There’s an interesting news article here about someone who stole 130 million credit card numbers and was later arrested for it. The interesting points are:

• 130 million is a large number. How many people like in your city? Or country? He operated in the USA, and I don’t have any stats on how many credit cards there are in USA but it’d be somewhere around half of all credit cards. The more you think about this the less secure you’ll feel about your own credit card number.
• All this data was sold to hackers in various cities countries (California, Illinois, Latvia, the Netherlands and Ukraine). So even though he was arrested the data’s been compromised already.
• There’s nothing you or I could have done to protect ourselves from people like this. He stole the numbers from businesses (such as restaurants) that store the numbers on their databases, not from people’s home computers.
• He wasn’t a sophisticated hacker, he just looked for businesses with wireless networks and weak security (read here on how to secure a wireless network the right way) and installed malware to do the work.

Businesses should be doing more to keep their data safe. A lot of the time they just don’t have the skills or budget to spend on network security (especially non-technology businesses such as restaurants). Yet there’s a moral obligation to do so. What can we do about that?

You should also be watching your own credit card accounts regularly.  Internet banking makes it easy to check your account details every couple of nights from home. By doing so you’ll notice compromised accounts early and can get the card cancelled. Just make sure your computer is safe when you log onto internet banking sites (read here and here for some good tips).

The full article on this incident is here. It’s a bit long but an interesting read.

A lot of people are talking about Barack Obama, it seems to be a big news topic right now. Scammers have taken advantage of the media hype and have started publishing fake news sites.

These fake news sites are designed to get your attention and to go to their web page. Their web page then attempts to install malware on your PC.

Some of the fake headlines include:

• Barack Obama has refused to be a president
• Haven’t you heard latest news about our president-elect?
• Barack Obama abandoned sinking ship
• Obama doesn’t wany [sic] anymore to be a president

These fake sites have a professional look and feel. If you don’t have a good anti virus package installed it’s very likely your PC will become infected and you won’t know about it. The infection forms part of a botnet, meaning it’s under the control of someone else and will be used to commit online crimes.

So be cautious about these fake news articles. It’s highly unlikely that Obama has changed his mind at this stage. Use a good anti virus package that also scans web sites. And don’t use Internet Explorer, start using one of the popular alternative browsers such as FireFox, Opera, Chrome, and Safari.

Whenever something big happens in the news there are people that will always take advantage with made-up sensational headlines, designed to trick you into opening their web pages.

Here’s an interesting use of technology to copy someone’s keys (the metal kind that opens doors). It works with someone taking a hi res photo of your keys, then enhancing the image enough to make a template for someone to cut a copy of a the key.

What kind of photos will work?

Useful photos can be found on photo sharing web sites (such as Facebook or Flickr). This is a passive way for someone to find an image of your keys.

Another tactic is for someone to target you with a camera phone, taking photos of your keys while you hold them. Or with a camera and a telescopic lens, from 200 feet away as the article below suggests.

This isn’t really a new trick, but the software to do all the hard work is new. Technology like this only gets better so it’s time to learn how to protect yourself.

Some tips:

• If you upload photos showing your keys then take the time to blur the keys first. This is similar to how you would blur your car number plate, or a credit card
• Don’t display any keys in public. It wouldn’t be hard to obscure them with your hands
• If you have a choice (such as when purchasing a car) opt for something that uses RFID chips embedded in the keys (many cars have this these days)

Read more about the technique here, and read the full paper here.

There was a media announcement recently from a Russian company called Elcomsoft claiming to be able to crack WPA encryption. What’s this about and how does it affect you?

WPA is the preferred encryption for wireless networks, the kind you probably have at home or in the office. Here’s a quick recap of where WPA fits in:

• WEP – the old wireless security option. This is useless, it provides no real security.
• WPA – this replaced WEP. Some old devices didn’t support it but most new ones do. WPA is good, highly recommended.
• WPA2 – this is better than WPA

So what did Elcomsoft do?
They developed a way to speed up the time it takes to crack WPA and  WPA2 encryption. Here’s a short summary:

• If you use a short password, say 10 letters long, it used to take 579,000 years to crack. With this new technology it would now take 5793 years, or 5 years if they purchase 1000 of these machines dedicated to hacking into your wireless network (at a cost of over $1m of hardware).
• If you use a good password, e.g. 20 characters long, will now take 10,000,000,000,000 years to crack, or shorter if you have thousands of computers working together on this.

In other words the article is mostly hype. Making something 100 faster doesn’t mean much when we’re talking about trillions of years.

The short version is: use WPA/WPA2 and a long password when configuring your wireless network. Use at least 20 characters.

Further:
What I’ve written above applies to small networks such as home or small offices. For large networks you should be using a technology called Radius together with WPA, this is much more secure, extremely hard to crack, and of course more complicated and expensive to install and maintain.

A rather serious exploit has recently been discovered.

It’s called ClickJacking. The problem is in Adobe’s Flash player, which just about everyone in the world has installed (sometimes without even knowing it). 

The vulnerability makes it possible for someone to control your computer’s webcam or microphone, lettting other people spy on you. It’s a serious problem.

Who’s at risk?

Anyone who has Flash version 9.0.124.0 or earlier is at risk. This includes Windows, Mac, and Linux users, and FireFox, IE, Safari, Chrome, and Opera users (does this list include you?)

What can you do to protect yourself?

Adobe is publishing a fix very soon and the best thing to do is to upgrade to the latest version of  Flash. Flash should prompt you to download an update – say yes to this. Otherwise download the latest version from Adobe’s web site.

If for some reason you can’t update Flash on your PC there’s another way to protect yourself (this is a last resort tactic, updating Flash is much safer). The workaround is to set the Always Deny option, as detailed here on Adobe’s site.

Further info:

Someone has gone to the trouble of setting up a sample of how the exploit works and recorded a video to demonstrate. Play the YouTube video in this article.

People in China using Skype, or people elsewhere using Skype to talk to people in China, should be aware that some conversations are being monitored by the Chinese government. This article explains how this was recently exposed.

The system listens for sensitive terms (mostly political subjects) and logs conversations that meet this requirement. This works differently to how the Germans are doing it.

Here’s what happens when you don’t take proactive steps to secure your wireless router (or wireless network). Recently there were a series terrorist bomb attacks in India, and threat emails were sent by the terrorists. 

The source of the emails were traced and they came from the home of an innocent family in Mumbai (India). The terrorists had used their unsecure wireless network to gain access to the internet and do their thing. The residents said,

“We did not feel the need to secure or password-protect our internet connection. But now it has become a necessity for all citizens to secure their connections”

This stuff really happens, read the full article here.

So how do you secure your wireless router? What other consequences can you face for leaving it unsecure? Read our previous article. In fact, use the search box on the top right of this site and search for “wireless” – there’s a lot to learn about wireless security at home and in the office.

Keep in mind that when you buy new (or old) wireless equipment such as a wireless router, the security settings are almost always set to the most insecure options. That’s crazy, but manufacturers think that turning on security by default makes it too hard for people to install these things. Maybe, but most people are lazy and don’t turn on the security features, putting them at risk of being hacked or involved in serious crime.

As always people who write and distribute malware take advantage of popular news stories. This time there’s a fake link to a video about the Large Hadron Collider (a new science project). If you attempt to watch the video it asks you to download a plugin (it says that you need to download it in order to view the video).

We’ve mentioned this before, you don’t normally need to download plugins to view videos on the web.

If you see an email or web post with the following then ignore it, it just asks you to install a malicious plugin,

“This thing rocks! By the way, you can watch “Large Hadron Collider” start video report at http://***sed.com/clip/?id=Large_Hadron_Collider Pretty interesting, isn’t it?”

It’s interesting to see that even the most technologically sophisticated environments face the same challenges as the rest of us. Some computers aboard the international space station (ISS) have been infected with a worm (called W32.Gammima.AG). And it’s not the first time this has happened.

In this particular case there’s no threat to their operations, but it’s interesting to see how some of the best engineers in the world let this slip through. The theory at the moment is that it was transferred from a crew member’s personal compact flash card.

It’s also interesting to note that the computers on board do not have virus protection, and that it’s believed it spread from one computer to at least another one.

Lessons to be learnt?

1. Use a good anti-virus package. It’s not good enough to be extra careful, you need the best tools working in the background keeping watch.
2. Be aware that flash cards (the kind cameras use) can carry malware. You just have to be careful who’s computer you put it into. We’ve even seen brand new devices ship with infected memory cards.

Sometimes it’s hard to believe these statistics, the numbers are so large. The Australian Bureau of Statistics has finished their first survey of personal fraud. Their findings are that 800,000 Australians fell victim to fraud in some way.

453,100 of those lost money, for a total of $977 million. That’s a lot of people and a lot of money for a rather small population.

329,000 Australians lost money after responding to lottery scams and other phishing related scams.

A lot of people keep falling for scams. The best thing you can do is help them become aware of what scams and fraud tricks are being used. Remember that you can always subscribe to Fraudo.com by email or with an RSS reader.

Microsoft would like you to know that using Safari on a Windows PC is dangerous. And of course they’d say that, they have a competing product they’d like you to use (Internet Explorer). So what’s happening?

A few days ago Microsoft published a security advisory of a potential vulnerability in Apple Safari. Technically they’re correct, there is a vulnerability and we’ll look at it in a moment. The flaw hasn’t been exploited yet, at the moment it’s more theoretical. It’s just a little suspicious that they put this much effort into pointing out flaws in a competitor’s product and that they’ve used their security advisory system for what can be seen as a marketing manoeuvre.

So what’s the flaw?

It’s being called Carpet Bombing. Here’s how it works.

A web page is created that has hundreds of hidden download links (in the form of "iframes"). The files are silently downloaded onto the user’s desktop. This can be done without the user’s knowledge.

The vulnerability is that a user’s desktop could be covered with hundreds of icons for malicious programs, making it easy to accidentally click on one and run the malicious program.

Apple says it’s a security issue, not a vulnerability. Microsoft says users should avoid using Safari until researchers have looked further into.

So is this a sneaky marketing ploy from Microsoft? It could be, they’ve done things like this before. Or are they sincere and is Safari really as dangerous as they say?

We’ll know more in a few days, by which time Apple would most probably have a fix. I don’t consider this a high risk vulnerability, just something extra to be cautious about. A good antivirus program help here.

Microsoft’s advisory is here (it’s light on details at the moment): http://www.microsoft.com/technet/security/advisory/953818.mspx

Further info here, here and here.

This week everyone’s been talking about a new flaw in Flash that can be exploited to run malicious code on your computer. After a few days of media frenzy Adobe has released a fix for it.

If you use Windows then download the update (this includes users of FireFox, Opera and Internet Explorer). Link here.

The fixed version is 9.0.124.0. If you’re keen you can read more about the vulnerability here.

How much money do you think Australians send to Nigerians because of the old Nigerian 419 scam? (Keep in mind that Australia has a small population of 21 million)

The answer is millions of dollars.

This very interesting interview with the head of the Queensland Police Corporate Crime Investigation Group (what a long title) discusses these scams and provides some interesting details.

People who fall for these scams often don’t report it, and in many cases repeatedly fall for these scams. Watch the video, discuss it with your friends, family and colleagues, and help raise awareness of this particular kind of scam. You can also read this article on how Nigerian scams work.

Link to video.

An Australian security organisation called AusCERT has conducted a survey and come up with the following results. I’ve added my own comments on the right.

The full survey results have been published here. It’s an interesting read, especially seeing the reasons why some people don’t use anti-virus and anti-spyware software.

SSH is used to establish secure connections across the internet. For example a lot of people use SSH to connect to their servers because of the good security it provides. Lots of people trust it and rely on it.

In the past week there has been a large increase in the number of brute force attacks against SSH. What’s a brute force attack? It’s when someone writes a program that starts guessing passwords. It’ll keep trying to guess passwords all day and all night without rest until it finds something that works. The smarter brute force attacks do this slowly so that servers don’t lock the account in defense.

To increase a hacker’s chances of finding the right password these brute force programs use a dictionary and try to guess common words first. Then they try combinations such as replacing o’s with zeros, or putting a 1 at the end (have you ever done this with passwords?). So if your password is based on a word found in the dictionary it’ll be amongst the first ones tried.

The best defence against brute force attacks is to use a complicated password. Complicated passwords can take years to guess, simple passwords can take seconds to guess. Read here about how to evaluate the complexity of a password. And if remembering complicated passwords is a challenge then you might need a password safe.

So back to SSH. If you manage a server and use SSH to connect to it, have a look at the logs. Other people have reported a 5-10 times increase in the number of SSH attempts on their servers. Make sure your passwords are complicated enough to resist brute force attacks. Consider editing firewall rules to limit the entry points into your network. And make sure everything is patched including routers and firewalls. See this article for further information on these attacks.

And for everything that’s still wondering what SSH is, don’t worry about the jargon. Just realise that people can and do try to guess passwords.

A new malware infected email is being sent to people on Pro-Tibet mailing lists. This is an example of a targeted attack whereby a particular group of people are the intended recipients of the malware, and in this case politically motivated.

F-Secure have investigated the malware and have concluded that it originates from China. It carries a PDF file that installs a key-logger on a recipient’s computer. The key-logger sends all of the user’s key strokes to a server located in China.

To recognise the malicious email look for the following:

• The email is forged to appear to originate from Unrepresented Nations and Peoples Organization (UNPO)
• From: unpo@unpo.org
• Subject: UNPO Statement of Solidarity
• First few lines of the email:

The Hague, 17 March 2008 – The Presidency of the Unrepresented Nations and Peoples Organization (UNPO), led by President Mr Ledum Mitee, expresses its solidarity on behalf of all UNPO Members with the people of Tibet in this period of extreme tensioni and reiterates its support for their decades-long nonviolent campaign against Chinese suppression.

• Has an attachment called “UNPO Statement of Solidarity.pdf”

If you receive this email or others like it, delete it.

According to F-Secure there are other similar emails that are also part of the targeted attack and may contain any of the following attachments:

• UNPO Statement of Solidarity.pdf
• Daul-Tibet intergroup meeting.doc
• tibet_protests_map_no_icons__mar_20.ppt
• reports_of_violence_in_tibet.ppt
• genocide.xls
• memberlist.xls
• Tibet_Research.exe
• tibet-landscape.ppt
• Updates Route of Tibetan Olympics Torch Relay.doc
• THE GOVERNMENT OF TIBET.ppt
• Talk points.chm
• China’s new move on Tibetans.doc
• Support Team Tibet.doc
• Photos of Tibet.chm
• News ReleaseMassArrest.pdf
• Whole Schedule and Routing for Torch Relay.xls

For more information see here.

It’s no surprise there are so many stolen credit card numbers being bought and sold on the internet. Earlier this week there was a data intrusion to Hannaford Bros.’s network and 4.2 million credit card number were stolen, together with their expiry dates. Hannaford is a popular supermarket chain in USA.

If you shopped at Hannaford with a credit card recently then check your credit card statements for misuse.

The official notice from Hannaford’s CEO is here.

eBay fraud is rampant in Romania, Russia and China. In fact, eBay says that the majority of all eBay phishing emails comes from these countries.

Mark Lee is the trust and safety manager for eBay UK and he’s made the following comments:

• “[there's] no fear of real punishment [in these countries]“
• “These attacks are definitely organised”
• “There are towns in Romania where the entire focus is on sites like eBay as the main source of income”

There have been several hundred arrests in Romania after eBay initiated a campaign to stop fraud, in June 2007. But this hasn’t stopped them and it’s still rampant in these parts.

Techniques used by these criminals include asking eBay shoppers for personal details (when people bid or ask questions on the site) – this is known as phishing and the personal details are later used to commit other crimes.

If you use eBay to buy or sell goods have a read here [ http://pages.ebay.com/securitycenter/ ] for tips and tutorials on eBay security. And continue to read FraudO.com for online security tips.

If someone has physical access to a computer they have a pretty good chance of bypassing its security. This new attack uses the FireWire port found on some computers and notebooks to access its memory and change the system’s password.

It’s been demonstrated to work on  Windows XP and on Macs, and could possibly affect other systems.

It’s up to companies like Microsoft and other vendors to fix their software to disable this vulnerability. Some lessons to be learnt are:

• Restrict physical access to your computer
• Don’t let other people plug devices into your computer
• Apply software patches from vendors when they become available. Hopefully they’ll patch this problem
• And if you’re paranoid about this one you can disable FireWire on some computers (by disconnecting the cable inside the computer)

Here’s the article explaining how it works on Windows XP, and here is an article on how it affects Macs.

Haute Secure is a security service developed by 3 former Microsoft security specialists. It’s designed to filter the web pages you browse and it blocks any websites known to contain malware.

It’s free for people to download and install on their computers. If you run a website they charge money so they can scan your website and alert you if it gets hacked and infected with malware.

Most of the good antivirus packages have had this feature for a long time, and it’s a good idea to invest in one of these.

If you really believe it’s not worth spending money to keep your computer secure and you insist on using free antivirus programs, then this will make a good addition since free antivirus programs don’t usually filter web sites.

Adobe has been making news today for releasing version 1.0 of their AIR framework. AIR is a new way to develop and run programs, it’s a combination of a web page but runs without a web browser.

It has a long list of security features to make programs seem safe. And because of how internet applications work experts agree it won’t be long until this new technology is exploited.

One thing to be careful of is when AIR warns you about “self signed” applications. This means that no reputable company has verified the person who wrote the program. So if you download an AIR application and you get warned about it being self signed, the safe bet is to deny it.

If you’re tempted to play with AIR applications just be conscious of where you’re downloading programs from. They won’t remain safe for long.

The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to them, so it’s really limited to USA. The problem worldwide would be much much worse.

The top 20 complaint categories were:

Rank    Category    Complaints

1. Identity Theft    258,427
2. Shop-at-Home/Catalog Sales    62,811
3. Internet Services    42,266
4. Foreign Money Offers    32,868
5. Prizes/Sweepstakes and Lotteries    32,162
6. Computer Equipment and Software    27,036
7. Internet Auctions    24,376
8. Health Care Claims    16,097
9. Travel, Vacations, and Timeshares    14,903
10. Advance-Fee Loans and Credit Protection/Repair    14,342
11. Investments    13,705
12. Magazines and Buyers Clubs    12,970
13. Business Opportunities and Work-at-Home Plans    11,362
14. Real Estate (Not Timeshares)    9,475
15. Office Supplies and Services    9,211
16. Telephone Services    8,155
17. Employ. Agencies/Job Counsel/Overseas Work    5,932
18. Debt Management/Credit Counseling    3,442
19. Multi-Level Mktg./Pyramids/Chain Letters    3,092
20. Charitable Solicitations    1,843

That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report totals more than $1.2 billion. The full report is here.

Australia’s CSIRO has developed a security device for online banking. It’s like a flash drive and contains a virtual computer environment which makes applications like online banking more secure.

However there’s a lot of doubt in the security world. You still need to plug it into a computer for it to start up, and you don’t always know what’s on the computer. Malware could still take screenshots and send them off to some unknown person on the other side of the world, and there’s little explanation on how it’s meant to avoid being tampered with.

It’s a technology to keep a watch on for the future. Full article here.

Skype, the popular internet phone software, has a new vulnerability with the way it handles video links. There aren’t any reported exploits yet but as always it’s only a matter of time.

Skype is susceptible to this vulnerability if all of the following happen:

• Your computer uses Windows
• You use Skype version 3.6.0.244 or older (versions 3.5 and 3.6)
• You do a video search from within Skype
• The search takes you to a page that’s been hacked

The damage from this is still unproven but it’s fair to say that if someone can write the required malicious code they could use it to any effect they like (such as installing spyware on your computer or taking over its control).

Skype has responded with disabling adding new videos to their Dailymotion gallery. This will slow down the chance of an exploit spreading. And Skype will release a new version soon to fix the vulnerability.

Skype’s report is located here.

A recent survey by a security company called Secunia shows that only 5% of computers are fully patched. The other 95% are running insecure software.

It’s important to patch all of your software. This includes the operating system itself (e.g. Windows, Mac OS, Linux), your web browser (e.g. Internet Explorer, Firefox), and all your applications. And of course in an office environment patches should be carried out by IT administrators (complete with backups).

This serves as a gentle reminder to our previous post on patching. Read Secunia’s article here.

If you use public computers in hotels and similar environments (e.g. internet cafes) you need to keep in mind that the computer could be capturing your passwords. You can’t just assume it’s a safe computer.

This week a man was sentenced for installing key-logging programs on hotel computers in Miami, Las Vegas, and other US cities. Customers used these computers and whenever they entered a credit card number, the number was captured and used to buy over US$400,000 worth of products and services.

Mario Alberto Simbaqueba Bonilla, a 40 year old engineer, was arrested in Miami International Airport last year and has just pleaded guilty. He installed the key-logging software onto hotel computers and watched as hotel guests used the computers.

This isn’t a once off incident. If the computer isn’t yours then you just have to assume someone can capture your passwords or credit card numbers. If you need to use these computers to log into a corporate network or some other secure service (such as online banking) then think twice. Is it really that important? If so, then change the password as soon as you get onto a different computer.

The US Army has been upgrading their servers and workstations to Macs and are claiming they’re harder to hack (i.e. they’re more secure).

The primary reason they state is that fewer attacks are written for Macs than for Windows. This seems true for now.

One common weakness between all operating systems (Mac, Windows, Linux, etc) is the user. People can be tricked into clicking on things or carrying out other hazardous tasks no matter what computer they use (this is where security education comes in).

More details here.

Sophos (a large IT security company) recently conducted a survey of 560 people. 54% of them admitted to using someone else’s wireless network without permission. That’s more than half the respondents. Why should you care?

If you have a wireless network that isn’t well secured then:

• Someone could be using your internet account and incurring expenses (or pushing you over a capped limit and effectively slowing down your connection)
• Someone could be illegally downloading copyrighted content (such as using a file sharing program to download commercial movies – it’s illegal and you’re liable for providing the connection)
• Someone could be using your internet connection to commit online crimes (just read the posts on this site to get an idea of how common this is).
• It lets anyone within range bypass your firewall, making your computers and other wireless devices vulnerable. This is especially important if you have wireless in an office environment
• It’s easier for someone to install spyware on your computer, making activities like online banking very dangerous

The most important reason of these is how easy it makes it for someone to use your network to commit crimes. Imagine being involved in a child pornography investigation, or having your internet disconnected because your network was used to send millions of spam emails.

I’ve written before on how to secure a wireless network and if you haven’t done so it’s worth reading through here.

If you’re in the 54% of people who wouldn’t think twice of using someone else’s wireless network without permission then you should know that:

• It’s illegal in a lot of countries (people get arrested for this quite often)
• It’s effectively stealing. It isn’t a victimless crime
• You can’t trust the network you’re using. It’s easy for someone to setup a wireless network in such a was that they can record all the traffic from it. This is one way to eavesdrop on other people’s traffic and to capture passwords

So the message here is to secure your wireless network, and don’t use other people’s wireless networks without permission.

An Australian man in Rockhampton has been arrested for trying to extort money from people. Here’s how he did it.

• He gained access to other people’s wireless networks. This is fairly easy to do, even if you turn on WEP encryption (read about securing a wireless network here). By using other people’s networks he was harder to locate
• He sent users threatening messages, made to look like they came from elsewhere
• He then demanded money to be dropped off at a specific location
• And he repeated this a total of 12 times

The police were able to find him and arrest him. It’s important to secure your wireless networks so that other people don’t use it to commit crimes.

Full article here.

A quick update about online crime.

In Italy, 26 people were recently arrested for taking part in running phishing sites (web sites that look like bank sites (for example) but are designed to capture your account number and password). Two of these people have already been sentenced (5.5 – 6 years prison). It’s important to realise how common this problem is in the world.

And a short while ago I wrote about some important disks that were lost by the British government, containing personal data on 25 million people. That incident received a lot of press coverage and it’s not an isolated case. This stuff happens frequently, like in Northern Ireland. Two CDs were lost this week by one of their government agencies containing personal data on 6000 residents. These disks were not encrypted, as the previous case. Full article here.

Then in California a laptop was stolen containing personal information on 45,000 patients of Sutter Lakeside Hospital. Again the data was not encrypted, making it all too easy for anyone to use this personal information as they see fit. I recently wrote an article on protecting laptops when used to take home work. Full press article here.

Some lessons to be learnt are:

• There are a very large number of online criminals doing everything they can to try and steal your money
• Disks and notebooks (laptops) are lost or stolen all the time. If they contain sensitive information they should be encrypted
• Keep in mind that your personal details are not all that private anymore

Skype is a popular communication tool allowing people to have voice and video conversations over the internet. And one of its features is how it transports that communications data. Skype first encrypts your data then distributes it using a network of other skype users (using what’s called a peer to peer model).

The encryption is intended to stop random strangers eavesdropping on your conversations. And it seems to be fairly effective from what this article says – the German Federal Police Office have a problem wiretapping Skype calls.

Is this a good thing or a bad thing? Well, it’s a little of both. It gives Skype users a level of security that makes the general public comfortable enough to use it, and stops casual eavesdropping. That’s the good news.

The bad news is that VoIP traffic (phone calls over internet) can be intercepted in other ways. When it becomes too hard to break the encryption, as the German police found, an easier path is to install a trojan on the PC and intercept the voice data before it becomes encrypted. This stuff really happens.

The German federal police office is looking into developing trojans so they can install one on people’s computers they need to listen in on (article here). This is a legal form of spyware (at least in the country it’s used in). Other governments have been using this technique for years and legally it’s not much different to wiretapping a phone. What makes it scary is that antivirus companies have an understanding with law enforcement agencies and some government spyware may go undetected.

This isn’t a problem to most people. And at the end of the day it’s no different to using a house or mobile (cellular) phone.

The message in this article is that you should place the same level of trust in any VoIP phone (such as Skype) as you would with any other phone. It doesn’t offer any additional level of privacy. Law enforcement agencies have been finding ways to listen in, and fairly soon we’ll have spyware that can do the same thing only with less legal intentions.

Some pages on the website gameige.com have been compromised, using iframes to cause people’s browsers to download malware and steal information from the computer. This is a risk if your web browser loads ActiveX controls (such as Internet Explorer). Gameige.com is used by players of online games such as World of Warcraft.

The use of a good antivirus program that filters websites would help here. And hopefully by the time you read this the people supporting the site would have fixed it.

Wireless keyboards can be intercepted, very easily. This is something you should be aware of not only when purchasing new equipment but when using someone else’s computer. There’s no real defence against it either, other than using a wired keyboard.

Before I explain the risks let me point out which keyboards it does and doesn’t affect:

• All keyboards using a 27MHz transmitter are at risk (which includes most of them)
• Keyboards that advertise "wireless encryption" or "secure" features are also at risk
• Bluetooth keyboards are safer (though these are generally more expensive)

The risks of such an "attack" should be obvious – other people within range could be recording every keystroke. This includes the address of websites you go to, usernames, passwords, the contents of emails, chat conversations, etc.

In a business environment this would be a critical breach of security. Giving away passwords, trade secrets, and other sensitive information is quite serious, and in a lot of cases criminally irresponsible. Wireless keyboards that fall into the "at risk" categories above should be banned.

At home the risks are just as serious. Anyone using a home computer to do internet banking should immediately recognise the dangers of giving away too much information (i.e. finding a large amount of money removed from your bank account). Again, either use a wired keyboard at home, a Bluetooth wireless keyboard (expensive), or limit the keyboard & computer’s use to trivial tasks such as gaming.

How does the attack work?

Well, it seems there are only 256 possible encryption codes, so hackers have cleverly written software that tries them all within seconds. Then there are other tricks they use to break the encryption that some keyboards use (for the IT savvy reader, it’s an XOR protocol).

So it takes about 20 to 50 keystrokes before enough information can be gathered to break the encryption.

How close does one need to be to "sniff" wireless keyboard signals? Usually it’s 4-8 feet, or 1-3 metres. But with more powerful aerials this can be extended much further (hundreds of metres).

Also keep in mind that Bluetooth generally isn’t a very security protocol. It’s only considered safer because of how easy it now is to hack normal wireless keyboards. But you shouldn’t use it to keep million dollar secrets.

There’s a video here demonstrating how it works (warning, it’s geeky and technical): Wireless keyboard hacking.

So go back to wired keyboards, they not only more reliable and more secure, they don’t have batteries that need replacing or recharging.

British businesses are being warned about Chinese industrial espionage aimed at retrieving financially sensitive data. In particular, at least 1000 businesses have been warned that they’ve potentially been targeted to obtain data on their trading with Chinese companies, in an attempt for the Chinese parties to negotiate higher prices in their business dealings. There’s an article here with the full story.

This post is aimed at businesses, whether large or small. Online espionage, or cyber spying, is a real threat. It doesn’t necessarily need to come from China either, the technology and skills exist in just about every city and country that’s connected to the internet.

Everyone needs to secure both their networks and the computers with it. The old belief that a firewall is enough has always been false, even more so now that data threats can come from so many levels (see the SANS document that was mentioned here earlier). It’s everyone’s responsibility to do everything within their power to increase security. The threats are out there, large amounts of (your) money are stake, and there’s always something you can do.

So now is a good time to review your network security and to improve it.

SANS is an organisation that does a lot of security research as well as other things, and they have a good reputation for their work. They’ve just published a report showing the top 20 internet security risks. They point out that social engineering is one of the biggest risks at the moment. Social engineering is the term used to describe how people effectively trick (or otherwise convince) others to provide sensitive details.

There’s a lot of detail in this report and it’s well worth reading. Below are a few bits of information from the report and it’s just not possible to summarise it all here. Have a read through it if you have time.

• Web applications are vulnerable to being hacked and information misused or stolen.
• People can be manipulated
• The following applications are the most vulnerable:
  • Web Browsers
  • Office Software
  • Email Clients
  • Media Players
• Unencrypted laptops are a risk to losing large amounts of data
• Instant messaging and peer-to-peer programs are a risk to businesses

The full report is here. It’s long and very detailed, and well worth your time in reading it.

As well as the usual advice on staying safe online it’s often useful to hear about security incidents that have made the media. And this time I’d like to point out what happens when a government loses disks containing personal data on 25 million individuals.

The two disks that were lost contained names, addresses, insurance numbers and bank account details of 25 million people. This is personal data that could be used to commit fraud or identity theft. This hasn’t been the case so far but it could still happen. Nobody seems to know where the disks are now.

How can this happen? The people handing the transport of the disks didn’t follow proper procedures. They’re human and they made mistakes. The disks were not encrypted before being shipped. The courier company lost them and have no records of where the disks might be. Then the police were involved only about 3 weeks after the incident occurred.

These kinds of accidents can and do happen every now and then. Your personal details can easily end up where you least expect it. One solution would be to make the agencies pay heavy fines for such security breaches, making it worth their time to ensure all procedures are followed.

The other lesson to be learnt here is that when you fill out a form these days you just have to assume it could one day end up in the wrong place. These days some of your personal details are no longer private. It’s just something that’s been happening slowing over the past couple of decades.

Some detailed articles can be found here.

26 year old John Kenneth Schiefer from Los Angeles is facing 60 years in prison and a US$1.75m fine for infecting 250,000 computers with the intention of stealing information. This is exactly the kind of person I’ve been writing here about in the hope everyone can avoid being a victim. It would be useful to know how serious and widespread these crimes are, and how serious it all is.

He ran what’s known as a botnet. This is when malware (viruses, trojans, etc) is installed on a large number of victim’s computers and controlled from one central location. 250,000 infected computers makes a large botnet. That’s a lot of victims, real people who didn’t know someone else was remotely using their computer and stealing their money.

In this case he allegedly stole money from people’s Paypal accounts. It’s not a problem with Paypal’s system, the problem lies in people using compromised computers.

One lesson to be learnt is that you should never shop or bank online on a computer you don’t trust. And a large part of that trust in a computer comes from using an up to date internet security package (an antivirus program).

Another import lesson for everyone is that these criminals are real, and their operations are large and widespread.

Read some articles on his case here.

The emergence of a new kind of crime is an interesting thing. We’ve had virtual worlds for quite a few years and as their popularity grows so too do crimes such as fraud, or in this case theft.

There’s a game called Habbo Hotel, it’s an online game where people have online characters. Like a few other online games they can pay real money to decorate their characters and the rooms they occupy. Effectively they buy virtual items to enhance their game.

So when some teenagers are accused of stealing username and passwords of other players, logging in with these accounts and transferring items to their own accounts, it becomes theft. The current buzzword is Virtual Theft. A 17 year old Dutch teenager has been arrested over this allegation, and five other 15 year olds are being questioned. What makes the “theft” significant is that the value of the virtual items is around US$5000.

A spokesman for Sulake, Habbo Hotel’s operator, said:

“It is a theft because the furniture is paid for with real money. But the only way to be a thief in Habbo is to get people’s usernames and passwords and then log in and take the furniture.”

The full article is here. It’s important to note that this isn’t an isolated case. Virtual worlds (in the form of online games) have been a growing trend and like most things that can happen in the real world most forms of crime can carry across to virtual worlds.

Passwords have been an everyday part of life with computers, and they won’t be replaced any time soon. It’s a form of authentication, granting you access to a system or service.

When security is based on passwords two pieces of information are required:

1. A username
2. A password

Often it’s not difficult to guess a username. Some computers keep this information easily available to anyone who cares to look, and other times it’s just a matter of guessing.

Passwords are more difficult. The “strength” of a password is critical to keeping out unauthorised people. “Strength” is a measure of how easily it can be guessed. And if you’re wondering who really sits there trying to guess passwords you’re in for a surprise.

Passwords can be made stronger by using a combination of the following tips:

• Make your password long. Tip: join 2 or 3 words together
• Have at least one letter in uppercase
• Don’t put a 1 at the end of your password (it doesn’t help at all)
• Use a made-up word if you can think of one, or spell a real word incorrectly
• Try not to use the same password on every website (more on this another day)

If you under the impression that no one will bother trying to guess your password then you’re definitely need to continue reading. Hackers don’t sit there trying to guess passwords (what could be more boring than that?). They write programs that do all the hard work of guessing programs. Then they maliciously install this program on other people’s computers (sometimes tens of thousands of hacked computers) to do lots of hard work for them. They just sit back and wait for the results to come in.

Protecting systems with passwords is a tough battle for the good guys (like you and me). As the progress of technology marches on we have faster computers which means hacking passwords becomes easier.

Now the really interesting part. There’s been some development on all this password guessing technology – where it used to take one computer months to crack a Windows Vista password, by utilising the untapped power of a modern computer’s graphics processor it’s now possible to do the same work with the same computer in 3 – 5 days. That’s 25 times faster just from some clever programming (see this article for the details on how).

So in the real world we have programs running on tens of thousands of computers, guessing billions of password combinations relentlessly, with the expectation that soon they’ll find all the easy ones.

So be smart about passwords. Make it very difficult to guess. And remember that there really are people out there trying to hack into your accounts so always be careful.

Some Maxtor external drives have been found to contain a virus. These are brand new units straight from the factory. The unit with this problem is a Maxtor Basics Personal Storage 3200, shipping between August 2007 and November. If you’ve recently purchased one of these you need to call Seagate’s technical support and quote the serial number on the drive.

What is Search Jacking? And how is it bad?

The term Search Jacking is used when a program or network takes you to a search engine when you type an incorrect address into your web browser (e.g. Internet Explorer). For example, if you enter ffraudo.com into the address bar of your web browser it is supposed to show you an error. The address doesn’t exist (at the time of writing this article). At least that’s how it’s meant to work in theory.

Some people with large marketing ambitions decided that if you enter an address that doesn’t exist it should take you to a search engine that can suggest some websites for you. One prominent company that did this is Microsoft. Microsoft’s Internet Explorer takes you to a search engine and suggests some other sites, and not necessarily the site you really wanted to see.

There have been a few companies that have taken it upon themselves to redirect the general internet user to their search engine of choice. And their choice is decided by whoever’s paying them the most. The technique is similar to domain squatting, where mistyping a web site takes you somewhere unexpected. Cox and Earthlink have also used this technique before.

The latest in search jacking attempts comes from Verizon (an American telecommunications company). If your internet is connected through Verizon and you try going to an invalid web site, you might land on Verizon’s search website (for the moment it’s active on one of their fibre network).

Is there a danger to you? For now there’s no real danger, it’s more of a nuisance. Soon they’ll most probably start putting ads on this search site. It’s a little deceptive, and is called by some as “accidental content delivery”. You accidentally type in an incorrect address, they deliver content of their choice. And of course they’ll make money from it.

It’s more of a nuisance for now, and if it works out for them other companies are likely to follow. If your network has already adopted this search jacking system you could complain to your internet provider. After all, someone’s paying for your internet connection and you shouldn’t expect your internet provider to fill it with ads for you.

Should you download new codecs when a website tells you to?

What’s a codec anyway?

Your computer needs video codecs to play videos. And like everything else there are quite a few different codecs to choose from. Your computer came with a set of the most popular codecs so you can watch videos, both online and from DVDs.

There are some websites that encode their videos with unusual codecs then ask you to install a new codec to view it. In particular, some pornographic websites have been tricking people into downloading a new codec. Unfortunately in some cases the codec is a trojan that makes very dangerous changes to your computer (allowing attackers to redirect your web browser to wherever they want).

There’s been a reportof some websites tricking Mac users into installing a bad codec like the one mentioned above. In the past Macs have been considered more safe than Windows computers but as they become more popular they also become targets to malware such as this. This particular attack doesn’t work very well because it asks the user to carry out a number of steps. Over time attackers get more sophisticated so it’s best to learn about it as early as possible.

The lessons to be learnt here are:

• Don’t install anything a website tells you to, unless you completely trust the person or company operating it. Even then you need to be certain of what you’re downloading.
• No computer is safe from malicious attacks, no matter what the ads, salesmen or zealous enthusiasts say.
• Pornographic websites are well known to carry malicious content like viruses and trojans.
• Attackers are creative and always find new ways to distribute viruses

A few banks have recently introduced SMS authentication for their credit cards. Basically they’ll send an SMS (text message) to your mobile phone (cell phone, or handphone) to confirm a transaction. You reply to the SMS to approve the transaction.

It’s a security model called “Two Factor Authentication“. This means you need to be in possession of two “things” for a transaction to be approved. If someone stole your credit card details and made a transaction, e.g. online, you would receive an SMS on your phone and you’d know it was fraudulent. In this case you wouldn’t reply to the SMS and the transaction would be halted. And if you’re making the purchase yourself you can approve your own transaction.

The idea sounds good at first. And of course it has its own set of problems. More interesting is the reasons why these banks have introduced this technology.

Problems:

• Only some transactions are protected using this method. It’s up to the banks but generally it seems that a large number of transactions will continue to function as before. 
• For legitimate purchases it can be a nuisance
• It’s not a foolproof system
• As more people use the SMS option the costs to the bank will increase greatly and they would either end the service or pass on costs to their customers

Here’s an interesting comment published in this ZDNet article. Matthew Woodrow, Head of Information Security at Westpac, was quoted saying “It’s not to do with security at all… consumers have expectations of security levels while using their mobile phones to do their banking. So you’re not thinking about security at all, but you’re thinking about the product and what consumers want”. In other words a large bank’s security expert is admitting that SMS authentication is more about how customers “feel” about safety.

It seems to be a temporary fix to credit card fraud. Smart card technologies (chips embedded in the credit card) seem to be a better solution.

In summary security is often more about how it makes people “feel” rather than truly preventing crimes. It helps to see things for what they really are and not believe what you hear in ads.

Nigerian scams are so called because the majority of them originate from Nigeria, and they use the same tactic. Below is a brief summary on what it is, why it works, and how large the problem is.

A victim received an email (or sometimes an old fashioned letter) from someone posing as a lawyer. The text contains a story about a large amount of money locked up in a bank account, which gets the reader’s attention, and asks for help in retrieving it. In exchange the pretend lawyer promises a large reward.

The email can contain a statement such as “…In the discharge of my duty, I stumbled on this domiciliary account that has remained dormant for three years now with eight million, five hundred thousand United States dollars ($8.5M) in it…. That my purpose of contacting you is because the deceased has the same name with you…”

What happens next is an exchange of correspondence, with the scammer and victim writing to each other. The story usually becomes emotional and touching, keeping the victim’s attention. Then the victim is asked to hand over some money to help with legal fees. The scammer often sends the victim a cheque as a token of good faith that the money is there. Unfortunately the cheque is fake and the victim’s bank won’t accept it. This is often where the victim realises what’s happened.

This scam has apparently been in use for many years, even before emails became prevalent. It continues to work because the victims are tempted by a large amount of money.

How widespread is the problem? In this British articledated 4 Oct 2007 it states that 4500 fake documents were seized and that US$16.2m of fake cheques were seized. It also states that it costs the UK GBP4.5b every year, though this probably includes law enforcement costs. The problem isn’t limited to the UK either, it’s global.

What can you do? Be aware that this is a common scam and talk about it with anyone unfamiliar with the dangers present on the internet, especially older people. It would also be useful to report such emails (and letters) to your local authorities. A lot of people get arrested for taking part in these scams and any evidence you might have could be useful.

I’ve read articles describing victims that have gone to Nigeria to hunt down the scammer and reclaim their money, and they story ends tragically with murder or kidnapping. If I find these articles again I’ll post them here.