When A Government Office Loses Disks

As well as the usual advice on staying safe online, it’s often useful to look at security incidents that have made the news. This time I’d like to point out what happens when a government department loses disks containing personal data on 25 million people.

The two disks that were lost contained names, addresses, insurance numbers and bank account details of 25 million people. That is personal data that could be used to commit fraud or identity theft. There’s no sign of that happening so far, but it still could. Nobody seems to know where the disks are now.

How can this happen? The people handling the transport of the disks didn’t follow proper procedures. They’re human and they made mistakes. The disks were not encrypted before being shipped, so whoever finds them can read everything on them. The courier company lost them and has no record of where they might be. And the police were only told about three weeks after the disks went missing. Had the data been encrypted, with the key sent separately from the disks, a lost package would have been an embarrassment rather than a breach.

These kinds of accidents can and do happen every now and then. Your personal details can easily end up where you least expect them. One solution would be to make the agencies pay heavy fines for such security breaches, so that it’s worth their while to ensure all procedures are followed.

The other lesson to be learnt here is that when you fill out a form these days you have to assume it could one day end up in the wrong place. Some of your personal details are simply no longer private. It’s something that’s been happening slowly over the past couple of decades.

Some detailed articles can be found here.

Know Your Enemy

26 year old John Kenneth Schiefer from Los Angeles is facing up to 60 years in prison and a US$1.75m fine for infecting 250,000 computers with the intention of stealing information. This is exactly the kind of person I’ve been writing about here, in the hope that everyone can avoid being a victim. Cases like this show just how serious and widespread these crimes are.

He ran what’s known as a botnet: malware (viruses, trojans, etc.) installed on a large number of victims’ computers and controlled from one central location. 250,000 infected computers makes a large botnet. That’s a lot of victims, real people who didn’t know someone else was remotely using their computer and stealing their money.

In this case he allegedly used the infected computers to steal people’s PayPal login details and take money from their accounts. It’s not a flaw in PayPal’s system; the problem lies in people using compromised computers, where anything they type can be captured.

One lesson is that you should never shop or bank online on a computer you don’t trust. A large part of that trust comes from keeping the computer patched and running an up to date internet security package (an antivirus program).

Another important lesson for everyone is that these criminals are real, and their operations are large and widespread.

Read some articles on his case here.

Virtual Theft

The emergence of a new kind of crime is an interesting thing. We’ve had virtual worlds for quite a few years, and as their popularity grows so do crimes such as fraud or, in this case, theft.

Habbo Hotel is an online game in which people have online characters. Like a few other online games, it lets players pay real money to decorate their characters and the rooms they occupy. Effectively they buy virtual items to enhance their game.

So when some teenagers are accused of stealing other players’ usernames and passwords, logging in with those accounts and transferring items to their own, it becomes theft. The current buzzword is Virtual Theft. A 17 year old Dutch teenager has been arrested over the allegation, and five other 15 year olds are being questioned. What makes the “theft” significant is that the virtual items are worth around US$5000.

A spokesman for Sulake, Habbo Hotel’s operator, said:

“It is a theft because the furniture is paid for with real money. But the only way to be a thief in Habbo is to get people’s usernames and passwords and then log in and take the furniture.”

The full article is here. It’s important to note that this isn’t an isolated case. Virtual worlds (in the form of online games) have been a growing trend, and most forms of crime that can happen in the real world carry across to virtual worlds. Note also that the game itself wasn’t broken into; the players’ passwords were, which is why the next topic matters.

The Need For Strong Passwords

Passwords have been an everyday part of life with computers, and they won’t be replaced any time soon. A password is a form of authentication: proof that grants you access to a system or service.

When security is based on passwords two pieces of information are required:

1. A username
2. A password

Often it’s not difficult to find out a username. Some computers show it to anyone who cares to look (a login screen that lists the accounts, for example), and other times it’s just a matter of guessing.

Passwords are more difficult. The “strength” of a password is critical to keeping out unauthorised people: it is a measure of how hard the password is to guess. And if you’re wondering who really sits there trying to guess passwords, you’re in for a surprise.

Passwords can be made stronger by using a combination of the following tips:

  • Make your password long. Tip: join 2 or 3 words together
  • Have at least one letter in uppercase, and not just the first letter (guessing tools try that variation automatically)
  • Don’t put a 1 at the end of your password (guessing tools try that automatically too, so it adds almost nothing)
  • Use a made-up word if you can think of one, or spell a real word incorrectly
  • Try not to use the same password on every website (more on this another day)

If you’re under the impression that no one will bother trying to guess your password then you definitely need to keep reading. Hackers don’t sit there trying to guess passwords (what could be more boring than that?). They write programs that do all the hard work of guessing for them: every word in a dictionary, then the common variations of each word, then combinations of words. Then they install the program on other people’s computers (sometimes tens of thousands of hacked computers) to do the work in parallel. They just sit back and wait for the results to come in.
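To see what those guessing programs actually do, here is an added example written for this page (not code from the original post or from any real cracking tool): a small rule-based guesser in Python run against a tiny constructed wordlist. The wordlist, the mangling rules and the three sample passwords are all assumptions, chosen to illustrate the tips above.

```python
# Added example for this page: a rule-based password guesser of the kind that
# cracking tools use, run against a constructed four-word list. Not a real
# tool; the wordlist, rules and sample passwords are assumptions.
import hashlib
import itertools

# Constructed wordlist. A real attacker uses millions of entries.
WORDLIST = ["password", "letmein", "monkey", "dragon"]

# "Leet" substitutions that cracking rules apply automatically.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield the variants of one base word that rule-based guessing tries:
    capitalised, upper-case, leet-spelled, then each of those with a trailing
    digit, a year, or a '!'. The order is fixed so guess counts are repeatable."""
    bases = []
    for b in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        if b not in bases:
            bases.append(b)
    for b in bases:
        yield b
        for d in "0123456789":
            yield b + d
        for year in range(1990, 2011):
            yield f"{b}{year}"
        yield b + "!"


def candidates(wordlist):
    """All single-word variants first, then every ordered pair of words joined.
    The pair phase grows with the square of the wordlist size (and three words
    with its cube), which is why joining uncommon words helps."""
    for w in wordlist:
        yield from mangle(w)
    for a, b in itertools.permutations(wordlist, 2):
        yield a + b
        yield a.capitalize() + b


def sha256(text):
    """Hash a candidate the way a stored password would be compared."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist):
    """Guess until the hash matches. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        if sha256(cand) == target_hash:
            return cand, guesses
    return None, guesses


def demo():
    """Crack three constructed passwords: one real word with a capital and a 1,
    one pair of common words joined, and one made-up misspelled word."""
    results = {}
    for pw in ("Password1", "monkeydragon", "frendlyoktopus"):
        results[pw] = crack(sha256(pw), WORDLIST)
    return results


if __name__ == "__main__":
    for pw, (found, n) in demo().items():
        print(f"{pw:15} -> {'found' if found else 'not found'} after {n} guesses")
```

“Password1” falls on the 36th guess, because “capitalise it and add a digit” is one of the first rules tried. “monkeydragon” still falls, but only in the pair phase; with a real dictionary of 100,000 words that phase has ten billion entries rather than twelve. The made-up misspelling isn’t found at all, because no rule produces it. Real tools try far more rules than these four, so a single real word with any decoration should be treated as guessable.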

Protecting systems with passwords is a tough battle for the good guys (like you and me). As technology marches on we have faster computers, which means cracking passwords becomes easier.

Now the really interesting part. There’s been some development in password guessing technology. Where it used to take one computer months to crack a Windows Vista password (more precisely, to guess against the stored form of the password, which an attacker first copies off the machine and then attacks at leisure), by using the untapped power of a modern computer’s graphics processor the same computer can now do the same work in 3 to 5 days. That’s about 25 times faster just from some clever programming (see this article for the details on how).

So in the real world we have programs running on tens of thousands of computers, relentlessly guessing billions of password combinations, with the expectation that sooner or later they’ll find all the easy ones.

So be smart about passwords. Make it very difficult to guess. And remember that there really are people out there trying to hack into your accounts so always be careful.

Maxtor External Drives With A Free Virus

Some Maxtor external drives have been found to contain a virus. These are brand new units straight from the factory. The model with this problem is the Maxtor Basics Personal Storage 3200, shipped between August and November 2007. If you’ve recently purchased one of these you need to call Seagate’s technical support (Seagate owns Maxtor) and quote the serial number on the drive. Until it has been checked, scan it with up to date antivirus before copying anything onto it or opening anything from it.

What is Search Jacking?

What is Search Jacking? And how is it bad?

The term Search Jacking is used when a program or a network takes you to a search engine when you type an incorrect address into your web browser (e.g. Internet Explorer). For example, if you enter ffraudo.com into the address bar, your browser is supposed to show you an error, because the address doesn’t exist (at the time of writing this article). At least that’s how it’s meant to work in theory: the DNS lookup comes back with “no such domain” and the browser reports it.

Some people with large marketing ambitions decided that if you enter an address that doesn’t exist you should be taken to a search engine that can suggest some websites for you. One prominent company that did this is Microsoft: Internet Explorer takes you to a search engine and suggests some other sites, and not necessarily the site you really wanted. That happens inside the browser, on your own computer, and can be turned off in its settings.

There have been a few companies that have taken it upon themselves to redirect the general internet user to their search engine of choice. And their choice is decided by whoever’s paying them the most. When an internet provider does it, the substitution is made in the provider’s DNS servers: instead of answering “no such domain” they answer with the address of the search page, so every program on your computer is affected, not just the browser. The effect is similar to typosquatting, where someone registers a misspelling of a popular site so that mistyping its address takes you somewhere unexpected. Cox and Earthlink have also used this technique before.

The latest search jacking attempt comes from Verizon (an American telecommunications company). If your internet connection is through Verizon and you try going to a web site that doesn’t exist, you might land on Verizon’s search website (for the moment it’s active on one of their fibre networks).

Is there a danger to you? For now there’s no real danger, it’s more of a nuisance. Soon they’ll most probably start putting ads on this search site. It’s a little deceptive, and some call it “accidental content delivery”: you accidentally type in an incorrect address, they deliver content of their choice, and of course they make money from it. The technical side effect is that anything which depends on a “no such domain” answer, such as a mail server checking that a sender’s domain exists or a program detecting a typo, is quietly given a wrong answer instead.

It’s more of a nuisance for now, and if it works out for them other companies are likely to follow. If your network has already adopted this search jacking system you could complain to your internet provider, or point your computer at a DNS resolver that doesn’t substitute answers. After all, someone’s paying for your internet connection and you shouldn’t expect your internet provider to fill it with ads.
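A quick way to check whether your own resolver is doing this, as an added example written for this page (not a tool from any of the companies mentioned): resolve a few random names that cannot have been registered and see whether they come back with an address anyway. The name pattern and the three-name sample size are assumptions.

```python
# Added example for this page: detect resolver-level search jacking by
# resolving random, unregistered names. A resolver that answers for all of
# them with one address is substituting a search page for "no such domain".
# Written for this page; not taken from any ISP or browser.
import secrets
import socket


def random_names(count=3, tld="com"):
    """Construct throwaway names that nobody has registered (assumed pattern)."""
    return [f"nx-{secrets.token_hex(8)}.{tld}" for _ in range(count)]


def resolve_with_system(name):
    """Ask the computer's configured resolver; None means 'no such domain'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_hijack(names, resolve=resolve_with_system):
    """Resolve each name and return a verdict plus the addresses handed out
    for names that should not resolve at all. `resolve` is injectable so the
    logic can be exercised without network access."""
    answers = {n: resolve(n) for n in names}
    given = {a for a in answers.values() if a is not None}
    if not given:
        verdict = "clean"          # every random name got a proper error
    elif len(given) == 1 and all(answers.values()):
        verdict = "hijacked"       # all answered, all with the same address
    else:
        verdict = "suspicious"     # some answered, or to varying addresses
    return {"verdict": verdict, "addresses": given, "answers": answers}


if __name__ == "__main__":
    result = detect_hijack(random_names())
    print(result["verdict"], sorted(result["addresses"]))
```

A top-level domain that publishes wildcard records will also answer for random names, so if the verdict is “hijacked”, repeat the check against a different resolver (one run by a different provider) to tell the two apart. Running it needs network access; offline every lookup fails and it reports “clean”.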

Downloading Codecs

Should you download new codecs when a website tells you to?

What’s a codec anyway?

A codec is the software that decodes a particular video format, and your computer needs video codecs to play videos. Like everything else there are quite a few different codecs to choose from. Your computer came with a set of the most popular ones so you can watch videos, both online and from DVDs.

There are some websites that encode their videos with unusual codecs and then ask you to install a new codec to view them. In particular, some pornographic websites have been tricking people into downloading a new “codec”. Unfortunately in some cases the codec is a trojan that makes very dangerous changes to your computer (allowing attackers to redirect your web browser to wherever they want).

There’s been a report of some websites tricking Mac users into installing a bad codec like the one mentioned above. In the past Macs have been considered safer than Windows computers, but as they become more popular they also become targets for malware such as this. This particular attack doesn’t work very well because it needs the user to carry out a number of steps, each of which is a chance to stop and think. Over time attackers get more sophisticated, so it’s best to learn about it as early as possible.

The lessons to be learnt here are:

  • Don’t install anything a website tells you to, unless you completely trust the person or company operating it. Even then, be certain of what you’re downloading: get it from the company’s own site, not from a link on the video page.
  • No computer is safe from malicious attacks, no matter what the ads, salesmen or zealous enthusiasts say.
  • Pornographic websites are well known to carry malicious content like viruses and trojans.
  • Attackers are creative and always find new ways to distribute viruses.

SMS Authentication for Credit Cards

A few banks have recently introduced SMS authentication for their credit cards. Basically they’ll send an SMS (text message) to your mobile phone (cell phone, or handphone) to confirm a transaction, and you reply to the SMS to approve it.

It’s a security model called “Two Factor Authentication”. This means you need to be in possession of two “things” for a transaction to be approved: here, the card details and the phone registered to the card. If someone stole your credit card details and made a transaction, e.g. online, you would receive an SMS on your phone and you’d know it was fraudulent. In that case you wouldn’t reply to the SMS and the transaction would be halted. And if you’re making the purchase yourself you approve your own transaction. The point is that the confirmation travels over a different channel from the purchase, so a fraudster who has only the card details can’t supply it.
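Here is a model of that exchange as an added example, written for this page and not taken from any bank’s system. It assumes the reply must carry a one-time code quoted in the message rather than a bare “yes”, a two minute window, and a limit of three wrong replies; the card number, phone numbers and merchant are constructed.

```python
# Added example for this page: a model of SMS transaction approval. Not any
# bank's code; the one-time code, two-minute window and three-try limit are
# assumptions, and all identifiers below are constructed.
import secrets
import time
from dataclasses import dataclass


@dataclass
class Transaction:
    card: str            # card number (would be masked in real logs)
    merchant: str
    amount_cents: int


@dataclass
class Pending:
    tx: Transaction
    code: str            # one-time code the customer must send back
    expires_at: float
    tries_left: int


class ApprovalService:
    TIMEOUT = 120        # seconds a request stays open (assumed value)
    MAX_TRIES = 3        # wrong replies before the request is cancelled (assumed)

    def __init__(self, phone_for_card, send_sms, clock=time.time):
        self.phone_for_card = phone_for_card   # card number -> registered phone
        self.send_sms = send_sms               # callable(phone, text), the SMS gateway
        self.clock = clock                     # injectable so expiry can be tested
        self.pending = {}                      # phone -> Pending
        self.approved = []

    def request_approval(self, tx):
        """Called when a card-not-present transaction arrives. The SMS names the
        merchant and amount so a fraudulent purchase is recognisable and simply
        goes unanswered."""
        phone = self.phone_for_card[tx.card]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = Pending(tx, code, self.clock() + self.TIMEOUT, self.MAX_TRIES)
        self.send_sms(phone, f"Approve {tx.amount_cents / 100:.2f} at {tx.merchant}? Reply with code {code}")

    def handle_reply(self, from_phone, text):
        """Approve only if the reply comes from the registered phone, in time,
        and carries the code from that request. The code ties the reply to one
        specific transaction, so a reply to an old message approves nothing."""
        p = self.pending.get(from_phone)
        if p is None:
            return "no pending transaction"
        if self.clock() > p.expires_at:
            del self.pending[from_phone]
            return "expired"
        if text.strip() != p.code:
            p.tries_left -= 1
            if p.tries_left == 0:
                del self.pending[from_phone]   # stop someone guessing the code
                return "cancelled"
            return "rejected"
        del self.pending[from_phone]
        self.approved.append(p.tx)
        return "approved"


if __name__ == "__main__":
    outbox = []
    service = ApprovalService({"4111111111111111": "+61400000001"},
                              lambda phone, text: outbox.append((phone, text)))
    service.request_approval(Transaction("4111111111111111", "Example Shop", 12999))
    phone, text = outbox[-1]
    print("bank ->", phone, ":", text)
    code = text.split()[-1]
    print("reply from unknown phone ->", service.handle_reply("+61400000099", code))
    print("reply from customer      ->", service.handle_reply(phone, code))
```

Both sides’ messages are visible: the bank’s SMS names the merchant and amount, and a reply is only accepted from the registered phone, within the window, with the right code. A reply to an unexpected SMS is simply never sent, which is what halts a fraudulent transaction.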

The idea sounds good at first. And of course it has its own set of problems. More interesting are the reasons why these banks have introduced this technology.

Problems:

  • Only some transactions are protected using this method. It’s up to the banks, but generally it seems that a large number of transactions will continue to function as before.
  • For legitimate purchases it can be a nuisance.
  • It’s not a foolproof system: a stolen phone (or a phone number transferred to a fraudster) defeats it.
  • As more people use the SMS option the costs to the bank will increase greatly, and they would either end the service or pass the costs on to their customers.

Here’s an interesting comment published in this ZDNet article. Matthew Woodrow, Head of Information Security at Westpac, was quoted as saying “It’s not to do with security at all… consumers have expectations of security levels while using their mobile phones to do their banking. So you’re not thinking about security at all, but you’re thinking about the product and what consumers want”. In other words a large bank’s security expert is admitting that SMS authentication is more about how customers “feel” about safety.

It seems to be a temporary fix for credit card fraud. Smart card technologies (chips embedded in the credit card) seem to be a better solution for purchases made in person, where the chip is read; an online purchase uses only the numbers printed on the card, which is exactly the case SMS approval is meant to cover.

In summary security is often more about how it makes people “feel” rather than truly preventing crimes. It helps to see things for what they really are and not believe what you hear in ads.

A Summary On Nigerian Scams

Nigerian scams (also known as advance-fee fraud) are so called because the majority of them originate from Nigeria, and they all use the same tactic. Below is a brief summary of what the scam is, why it works, and how large the problem is.

The victim receives an email (or sometimes an old fashioned letter) from someone posing as a lawyer. The text tells a story about a large amount of money locked up in a bank account, which gets the reader’s attention, and asks for help in retrieving it. In exchange the pretend lawyer promises a large reward.

The email can contain a statement such as “…In the discharge of my duty, I stumbled on this domiciliary account that has remained dormant for three years now with eight million, five hundred thousand United States dollars ($8.5M) in it…. That my purpose of contacting you is because the deceased has the same name with you…”

What happens next is an exchange of correspondence between the scammer and the victim. The story usually becomes emotional and touching, keeping the victim’s attention. Then the victim is asked to hand over some money to help with legal fees. The scammer often sends the victim a cheque as a token of good faith that the money is there. The cheque is counterfeit: the victim’s bank may credit it at first, but it bounces later, often after the victim has already sent money. This is often where the victim realises what’s happened.

This scam has apparently been in use for many years, since well before email became widespread. It continues to work because victims are tempted by a large amount of money.

How widespread is the problem? This British article dated 4 Oct 2007 states that 4500 fake documents and US$16.2m of fake cheques were seized. It also states that it costs the UK GBP4.5b every year, though this probably includes law enforcement costs. The problem isn’t limited to the UK either, it’s global.

What can you do? Be aware that this is a common scam and talk about it with anyone unfamiliar with the dangers present on the internet, especially older people. Never send money or bank details to someone you only know from an email. It would also be useful to report such emails (and letters) to your local authorities. A lot of people get arrested for taking part in these scams and any evidence you might have could be useful.

I’ve read articles describing victims who have gone to Nigeria to hunt down the scammer and reclaim their money, and the story ends tragically with murder or kidnapping. If I find these articles again I’ll post them here.