False Microsoft Patch Emails

Tuesdays are when Microsoft publishes patches to their software, and today they’ve published quite a few (if you use Windows then you should be installing the patches today). 

However today there’s a malicious email being sent around that looks like it came from Microsoft (it’s actually fake). The email tells people about the patches and has a file attached. 

The attachment isn’t really a Microsoft update, it’s actually a trojan that installs something on your PC that lets hackers log into it, without you ever finding out. You really don’t want this kind of thing installed on your PC.

The email has a few features designed to convince people that it’s genuine, such as a PGP signature at the end, and the fake sender address.

The subject of the email is:

Security Update for OS Microsoft Windows

If you see this just delete it. You should also have a good spam filter for your inbox – email services such as Gmail do a good job of this. For businesses it’s a little more complicated and even more important. You should also invest in a good antivirus package, one that checks everything and downloads updates at least once a day.

And remember to never trust attachments you unexpectedly receive (you didn’t ask Microsoft to send you an attachment, so why would they really do this?)

ClickJacking Exploit

A rather serious exploit has recently been discovered.

It’s called ClickJacking. The problem is in Adobe’s Flash player, which just about everyone in the world has installed (sometimes without even knowing it). 

The vulnerability makes it possible for someone to control your computer’s webcam or microphone, letting other people spy on you. It’s a serious problem.

Who’s at risk?

Anyone who has Flash version 9.0.124.0 or earlier is at risk. This includes Windows, Mac, and Linux users, and Firefox, IE, Safari, Chrome, and Opera users (does this list include you?).

What can you do to protect yourself?

Adobe is publishing a fix very soon and the best thing to do is to upgrade to the latest version of Flash. Flash should prompt you to download an update – say yes to this. Otherwise download the latest version from Adobe’s web site.

If for some reason you can’t update Flash on your PC there’s another way to protect yourself (this is a last resort tactic, updating Flash is much safer). The workaround is to set the Always Deny option, as detailed here on Adobe’s site.

Further info:

Someone has gone to the trouble of setting up a sample of how the exploit works and recorded a video to demonstrate. Play the YouTube video in this article.

Unsecured Wireless Routers

Here’s what happens when you don’t take proactive steps to secure your wireless router (or wireless network). Recently there were a series of terrorist bomb attacks in India, and threat emails were sent by the terrorists.

The source of the emails was traced and they came from the home of an innocent family in Mumbai (India). The terrorists had used their unsecured wireless network to gain access to the internet and do their thing. The residents said,

“We did not feel the need to secure or password-protect our internet connection. But now it has become a necessity for all citizens to secure their connections”

This stuff really happens, read the full article here.

So how do you secure your wireless router? What other consequences can you face for leaving it unsecured? Read our previous article. In fact, use the search box on the top right of this site and search for “wireless” – there’s a lot to learn about wireless security at home and in the office.

Keep in mind that when you buy new (or old) wireless equipment such as a wireless router, the security settings are almost always set to the most insecure options. That’s crazy, but manufacturers think that turning on security by default makes it too hard for people to install these things. Maybe, but most people are lazy and don’t turn on the security features, putting them at risk of being hacked or involved in serious crime.

Password Recovery Questions

A lot of web sites these days have a question & answer system as a backup to your password. The idea is that if you forget your password you’ll be prompted to answer a private question. Assuming you’re the only one who knows the answer to this private question it’ll give you a password to log into the website.

It’s really a second password in case you forget the main password. And it’s not very secure. Let’s look at why.

Your web site password could be anything. If you use a common word then there’s approximately a 1 in 100,000 chance of someone guessing it (this is actually pretty poor). If you make up a password that couldn’t possibly exist in the dictionary, e.g. by adding a random number at the end, misspelling words, etc., then the chances of guessing the password are much lower, one in millions or billions. This is good.

Now if you have to provide the name of your pet, school, or mother’s name as a password, the choices are very limited. There aren’t billions of popular pet names, there’s only a handful.

For someone to guess the answer to this question is much easier than guessing a real password. And if someone was to do a little research on you it could be possible to find this out. 

My suggestion is that you don’t use these password recovery options. When signing up to a service and you’re prompted to enter some personal details, enter random characters instead. Go crazy bashing keys on the keyboard, use something like iojxcnmvaioasflseqq. The idea is that no one could possibly guess the answer, including yourself. Then write down your real password and keep it safe.

I’d also like to add a bit about someone that recently had her private question (backup password) guessed by a random stranger.

Her name is Sarah Palin. Someone wanted to read Sarah’s Yahoo email and instead of trying to guess a password they just tried guessing a private question, and got in. This was recently publicised. It isn’t really hacking, someone just did some research and guessed correctly.

The results were disastrous – Sarah Palin is a US governor hoping to be a vice president, and there were sensitive documents in her emails that were then leaked to the internet. 

There’s a lesson here for everyone, including web site developers. Don’t use these private password questions, it’s the weakest link into web services.

Google Chrome

Everyone’s talking about Google Chrome today. It’s a new web browser much like IE, Firefox, Opera and Safari. Here are some things you should know about its security.

  • It’s still in "beta", meaning they’re still testing it. It’s an unfinished product. There will be bugs to be found, including security bugs.
  • There’s a debate going on about Google’s intentions in releasing a free browser. It seems Google will be collecting some information from some users on their browsing habits. It’s an opt-in service so there isn’t anything sneaky going on, and it can be turned off. But it still makes some people uncomfortable.
  • Chrome has a private mode called "Incognito". Some other browsers also have this feature. It’s a good thing. It puts you in control over which web sites save information on your computer and which don’t.
  • It uses a new programming model putting each page in its own process. This should make everything safer, but it’s new and time will tell how secure it really is.

And did I mention it’s in beta and security bugs will no doubt be found soon?

I suggest that as soon as Google are comfortable with the performance of this new product it’ll be a good alternative to Internet Explorer.

Legally Installed Spyware

In December last year I wrote about Germany’s police wanting to install spyware on people’s computers when they deem it necessary. The legislation has now been approved, at least in the German state of Bavaria.

What this means to you:

If you live in Bavaria, either as a resident or as a visitor, keep in mind that authorities can now legally install spyware on any computer you use if they suspect you of being a terrorist, or posing other serious criminal threats. This sounds fairly general and could apply to a lot of situations.

If the police can’t install spyware on your computer remotely they also have the authority to enter your premises and install the spyware directly onto any computers you use.

No judicial warrants are required.

So if you have any data you wish to keep private (assuming you have a perfectly legitimate reason to do so) you’ll have to start being creative. You could take your business elsewhere, be paranoid about what computer or operating systems you use (hint: popular systems are usually easier targets), and keep informed on the latest computer spying and hacking techniques.

This article’s aim is to raise awareness that governments can and do spy on people’s computers.

More information here.

Skype Phishing Emails

Skype has issued a warning that people have been receiving emails that appear to be from Skype. When a user clicks on a link in the email, they’re taken to a login page that looks like Skype’s website (but in fact it’s operated by someone else). When you enter your username and password, they’re sent to someone who will then use them for some malicious purpose.

How can you tell a real Skype login page from a fake one?

According to Skype the only page that they will ask you for login details is:

https://secure.skype.com/…(anything else is ok here)…

If you’re about to enter your Skype details into a website that doesn’t exactly match the above then it’s probably fake. What if it’s just a few letters different? What if the dot’s in the wrong place?

The part after the // and before the first / needs to be an exact match. I’ve made this bold just to make it as clear as possible. The part at the end is ok.
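To make that host rule concrete, here is an added Python check (not from the original article) that applies it to a few constructed links of the kind an email client reveals when you hover over ACTIVATE. The legitimate host secure.skype.com comes from the article; the sample links are made up.

```python
from urllib.parse import urlsplit

# The only login host the article says Skype uses.
LEGITIMATE_LOGIN_HOST = "secure.skype.com"


def login_host_matches(url: str, expected_host: str = LEGITIMATE_LOGIN_HOST) -> bool:
    """True only when the part between '//' and the first '/' is exactly the
    expected host over HTTPS. Anything after the first '/' is ignored, as the
    article allows. Lookalike hosts, extra subdomains, user@host tricks, plain
    http and unusual ports all fail."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # drops any 'user@' prefix and the port, lowercases
    if host is None or port not in (None, 443):
        return False
    return host == expected_host.lower()


def classify_links(links):
    """Return {link: 'ok' | 'suspicious'} for a batch of hover-revealed URLs."""
    return {u: ("ok" if login_host_matches(u) else "suspicious") for u in links}


# Constructed sample links (not real phishing URLs).
SAMPLE_LINKS = [
    "https://secure.skype.com/account/activate?id=123",   # genuine host, any path
    "https://secure.skype.com.example.net/login",          # extra domain appended
    "https://secure-skype.com/login",                      # dash instead of dot
    "https://secure.skype.com@example.net/login",          # real host as username
    "http://secure.skype.com/login",                       # not HTTPS
]

if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {link}")
```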

Below is a copy of one of these Skype phishing emails. I’ve copied the contents here to help Google index this page. When you receive suspicious emails it’s a good idea to copy and paste a few lines into Google. You’ll soon be able to tell if it’s a known fake email or real.

Account blocked

Hello!

We have to notice that your account is suspended because Skype major Terms are being changed.
To re-activate your account you need to agree with the new Terms here:

Follow this link to re-activate: ACTIVATE

after that, your account will be automatically re-activated.

Thank You!

Skype Administration

The word ACTIVATE has a link that goes to the fake Skype login page. In most email clients, if you hold the mouse pointer over the link you can see the real destination. If it’s not like the one shown at the top of this article then it’s fake. See this screenshot of the fake one:

Gmail and Yahoo Mail blocking fake eBay emails

Yahoo owns some technology called DomainKeys that can verify the sender of some emails. One thing it can do is recognise real and fake emails from eBay and PayPal. This is good because quite a few phishing emails claim to be from eBay or PayPal, intended to trick people into providing their login details.

Google has just implemented the technology for Gmail. So if safe email is of concern to you, your best bets are to use either Yahoo or Gmail for your emailing.

More technical information here.

New Gmail security feature

Gmail has a new security feature. If you log into Gmail more than once (at the same time) it now tells you. Then it’s up to you to decide if you did this intentionally or if someone has stolen your account details.

At the bottom of your inbox is a summary of the last activity and whether it’s open from another location. Then clicking on the Details link shows more details on all your connections.