it’s a smart move. Click here to turn on their Preview feature: http://tinyurl.com/preview.php?enable=1

Then when you click on an unknown TinyURL link, it will show you where you’re about to go. You still have to be careful about weird Chinese and Russian sites that might be hacked but at least you’ll have enough information to make that decision.

It’s not a foolproof system though. Even if you’ve enabled Preview there might be times where it doesn’t work. That’s just the way computers work, it’s technically complicated. And enabling Preview on TinyURL doesn’t help you with all the other services I listed above. There’s just too many of them at the moment.

If you’ve read this far you’ve done well. Being aware of the dangers gets you half way to being secure.

Update (19 July 2011):

Google has a new URL shortening service called g.co . For now their plan is to use it for official Google sites and applications. So shortened URLs beginning with g.co should be considered safe and legitimate for now.

Windows has something called "Safe Mode". You usually see it when you don’t shut down Windows properly, then when you restart you’re prompted if you want to start in safe mode.

So what is safe mode? It’s basically Windows without all the frills, very simplified. It’s intended to help techies fix problems if Windows is broken.

There’s also an assumption that malware can’t hurt your computer if you start it in safe mode. This has been proven to be a false assumption. Malware can still run in safe mode.

To be protected from malware you need some common sense (you’ll get plenty of that from this site), and having a good anti-virus helps.

Just recently something happened: people using Twitter started seeing messages saying "Don’t Click". Most people are curious so they clicked. The link had an iframe with some hidden code that sent a Twitter message using your account, telling others not to click. Technically this is a virus because it propagated through a network.

The result was that a message saying "Don’t Click" quickly spread through Twitter. No harm was done. But it could have been harmful. Whoever came up with the idea managed to get lots of people to click on an unknown link, and it could have had malicious code on it.

Twitter says they’ve fixed the problem that made this possible. But it highlights a problem with Twitter, that people are seeing links they don’t understand and are clicking on them.

More info here.

Here’s something new. In North Dakota, USA, pieces of yellow paper were placed on the windshield of parked cars with the following text printed on them:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to website ….

The website that was printed tells people they need to download a program called PictureSearchToolbar.exe. This program then downloads malware onto people’s PCs. The malware can change but at the moment it tells people their PC is infected and asks them to download more malware.

This is a new way to trick people into downloading malware.

You can avoid these tricks by being cautious on what you download. The rule of thumb is that you never need to download anything to view a picture or video on the internet, unless you either know what you’re doing or really trust the company giving you this information (e.g. if you’re using Windows you could trust Microsoft since they made the operating system you’re using).

You can also install a good anti-virus package that scans web pages. This needs to be updated daily which generally means you need a paid subscription. It’s a good investment.

Recently some people have been tricked into paying for OpenOffice.

OpenOffice is a free alternative to Microsoft Office. You can download it for free from here: http://www.openoffice.org/ . Don’t download it from anywhere else other than the official site.

If anyone asks you to pay for this then they’re trying to cheat you. There’s no reason to pay for the software, and there are no subscriptions you need to use it.

Disclaimer: while the software is free for anyone to download and use, you need to have an internet connection, and most people pay for their internet. This is just common sense. If this is a problem, sometimes computer magazines download it for you and put it on a DVD bundled with the magazine. Again the software is free but you have to pay for the magazine. This too is common sense. And it’s completely legal to copy it from someone else.

A new way of stealing internet banking passwords has been discovered. Here’s how a victim would see it:

• You’re reading a few web pages on the internet. One of them is infected with some malicious code – you don’t know.
• You log onto your normal internet banking site
• The malicious code on the other site detects that you’ve logged into internet banking
• the malicious code bring up a window asking you to type in your internet banking password again, giving you some excuse as to why you have to log in again
• The malicious code sends your password to a 3rd party who uses it or sells it to someone who will

How can this happen?

I won’t go into the technical explanation, suffice it to say that most browsers will trust and run code under certain conditions, and hackers have discovered how to exploit those conditions.

It works because it knows what banks to look for and won’t do anything until you log into your internet banking. So to a casual person it sounds plausible that they need your password again.

What can be done to prevent this?

• When you use internet banking close all the other tabs you might have open. Just keep the internet banking page open by itself.
• If you get a popup window to enter your password again you need to decide if the popup window is really from your bank.

• Does it look the same as your normal login screen?
• Is there a good reason why you have to enter your details again? (e.g. if you don’t use the internet banking page for 10 minutes it might time out, but otherwise it shouldn’t have timed out)
• Does it have the SSL icon? This is often a padlock icon on the top right corner, if you click on it it should identify your bank.

The makers of web browsers (Microsoft, Mozilla, Google, etc) need to address this issue. When they do it’s up to you to update your browser to the latest version. Then this particular problem will go away.

Below is a press release from a banking security company offering more information on this type of attack.

http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf

Anti-Malware Toolkit is a package produced by Lunarsoft. It helps you download 37 different tools you can use to protect your PC from all kinds of malware. A few of the tools it can install are quite useful, such as:

Spyware Blaster, CCleaner, RogueRemover, SUPERAntiSpyware, Malwarebytes, Spybot, Hijack This

I’d recommend this to more experienced PC users. General users are better off investing in commercial products, such as Trend Internet Security (there are a few good packages out there, Trend is just one). I say this because commercial products do most of the thinking for you and for a lot of people security is better this way.

The Anti-Malware toolkit can be downloaded from Lunarsoft’s site: http://www.lunarsoft.net/downloads

Note that it’s for Windows computers only.

A keylogger is a small program that sits on your PC quietly capturing each key you press on your keyboard. It either logs each keystroke to a file, or sends it off somewhere on the internet.

It’s used to spy on people. By capturing keystrokes your login and password can be revealed, as well as other confidential information. And usually they’re what’s known as “stealthy” programs – most of the time you wouldn’t know it’s there.

Where do they come from?

There are quite a few keyloggers available. Most are written by hackers (the bad kind). A few are written by commercial software companies (more on that below). 

Are they legal?

Usually no. They’re used as spyware to capture your passwords which is illegal in most places.

How can you detect them?

Use a good anti-spyware program. Most antivirus packages come with this feature these days, others are available separately. There are free ones too. Search Google for current a list.

But there’s another kind of keylogger that you can’t detect this way. You can buy a little plastic device that plugs in between your keyboard and your PC. Since it’s directly connected to the cable hanging off your keyboard it can detect every key stroke and record it. Someone has to have physical access to your PC to install it (and to later remove it). You need to look at the back of your PC where the kayboard plugs in to detect it. Search here for a list of these devices.

News

Recently a US court has looked at a commercial keylogging company called CyberSpy and decided it’s illegal. They’ve ordered CyberSpy to stop selling their software (called RemoteSpy). Unfortunately there are too many alternatives for people keen on spying and stealing passwords. More on this here.

Here’s an interesting use of technology to copy someone’s keys (the metal kind that opens doors). It works with someone taking a hi res photo of your keys, then enhancing the image enough to make a template for someone to cut a copy of a the key.

What kind of photos will work?

Useful photos can be found on photo sharing web sites (such as Facebook or Flickr). This is a passive way for someone to find an image of your keys.

Another tactic is for someone to target you with a camera phone, taking photos of your keys while you hold them. Or with a camera and a telescopic lens, from 200 feet away as the article below suggests.

This isn’t really a new trick, but the software to do all the hard work is new. Technology like this only gets better so it’s time to learn how to protect yourself.

Some tips:

• If you upload photos showing your keys then take the time to blur the keys first. This is similar to how you would blur your car number plate, or a credit card
• Don’t display any keys in public. It wouldn’t be hard to obscure them with your hands
• If you have a choice (such as when purchasing a car) opt for something that uses RFID chips embedded in the keys (many cars have this these days)

Read more about the technique here, and read the full paper here.

Tuesdays are when Microsoft publishes patches to their software, and today they’ve published quite a few (if you use Windows then you should be installing the patches today). 

However today there’s a malicious email being sent around that looks like it came from Microsoft (it’s actually fake). The email tells people about the patches and has a file attached. 

The attachment isn’t really a Microsoft update, it’s actually a trojan that installs something on your PC that lets hackers log into it, without you ever finding out. You really don’t want this kind of thing installed on your PC.

The email has a few features designed to convince people that it’s genuine, such as a PGP signature at the end, and the fake sender address.

The subject of the email is:

Security Update for OS Microsoft Windows

If you see this just delete it. You should also have a good spam filter for your inbox – email services such as Gmail do a good job of this. For businesses it’s a little more complicated and even more important. You should also invest in a good antivirus package, one that checks everything and downloads updates at least once a day.

And remember to never trust attachments you unexpectadly receive(you didn’t ask Microsoft to send you an attachment, so why would they really do this?)

A rather serious exploit has recently been discovered.

It’s called ClickJacking. The problem is in Adobe’s Flash player, which just about everyone in the world has installed (sometimes without even knowing it). 

The vulnerability makes it possible for someone to control your computer’s webcam or microphone, lettting other people spy on you. It’s a serious problem.

Who’s at risk?

Anyone who has Flash version 9.0.124.0 or earlier is at risk. This includes Windows, Mac, and Linux users, and FireFox, IE, Safari, Chrome, and Opera users (does this list include you?)

What can you do to protect yourself?

Adobe is publishing a fix very soon and the best thing to do is to upgrade to the latest version of  Flash. Flash should prompt you to download an update – say yes to this. Otherwise download the latest version from Adobe’s web site.

If for some reason you can’t update Flash on your PC there’s another way to protect yourself (this is a last resort tactic, updating Flash is much safer). The workaround is to set the Always Deny option, as detailed here on Adobe’s site.

Further info:

Someone has gone to the trouble of setting up a sample of how the exploit works and recorded a video to demonstrate. Play the YouTube video in this article.

Here’s what happens when you don’t take proactive steps to secure your wireless router (or wireless network). Recently there were a series terrorist bomb attacks in India, and threat emails were sent by the terrorists. 

The source of the emails were traced and they came from the home of an innocent family in Mumbai (India). The terrorists had used their unsecure wireless network to gain access to the internet and do their thing. The residents said,

“We did not feel the need to secure or password-protect our internet connection. But now it has become a necessity for all citizens to secure their connections”

This stuff really happens, read the full article here.

So how do you secure your wireless router? What other consequences can you face for leaving it unsecure? Read our previous article. In fact, use the search box on the top right of this site and search for “wireless” – there’s a lot to learn about wireless security at home and in the office.

Keep in mind that when you buy new (or old) wireless equipment such as a wireless router, the security settings are almost always set to the most insecure options. That’s crazy, but manufacturers think that turning on security by default makes it too hard for people to install these things. Maybe, but most people are lazy and don’t turn on the security features, putting them at risk of being hacked or involved in serious crime.

A lot of web sites these days have a question & answer system as a backup to your password. The idea is that if you forget your password you’ll be prompted to answer a private question.  Assuming you’re the only one who knows the answer to this private question it’ll give you a password to log into the website.

It’s really a second password in case you forget the main password. And it’s not very secure. Let’s look at why.

Your web site password could be anything. If you use a common word then there’s approx 1 in 100,000 chance of someone guessing it (this is actually pretty poor). If  you make up a password that couldn’t possibly exist in the dictionary, e.g. by adding a random number at the end, misspelling words, etc, then the chances of guessing the password are much lower, one in millions or billions. This is good.

Now if you have to provide the name of your pet, school, or mother’s name as a password, the choices are very limited. There aren’t billions of popular pet names, there’s only a handful.

For someone to guess the answer to this question is much easier than guessing a real password. And if someone was to do a little research on you it could be possible to find this out. 

My suggestion is that you don’t use these password recovery options. When signing up to a service and you’re prompted to enter some personal details, enter random characters instead. Go crazy bashing keys on the keyboard, use something like iojxcnmvaioasflseqq. The idea is that no one could possibly guess the answer, including yourself. Then write down your real password and keep it safe.

I’d also like to add a bit about someone that recently had her private question (backup password) guessed by a random stranger.

Her name is Sarah Palin. Someone wanted to read Sarah’s Yahoo email and instead of trying to guess a password they just tried guessing a private question, and got in. This was recently publicised. It isn’t really hacking, someone just did some research and guessed correctly.

The results were disastrous – Sarah Palin is a US governor hoping to be a vice president, and there were sensitive documents in her emails that were then leaked to the internet. 

There’s a lesson here for everyone, including web site developers. Don’t use these private password questions, it’s the weakest link into web services.

Everyone’s talking about Google Chrome today. It’s a new web browser much like IE, FireFox, Opera and Safari. Here are some things you should know about its security.

• It’s still in "beta", meaning they’re still testing it. It’s an unfinished product. There will be bugs to be found, including security bugs.
• There’s a debate going on about Google’s intentions on releasing a free browser. It seems Google will be collecting some information from some users on their browsing habits. It’s an opt-in service so there isn’t anything sneaking going on, and it can be turned off. But it still makes some people uncomfortable.
• Chrome has a private mode called "Incognito". Some other browsers also have this feature. It’s a good thing. It puts you in control over which web sites save information on your computer and which don’t.
• It uses a new programming model putting each page in its own process. This should make everything safer, but it’s new and time will tell how secure it really is.

And did I mention it’s in beta and security bugs will no doubt be found soon?

I suggest that as soon as Google are comfortable with the performance of this new product it’ll be a good alternative to Internet Explorer.

In December last year I wrote about Germany’s police wanting to install spyware on people’s computers when they deem it necessary. The legislation has now been approved, at least  in the German state of Bavaria.

What this means to you:

If you live in Bavaria, either as a resident or as a visitor, keep in mind that authorities can now legally install spyware on any computer you use if they suspect you of being a terrorist, or posing other serious criminal threats. This sounds fairly general and could apply to a lot of situations.

If the police can’t install spyware on your computer remotely they also have the authority to enter your premises and install the spyware directly onto any computers you use.

No judicial warrants are required.

So if you have any data you wish to keep private (assuming you have a perfectly legitimate reason to do so) you’ll have to start being creative. You could take your business elsewhere, be paranoid about what computer or operating systems you use (hint: popular systems are usually easier targets), and keep informed on the latest computer spying and hacking techniques.

This article’s aim is to raise awareness that governments can and do spy on people’s computers.

More information here.

Skype has issued a warning that people have been receiving emails that appear to be from Skype. When a user clicks on a link in the email, they’re taken to a login page that looks like Skype’s website (but in fact it’s operated by someone else). When you enter your username and password, they’re sent to someone who will then use them for some malicious purpose.

How can you tell a real Skype login page from a fake one?

According to Skype the only page that they will ask you for login details is:

https://secure.skype.com/…(anything else is ok here)…

If you’re about to enter your Skype details into a website that doesn’t exactly match the above then it’s probably fake. What if it’s just a few letters different? What if the dot’s in the wrong place?

The part after the // and before the first / needs to be an exact match. I’ve made this bold just to make it as clear as possible. The part at the end is ok.

Below is a copy of one of these Skype phishing emails. I’ve copied the contents here to help Google index this page. When you receive suspicious emails it’s a good idea to copy and paste a few lines into Google. You’ll soon be able to tell if it’s a known fake email or real.

Account blocked

Hello!

We have to notice that your account is suspended because Skype major Terms are being changed.
To re-activate your account you need to agree with the new Terms here:

Follow this link to re-activate: ACTIVATE

after that, your account will be automatically re-activated.

Thank You!

Skype Administration

The word ACTIVATE has a link that goes to the fake Skype login page. In most email clients, if you hold the mouse pointer over the link you can see the real destination. If it’s not like the one shown at the top of this article then it’s fake. See this screenshot of the fake one:

Yahoo owns some technology called DomainKeys that can verify the sender of some emails. One thing it can do is recognise real and fake emails from eBay and PayPal. This is good because quite a few phishing emails claim to be from eBay or PayPal, intended to trick people into providing their login details.

Google has just implemented the technology for Gmail. So if safe email is of concern to you, your best bets are to use either Yahoo or Gmail for your emailing.

More technical information here.

Gmail has a new security feature. If you log into Gmail more than once (at the same time) it now tells you. Then it’s up to you to decide if you did this intentionally or if someone has stolen your account details.

At the bottom of your inbox is a summary of the last activity and whether it’s open from another location. Then clicking on the Details link shows more details on all your connections.

Like any other thing on the internet that can be downloaded, e-books present their own risks.

If you need to download an unknown program or plugin to access the e-book then consider if it’s really necessary. Sometimes things you download carry malicious code which often ends up installing spyware on your computer.

One such example is a browser plug-in from bitroad.net. It promises to help download free e-books. In the background it installs malware.

E-books represent a large shift in technology for distributing media. Formats will continue to change, new tools will continue to be developed, and new opportunities will be found to distribute malware on the side.

So always take care what you download or install (in general, the less you install on a computer the better it’ll work). And invest in a good anti-virus package that also scans for spyware.

There is an email being circulated that warns people on the dangers of plastic containers. It provides a pseudo-scientific explanation on how plastic containers can cause cancer, and references some medical sources.

It’s a hoax. People start these emails for fun just to see it forwarded to millions of people. There’s no financial gain to be made from these hoaxes, no harm done either. And to you this should be an important reminder not to believe everything you read on the internet.

Here is some of the text from the email (to help Google index this page and to help more people find this article):

Dear Friends, Gentle reminder, is never to late to change our bad habits of having everything fast. Avoid warming food in microwave using plastic containers. This may endangers your lives.

Cancer Update please see below ! Hopkins
This information is being circulated at Walter Reed Army Medical Center as well.
Please circulate to all you know; Cancer update
Johns Hopkins – Cancer News from Johns Hopkins

No plastic containers in micro
No water bottles in freezer
No plastic wrap in microwave…

A dioxin chemical causes cancer, especially breast cancer.

Dioxins are highly poisonous to the cells of our bodies. Don’t freeze your plastic bottles with water in them as this releases dioxins from the plastic.

Recently, Edward Fujimoto, Wellness Program Manager at Castle Hospital , was on a TV program to explain this health hazard. He talked about dioxins and how bad they are for us.

He said that we should not be heating our food in the microwave using plastic containers..

This especially applies to foods that contain fat.

He said that the combination of fat, high heat, and plastics releases dioxin into the food and ultimately into the cells of the body…

Instead, he recommends using glass, such as Corning Ware, Pyrex or ceramic containers for heating food… You get the same results, only without the dioxin. So such things as TV dinners, instant ramen and soups, etc., should be removed from the container and heated in something else

Paper isn’t bad but you don’t know what is in the paper. It’s just safer to use tempered glass, Corning Ware, etc.

He reminded us that a while ago, some of the fast food restaurants moved away from the foam containers to paper. The dioxin problem is one of the reasons

Also, he pointed out that plastic wrap, such as Saran, is just as dangerous when placed over foods to be cooked in the microwave. As the food is nuked, the high heat causes poisonous toxins to actually melt out of the plastic wrap and drip into the food.

Cover food with a paper towel instead.

—

Now onto the explanation about this hoax:

At the beginning of the hoax email it states that this research comes from John Hopkins. John Hopkins Bloomberg School of Public Health is a medical school in USA. They have nothing to do with this email or the information contained within it. In fact they’ve published a statement that says,

These messages, frequently titled “Johns Hopkins Cancer News” or “Johns Hopkins Cancer Update,” are falsely attributed to Johns Hopkins and we do not endorse their content.

Freezing water does not cause the release of chemicals from plastic bottles.

Read the full notice here. And in case you’re still thinking “what if the email is right, what if…”, John Hopkins Bloomberg School of Publish Health also adds:

This is an urban legend. There are no dioxins in plastics. In addition, freezing actually works against the release of chemicals. Chemicals do not diffuse as readily in cold temperatures, which would limit chemical release if there were dioxins in plastic, and we don’t think there are.

Read the rest of this quote, and much more scientific information about why this is a hoax, here. Note that microwaving some types of plastics can be hazardous, read the medical article for accurate information. The above Q&A was published in 2004. This hoax email has been going since 2002.

So the next time you receive one of these emails, instead of forwarding it to 10 people thinking you’re doing them and yourself a favour, let the sender know it’s a hoax and refer them to this article for reference.

Recruitment companies receive a lot of resumes in Word format, as you’d expect. But it seems that there’s a growing trend of these Word files being infected with some type of malware. Often there is automated software at recruitment companies to forward the resumes to their clients without scanning them for malware.

Hackers have caught onto this and are targeting these companies. They’ve been sending resumes (probably not their own) with backdoor trojans embedded in the document. This gives them a chance to gain access to these networks.

If your work involves receiving many Word documents from the general public put in place a plan to screen these for known malware, and to limit the damage they can do if a new (unknown) trojan gets through. Most security specialists can help with this.

Phishing emails are very common these days. Below is a common phishing email from a local bank. Keep in mind that the same technique is used with most banks these days. Spelling and grammatical mistakes usually give them away (although this example is pretty good), and read the end of this article for the best ways to tell a phishing email from the real thing.

An email arrives with a topic “Verify Your Phone Number“. Emails asking people to verify something can be eye catching, and add a sense of urgency. Below are the contents of the email:

Dear customer!

St.George Bank Limited is constantly working to improve the account security of our customers. In order, to ensure the integrity and security of our online banking system, we periodically review accounts. We were unable to contact you by phone during the last check, so please verify the information at your account file and make sure it is right.

Please, verify your account information by following the link.
Click here for verification: https://ibank.stgeorge.com.au/verify/

The next verification will be done soon, invalid account information will result in your account being placed to restricted status.

Customer Service
St.George Bank Limited
http://stgeorge.com.au/

Some things you should keep in mind:

• Banks shouldn’t be trying to contact you by email (although sadly some still do)
• Banks rarely need to verify anything
• The links in the email are false

What would happen if you clicked on the links provided in the email? They look geuine enough.

In most email clients when you put the mouse pointer over the link and wait a second, you’ll see the real link. That’s right, the way email works is someone can display a link that looks like a bank site’s address but in fact it can go somewhere completely different. Maybe the technology behind emails should be changed to make this impossible.

In this case the links point to a site called stgeorgeverify dot com. Again this might fool some people because it has the bank’s name in the address, but it’s not the bank’s address. It’s a phishing site designed to let customers type in their bank details so that scammers can sell the information on the black market (and eventually so that money can be stolen from bank accounts).

There’s very little regulation in domain names (web addresses). It’s easy for someone to register a domain name that looks like a bank’s site. Even if it has one additional or different letter it’s enough for anyone to register. And when someone registers a new domain name they can make it do whatever they like. Technically it’s a new site (even though the name looks similar to a legitimate site).

So when you receive emails from important organisations, such as from your bank, don’t ever click on the links. Go to the bank’s web site by typing its address into a web browser. Because the links in emails can be misleading.

For further reading see our article on how domain names work, and another detailed example of phishing.

How much money do you think Australians send to Nigerians because of the old Nigerian 419 scam? (Keep in mind that Australia has a small population of 21 million)

The answer is millions of dollars.

This very interesting interview with the head of the Queensland Police Corporate Crime Investigation Group (what a long title) discusses these scams and provides some interesting details.

People who fall for these scams often don’t report it, and in many cases repeatedly fall for these scams. Watch the video, discuss it with your friends, family and colleagues, and help raise awareness of this particular kind of scam. You can also read this article on how Nigerian scams work.

Link to video.

An interesting study on orphaned accounts has found some serious security holes.

An orphaned account is when someone leaves an organisation and their network account remains active, instead of being disabled (locked). In a lot of cases those people who have left could still log onto their previous employer’s network and access files and services.

The study found that 27 percent of people reported that they had more than 20 orphaned accounts on their system. If everyone did their job well ideally it would be 0.

38 percent of people said they had no way of knowing if a terminated employee had logged into their system. Security auditing is very important and not very difficult, without it IT managers won’t know who’s doing what on their network.

In other words, in about 27% of companies if someone left they could still log in from home, copy files, send emails, and otherwise use the system the same as when they were officially employed. And in 38% of cases nobody would ever find out.

So how long should it take to terminate an account? Accounts should be disabled at the end of the employee’s last day and not a moment later. In some companies there’s so much bureaucratic admin that, according to the above article, it ends up taking 3 days to a month to do this. Shocking.

It’ an organisation it should be everybody’s responsibility to protect the network and all private data. If your organisation is slacking in this area say something about it.

An Australian security organisation called AusCERT has conducted a survey and come up with the following results. I’ve added my own comments on the right.

The full survey results have been published here. It’s an interesting read, especially seeing the reasons why some people don’t use anti-virus and anti-spyware software.