1234 is the most common PIN used in banking.

A new study of 1100 banking customers found that 1234 and birth dates make up a large percentage of PINS. This means if your wallet is stolen, a thief can find your birth date from your license or other ID, take your ATM card and guess your PIN. And it will work for 1 in 18 stolen wallets (or 1 in 11 for some banks). They’re good odds for thieves.

The study suggests that banks issue a random PIN instead of letting you set one yourself. I think it’s a good idea. Here’s the full document.

Have a look at the following screenshot and try to guess what’s wrong with it?

This screenshot was captured from the US National Archives’ signup page (click here then click on New User). It asks for a challenge question and challenge answer, in case you forget your password. The problem here is one of the questions, “What is your preferred internet password?“.

Why would you give someone this information?

Challenge questions and answers are a way to recover lost passwords. Unfortunately this information is often not encrypted – it’s less secure. So whatever you set for your challenge question and answer is sometimes vulnerable to hacking. Also, the questions are often things that other people can easily find out about you, like your pet’s name. This is why I don’t like them.

Poll:

Facebook’s security and privacy have never been perfect but they’re now starting to take it more seriously. Maybe some strong competition from Google+ has something to do with it.

Facebook have published a security guide and it’s quite good. It covers topics like recognising scams, recognising hacked accounts and how to use SSL connections. All good stuff! For example,

The common scams offer prizes like free  virtual objects. Other lures claim that your account has been suspended and provide a link for you to remedy the problem.

If you use Facebook at all I recommend reading through the guide. I also strongly suggest you print it out and lend it to your friends and family – people who might not be able to do their own research on security.

The more people understand security on Facebook the better it will be for everyone. Click here for A Guide to Facebook Security.

Daniel Amitay has been able to collect a sample of over 200,000 passcodes used to lock an iPhone. The most common ones were:

1. 1234
2. 0000
3. 2580 (a vertical row)
4. 1111
5. 5555
6. 5683 (spells LOVE)
7. 0852 (a vertical row)
8. 2222
9. 1212
10. 1998

This list represents 15% of all PINS (that’s too high). Years starting with 199 were also found to be common. And PINS starting with 1 are also very common.

The information here is relevant to other devices as well, basically anything that uses a 4 digit PIN typed into a keypad.

If you use any of these codes to lock something you consider important you should change it now.

I received an email that claims to be from Facebook (it’s a forged email). The email is designed to trick people into opening the attachment. Here’s what the it says,

Hey [name removed],

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
The Facebook Team

There’s another version some people have received that is similar but has a different introduction and sign off,

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
Your Facebook

Both of these emails come with a virus attached. And neither of these emails were actually sent from Facebook. In fact, Facebook had absolutely nothing to do with it, the scammers just mention the word to encourage people to open the attachment.

So as always, be suspicious of unsolicited emails, and be suspicious of attachments you didn’t ask for.

If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised. There was a targeted attack on these systems on the 9th April 2010.

These are services used by developers, most “normal” people would not have accounts on these services. If you do use these services please read the full incident report here.

Here’s a combined hoax and malware. Let’s start from the beginning.

People have been posting notes on Facebook about something called “un named app”. It tells you to remove something from Facebook. It’s a hoax. Don’t believe what it says, don’t follow the instructions, and don’t pass it on.

Below are some quotes of the hoax:

ALERT >>>>> Has your facebook been running slow lately? Go to “Settings” and select “application settings”, change the dropdown box to “added to profile”. If you see one in there called “un named app” delete it… It’s an internal spybot. Pass it on

this is real.. i checked and found this app and deleted it… hopefully, my facebook will run better now.

Cannot believe how much quicker mine is running after doing this….

I don’t have this app on my Facebook account but if you do, don’t worry. It’s a normal part of Facebook and you shouldn’t delete it.

Now the second part of this hoax is a real trojan. If you go to Google and search for “facebook unnamed app” you’ll see quite a few results. Some of these results are fake antivirus programs.

A fake antivirus program is actually a trojan. It pretends to scan your PC and quietly installs malware in the background. It goes under the name of Security Tool, it has a fancy detection screen and everything. But it’s definitely bad.

The rule of thumb is that if a web page tells you that your PC might be infected, don’t trust it. Go and get your own antivirus program, not something that pops up on your screen (see here for a good free antivirus program).

There’s a lot to learn here. Basically, be careful who you trust. These days scammers have to trick you into installing malware and they’re good at it (it’s called social engineering).

Security companies sometimes get to analyse real people’s passwords and create interesting reports. Imperva has just done that, analysing 32 million passwords used on the Rockyou.com site (which was recently hacked).

Below is a summary of their findings. Why is this important to you? Because it means that statistically, you probably have a weak password that can be guessed.

• 41% of passwords only use lower case letters (weak)
• 15% of passwords only user numerals (even weaker)
• Nearly 50% of people used names, slang words, dictionary words or trivial words as their passwords. These can be guessed in seconds by a “brute force” program.

The ten most common passwords were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

If you use any of these as your password then change it now, it’s too easy to guess, especially now that everyone can see this list.

For tips on how to choose a good password read our previous article. And here are some tips on testing how good your password is.

Imperva’s complete report is here. It’s full of interesting technical details on what they found and what the risks are.

Internet Explorer 6 is still used in many large organisations. It’s because large organisations invest heavily in technology then expect to keep using it for many years to increase their returns on investment. Usually their internal programs won’t work on newer browsers, and it’s a major task to upgrade them.

But Internet Explorer 6 (IE6) is quite old and very vulnerable to being hacked. It’s so vulnerable that it’s the main (technical) cause of the recent hack attack by China against Google (read here). In short, it seems that the Chinese government (or agents working on their behalf) hacked certain people’s Google accounts. They were able to do this because these people weren’t using the latest version of Internet Explorer.

So any organisation that refuses to upgrade to the latest version of Internet Explorer is also at risk.

Microsoft have made an official statement that IE6 is vulnerable and they want everyone to upgrade to the latest version.

Update: The Australian Government has also asked people to stop using IE6.

Update 2: Microsoft has made a patch available to all IE6 users to fix the problem. Download it from here.

Microsoft make an encryption system called BitLocker, it encrypts hard drives so that it’s impossible to access any files without the key. Top level security.

That was true until now. Passware are a company that recently released new tool that cracks this BitLocker security. The way it works is complicated and someone would need physical access to the computer.

So if you rely on Passware for security life is suddenly more complicated. The best you could do is to also concentrate on the physical security of your computers.

More details here and here.

A lot has happened in the past week with iPhones. First let me explain what “jail breaking” means.

iPhones have some security built-in, courtesy of Apple. This security’s main purpose is to let Apple decide what you can and can’t do with the phone. For example, you can buy and install an approved program, you can’t install a hacked program.

Now there are plenty of people in the world who want to use their iPhones in ways not sanctioned by Apple, such as using it on a non approved network or running non approved programs. So these people remove this layer of security. This is known as “jail breaking”.

Now for a summary of what’s happened recently:

First, there was a practical joke called “rickrolling” – some people found their phone’s wallpaper (background image) changed to a photo of the singer Rick Astley. It was a practical joke, harmless.

How were these phones hacked? Someone wrote a program that looks on the internet for vulnerable iPhones and installs this wallpaper, then the program copies itself to that phone and does the same thing to others. (More details here)

It only affected some jail broken phones. People were told that it’s nothing to worry about.

Then a couple of days later someone else took this idea and wrote a malicious version that works the same way. Again, only some jail broken phones are vulnerable. Except this time instead of being a practical joke it steals personal data.

It connects to a server in Lithuania and lets hackers connect to the phone and do what they want (such as stealing passwords and reading SMS’s). This is bad.

How can you protect your iPhone?

• Firstly, if you don’t jailbreak your phone you have nothing to worry about.
• If you do jailbreak your phone you need to change a special password that’s built into the phone. The password is usually “alpine” – you can’t see this password unless you know what you’re doing but it’s there and it needs to be changed. There are instructions here on how to do this.

Summary

An iPhone is a “smartphone”, meaning that it basically works like a computer and it has an internet connection just like a computer. And like computers it can be hacked and can get viruses. Apple goes to a lot of trouble to make sure everything works well (it’s in their best interest to deliver a quality product) so people who go about circumventing the device’s security are taking a great risk.

There’s an interesting news article here about someone who stole 130 million credit card numbers and was later arrested for it. The interesting points are:

• 130 million is a large number. How many people like in your city? Or country? He operated in the USA, and I don’t have any stats on how many credit cards there are in USA but it’d be somewhere around half of all credit cards. The more you think about this the less secure you’ll feel about your own credit card number.
• All this data was sold to hackers in various cities countries (California, Illinois, Latvia, the Netherlands and Ukraine). So even though he was arrested the data’s been compromised already.
• There’s nothing you or I could have done to protect ourselves from people like this. He stole the numbers from businesses (such as restaurants) that store the numbers on their databases, not from people’s home computers.
• He wasn’t a sophisticated hacker, he just looked for businesses with wireless networks and weak security (read here on how to secure a wireless network the right way) and installed malware to do the work.

Businesses should be doing more to keep their data safe. A lot of the time they just don’t have the skills or budget to spend on network security (especially non-technology businesses such as restaurants). Yet there’s a moral obligation to do so. What can we do about that?

You should also be watching your own credit card accounts regularly.  Internet banking makes it easy to check your account details every couple of nights from home. By doing so you’ll notice compromised accounts early and can get the card cancelled. Just make sure your computer is safe when you log onto internet banking sites (read here and here for some good tips).

The full article on this incident is here. It’s a bit long but an interesting read.

Accounts are often hacked, including Facebook accounts. Too many times people fall for scam emails telling them to (urgently) click on a link and type in their password. Too many times people don’t know how to tell the difference between the real Facebook login page and one made by a scammer (read here for some hints).

And when an account does become compromised and hacked, the scammers usually use it to send out spam. Then it can be difficult for people like you to get that account back.

Facebook has given this problem some thought and added a way to recover a compromised account. They will send you an email and ask you to verify your account. Then on their web site they’ll ask you some security questions and ask you to change your password.

There’s more info here.

A while back I wrote about wireless network security, click here to see the article. Basically you have 4 ways to set up a wireless network (at home or at the office):

1. No wireless security
2. WEP
3. WPA
4. WPA2

No wireless security means just that, anyone can connect to it and use your internet. If you’re wondering why this is a problem have a quick read of this article.

WEP is a very old security system. It doesn’t work.

WPA and WPA2 are still good, as long as you use a long (20 character) password. Read here to learn more about WPA.

Below is a tutorial video that has step by step instructions on how to hack into a WEP protected network. The point is: it’s easy to hack into a wireless network protected with WEP. WEP doesn’t work.

Would you be comfortable knowing that people can “listen in” to your wireless keyboard and watch what you type? It would be a great way to capture passwords, and that’s not a good thing.

I’ve written about how vulnerable wireless keyboards are. It used to take a lot of skill to hack into a wireless keyboard but now someone’s made it so much simpler. Here are instructions on how to build a wireless keyboard hacking device, complete with the software necessary. This model only works with 27MHz keyboards, which are the older and cheaper kind. It’s quite easy to build this device and to use it.

With a good enough aerial these type of hacks could be done from your neighbouring unit, house, office, or probably from a vehicle parked outside. You won’t know your wireless keyboard’s been hacked.

More modern and expensive keyboards can also be hacked, even those that have stickers on them saying how secure they are. But they take a bit more effort and skill.

I don’t believe in using wireless keyboards, they’re not secure. If you’re using one, it only costs $10 or so to upgrade to a wired one.

Social web sites are all the rage these days, such as Facebook, MySpace, Twitter, and there are hundreds of less popular ones as well. The idea with them is that all your friends and family can join and you can share aspects of your life such as photos and comments.

Often these same sites will ask for other passwords, in an effort to help you find more of your friends and family. For example, when you sign up to Badoo.com it asks you for your MSN username and password. They do this so they can log into MSN with your account, get a list of your contacts, and invite them to join Badoo. Facebook can do this too only on a grander scale.

It’s good in theory but there are some large risks involved. When you sign up and are prompted to enter your MSN details (or any other account), consider these questions:

• Who runs Badoo? Is it some guy sitting at home with no one to answer to?
• Do you trust the company (such as Badoo) and all of their employees?
• What is their privacy policy? Who are they accountable to if they breach their privacy policy?
• Do they store your MSN password? (You have no way of knowing this for sure)
• Have their servers been hacked and is someone else also capturing your password? (Again you have no way of knowing this, web sites get hacked every day)

You can see where this is leading. If you enter your other passwords into someone’s web site you’ve lost control and put yourself at some risk.

So when you sign up to a new site and it asks you for other passwords you already have, your initial reaction should be to refuse. Then consider if the benefits of doing so are worth the risk.

I’d like to thank our regular reader Nick for bringing this issue up.

There is a competition where people try to hack web browsers (they call it Pwn2own) , the winners get thousands of dollars in cash and prizes. Below are the results of the competition. It says a lot about which web browsers are safer than others:

• Safari running on Mac OS X – hacked in 10 seconds
• FireFox running on Windows – hacked
• IE 8 running on Windows – hacked
• Chrome running on Windows – was not hacked

When a web browser is hacked (like in this competition), it means someone out there in the real world can do things on your computer, such as installing a virus or taking control of your PC.

You can see photos of the winners here. These are talented people that are using their skills to help developers fix their browsers. There are many more people who use their hacking skills to install malware and steal money from people’s bank accounts (this isn’t just about winning competitions).

The best thing you can do right now is:

• Stop using Internet Explorer (IE) for everything.
• Use Google’s Chrome as much as possible, at the moment it seems to be the most secure browser
• Keep updating your web browser – the latest updates are there to fix up bugs and security vulnerabilities
• Keep updating Windows (or Mac OS X or Linux) whenever a new update is released.
• Install a good anti-virus package that blocks web sites that have malware on them. This might cost you a bit of money (you usually have to pay a yearly subscription fee) and it’s a good investment.
• Don’t be ignorant and assume it won’t happen to you.
• Keep reading Fraudo to learn about online fraud and what you can do to prevent it.

Passports these days have a small chip inside called an RFID. Governments who issue these passports say they’re secure and safe to use. And for years hackers have been saying they’re not secure. So who’s right?

Chris Paget, a white hat hacker (the good kind of hacker), recently did an experiment to see how many passports he could copy using some very simple tools. His aim was to see if he could read the RFID inside someone’s passport. The results?

In 20 minutes he managed to find 2 people carrying a new RFID passport, and was able to copy the contents of the RFID chip.

He did this from his car while driving around San Francisco. The people carrying the passports have no idea this happened. There’s no way for them to know. He made a video of his experiment that you can watch here:

(If the video above doesn’t play click here)

So what can we learn from this?

• The RFID chip inside passports are not secure
• The RFID chip inside passports can be copied from a distance

What can you do?

• If your governments wants to tag people using RFID, e.g. by embedding RFID chips in drivers licenses, be aware of the ramifications.
• It’s technically possible to shield your RFID passport by using a metal film. Some companies have started selling passport wallets that can block radio signals, stopping people reading the chip remotely.

Below are some passport wallets that can shield RFID signals (Click here to view in a full page)

If your phone uses Symbian S60 (see the list below) then it’s vulnerable to a new threat some people are calling the curse of silence.

It happens when someone sends you a specially formatted SMS. Some phones that receive this special SMS stop working properly – they won’t receive any more SMSs (it crashes the SMS messaging system inside the phone).

On some phones this means it just doesn’t receive any more messages and it won’t tell you there’s anything wrong. On other phones there will be a message that says:

Not enough memory to receive message(s). Delete some data first

The SMS that causes this to happen can’t be seen in the phone’s inbox, so you can’t delete it.

Turning the phone off and on sometimes lets you receive one message before it stops working again – this seems to vary depending on the phone model.

It’s also good to know that making and receiving calls still works.

What can you do?

It’s not a common problem yet and hopefully it won’t become one. For now it requires someone to send you the special SMS – it doesn’t spread by itself like viruses do.

It’s also a good idea to make a backup of your phone’s data now before anything bad happens. Some phones have an option to do this easily. Consult your phone’s instruction manual for more info.

If your phone is affected your choices are fairly limited at the moment.

• You can perform a hardware reset on the phone. You will lose all data on the phone if you do this (phone book, messages, most probably photos, etc). Think carefully before doing this.
• Phone manufacturers might release a firmware fix soon. Nobody’s promised anything yet.
• Contact the company you bought the phone from, they might be able to help.
• A security company called F-Secure has an antivirus package for mobile phones that they say can fix the problem. They also have a 7 day free trial that you could try. Apparently you need to download their program directly from the phone. Link here: http://mobile.f-secure.com/downloads/trial/index.html

More Info:

There’s a video on YouTube that demonstrates how it works. Link here.

Phones at risk:

Nokia: E63, 5800, N85, N79, E66, E71, 5320, 6220, N78, N96, 6210, N82, E51, N81, N95, 6121, 6120, 5700, N77, E90, E61i, E65, 6110, N76, N93i, 6290, N75, E62, E50, 5500, N93, N73, N72, N92, N71, N80, E70, E61, E60, 3250, N91, N70, N90, 6682, 6681, 6680, 3230, 6670, 6630, 6260, N-Gage QD, 7610, 6620, 3660, 3620, 6600, 3600, N-Gage, 3650, 7650

LG: KT615, KT610, KS10

Samsung: I7110, INNOV8, SGH-L870, SGH-G810, SGH-i560, SGH-i550, SGH-i450, SGH-i400, SGH-i520, SGH-D730, SGH-D720

Panasonic: X800, X700

Lenovo: P930

Siemens: SX1

Recently people have been receiving a message in Twitter that says something like

hey! check out this funny blog about you…
hxxp://t w i tter.access-logins..com

The link takes you to a page that looks a lot like the Twitter login page. If you try typing in your Twitter username and password it records it in a private database. Later someone will log into your Twitter account using your password and start sending out message like the one above.

Many people have one password for many sites, so once they have your Twitter account they could later try other services (e.g. Facebook).

If you use Twitter and see the above message just ignore it. Don’t click on the link.

Some web browsers (such as the latest version of FireFox and the latest version of Opera) will now detect this fake site and show you a large warning. A good antivirus package will also detect these sites and block them.

And if you think you’ve already fallen for this change your passwords.

This one of those legal spyware programs I mentioned recently. Mobile Spy is used to secretly record SMS and calling data on a phone. It already existed for Symbian and Windows Mobile phones – now it’s available for iPhones.

They claim it runs in a stealth mode to make it difficult to detect. It silently records all SMS text messages and information about all calls. It then uploads this information to a private account on the web.

Apparently future versions of this program will also capture GPS information and details of any emails sent or received.

Why is this legal?

I can’t really comment on the legal side, and it would be different in each country. The company that makes it, Retina-X Studios, is selling this product to worried parents or employers to monitor their children/staff.

How is it installed?

Someone has to have physical access to the iPhone to install it. They need to purchase the program (US$99), and it seems the phone needs to be "jailbroken" – a hack that voids the phone’s warranty.

How can you prevent it?

Firstly, don’t lend your iPhone to people or leave it lying around.

I’m not aware of any anti-virus programs for the iPhone that detects this yet but I have my bets on F-Secure, they’re fully aware of what’s happening here. I’ll post an update when something new comes up.

Microsoft’s Internet Explorer is used by over 500 million people (all Windows PCs have this). A vulnerability was recently discovered and today Microsoft has released a patch to fix it.

It’s important for everyone to apply this patch (Windows users only). Run Windows Update to receive the new patch, or if your PC is configured to update automatically just follow the prompts that will appear today.

The vulnerability is activated when you visit a web site that’s been hacked. So far 10,000 hacked web sites have been discovered that will use this vulnerability to install malware on the PC viewing it.

The odds of infecting your PC from browsing innocent web pages are fairly high so apply the patch now. If you need help Microsoft’s security page has some useful links, http://www.microsoft.com/australia/security/default.mspx

Can you get a virus by opening a .DOC file? How about .RTF or .WRI? Yes, even if you don’t have Word installed.

On Windows these files are traditionally opened by Microsoft Word, and if you don’t have Word installed Windows uses WordPad to open these files.

A new exploit has been found that attacks WordPad. This affects most Windows users, in particular those who don’t have Word or Office installed.

How it works:

• You see a link to open a document, or you receive an email with a document attached.
• You open the file (the file name ends with .doc, .rtf, or .wri)
• It opens a connection across the internet for a hacker to log onto your computer
• The malicious hacker can do anything from your computer, such as installing more malware, using your computer to commit other crimes, or just watching what you do on your PC.

What you can do to avoid this:

• Perform regular Windows updates. Microsoft will be publishing a patch to fix this problem soon.
• Use a good anti virus package. This attempts to prevent you from downloading infected files.

Microsoft has published a document on this vulnerability here.

Anti-Malware Toolkit is a package produced by Lunarsoft. It helps you download 37 different tools you can use to protect your PC from all kinds of malware. A few of the tools it can install are quite useful, such as:

Spyware Blaster, CCleaner, RogueRemover, SUPERAntiSpyware, Malwarebytes, Spybot, Hijack This

I’d recommend this to more experienced PC users. General users are better off investing in commercial products, such as Trend Internet Security (there are a few good packages out there, Trend is just one). I say this because commercial products do most of the thinking for you and for a lot of people security is better this way.

The Anti-Malware toolkit can be downloaded from Lunarsoft’s site: http://www.lunarsoft.net/downloads

Note that it’s for Windows computers only.

One of the best things you can do to avoid falling victim to malware is to use an alternative browser.

Microsoft’s Internet Explorer (IE) is very popular. Not long ago almost everyone used IE, it comes setup with almost every new PC sold (Windows PCs). And malware writers targeted IE because they could attack a majority of users just by concentrating on exploiting one browser. You could call it tall poppy syndrome.

Today Firefox is extremely popular. It’s gone from a small minority of people using it to an amazing 44% (depending on which statistics you read – I used this one). This makes for a fairly large demographic, and malware writers are taking notice.

There’s a new trojan that hides in a Firefox add-on. Once installed it waits for you to go to an online banking site. When it detects that you’re using online banking it starts recording your actions (account details, your password). Then it sends this off to cyber criminals who auction off your details and eventually someone can log into your online banking and transfer money. This isn’t good.

There are a few things you can do to avoid this:

• If you want to install an add-on for Firefox, make sure you get it from a well known site. This is the official Mozilla site for Firefox add-ons: https://addons.mozilla.org/en-US/firefox/
• Use a good anti-virus package (it’s a small investment you make to protect your PC). Make sure it’s kept up to date.
• Once a web browser becomes too popular it’s time to start looking at less mainstream alternatives. At the moment you should consider Opera, Safari and Chrome (these are available for all the popular platforms)

In summary, Firefox is a very secure browser. It’s also fast and powerful, explaining why it’s become so popular. You just shouldn’t take its security for granted. Most malware infections happen when users are tricked into clicking something they shouldn’t have.

A keylogger is a small program that sits on your PC quietly capturing each key you press on your keyboard. It either logs each keystroke to a file, or sends it off somewhere on the internet.

It’s used to spy on people. By capturing keystrokes your login and password can be revealed, as well as other confidential information. And usually they’re what’s known as “stealthy” programs – most of the time you wouldn’t know it’s there.

Where do they come from?

There are quite a few keyloggers available. Most are written by hackers (the bad kind). A few are written by commercial software companies (more on that below). 

Are they legal?

Usually no. They’re used as spyware to capture your passwords which is illegal in most places.

How can you detect them?

Use a good anti-spyware program. Most antivirus packages come with this feature these days, others are available separately. There are free ones too. Search Google for current a list.

But there’s another kind of keylogger that you can’t detect this way. You can buy a little plastic device that plugs in between your keyboard and your PC. Since it’s directly connected to the cable hanging off your keyboard it can detect every key stroke and record it. Someone has to have physical access to your PC to install it (and to later remove it). You need to look at the back of your PC where the kayboard plugs in to detect it. Search here for a list of these devices.

News

Recently a US court has looked at a commercial keylogging company called CyberSpy and decided it’s illegal. They’ve ordered CyberSpy to stop selling their software (called RemoteSpy). Unfortunately there are too many alternatives for people keen on spying and stealing passwords. More on this here.

Here’s an interesting use of technology to copy someone’s keys (the metal kind that opens doors). It works with someone taking a hi res photo of your keys, then enhancing the image enough to make a template for someone to cut a copy of a the key.

What kind of photos will work?

Useful photos can be found on photo sharing web sites (such as Facebook or Flickr). This is a passive way for someone to find an image of your keys.

Another tactic is for someone to target you with a camera phone, taking photos of your keys while you hold them. Or with a camera and a telescopic lens, from 200 feet away as the article below suggests.

This isn’t really a new trick, but the software to do all the hard work is new. Technology like this only gets better so it’s time to learn how to protect yourself.

Some tips:

• If you upload photos showing your keys then take the time to blur the keys first. This is similar to how you would blur your car number plate, or a credit card
• Don’t display any keys in public. It wouldn’t be hard to obscure them with your hands
• If you have a choice (such as when purchasing a car) opt for something that uses RFID chips embedded in the keys (many cars have this these days)

Read more about the technique here, and read the full paper here.

There was a media announcement recently from a Russian company called Elcomsoft claiming to be able to crack WPA encryption. What’s this about and how does it affect you?

WPA is the preferred encryption for wireless networks, the kind you probably have at home or in the office. Here’s a quick recap of where WPA fits in:

• WEP – the old wireless security option. This is useless, it provides no real security.
• WPA – this replaced WEP. Some old devices didn’t support it but most new ones do. WPA is good, highly recommended.
• WPA2 – this is better than WPA

So what did Elcomsoft do?
They developed a way to speed up the time it takes to crack WPA and  WPA2 encryption. Here’s a short summary:

• If you use a short password, say 10 letters long, it used to take 579,000 years to crack. With this new technology it would now take 5793 years, or 5 years if they purchase 1000 of these machines dedicated to hacking into your wireless network (at a cost of over $1m of hardware).
• If you use a good password, e.g. 20 characters long, will now take 10,000,000,000,000 years to crack, or shorter if you have thousands of computers working together on this.

In other words the article is mostly hype. Making something 100 faster doesn’t mean much when we’re talking about trillions of years.

The short version is: use WPA/WPA2 and a long password when configuring your wireless network. Use at least 20 characters.

Further:
What I’ve written above applies to small networks such as home or small offices. For large networks you should be using a technology called Radius together with WPA, this is much more secure, extremely hard to crack, and of course more complicated and expensive to install and maintain.

Tuesdays are when Microsoft publishes patches to their software, and today they’ve published quite a few (if you use Windows then you should be installing the patches today). 

However today there’s a malicious email being sent around that looks like it came from Microsoft (it’s actually fake). The email tells people about the patches and has a file attached. 

The attachment isn’t really a Microsoft update, it’s actually a trojan that installs something on your PC that lets hackers log into it, without you ever finding out. You really don’t want this kind of thing installed on your PC.

The email has a few features designed to convince people that it’s genuine, such as a PGP signature at the end, and the fake sender address.

The subject of the email is:

Security Update for OS Microsoft Windows

If you see this just delete it. You should also have a good spam filter for your inbox – email services such as Gmail do a good job of this. For businesses it’s a little more complicated and even more important. You should also invest in a good antivirus package, one that checks everything and downloads updates at least once a day.

And remember to never trust attachments you unexpectadly receive(you didn’t ask Microsoft to send you an attachment, so why would they really do this?)

A rather serious exploit has recently been discovered.

It’s called ClickJacking. The problem is in Adobe’s Flash player, which just about everyone in the world has installed (sometimes without even knowing it). 

The vulnerability makes it possible for someone to control your computer’s webcam or microphone, lettting other people spy on you. It’s a serious problem.

Who’s at risk?

Anyone who has Flash version 9.0.124.0 or earlier is at risk. This includes Windows, Mac, and Linux users, and FireFox, IE, Safari, Chrome, and Opera users (does this list include you?)

What can you do to protect yourself?

Adobe is publishing a fix very soon and the best thing to do is to upgrade to the latest version of  Flash. Flash should prompt you to download an update – say yes to this. Otherwise download the latest version from Adobe’s web site.

If for some reason you can’t update Flash on your PC there’s another way to protect yourself (this is a last resort tactic, updating Flash is much safer). The workaround is to set the Always Deny option, as detailed here on Adobe’s site.

Further info:

Someone has gone to the trouble of setting up a sample of how the exploit works and recorded a video to demonstrate. Play the YouTube video in this article.

Here’s what happens when you don’t take proactive steps to secure your wireless router (or wireless network). Recently there were a series terrorist bomb attacks in India, and threat emails were sent by the terrorists. 

The source of the emails were traced and they came from the home of an innocent family in Mumbai (India). The terrorists had used their unsecure wireless network to gain access to the internet and do their thing. The residents said,

“We did not feel the need to secure or password-protect our internet connection. But now it has become a necessity for all citizens to secure their connections”

This stuff really happens, read the full article here.

So how do you secure your wireless router? What other consequences can you face for leaving it unsecure? Read our previous article. In fact, use the search box on the top right of this site and search for “wireless” – there’s a lot to learn about wireless security at home and in the office.

Keep in mind that when you buy new (or old) wireless equipment such as a wireless router, the security settings are almost always set to the most insecure options. That’s crazy, but manufacturers think that turning on security by default makes it too hard for people to install these things. Maybe, but most people are lazy and don’t turn on the security features, putting them at risk of being hacked or involved in serious crime.

A lot of web sites these days have a question & answer system as a backup to your password. The idea is that if you forget your password you’ll be prompted to answer a private question.  Assuming you’re the only one who knows the answer to this private question it’ll give you a password to log into the website.

It’s really a second password in case you forget the main password. And it’s not very secure. Let’s look at why.

Your web site password could be anything. If you use a common word then there’s approx 1 in 100,000 chance of someone guessing it (this is actually pretty poor). If  you make up a password that couldn’t possibly exist in the dictionary, e.g. by adding a random number at the end, misspelling words, etc, then the chances of guessing the password are much lower, one in millions or billions. This is good.

Now if you have to provide the name of your pet, school, or mother’s name as a password, the choices are very limited. There aren’t billions of popular pet names, there’s only a handful.

For someone to guess the answer to this question is much easier than guessing a real password. And if someone was to do a little research on you it could be possible to find this out. 

My suggestion is that you don’t use these password recovery options. When signing up to a service and you’re prompted to enter some personal details, enter random characters instead. Go crazy bashing keys on the keyboard, use something like iojxcnmvaioasflseqq. The idea is that no one could possibly guess the answer, including yourself. Then write down your real password and keep it safe.

I’d also like to add a bit about someone that recently had her private question (backup password) guessed by a random stranger.

Her name is Sarah Palin. Someone wanted to read Sarah’s Yahoo email and instead of trying to guess a password they just tried guessing a private question, and got in. This was recently publicised. It isn’t really hacking, someone just did some research and guessed correctly.

The results were disastrous – Sarah Palin is a US governor hoping to be a vice president, and there were sensitive documents in her emails that were then leaked to the internet. 

There’s a lesson here for everyone, including web site developers. Don’t use these private password questions, it’s the weakest link into web services.

The current version of the iPhone has a little security flaw. The password feature that’s built into the device can be easily bypassed by following a few steps. Apple has confirmed the problem and promised to fix it in September.

This affects iPhones version 2.0.2 (the ones available today).

Here’s how it works:

1. Password protect the phone and lock it
2. Slide to unlock it
3. Tap the emergency call button
4. Double tap the home button

Done, anyone can now access the favourites list in the phone, the full address book, and dial any number including voicemail. It also lets anyone see private information stored against a contact, full access to the email client, and they can gain access to the Safari web browser (if there’s a web address stored against a contact).

For iPhone owners there’s a way to prevent this from happening, protecting the phone from being used if it’s lost while locked:

1. Go to the Home page on the iPhone
2. Go to Settings
3. Click on General
4. Click on the Home button
5. Click on either Home or iPod

ZoneAlarm has been making security products for a number of years and they have a good reputation. I don’t have the resources to review or evaluate security products so I tend not to make specific recommendations (but I do recommend that you should invest in a good antivirus package).

For one day only ZoneAlarm has made their ForceField product free to use for one year. It blocks phishing sites (this is a good thing), blocks keyloggers, and has a host of other interesting security features.

If you don’t already have a security package that does everything (and why not?) then try this one out. As I said, ZoneAlarm has a good reputation for this kind of thing and “free” is a good price. Note that they ask for your name and email address.

Link: http://download.zonealarm.com/bin/free/sum/index.html – click on the red button.

More info about ForceField here.

Update: This offer has expired. Good computer security is very important (read some of the pages on this site to find out why) and it’s definitely worth paying for good software that keeps you safe. You should be using a package that constantly scans your PC for malware (viruses, trojans, etc), scans all web pages and updates itself daily. It’s a very good investment.

Trend Micro make some good anti-virus and anti-spyware tools. One of their tools is called iClean. Unfortunately someone has created a fake copy of one of their websites that will install malicious code on your computer (in this case they’ve copied the Taiwan version of their site).

So which is the real one and which are the fake ones?

Real Trend Micro Site:

• Anything that ends with .trendmicro.com, e.g.

• http://tw.trendmicro.com/tw/products/enterprise/wtp/index.html
• http://www.trendmicro.com/

Fake (malicious) sites:

• hxxp://www.update-windows-microsoft.com/

These tips will help you avoid this problem, and similar threats:

• Companies don’t usually send free applications directly by email. You would normally go to their web site to download it.
• Have a good anti-virus / anti-spyware installed, one that is updated daily so it can protect you from new threats.
• Pay close attention to a web page’s address.

Virus writers have been sending emails with a story that use the following words, hoping to get people interested enough to click on the links:

• Facebook
• Terrorists
• FBI

The exact story they came up with doesn’t really matter. If you click on the link it tries to download a file called fbi_facebook.exe. This is the part that installs the virus on your PC.

Always be wary of sensational stories arriving by email (they’re almost always malicious). And be extremely wary of any links that try to download something that ends with .exe

Gmail has a new feature to always encrypt connections. It’s always been possible but not everyone uses it.

What’s encryption? Say you’re at work (or at school, or at a library or an internet cafe) and using a computer to read Gmail – it’s technically possible for someone to monitor everything going out to the internet. Encryption protects your privacy in this situation, making it difficult for someone to monitor your internet usage.

How do you use it? Inside Gmail go to the Settings menu. You get the following options:

1. Always use https (select this option to use encryption)
2. Don’t always use https

Pros:

• It provides a good level of privacy, especially if you’re using someone else’s network. This is great for public networks (e.g. libraries), offices, and internet cafes.
• It’s easy to use. Just turn it on, never think about it again.

Cons:

• It slows Gmail down a bit (every single part of your Gmail emails needs to be encrypted then decrypted, this takes a small amount of time).

I strongly encourage you to use this feature. Every little bit of additional security helps, especially when it’s so easy to use.

Note that using this form of encryption only protects your privacy between the computer you’re using and Gmail. Emails were never meant to be secure or private.

In December last year I wrote about Germany’s police wanting to install spyware on people’s computers when they deem it necessary. The legislation has now been approved, at least  in the German state of Bavaria.

What this means to you:

If you live in Bavaria, either as a resident or as a visitor, keep in mind that authorities can now legally install spyware on any computer you use if they suspect you of being a terrorist, or posing other serious criminal threats. This sounds fairly general and could apply to a lot of situations.

If the police can’t install spyware on your computer remotely they also have the authority to enter your premises and install the spyware directly onto any computers you use.

No judicial warrants are required.

So if you have any data you wish to keep private (assuming you have a perfectly legitimate reason to do so) you’ll have to start being creative. You could take your business elsewhere, be paranoid about what computer or operating systems you use (hint: popular systems are usually easier targets), and keep informed on the latest computer spying and hacking techniques.

This article’s aim is to raise awareness that governments can and do spy on people’s computers.

More information here.

Some emails have been seen with headlines such as:

• World War III has started
• US has invaded Iran

The email looks like it has a link to a video.

In the background it installs a variant of the Storm trojan, probably the most widely spread and malicious trojan to date. Your PC will then be under the control of others without your knowledge. It’s bad. Estimates vary but there are between 1 million and 10 million PCs in the world that are currently under the control of Storm.

So don’t open this email. At this time Iran has not been invaded (and hopefully no country ever will be). Delete it, and let others know.

Yahoo owns some technology called DomainKeys that can verify the sender of some emails. One thing it can do is recognise real and fake emails from eBay and PayPal. This is good because quite a few phishing emails claim to be from eBay or PayPal, intended to trick people into providing their login details.

Google has just implemented the technology for Gmail. So if safe email is of concern to you, your best bets are to use either Yahoo or Gmail for your emailing.

More technical information here.

TrueCrypt is an encryption program we wrote about earlier. It lets you do things like "whole disk encryption" (good for people who carry around laptops full of confidential files), and other encryption functions.

Version 6.0 came out a few days ago. It’s open source, meaning everyone is free to review the source code. It’s available for Windows (Vista, XP, 2000), Mac OS X, and Linux.

http://www.truecrypt.org/

Gmail has a new security feature. If you log into Gmail more than once (at the same time) it now tells you. Then it’s up to you to decide if you did this intentionally or if someone has stolen your account details.

At the bottom of your inbox is a summary of the last activity and whether it’s open from another location. Then clicking on the Details link shows more details on all your connections.

Another amazing statistic – across 46 states in USA there were more than 630,000 laptop computers reported lost in the past year. That’s more than 12,000 a week. And when you consider that most people still keep documents on their laptop computer when they travel they haven’t just lost a piece of hardware, they’ve potentially lost control of private and confidential documents.

What can you do?

Laptops can be insured. Anyone who carries a laptop around for work would have it insured, it’s just a cost of doing business. Nothing new here.

As for the documents stored on them, delete them before you travel!. If this sounds extreme then you need to wake up and realise what’s happening in the world.

At many airport security checkpoints customs officers now have the authority to look at the contents of your laptop’s hard drive before they let you board the plane or enter a country. And they don’t always just "look" – sometimes they make a copy of your hard drive so they can look more closely at a later time. Is this legal? Yes, in some places (including most US airports today). Read more about this in this article.

So you now have two reasons to delete all documents from a laptop before travelling:

1. You could lose your laptop (like 630,000 other people each year in one country alone).
2. You could be asked to hand over your laptop’s data to customs officers.

What a lot of large organisations do these days is hand their employees "clean" laptops that have no documents on them. Employees are given VPN access, so when they arrive at their destination they can access their office network and carry on with their regular work. If you’re new to the concept of a VPN read our previous article on its benefits. Another trick is to carry your files on a USB flash drive, and hide it in your wallet or luggage. This could be encrypted as well for security, in case you lose it.

Whole disk encryption is another technology that can help you with lost laptops. Whole disk encryption makes the entire contents of the laptop useless without a password. There’s no known way to recover the data. There are still two risks with this method:

• You need the support of your IT department to ensure your organisation can restore your data in case you lose the password. Encryption management is not difficult for IT departments. For individuals it can be a burden.
• If customs officers insist on seeing the contents of your laptop’s files you need to hand over the password, and they get to read and even copy your files. This is legal in most western countries, it’s not enough to tell them you forgot the password.

Now if you’re thinking that your laptop needs a password to startup and that this is enough to stop people, remember that the files on your laptop’s hard drive can be copied without a password. You just need to pull out the hard drive (easy to do with laptops). Whole disk encryption is the only effective password protection for laptops.

And while we’re talking about travelling now’s a good time to remind you not to trust free or hotel wireless networks. You never know who’s monitoring the network traffic (read our previous article on this).

Read the study on lost laptops here, sponsored by Dell.

So in summary:

• Insure your laptop to recover the cost of the hardware and software
• Delete all files from the laptop before you travel. Use another technique to gain access to them when you arrive (either a VPN or a hidden and encrypted USB flash drive).

If you use Window XP or Windows Vista, Microsoft has a tool that could be useful to some people. It’s meant more for shared computers, or for any PC that’s at greater risk of infection.

What it does is fairly simple. Every time you reboot the PC, Steady State will restore it to how it was before. So no matter how many viruses, spyware and adware you end up accidentally installing. it becomes fresh and anew.

You need to install it and set it up correctly, and for most people it might be a good idea to get some advice from someone who’s IT savvy, just to make sure you take full advantage of this great tool.

Best of all is that it’s free, as long as you have a genuine Windows XP or Vista license.

While you should still be responsible with how you use a computer, what you download and which web sites you visit, this tool is great tool for certain people.

More info and a download link here.

Microsoft has just released June’s lot of Windows patches for XP and Vista. Among the latest patches is one to fix a vulnerability in the Bluetooth stack.

If your computer uses Windows XP or Vista and it has Bluetooth then you need this patch. If your computer doesn’t automatically download and install patches you’ll need to go to Internet Explorer, go to the Tools menu and select Windows Update. Until then you should turn off Bluetooth, otherwise someone could take control of your computer.

Bluetooth has always had security problems from the start. There have been a few fixes along the way but overall it’s an insecure technology.

Technical details about this patch here.

Recruitment companies receive a lot of resumes in Word format, as you’d expect. But it seems that there’s a growing trend of these Word files being infected with some type of malware. Often there is automated software at recruitment companies to forward the resumes to their clients without scanning them for malware.

Hackers have caught onto this and are targeting these companies. They’ve been sending resumes (probably not their own) with backdoor trojans embedded in the document. This gives them a chance to gain access to these networks.

If your work involves receiving many Word documents from the general public put in place a plan to screen these for known malware, and to limit the damage they can do if a new (unknown) trojan gets through. Most security specialists can help with this.

This week everyone’s been talking about a new flaw in Flash that can be exploited to run malicious code on your computer. After a few days of media frenzy Adobe has released a fix for it.

If you use Windows then download the update (this includes users of FireFox, Opera and Internet Explorer). Link here.

The fixed version is 9.0.124.0. If you’re keen you can read more about the vulnerability here.

An interesting study on orphaned accounts has found some serious security holes.

An orphaned account is when someone leaves an organisation and their network account remains active, instead of being disabled (locked). In a lot of cases those people who have left could still log onto their previous employer’s network and access files and services.

The study found that 27 percent of people reported that they had more than 20 orphaned accounts on their system. If everyone did their job well ideally it would be 0.

38 percent of people said they had no way of knowing if a terminated employee had logged into their system. Security auditing is very important and not very difficult, without it IT managers won’t know who’s doing what on their network.

In other words, in about 27% of companies if someone left they could still log in from home, copy files, send emails, and otherwise use the system the same as when they were officially employed. And in 38% of cases nobody would ever find out.

So how long should it take to terminate an account? Accounts should be disabled at the end of the employee’s last day and not a moment later. In some companies there’s so much bureaucratic admin that, according to the above article, it ends up taking 3 days to a month to do this. Shocking.

It’ an organisation it should be everybody’s responsibility to protect the network and all private data. If your organisation is slacking in this area say something about it.

SSH is used to establish secure connections across the internet. For example a lot of people use SSH to connect to their servers because of the good security it provides. Lots of people trust it and rely on it.

In the past week there has been a large increase in the number of brute force attacks against SSH. What’s a brute force attack? It’s when someone writes a program that starts guessing passwords. It’ll keep trying to guess passwords all day and all night without rest until it finds something that works. The smarter brute force attacks do this slowly so that servers don’t lock the account in defense.

To increase a hacker’s chances of finding the right password these brute force programs use a dictionary and try to guess common words first. Then they try combinations such as replacing o’s with zeros, or putting a 1 at the end (have you ever done this with passwords?). So if your password is based on a word found in the dictionary it’ll be amongst the first ones tried.

The best defence against brute force attacks is to use a complicated password. Complicated passwords can take years to guess, simple passwords can take seconds to guess. Read here about how to evaluate the complexity of a password. And if remembering complicated passwords is a challenge then you might need a password safe.

So back to SSH. If you manage a server and use SSH to connect to it, have a look at the logs. Other people have reported a 5-10 times increase in the number of SSH attempts on their servers. Make sure your passwords are complicated enough to resist brute force attacks. Consider editing firewall rules to limit the entry points into your network. And make sure everything is patched including routers and firewalls. See this article for further information on these attacks.

And for everything that’s still wondering what SSH is, don’t worry about the jargon. Just realise that people can and do try to guess passwords.

Some companies have started testing their employees on how they respond to phishing attacks.

A company called Intrepidus Group has a system whereby they basically send your company’s staff spam, testing them on how they respond to it. The system can even concentrate spam on people who are ore susceptible to clicking on links.

The system sends results back to the tester on who clicked on the emails, what data they entered in (e.g., their name, credit card numbers, etc).

So the next time you see an email that doesn’t look quite right, and has links to external sites, think hard whether it’s real, spam, or this new kind of "ethical" spam.

The company’s web site explains it better, http://phishme.com/