What is TinyURL and how does it affect internet security?

TinyURL is a web redirection service. Its main purpose in life is to make long URLs short (a URL is a web “address”). Here’s an example:

Sometimes you end up with a long URL such as: https://fraudo.com/2009/03/19/does-windows-safe-mode-protect-you-from-malware/

TinyURL can shorten this address for you. Try clicking on the following address: http://tinyurl.com/dfwohy

You’ll notice it takes you to the same page as the first link, but it’s much shorter to write. And why would someone want a short URL? Marketing people would argue that short URLs are easier on the eyes. And sometimes there are technical reasons – for example, Twitter only supports short messages so it’s normal to shorten URLs.

So what’s the risk?

If you receive an email from some company telling you to click on their link, and if you notice their link goes to a Chinese or Russian web site, you’ll be suspicious and you won’t click on it. And if you have a good anti-virus package installed it can detect the links and warn you before you click on them.

However, if the email’s links point to TinyURL you have no way of knowing if it’s legitimate (actually there is a way, keep reading). Maybe it goes to the company’s real site, maybe it goes to a hacker’s. You won’t know until you click (and usually once you click it’s too late).

Do legitimate companies really use TinyURL? Unfortunately yes. Marketing people write these newsletters, not their IT security people.

What about Twitter? Almost everyone on Twitter uses a service such as TinyURL to shorten addresses they share. When you click on these you’re taking a chance.

TinyURL isn’t the only redirection service. Here’s a list of the popular ones:

  • tinyurl.com
  • bit.ly
  • budurl.com
  • eweri.com
  • hex.io
  • idek.net
  • is.gd
  • poprl.com
  • snipr.com
  • twurl.nl
  • ub0.cc

Notice how many there are? Shortening URLs has become a popular thing to do. Also notice that international domain names are popular here, such as .io and .ly.

So what can you do?

  • Use a good web browser. In a recent hacking competition Google’s Chrome was not hacked, showing that at the moment it’s a good choice.
  • Use a good anti-virus package that also scans web pages.
  • Be cautious of shortened URLs; realise that you’ll be redirected to a different place.
  • You could ask companies such as TinyURL to scan all their links but that’s not going to happen, they don’t see it as their job.
  • You could boycott all shortened URLs. That’s easier said than done and it’s not very realistic.
  • And finally, the best way to protect yourself from this is also the most troublesome, so I’ve left it to last. Services such as TinyURL do give you a tool to test a link before you click on it.

TinyURL’s Preview Feature:

TinyURL has a preview feature. It’s a good security decision to turn it on. It’s an inconvenience if you enjoy clicking on unknown links but it’s a smart move. Click here to turn on their Preview feature: http://tinyurl.com/preview.php?enable=1

Then when you click on an unknown TinyURL link, it will show you where you’re about to go. You still have to be careful about weird Chinese and Russian sites that might be hacked but at least you’ll have enough information to make that decision.

It’s not a foolproof system though. Even if you’ve enabled Preview there might be times where it doesn’t work. That’s just the way computers work, it’s technically complicated. And enabling Preview on TinyURL doesn’t help you with all the other services I listed above. There are just too many of them at the moment.
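For readers comfortable with a little scripting, here is an added example (not part of the original post) that does what Preview does for any of the services listed above: it spots shortened links in a message and asks the shortener where each one points by reading the redirect's Location header, without ever contacting the destination. The function names and the sample message are assumptions made for illustration; the canned redirect reuses the article's own tinyurl.com/dfwohy example so the block runs offline.

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit

# Shortener domains copied from the article's list.
SHORTENERS = {"tinyurl.com", "bit.ly", "budurl.com", "eweri.com", "hex.io", "idek.net",
              "is.gd", "poprl.com", "snipr.com", "twurl.nl", "ub0.cc"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
REDIRECT_CODES = {301, 302, 303, 307, 308}

def is_shortened(url):
    """True if the URL's host is one of the listed redirection services."""
    host = (urlsplit(url).hostname or "").lower()
    return (host[4:] if host.startswith("www.") else host) in SHORTENERS

def find_short_links(text):
    """Pull shortened links out of an email or tweet body."""
    urls = (u.rstrip(".,;:!?)") for u in URL_RE.findall(text))
    return [u for u in urls if is_shortened(u)]

def head_no_follow(url, timeout=5):
    """One HEAD request to the shortener; returns (status, Location header)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def reveal(url, fetch=head_no_follow, max_hops=5):
    """Query only shortener hosts, so the destination is reported but never visited."""
    chain = [url]
    while is_shortened(chain[-1]) and len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain

SAMPLE = "Newsletter: http://tinyurl.com/dfwohy. Unsubscribe at https://example.com/unsub"  # constructed
CANNED = {"http://tinyurl.com/dfwohy":  # canned reply built from the article's example
          (301, "https://fraudo.com/2009/03/19/does-windows-safe-mode-protect-you-from-malware/")}

if __name__ == "__main__":
    for link in find_short_links(SAMPLE):
        print(" -> ".join(reveal(link, fetch=lambda u: CANNED.get(u, (404, None)))))
```

Calling reveal(link) without the fetch argument sends a real HEAD request to the shortener. The last entry in the returned chain is the address to inspect before deciding whether to open it.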

If you’ve read this far you’ve done well. Being aware of the dangers gets you half way to being secure.

Update (19 July 2011):

Google has a new URL shortening service called g.co. For now their plan is to use it for official Google sites and applications. So shortened URLs beginning with g.co should be considered safe and legitimate for now.

Does Windows Safe Mode Protect You From Malware?

Windows has something called "Safe Mode". You usually see it when you don’t shut down Windows properly, then when you restart you’re prompted if you want to start in safe mode.

So what is safe mode? It’s basically Windows without all the frills, very simplified. It’s intended to help techies fix problems if Windows is broken.

There’s also an assumption that malware can’t hurt your computer if you start it in safe mode. This has been proven to be a false assumption. Malware can still run in safe mode.

To be protected from malware you need some common sense (you’ll get plenty of that from this site), and having a good anti-virus helps.

Twitter “Don’t Click”

Just recently something happened: people using Twitter started seeing messages saying "Don’t Click". Most people are curious so they clicked. The link had an iframe with some hidden code that sent a Twitter message using your account, telling others not to click. Technically this is a virus because it propagated through a network.

The result was that a message saying "Don’t Click" quickly spread through Twitter. No harm was done. But it could have been harmful. Whoever came up with the idea managed to get lots of people to click on an unknown link, and it could have had malicious code on it.

Twitter says they’ve fixed the problem that made this possible. But it highlights a problem with Twitter, that people are seeing links they don’t understand and are clicking on them.

More info here.

Paper Fliers Spreading Malware

Here’s something new. In North Dakota, USA, pieces of yellow paper were placed on the windshield of parked cars with the following text printed on them:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to website ….

The website that was printed tells people they need to download a program called PictureSearchToolbar.exe. This program then downloads malware onto people’s PCs. The malware can change but at the moment it tells people their PC is infected and asks them to download more malware.

This is a new way to trick people into downloading malware.

You can avoid these tricks by being cautious about what you download. The rule of thumb is that you never need to download anything to view a picture or video on the internet, unless you either know what you’re doing or really trust the company giving you this information (e.g. if you’re using Windows you could trust Microsoft since they made the operating system you’re using).

You can also install a good anti-virus package that scans web pages. This needs to be updated daily which generally means you need a paid subscription. It’s a good investment.

Buying Free Software

Recently some people have been tricked into paying for OpenOffice.

OpenOffice is a free alternative to Microsoft Office. You can download it for free from here: http://www.openoffice.org/ . Don’t download it from anywhere else other than the official site.

If anyone asks you to pay for this then they’re trying to cheat you. There’s no reason to pay for the software, and there are no subscriptions you need to use it.

Disclaimer: while the software is free for anyone to download and use, you need to have an internet connection, and most people pay for their internet. This is just common sense. If this is a problem, sometimes computer magazines download it for you and put it on a DVD bundled with the magazine. Again the software is free but you have to pay for the magazine. This too is common sense. And it’s completely legal to copy it from someone else.

In-Session Phishing Attack

A new way of stealing internet banking passwords has been discovered. Here’s how a victim would see it:

  • You’re reading a few web pages on the internet. One of them is infected with some malicious code – you don’t know.
  • You log onto your normal internet banking site.
  • The malicious code on the other site detects that you’ve logged into internet banking.
  • The malicious code brings up a window asking you to type in your internet banking password again, giving you some excuse as to why you have to log in again.
  • The malicious code sends your password to a 3rd party who uses it or sells it to someone who will.

How can this happen?

I won’t go into the technical explanation, suffice it to say that most browsers will trust and run code under certain conditions, and hackers have discovered how to exploit those conditions.

It works because it knows what banks to look for and won’t do anything until you log into your internet banking. So to a casual person it sounds plausible that they need your password again.

What can be done to prevent this?

  • When you use internet banking close all the other tabs you might have open. Just keep the internet banking page open by itself.
  • If you get a popup window to enter your password again you need to decide if the popup window is really from your bank:
      • Does it look the same as your normal login screen?
      • Is there a good reason why you have to enter your details again? (e.g. if you don’t use the internet banking page for 10 minutes it might time out, but otherwise it shouldn’t have timed out)
      • Does it have the SSL icon? This is often a padlock icon on the top right corner, if you click on it it should identify your bank.
  • Use a good antivirus package that scans web pages. This isn’t 100% reliable but it will protect you from most malicious sites.
  • A more extreme measure is to walk into your bank’s branch and use their computers to do internet banking. This is ok, it’s just very inconvenient.
  • This is also a good time to remind you not to do internet banking from public computers, such as an internet cafe, a public library, etc. You need to trust the computer you’re working on.
  • The makers of web browsers (Microsoft, Mozilla, Google, etc) need to address this issue. When they do it’s up to you to update your browser to the latest version. Then this particular problem will go away.

    Below is a press release from a banking security company offering more information on this type of attack.

    http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf

    Multi Function Anti Malware Toolkit

    Anti-Malware Toolkit is a package produced by Lunarsoft. It helps you download 37 different tools you can use to protect your PC from all kinds of malware. A few of the tools it can install are quite useful, such as:

    Spyware Blaster, CCleaner, RogueRemover, SUPERAntiSpyware, Malwarebytes, Spybot, Hijack This

    I’d recommend this to more experienced PC users. General users are better off investing in commercial products, such as Trend Internet Security (there are a few good packages out there, Trend is just one). I say this because commercial products do most of the thinking for you and for a lot of people security is better this way.

    The Anti-Malware toolkit can be downloaded from Lunarsoft’s site: http://www.lunarsoft.net/downloads

    Note that it’s for Windows computers only.

    Keyloggers

    A keylogger is a small program that sits on your PC quietly capturing each key you press on your keyboard. It either logs each keystroke to a file, or sends it off somewhere on the internet.

    It’s used to spy on people. By capturing keystrokes your login and password can be revealed, as well as other confidential information. And usually they’re what’s known as “stealthy” programs – most of the time you wouldn’t know it’s there.

    Where do they come from?

    There are quite a few keyloggers available. Most are written by hackers (the bad kind). A few are written by commercial software companies (more on that below). 

    Are they legal?

    Usually no. They’re used as spyware to capture your passwords which is illegal in most places.

    How can you detect them?

    Use a good anti-spyware program. Most antivirus packages come with this feature these days, others are available separately. There are free ones too. Search Google for a current list.

    But there’s another kind of keylogger that you can’t detect this way. You can buy a little plastic device that plugs in between your keyboard and your PC. Since it’s directly connected to the cable hanging off your keyboard it can detect every keystroke and record it. Someone has to have physical access to your PC to install it (and to later remove it). You need to look at the back of your PC where the keyboard plugs in to detect it. Search here for a list of these devices.

    News

    Recently a US court has looked at a commercial keylogging company called CyberSpy and decided it’s illegal. They’ve ordered CyberSpy to stop selling their software (called RemoteSpy). Unfortunately there are too many alternatives for people keen on spying and stealing passwords. More on this here.

    Key Duplication

    Here’s an interesting use of technology to copy someone’s keys (the metal kind that opens doors). It works by someone taking a hi-res photo of your keys, then enhancing the image enough to make a template for someone to cut a copy of the key.

    What kind of photos will work?

    Useful photos can be found on photo sharing web sites (such as Facebook or Flickr). This is a passive way for someone to find an image of your keys.

    Another tactic is for someone to target you with a camera phone, taking photos of your keys while you hold them. Or with a camera and a telescopic lens, from 200 feet away as the article below suggests.

    This isn’t really a new trick, but the software to do all the hard work is new. Technology like this only gets better so it’s time to learn how to protect yourself.

    Some tips:

    • If you upload photos showing your keys then take the time to blur the keys first. This is similar to how you would blur your car number plate, or a credit card
    • Don’t display any keys in public. It wouldn’t be hard to obscure them with your hands
    • If you have a choice (such as when purchasing a car) opt for something that uses RFID chips embedded in the keys (many cars have this these days)

    Read more about the technique here, and read the full paper here.