Category Archives: Cyber Crime

Top 5 Tips to Keep Your Website And Network Secure

Every day, innocent websites are compromised by malicious hackers. Google identifies almost 10,000 malware-infected websites each day, and half of those are genuine websites belonging to legitimate companies. These companies haven’t done anything wrong, but they find themselves blacklisted by Google, and that’s only the edge of the brutal iceberg.

Hackers inject vicious malware into these sites to infect visitors. They confuse and lure users to dodgy websites and they break in and steal important and often sensitive customer information.

It’s a real and constant problem, but there are easy and simple steps you can take to guard against these attacks and keep your site, your network, and your customers safe and sound.

1. Use strong passwords, keep them secure and change them frequently

We all know that we should choose complex passwords, but sometimes laziness takes over and we slack off. This is a crucial mistake. Obviously, you want to choose exceptionally strong passwords for your server and website admin area, because a vulnerable password here is a free ticket for hackers to cripple your site and do untold amounts of damage.

It can be inconvenient to remember frequently changing passwords, but in the end, it’s a simple solution that can save a lot of headaches in the future. It’s also imperative that you enforce good password practices for your users.

Compromised user accounts are a special hell of their own. Demanding that minimum password requirements are met for registration will force users to make smart choices. Insist on eight characters, at least an uppercase letter and a number or special character. It’s a bit of a hassle, but it’s worth it.

Make sure that any passwords are stored as encrypted values. Ideally, you’ll use a one way hashing algorithm like SHA. This method means that during authentication, only encrypted values are ever compared. In a worst-case scenario, if someone hacks in and steals passwords, this will limit the damage.

They can’t decrypt them, and they will be reduced to attempting dictionary or brute force attacks, trying every single combination until a match comes up. It’s time consuming and computationally expensive and just not worth the effort for most people.

Your wireless network password should be seriously strong, and the network should be protected by Wi-Fi Protected Access 2 (WPA2) rather than WEP (Wired Equivalent Privacy). WEP encryption is brittle and hackable in minutes these days and should never be relied upon.

It’s also imperative to ensure that your PCs are well protected against viruses at all times to prevent password theft.

2. Be discreet with your error messages

Make sure your error messages aren’t giving away too much information. If your website requires a login, you should pay attention to how your error messages tell users that their login attempt has failed. A quick-and-simple, very generic message such as “incorrect login information” is your best bet.

It doesn’t tell the user if half the query is right (especially not which half!). When a hacker is attempting brute force attacks to gain access to usernames and passwords and the error message identifies one field as correct, that’s valuable information for him. He then knows that he’s halfway there and can concentrate all his attention and effort on the remaining field. Don’t make it easy for them!
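Tips 1 and 2 can be combined in one place in the login code. The following Python code is an added example, not part of the original post: it enforces the minimum password requirements given above, stores a salted, iterated SHA-256 value (PBKDF2) rather than a single SHA pass, and returns the same generic message for every failed login. The class and function names, the iteration count and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed work factor for this example
SALT_BYTES = 16
GENERIC_LOGIN_ERROR = "Incorrect login information"  # same text for every failure


def password_meets_policy(password):
    """The article's minimum: eight characters, an uppercase letter,
    and a number or special character."""
    has_upper = any(c.isupper() for c in password)
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in password)
    return len(password) >= 8 and has_upper and has_digit_or_special


def _derive(password, salt):
    # One-way: the stored digest cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def hash_password(password):
    """Return (salt, digest). A fresh random salt per password means two users
    with the same password do not share a stored value."""
    salt = os.urandom(SALT_BYTES)
    return salt, _derive(password, salt)


class UserStore:
    """In-memory stand-in for the site's user table (hypothetical)."""

    def __init__(self):
        self._users = {}
        # Placeholder record: unknown usernames go through the same hashing
        # work as known ones, so response time does not reveal which exist.
        self._placeholder = hash_password("placeholder-Not-a-real-account-0")

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet the minimum requirements")
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return (ok, message). Only stored and recomputed digests are
        compared, and the failure message never says which field was wrong."""
        record = self._users.get(username)
        salt, stored = record if record is not None else self._placeholder
        digests_match = hmac.compare_digest(_derive(password, salt), stored)
        if record is not None and digests_match:
            return True, "Login successful"
        return False, GENERIC_LOGIN_ERROR


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "Kayaking#beats1")        # constructed sample account
    print(store.login("alice", "Kayaking#beats1"))    # correct credentials
    print(store.login("alice", "wrong-Password1"))    # wrong password
    print(store.login("mallory", "Kayaking#beats1"))  # unknown username
```

A wrong password and an unknown username produce an identical response, so a brute force attempt learns nothing about which field was right.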

3. Keep software up to date

Make sure that you’re consistently and quickly applying security updates to all of your software, from your personal PC’s virus protection to your server operating system and website software like content management systems, forums, and blogging platforms.

Hackers are quick to exploit any known holes and bugs, and you want to get there first. Sign up to the mailing lists and RSS feeds of all your software vendors. They’ll be the first to alert you to any security issues and their solutions. Find out and follow it up.

4. Limit Use of your Administrator Account

Keep your computer’s admin account for installing updates and software, or for reconfiguring the host when you have to. Don’t go online while logged into your admin account. Non-privileged user accounts are not just for guests and visitors: you should have one yourself for everyday use. If you browse the web and read your email with an admin account, you leave yourself open for an attacker to gain entry and access to your host.

5. Ask the experts

You don’t have to do it all on your own. There are good tools out there for monitoring your own website, but not everyone has the time or inclination to stay on top of security 24/7.

It’s possible to find monitoring services for very reasonable prices. These companies will check for malicious activity, give you an alert if your website shows up on a blacklist, scan your site for vulnerabilities, and be there for support and repairs if you do fall prey to a hack.

If you’re dealing with databases of sensitive customer information that are attached to your site, it’s probably worth it to get an expert in from the start, sweeping your code for bugs and building in extra lines of defense from the ground up. For small businesses, companies such as SiteLock and Stop the Hacker offer packages for under $100 a year.

This guest post was provided by Amanda Gareis on behalf of Drexel University Online. Drexel expanded into the online learning sector in 1996 and now offers its recognized curricula to a worldwide audience. Drexel Online offers degrees in Information Science, Information Technology, and Computing and Security Technology. The university also provides an Information Technology Career and Salary Guide resource for those looking to enter the industry.


How To Avoid Online Scams – PC Tools Lays Out A Plan

From this morning’s Tech Thoughts Daily Net News column – “Some of these campaigns consist of emails that are so effectively crafted that they could fool even some of the more advanced users, while others look so obviously fake that they are spotted by all but the most inexperienced ones.”

Does this sound like “new” news to you? If you’re a long time reader here – I suspect not. Still, at the risk of sounding like a broken record – I’m reposting one of the most read posts from 2012, that can help users (especially less aware users), avoid being scammed online.

Yes, it’s repetitive – Yes, it’s repetitive – Yes, it’s repetitive! But that’s the point. In order to achieve a change in behavior (and, average users must change their online behavior) – repetition of the correct behavior, is fundamental to achieving that goal.

_______________________________________________________

Cyber crooks and scam emails – a natural fit – aimed at the significant number of Internet users who remain unaware of the very real dangers that scam emails hold for their safety, security, identity – and, their wallet.

Cyber criminals are experts at crafting “attention grabbers” designed to reel in the unwary and undereducated Internet surfer. Here’s a few attention grabbers that consistently pay off – targeted towards the blissfully unaware Internet user. Especially those users who seem to have a natural tendency to “just click”.

Online shopping offers e.g. bargains from unknown stores.

Get rich quick schemes/work from home offers.

Offers to download mobile protection software.

Offers to download antivirus software.

Offers to win a prize e.g. answer this survey ‘for your chance to win’…

Movie offers e.g. search for a popular movie such as Twilight and an offer comes up to download the movie for free.

Online donations.

Occasionally, I’ll post an article directed at the “just click” crowd and, I can say without any hesitation – users who fall into this category of Internet user are ripe for the taking – it’s like picking apples from a tree. It couldn’t be easier.

Here’s a couple of past articles which continue to draw huge numbers of the “just click” crowd.

Kate Middleton Nude – As If!

Nude Pics Of Your Wife/Girlfriend Attached – Click Here

Frankly, I fail to understand how anyone with a lick of common sense, would be drawn in by those nonsense article titles. On the other hand, maybe common sense has nothing to do with it.

It could just as easily be that innate sense of overconfidence that seems to have infected society as a whole – most particularly the “tech savvy” generation.

Mark Twain had it right, I think, when he said – “It aint what we don’t know that hurts us. It’s what we do know that ain’t so – that does.” The “tech savvy” generation in a nutshell – maybe.

My friends over at PC Tools, recognizing the continuing need to educate users, have put together a Top Tips article – How to Outsmart Online Scammers – designed to help the unwary (overconfident) Internet user, to identify online scams.

Richard Clooke, PC Tools online security expert reveals in this article – how to avoid being scammed online:

1. ASK – is this too good to be true?

$50 here, a holiday there, unlimited online offers from the world’s biggest brands – if you’re tempted by any of these free offers, then the answer is probably yes.

Many online scams trick us into revealing our personal information to secure something in return. It’s important to be aware of ‘fake offers’ to avoid being lured by savvy scammers.

2. DON’T – dish your details unless the site is secure.

Never provide personal or financial information in exchange for online offers.  Details such as your mobile number, address, and credit card or banking details should never be entered on a non-secure site. When in doubt:

  • Double check the URL before typing a link into your browser.
  • Check there is a padlock icon in your browser before using your credit card online.
  • Check you’re on a secure site and that the address starts with ‘HTTPS’.

3. THINK – it can happen to me.

Many of us think we are savvy online, but the reality is cybercriminals are cashing in on relaxed attitudes to sharing personal details online. Results from the PC Tools study also showed that most people think scams are more likely to happen to others, rather than themselves.

We need to educate ourselves about online scams and be aware of the risk.

4. DO – invest in scam protection software.

What most of us don’t realize is some online scams don’t involve malware and while traditional Internet security is still essential, we now require additional protection to prevent cybercriminals gaining personal information via other methods.

Regular readers here are familiar with this old request – still, it’s as pertinent as ever.

Be kind to your friends, relatives, and associates, particularly those who are inexperienced Internet users – let them know that there is an epidemic of this type of scam on the Internet. In doing so, you help raise the level of protection for all of us.


Voter Database Security Is A Myth

In this post, guest author David Maman, CTO and founder of GreenSQL – the database security company – questions the security reliability of voter databases.

Some of us spend days and months of indecision, hours in front of the TV watching campaign commercials and presidential debates, researching on the Net, mulling the options with family and friends, all ultimately to go to the polls to exercise our constitutional right to vote. For millions among us, this is a final decision and a terminal point.

Not for me.

As an information security specialist and database security researcher, I wonder where my vote goes, in what database it’s maintained, and, of course, how secure it is.

Hard experience has taught me that right now, somewhere, a hacker is trying to penetrate the voter databases “just for fun,” “to prove something,” or if I really want to be paranoid, “because he’s part of a powerful, international organization that seeks to dictate our political process by determining elections.”

Paranoia? I wish. One only has to read the news… last year, the databases of major companies were hacked: LinkedIn, Visa, KT Mobile, Sony, Zappos, etc. Of course, that tally doesn’t include the organizations who don’t know they were hacked.

Want news on voter databases being hacked in the last few years? Take a look at the list below, the result of a two-minute Google search:

July 15, 2012: Florida Allowed to Access Citizen Database for Voter Purge

July 27, 2012: Obama Administration to Open Voter Database

March 26, 2012: GOP’s Voter Vault Database Hacked, Candidates’ Identity Altered

August 2011: No Personal Information Compromised After Voter Database Hacked

At a time when databases are being constantly penetrated by unauthorized users and personal information is being stolen, misused or just maliciously exposed, the question remains: How secure are voter databases?

As if selecting a candidate isn’t vexing enough, now, I have a bigger concern: “How can I be sure my vote ultimately goes to the candidate of my choice?” “Will my vote be manipulated in any way, whether by foreign or domestic entities?” “Will my voter information be used to make it easier to have my identity stolen? (Even the FBI says identity theft represents a more serious threat than drugs.)”

About GreenSQL:

GreenSQL, the Database Security Company, delivers out-of-the-box database security solutions for small and mid-sized organizations. Started as an open source project back in 2006, GreenSQL became the no. 1 database security solution for MySQL with 100,000 users worldwide. In 2009, in response to market needs, GreenSQL LTD developed a commercial version, bringing a fresh approach to protecting databases of small- and medium-sized businesses.

GreenSQL provides database security solutions that are affordable and easy to install and maintain. GreenSQL supports Microsoft Azure, SQL Server (all versions including SQL Server 2012), MySQL and PostgreSQL.


What to Do When You Find Yourself a Victim of Identity Theft

Guest writer Marcia Cleighbourne lays out a step-by-step recovery process should you fall victim to identity theft.

Being a victim of identity theft can be an intensely painful experience. Not only does it cost the victim financially, but they also have a lot of work to do to fix the situation.

Identities can be stolen because of bad luck, or because of carelessness. Typically when someone’s identity is stolen, the thief will open up credit cards and other accounts in their name. Even with the most careful planning, one’s identity can be stolen with ease. Here are 5 things you need to do when you find yourself a victim of identity theft.

Credit Report

The first thing that should be done is to get a credit report. This can show the victim what damage has been done so far. They then should immediately put a fraud report on all of their credit reports. This will prevent more accounts from being opened. When one of the credit agencies is called, it is required by law to contact the other two. By placing an alert on one’s credit report, it becomes virtually impossible to open an account in their name.

Contact FTC

Though it is unlikely that a case will be prosecuted, the FTC should be contacted. They do pursue cases when they have the ability to do so. At the very least, by contacting the FTC, they will be able to identify trends, and possibly catch larger rings. There is a convenient online complaint form that can be used.

Closures

Now that the updated credit report has been obtained, it is time to close accounts. This would entail calling each company individually and explaining the situation. Large credit card companies have departments for just this purpose. Fill out fraud dispute reports for the fraudulent transactions. A police report can also be filed to help the process along as well as protecting the victim. Once the issue is resolved, get confirmation in writing.

Follow-Up

After 3-6 months of fixing the situation, follow up and get a copy of all three credit reports. Sometimes they are slow to remove items, or new accounts may have appeared. If the credit agencies did their job correctly, it should be free of any fraudulent accounts. This is so crucial because a credit score can suffer tremendously when it contains incorrect information. One should also leave the fraud alerts on their account open for a few more months. The inconvenience when opening an account will be well worth it.

Prevent Again

Once an identity has been stolen, the damage has been done. It is vital to take steps to ensure this does not happen again. Make sure that all paperwork is shredded, and the computer is not vulnerable. Update all anti-virus software on the computer. In addition, passwords to bank accounts and credit card accounts should be changed. A shredder should be purchased so all sensitive information can be destroyed safely.

Identity theft is more of a pain than anything. Though, it can have serious implications if not taken care of thoroughly. It is necessary to keep notes of every phone call, and to send all mail via certified mail. There are a lot of resources online that can help anyone who has had their identity stolen. Do remember that taking a few steps to prevent identity theft will go a long way.

Marcia Cleighbourne writes about law, personal finance & more at www.dentalinsurance.net.


Scan a QR code – Expose yourself to mobile malware

Guest post by David Maman – CTO & Founder of GreenSQL.

A single poisoned link is all it takes to expose an entire organization to a full-scale attack.

Hackers write sophisticated browser-based attacks that operate quite stealthily. Now, they’re going after our mobile phones, which are soon to be the number one way we access the web.

As QR codes have evolved, they now can offer users – and thieves – unlimited information within seconds of scanning.

And we scan them voluntarily.

We’ve already been trained to think twice before entering an unknown link we get from a stranger or even a friend, but almost anyone will scan an unknown QR code with a smartphone or a tablet, if the offer it’s embedded in looks tempting enough.

The Experiment:

Over a three-day security conference in London, I created a small poster featuring a big security company’s logo and the sentence “Just Scan to Win an iPAD.” Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.

The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 Blackberry, and 41 unknown browsers.

Remember, this was a conference for security professionals.

As I’m a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include a malware or poisoned URL attack based on multiple mobile smart phone browsers, I wonder whose phone I would have penetrated…

To make a long story short: QR codes are becoming more and more prevalent. And most of us don’t have the same AV or URL filtering technology on our phones or tablets that we have on our PCs.

The question is: Can we really fully trust the QR codes we see on the streets, in restaurants, or in ads? Regretfully, the answer is no.

Any attacker can take advantage of QR codes. And remember, unlike computers, most mobile devices do not include antivirus solutions to protect us against mobile malware.

Think before you scan.

· Does this QR code seem to come from a reliable source?

· After scanning the QR code and seeing the link, is the link really from whom it claimed to be?

· Would I click on this link if it came through my email?

Even if you miss out on the iPAD or the free ice cream cone, you’re probably better off.
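The second question in the checklist above, whether the link really belongs to whoever the poster claims to be, can be partly checked in code once the QR code has been decoded to a URL. The following Python code is an added example, not part of the original post; the function name is hypothetical, brand.example and other.test are constructed placeholder domains, and the shortener list is an assumed sample.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed short list of link shorteners; a shortened link hides its destination.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_scanned_link(url, claimed_domain):
    """Compare a URL decoded from a QR code with the domain the poster claims
    to come from. Returns a list of warning codes; an empty list means none of
    these checks objected (it does not prove the page is safe)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    claimed = claimed_domain.lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    # Text before an "@" is login data, not the site: the real host follows it.
    if parts.username is not None or parts.password is not None:
        warnings.append("userinfo-before-host")
    if not host:
        warnings.append("no-host")
        return warnings
    if _is_ip_literal(host):
        warnings.append("ip-address-host")
    if host in SHORTENER_HOSTS:
        warnings.append("shortened-link")
    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    # The claimed domain must be the end of the host, on a label boundary.
    if host != claimed and not host.endswith("." + claimed):
        warnings.append("host-mismatch")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs, as a QR reader might display them after a scan.
    samples = [
        "https://promo.brand.example/ipad",
        "http://brand.example/ipad",
        "https://brand.example@other.test/ipad",
        "https://brand.example.other.test/ipad",
        "https://bit.ly/abc123",
        "http://192.0.2.10/win",
    ]
    for sample in samples:
        print(sample, "->", check_scanned_link(sample, "brand.example") or "no warnings")
```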

Author bio:

David Maman is CTO & Founder of GreenSQL, the database security company.


An IT Professional’s Internet Privacy Tips – Simple And Effective

Internet privacy tips are often complex and mind numbing and generally promote an overblown reliance on technology. In this guest article, IT professional Robert Coulter cuts through the gnarly knot of the usual wooden security tips with a range of suggestions designed to keep hackers and other nefarious types away from your important private data while online.

As revealed in Wired Magazine, every piece of electronic communication is able to be intercepted by someone, somewhere. Even Internet giants like LinkedIn can be compromised, as an estimated 6.5 million passwords were hacked earlier this month. With that in mind, the only real way to guarantee complete online security is to never go online at all. Since this is neither practical nor desirable for most people, there are still steps you can take to protect your online security and protect your personal information while enjoying the benefits of the Web.

Don’t overshare.

This first tip is simply common sense. Don’t share more than is necessary on the Web, especially on social networking sites such as Facebook and Twitter. While it can be fun, consider the risks from sharing every last detail of your life with the world, such as birth date, where you go (check-ins), pictures of your children, details of your job and relationships.

All of these details make social engineering hacks easy to perform and open you up to identity theft. Do your bank accounts have common security questions like “Mother’s Maiden Name?” or “City of Birth?” protecting your passwords in the event you need to reset them? Well, chances are this information is easily found by snooping around your social media profiles, making it an easy matter to reset passwords on sensitive accounts.

If you do insist on sharing, at least tighten up your Facebook privacy settings and keep your circle of friends small and limited to those you actually know. Also, disable the most invasive features, like check-ins and photo tagging.

Use a cloud-based antivirus rather than a signature-based one.

Cloud-based antivirus solutions, such as those offered by Webroot and Symantec, do away with large signature file downloads, which eat up bandwidth and can take up to several gigabytes of hard drive space. Instead, all of the signatures reside in “the cloud” and every file and Web request gets run against this ever-growing, real time database using the provider’s resources rather than your computer’s, speeding things up greatly and providing the most up-to-date protection.

Set stronger passwords.

ElcomSoft recently did a study that estimates just 25% of people regularly change their password. Setting a strong password, and changing it frequently, is key to protect your identity. Many experts suggest using long strings of random gibberish with special characters for greatest safety, but these can become nearly impossible to remember, leading to the insecure solution of storing them in an unprotected spreadsheet or on little bits of paper which can get lost.

One way to get a strong password that is easy to remember is to use a four word phrase, such as “kayaking beats drudge work”, and replace the spaces with a special character, such as “#” or “_.” The length and randomness will take a hacker more time than it is worth to figure out, while also being easy to commit to your own memory.

Use a Mailinator account on potential spam sites.

Mailinator is a great tool for signing up for web offers without actually providing your real email address. Mailinator works by allowing you to invent a disposable email address, which you can check without a password and which keeps messages for only 24 hours before being automatically erased. This is great when signing up for a site which seems to offer something enticing, but which might be spammy or even a hacker site, as your real email address is never revealed.

Deactivate old or unnecessary accounts.

Old accounts might leave your information scattered across the Internet for anyone to mine, especially on sites past their prime and maintained very irregularly by their administrators, as they tend to have lax security measures. The answer is to delete these old accounts. Even Facebook now has a “delete” feature, rather than just the “deactivate” one, so take advantage of this to clean up your online traces and reduce the temptation for hackers to learn more about you in an unwholesome way.

In conclusion, online threats are constantly evolving, and the best guardian of personal data is truly the individual user himself. Be smart and be skeptical when online; it just might save you thousands of dollars and countless hours of heartache.

Guest author Bio: Robert Coulter works in the security industry at authentify.com which offers two-factor verification solutions for companies who need increased security protection for their clients.


My Days Are Numbered – Someone Wants Me Dead!


I sometimes wonder if it isn’t a prerequisite that Nigerian scammer wannabes are required to graduate “comedy school”, before they get their scammers license, and are set free to practice their newfound skills on the marginally intelligent.

In an updated twist on an old theme (the infamous 419 scam), Nigerian scammers have upped the ante in a variant of their usual email scam nonsense – the hitman, “I’m gonna kill you” email. These fear-provoking emails (at least they’re intended to be scary), contain a threat that the recipient will be murdered.

Hitman emails are not a new threat – they’ve been circulating on the Internet since at least early in 2007. They come; they go, and come and go again.

There are many variations of this email, here’s one example received here yesterday. In this particular email, the scammer has bcc’d (blind carbon copied) any number of upcoming murder victims. Seems as if the murder/assassination business is a growth industry.

You have been betrayed!!! It’s a pity that this how your life is going to come to an end as your death had already been paid for by someone who is very close to you from all investigations.

I have ordered 3 (three) of my men to monitor every move of you and make sure you are not out of sight till the date of your assassination. According to the report I gets, you seem to be innocent about what you have been accuse but I have no business with that, so that’s why am contacting you to know if truly you are innocent and how much you value your life.

Get back to me if you sure want to live on, ignore this mail only if you feel it’s a joke or just a threat. Don’t forget your days on earth are numbered, so you have the chance to live if only you will comply with me.

WARNING: Tell no one about this mail to you because he or she might just be the person who wants you dead, and if that happens, I will be aware and am going to make sure you DIE instantly.

I will give you every detail of where to be and how to take any actions be it legal or illegal, that’s only when I read from you. You need to stay calm and act unaware of this situation and follow instructions because any move you make that is suspicious; you will DIE as your days are numbered.

On a more serious note:

This scam illustrates the lengths to which these crooks will go to entrap the unwary and gullible. Unfortunately, the description “unwary and gullible”, is easily applied to substantial numbers of Internet users.

As an experienced and cautious Internet user, it’s safe to say that you will not be deceived by this type of clumsy attempt to defraud but, you might be surprised how often reasonably intelligent people are.

So, be kind to your friends, relatives, and associates, particularly those who are new Internet users, and let them know that there is an epidemic of 419 scams on the Internet. In doing so, you help raise the level of protection for all of us.


Am I Dead? Investigation.org Wants to Know

I woke up this morning to find that I wasn’t dead. That’s kind of a bonus, since there have been mornings when I wasn’t entirely convinced – if you know what I mean. But, I’m getting ahead of myself.

Assuming, one is still alive – I suspect that there might be a certain sense of urgency in refuting a rumor that one has passed on to bigger and better things (hopefully, bigger and better things, but……).

In the latest craziness on the spamming scene – Investigation.org (now there’s a catchy name), has crafted a phishing email – loaded with power words – in an effort to provoke the need to act.

First, to prove you’re not DEAD – and subconsciously, who doesn’t have a need to do that? Second, in the happy event you’re not DEAD – the good news is – you’re in line to “receive and confirm your funds without any more stress”. Good news – no?

In an attempt to show the proper degree of sincerity (just in case you’re DEAD, as you read the email), Investigation.org goes that extra mile – “MAY YOUR SOUL REST IN PERFECT PEACE – YOUR JOY AND SUCCESS REMAINS OUR GOAL.”

Text of this unintentionally hilarious email –

URGENT CONFIRMATION NEEDED TODAY/CALL FOR DETAILS

Investigation Bureau office@investigation.org

8:48 AM (5 hours ago)

Attn: Sir/Madame (don’t know if I’m a man or a woman – what gives?)

We are writhing to know if it’s true that you are DEAD? Because we received a notification from one MR. GERSHON SHAPIRO of USA stating that you are DEAD and that you have giving him the right to claim your funds.

He stated you died in a CAR accident. He has been calling us regarding this issue, but we cannot proceed with him until we confirm this within after 7 days of no respond.

Be advised that we have made all arrangements for you to receive and confirm your funds without any more stress, and without any further delay.

All we need to confirm now is you been DEAD Or still Alive. Because this MAN’S message brought shock to our minds. And we just can’t proceed with him until we confirm if this is a reality OR not.

But if it happened we did not hear from you after 7 days, then we say: “MAY YOUR SOUL REST IN PERFECT PEACE” YOUR JOY AND SUCCESS REMAINS OUR GOAL. May the peace of the Lord be with you wherever you may be now.

Your Faithfully,
Mrs. Vivian Martins
Tel: +123-806-731-6969

Email: investigation_departtt1@hotmail.com

OK, I will admit, that to be taken in by a scam email like this, or any scam email for that matter, one would have to be the type of person whose antenna doesn’t pick up all the channels.

Still, when you consider that 90% of all emails are spam – and scams are a big part of that percentage – it’s fair to say – more than a few unlucky souls who’ve lost contact with the mother ship, will fall for this type of scam email.

What a sad reflection on the state of the Internet.


Filed under Cyber Crime, Don't Get Scammed, email scams

Online Paperless Billing – The New Attack Vector For Cyber Crime

I’m very much in favor of online paperless billing, and virtually all of my reoccurring monthly bills are delivered this way – directly to my inbox. For example, shown below is a snapshot of the regular monthly email notice from my natural gas supplier.

A simple click on the embedded link, and …..

Enbridge 1

there’s the bill – which is identical, I might add, to the bill delivered by regular mail.

Enbridge 2

A couple of extra clicks to reach my online banking and, the bill is paid.


No stacking up bills to be dealt with (along with all the other bills), at a later date. Done – fini – terminado!

I like it and, I’m sure my utilities suppliers love it – since, in most cases, they get paid far in advance of the required payment date. A perfect system it seems – except, this is the Internet.

Ah, the Internet – the playground of every scumbag cyber criminal from Moscow to Montreal – and, beyond. So, it’s hardly surprising to see online paperless billing come under attack.

Yesterday, Commtouch let me know of an ongoing attack – directed at AT&T customers – which automatically embeds malware onto the targeted machine, once the user clicks on the embedded link in the billing notice.

Since the billing email shows an outrageous balance (in the following screen capture, $943.01), theoretically, the response ratio should be significantly higher than it might otherwise be.

Several months back, I received a billing notice from my cable supplier totaling $650 – versus the normal $150 – and, I can assure you, I clicked on the embedded link, immediately.

It was, of course, a massive screw up at their end. Nevertheless, I instinctively (and, without thinking) clicked on the link. Being frustratingly annoyed is often a powerful call to action. Cyber criminals know exactly how to wind us up – increasing the odds that we’ll respond inappropriately.


Graphic courtesy of Commtouch.

According to Commtouch, who generously shared their research –

The pattern to be aware of in this case is: <legitimate domain>/<recurring set of random letters>/<index.html>

The index.html file tries to exploit at least the following known vulnerabilities:

· Libtiff integer overflow in Adobe Reader and Acrobat – CVE-2010-0188

· Help Center URL Validation Vulnerability – CVE-2010-1885

Every link in the email (there are 9 links), leads to a different compromised site with malware hidden inside. Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy), should mouse-over the links.

Genuine emails from AT&T will include AT&T website links. For example, the “att.com” link will be the same in both places that it appears in the email – unlike the malicious version which uses two very different URLs.
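The mouse-over check and the URL pattern described above can be run automatically over an HTML message body. This Python example is added here and is not Commtouch's or the author's code; the function names, reason labels and sample markup are assumptions, and the sample is constructed with reserved example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path shape from the Commtouch note: /<run of letters>/index.html
LURE_PATH = re.compile(r"^/([A-Za-z]+)/index\.html$")

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_domain(host, domain):  # the domain itself or a true subdomain only
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit_links(html_body, expected="att.com"):
    """Return (findings, reused): flagged links, directories seen on >1 host."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings, hosts_by_dir = [], {}
    for href, text in collector.links:
        url = urlsplit(href)
        if not url.hostname or on_domain(url.hostname, expected):
            continue  # no host (mailto:, fragment) or really the sender's site
        reasons = ["off-domain"]
        if expected in text.lower():
            reasons.append("text-names-sender")  # what a mouse-over reveals
        if m := LURE_PATH.match(url.path):
            reasons.append("lure-path")
            hosts_by_dir.setdefault(m.group(1), set()).add(url.hostname)
        findings.append((href, reasons))
    reused = sorted(d for d, hosts in hosts_by_dir.items() if len(hosts) > 1)
    return findings, reused

# Constructed sample body (reserved example domains), not the campaign's markup.
SAMPLE = ('<a href="https://www.att.com/">att.com</a> '
          '<a href="http://shop.example.net/qwhzkpla/index.html">att.com</a> '
          '<a href="http://blog.example.org/qwhzkpla/index.html">View bill</a>')
```

A letters-only directory that repeats across unrelated hosts is the stronger signal; on its own, `/<letters>/index.html` also matches ordinary pages, which is why on-domain links are skipped before the path is checked.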

I might add, that I use the WOT Browser add-on and, you’ll notice in the first graphic (at the top of this page), the green circle indicates the embedded link is safe. I strongly suggest that if you currently do not have WOT installed, that you consider doing so. As well, I use the Redirect Remover add-on which removes any redirect links in Firefox. An appropriate way to become aware of redirected links.

Four years ago, when I started writing this Blog, I was hopeful that the cyber criminal threat to Internet users would be actively addressed. That at some point, governments and law enforcement would step up and actively seek out, and punish, the criminals who have turned the Internet into a minefield.

Governments (the U.K., the U.S., Canada, Australia, India …), it seems, don’t give a fiddler’s f*ck – they appear to be much more interested in passing regressive Internet legislation directed at you – not cyber criminals. Legislation designed to massively infringe on individual personal privacy, and individual human rights. In the meantime, cyber criminals continue to roam freely.

As for law enforcement agencies – just try reporting a cyber crime to your local police department and, you’ll find that they couldn’t care less. Their focus is on low level behavioral crimes, like busting teenage Pot smokers. Just how much safer does that make you feel on the Internet?

Unless there is a concerted effort on the part of all of us – and yes, that means you need to get involved – demanding a responsible approach to this outrageous criminality on the Internet – we will all, at some point, become a victim of cyber crime.

Do I sound angry? You bet I am.


Filed under Cyber Crime, email scams, Malware Alert