Category Archives: General

Can Twittering Help Thieves?

A business owner in the USA had been twittering about his upcoming holiday, and provided further updates once he’d left home for it. Then his home was burgled. Was it chance, or did someone learn via Twitter that the house would be empty?

It’s not possible to know but it certainly raises awareness about how safe it is to tell strangers about your travel plans. And this doesn’t just apply to Twitter, but to any social site where you’re giving personal information to strangers.

Read the full article here.

Wireless Keyboards

Would you be comfortable knowing that people can “listen in” to your wireless keyboard and watch what you type? It would be a great way to capture passwords, and that’s not a good thing.

I’ve written about how vulnerable wireless keyboards are. It used to take a lot of skill to hack into a wireless keyboard but now someone’s made it so much simpler. Here are instructions on how to build a wireless keyboard hacking device, complete with the software necessary. This model only works with 27MHz keyboards, which are the older and cheaper kind. It’s quite easy to build this device and to use it.

With a good enough aerial this type of hack could be done from your neighbouring unit, house or office, or probably from a vehicle parked outside. You won’t know your wireless keyboard’s been hacked.

More modern and expensive keyboards can also be hacked, even those that have stickers on them saying how secure they are. But they take a bit more effort and skill.

I don’t believe in using wireless keyboards; they’re not secure. If you’re using one, it only costs $10 or so to upgrade to a wired one.

Change Your Password Day

Today is “Change Your Password Day” in Australia, an initiative of National E-security Awareness Week.

Whether you live in Australia or anywhere else in the world, changing your password is always a good idea. Below are some do’s and don’ts for passwords:

  • Do use numbers in the password
  • Do make it difficult to guess
  • Do make up words, or misspell words
  • Do make it at least 8 characters

 

  • Don’t put a “1” at the end of the password, this is too common
  • Don’t use a word that you could find in a dictionary
  • Don’t use the same password on every site. Web sites you use every day (e.g. Facebook, email) should always have a unique password; they’re more at risk.
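The do’s and don’ts above can be turned into a simple checker. The following is an added example, not code from the original post or from any password meter it links to; the short word list is a constructed stand-in for a real dictionary, and the site-to-password mapping used for the reuse check is an assumed input format.

```python
"""Check a password against the do's and don'ts listed above.

Added example (not from the original post). COMMON_WORDS is a tiny
constructed word list; a real checker would load a full dictionary.
"""
import re
from typing import Dict, List

# Constructed sample dictionary; a real check would use a full word list.
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "sunshine", "letmein"}

REDIRECT_FREE = None  # placeholder to keep module attributes explicit


def check_password(password: str) -> List[str]:
    """Return the rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("contains no digit")
    if password.endswith("1"):
        problems.append("ends with '1' (too common)")
    # Strip digits and punctuation so 'monkey99!' is still caught as 'monkey'
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def is_strong(password: str) -> bool:
    """True when no rule is broken."""
    return not check_password(password)


def reused_sites(site_passwords: Dict[str, str]) -> List[str]:
    """Given {site: password}, return the sites sharing a password with another site."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in site_passwords.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(s for sites in by_password.values() if len(sites) > 1 for s in sites)


if __name__ == "__main__":
    for candidate in ("monkey1", "sunshine99", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate) or "OK")
    print(reused_sites({"facebook": "hunter22x", "email": "other9pw", "forum": "hunter22x"}))
```

The dictionary check lowercases the password and strips everything except letters first, so appending a digit or a symbol to a common word does not let it through; the length and digit checks still run on the original string.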

To help you work out if your password is good you could try using a password meter. Click here for more information.

And you can use a password safe to keep track of all your complicated passwords. Click here for more information on password safes.

What are your suggestions for choosing strong passwords? Add your comments below and I’ll put them all together in a new article dedicated to choosing good passwords.

Web Sites That Ask For Your Other Passwords

Social web sites are all the rage these days, such as Facebook, MySpace, Twitter, and there are hundreds of less popular ones as well. The idea with them is that all your friends and family can join and you can share aspects of your life such as photos and comments.

Often these same sites will ask for other passwords, in an effort to help you find more of your friends and family. For example, when you sign up to Badoo.com it asks you for your MSN username and password. They do this so they can log into MSN with your account, get a list of your contacts, and invite them to join Badoo. Facebook can do this too, only on a grander scale.

It’s good in theory but there are some large risks involved. When you sign up and are prompted to enter your MSN details (or any other account), consider these questions:

  • Who runs Badoo? Is it some guy sitting at home with no one to answer to?
  • Do you trust the company (such as Badoo) and all of their employees?
  • What is their privacy policy? Who are they accountable to if they breach their privacy policy?
  • Do they store your MSN password? (You have no way of knowing this for sure)
  • Have their servers been hacked and is someone else also capturing your password? (Again you have no way of knowing this, web sites get hacked every day)

You can see where this is leading. If you enter your other passwords into someone’s web site you’ve lost control and put yourself at some risk.

So when you sign up to a new site and it asks you for other passwords you already have, your initial reaction should be to refuse. Then consider if the benefits of doing so are worth the risk.

I’d like to thank our regular reader Nick for bringing this issue up.

Twitter Phishing: #twitterpornnames

Twitter is the biggest internet craze since Facebook; there are currently an estimated 6 million people using it.

A few days ago Twitter users were asked to take part in a “game” called #twitterpornnames. How does it work? You’re supposed to announce a made-up name along with the hash tag and share it. The formula provided to create your name just happens to match some very common security questions to help people reset their passwords. Pet’s name. First teacher. Street you grew up on.

So when people started participating they were in fact sharing the same information used by web sites to reset passwords. It’s called social engineering. It tricked people into revealing sensitive information. And the nature of Twitter is that people share information and click on links without much thought (is this a Gen-Y thing?)

If you use Twitter and see this sort of “game” going around, don’t share private, sensitive data so easily. This same data can be used to hack into your accounts.

Can Malware Damage Your PC?

We all know that malware can steal your passwords, cause you to lose money, and spread itself to other PCs. But can malware actually cause damage to your PC?

The short answer is yes.

A botnet is a collection of infected PCs under a hacker’s control. There are millions of PCs today forming these botnets (millions of infected home computers being controlled by hackers). Some new research on botnets shows that they sometimes include code to completely disable the PC.

In April 2009 a malicious hacker decided to “kill” the PCs he was controlling using a botnet. It disabled Windows on 100,000 computers, making all those PCs useless until a technician could repair them. (This is a slight simplification, but for the general public it’s accurate enough.) These 100,000 computers belonged to real people using their computers at home or at the office. One day they just stopped working because a malicious hacker thought it’d be fun. You can read more detailed information about this here.

And then there is other malware (viruses etc.) that can damage the PC in more serious ways. In March 2009 researchers created a sample malware that writes itself to the computer’s BIOS (the BIOS is inside a chip inside the PC). Reformatting the PC won’t remove it, buying a new hard drive won’t remove it either, and they claim that even a “BIOS flash” won’t remove it. You’d have to buy a new PC (or, if you’re technical, a new motherboard) to fix it. More info here.

In the past there have been viruses that could damage drives and monitors but there’s been very little of this lately.

So overall malware can cause your PC to visit a repair shop for servicing, which is not only an inconvenience but also costly. It’s always better to prevent malware than to repair the damage (and often you may not know a PC is infected). And the usual tips apply here:

  • Use a good anti-virus package, the kind that updates itself several times a day and scans web pages as well as files. They’re not expensive.
  • Always patch and update your programs, including your operating system (Windows, Linux, Mac OS X).
  • Never assume it can’t happen to you or that your computer is somehow better than others.
  • Use one of the newer browsers such as Firefox, Chrome, or Opera. Read about browser hacking here.
  • Don’t download programs from hacker sites such as password generators (they’re usually infected with malware).
  • Don’t be tricked into installing something to watch a funny video. If your computer can’t play the video as it is then it’s probably not worth watching. Read more about it here.
  • Don’t be tricked by fake anti-virus programs. Examples here.
  • And backup your files. Do this often.

Baiting Nigerian Scammers

I don’t recommend this, I just want to share what others are doing and raise awareness of the problem in general.

Nigerian scams are emails (or letters) telling you that some random stranger in Nigeria wants to give you a very large sum of money, and they need your help (and your money) to make it happen.

And some people are starting a trend of baiting the scammers, making them waste time and giving them misleading information, just for amusement. It’s a vigilante action fraught with real danger, which is why I don’t recommend it. But it’s certainly interesting to read about.

Click here for the full article.

Ghostnet – Cyber Espionage

Ghostnet is the name given to some malware that’s been spreading around the world recently. This sort of thing happens every day, but what’s different about Ghostnet is that it has mainly targeted political offices.

This can’t be an accident or coincidence. So far 1,300 computers have been found to be infected with Ghostnet (not many), including the computer used by the Dalai Lama, a NATO computer, computers in the embassies of India, South Korea, Indonesia, Romania, Thailand and many other government offices around the world. These were clearly targeted.

What does Ghostnet do? Researchers have found that it can turn on the camera and microphone on computers that have one, allowing people to spy on a room (or office). Can malware really do things like that? Yes, malware can do anything on a PC; that’s why it’s important to protect your PC.

Who’s behind Ghostnet? Researchers have directly accused the Chinese of operating it.

How do you get it? So far it seems people are tricked into downloading a file that infects the PC. Specific people are targeted and asked to download the file. This is called social engineering. And because they only targeted a small number of people it takes a long time for anti-virus companies to find out about it and to update their anti-virus programs.

What is TinyURL and how does it affect internet security?

TinyURL is a web redirection service. Its main purpose in life is to make long URLs short (a URL is a web “address”). Here’s an example:

Sometimes you end up with a long URL such as: http://fraudo.com/2009/03/19/does-windows-safe-mode-protect-you-from-malware/

TinyURL can shorten this address for you. Try clicking on the following address: http://tinyurl.com/dfwohy

You’ll notice it takes you to the same page as the first link, but it’s much shorter to write. And why would someone want a short URL? Marketing people would argue that short URLs are easier on the eyes. And sometimes there are technical reasons – for example, Twitter only supports short messages so it’s normal to shorten URLs.

So what’s the risk?

If you receive an email from some company telling you to click on their link, and you notice their link goes to a Chinese or Russian web site, you’ll be suspicious and you won’t click on it. And if you have a good anti-virus package installed it can check the links and warn you before you click on them.

However, if the email’s links point to TinyURL you have no way of knowing if it’s legitimate (actually there is a way, keep reading). Maybe it goes to the company’s real site, maybe it goes to a hacker’s. You won’t know until you click (and usually once you click it’s too late).

Do legitimate companies really use TinyURL? Unfortunately yes. Marketing people write these newsletters, not their IT security people.

What about Twitter? Almost everyone on Twitter uses a service such as TinyURL to shorten addresses they share. When you click on these you’re taking a chance.

TinyURL isn’t the only redirection service. Here’s a list of the popular ones:

  • tinyurl.com
  • bit.ly
  • budurl.com
  • eweri.com
  • hex.io
  • idek.net
  • is.gd
  • poprl.com
  • snipr.com
  • twurl.nl
  • ub0.cc

Notice how many there are? Shortening URLs has become a popular thing to do. Also notice that international domain names are popular here, such as .io and .ly.

So what can you do?

  • Use a good web browser. In a recent hacking competition Google’s Chrome was not hacked, showing that at the moment it’s a good choice.
  • Use a good anti-virus package that also scans web pages.
  • Be cautious of shortened URLs; realise that you’ll be redirected to a different place.
  • You could ask companies such as TinyURL to scan all their links but that’s not going to happen, they don’t see it as their job.
  • You could boycott all shortened URLs. That’s easier said than done and it’s not very realistic.
  • And finally, the best way to protect yourself from this is also the most troublesome, so I’ve left it to last. Services such as TinyURL do give you a tool to test a link before you click on it.

TinyURL’s Preview Feature:

TinyURL has a preview feature. It’s a good security decision to turn it on. It’s an inconvenience if you enjoy clicking on unknown links but it’s a smart move. Click here to turn on their Preview feature: http://tinyurl.com/preview.php?enable=1

Then when you click on an unknown TinyURL link, it will show you where you’re about to go. You still have to be careful about weird Chinese and Russian sites that might be hacked but at least you’ll have enough information to make that decision.

It’s not a foolproof system though. Even if you’ve enabled Preview there might be times where it doesn’t work. That’s just the way computers work; it’s technically complicated. And enabling Preview on TinyURL doesn’t help you with all the other services I listed above. There are just too many of them at the moment.
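The preview idea works for every shortener, not just TinyURL, if you resolve the redirect yourself. The following is an added example, not code from the original post or from TinyURL: it recognises the shortening services listed above and follows HTTP redirects by reading only the Location header, never the page body, so nothing from the destination is rendered. The `sample_fetch` response table is constructed so the logic runs offline; `http_head` is the real fetcher, which uses only the standard library.

```python
"""Preview where a shortened URL leads before visiting it.

Added example, not from the original post or from TinyURL. Redirects are
followed by reading the Location header only; the destination page is
never downloaded. SAMPLE_RESPONSES is a constructed table for offline use.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Shortening services named in the post.
SHORTENERS = {"tinyurl.com", "bit.ly", "budurl.com", "eweri.com", "hex.io",
              "idek.net", "is.gd", "poprl.com", "snipr.com", "twurl.nl", "ub0.cc"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# A fetcher issues a HEAD request and returns (status code, Location header or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def is_shortened(url: str) -> bool:
    """True when the URL's host is one of the known shortening services."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENERS or (host.startswith("www.") and host[4:] in SHORTENERS)


def preview(url: str, fetch: Fetcher, max_hops: int = 5) -> Tuple[List[str], bool]:
    """Return (redirect chain, resolved).

    resolved is False when max_hops was exhausted (a redirect loop or a very
    long chain), in which case the final destination is unknown and the link
    should be treated with the same suspicion as an unpreviewed one.
    """
    chain = [url]
    resolved = False
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            resolved = True
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain, resolved


def http_head(url: str) -> Tuple[int, Optional[str]]:
    """Real fetcher: HEAD request with automatic redirects disabled."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError on 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as response:
            return response.status, response.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed responses for offline use; the first entry mirrors the post's example.
SAMPLE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "http://tinyurl.com/dfwohy": (301, "http://fraudo.com/2009/03/19/does-windows-safe-mode-protect-you-from-malware/"),
    "http://is.gd/loop1": (302, "http://bit.ly/loop2"),
    "http://bit.ly/loop2": (302, "http://is.gd/loop1"),
}


def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher backed by SAMPLE_RESPONSES; unknown URLs answer 200."""
    return SAMPLE_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    for link in ("http://tinyurl.com/dfwohy", "http://is.gd/loop1"):
        chain, ok = preview(link, sample_fetch, max_hops=3)
        print(" -> ".join(chain), "(resolved)" if ok else "(unresolved: loop or too deep)")
```

For a real link, call `preview(link, http_head)` and look at the last element of the chain; the hop limit matters because two shorteners pointing at each other would otherwise never terminate.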

If you’ve read this far you’ve done well. Being aware of the dangers gets you half way to being secure.


Update (19 July 2011):

Google has a new URL shortening service called g.co. For now their plan is to use it for official Google sites and applications, so shortened URLs beginning with g.co should be considered safe and legitimate for now.