Breaches, Hacks, and Lessons to be Learned

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.

---

Seems every new day brings news of yet another database breach or two. There was a time when I followed news of these hacks and breaches with interest but they are now so frequent that, unless one is personally involved, it has all become rather mundane.

However, the whole situation begs a couple of important questions and, at the same time, re-enforces the critical nature of how we choose and manage our passwords.

Important Questions

1) Why are companies/site owners not treating users’ data with the utmost care?

I don’t know about you but I am fed up with the lax way in which companies and site owners treat sensitive data which is entrusted to their care.

In today’s internet world, database breaches are a matter of fact yet site owners continue protecting sensitive data using outdated and weak security protocols. Only just recently a new breach came to light involving 40 million passwords extracted from over 1000 sites associated with a Canadian company called VerticalScope. What security protocol did the sites employ to hash and encode users’ passwords… MD5… a known weak and insufficient algorithm.

2) When will governments legislate to ensure that companies/site owners are accountable?

Surely it is incumbent upon these companies/site owners to protect their patrons’ data with the best and most effective security protocols available. However, as many (if not most) seem apathetic to this most basic of duties, then perhaps it’s time for legislators to consider introducing serious punitive measures for  those who fail to do so.

By the way: in response to news of the breach mentioned earlier, VerticalScope’s vice president of corporate development Jerry Orban was quoted as saying:

“We are reviewing our security policies and practices and implementing security changes related to our forum password strength and password expiration policies across certain forum communities.”

How many times have we heard that pathetic  response – I believe it’s commonly referred to as shutting the stable door after the horse has bolted. Message to site owners: perhaps these steps might be better implemented before a breach rather than after.  Duh!

Lessons to be Learned

How many times have you read the following advice regarding passwords:

· Choose strong passwords and use a different password for each log-in/account.

· Change passwords for critical accounts, such as banking,  PayPal, etc., frequently.

· If two-factor authentication is available, use it!

If there’s one lesson to be learned from all these breaches and hacks it is the absolute need to follow these basic principles. Remember, if you use weak passwords and/or the same password across multiple accounts, if one account is hacked all the rest are at serious risk.

Too many people just glide along ignoring the dangers until it actually happens to them, however, this is surely a lesson better learned from other people’s mistakes rather than from our own.

Cloud Storage – Great Idea or Security Risk?

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.

---

“On no, we’ve lost all of little Johnny’s birthday snaps”, the woman cries as she holds her smashed smartphone aloft. With a knowing smile, her husband responds, “Don’t fret dear, they’re all in the cloud”. All is well, peace and harmony reign again.

Even less than a decade ago, any mention of “cloud storage” or “data in the cloud” would have almost certainly elicited a puzzled response. Today though, I’d imagine just about everyone would be familiar with the concept. “The cloud”, it’s a rather exotic term which simply means your data is uploaded to and stored on somebody else’s server, essentially on an internet connected hard disk owned and operated by the cloud service provider.

There is no doubt that the advantage of being able to access data from anywhere on any device creates a massive appeal factor, especially for multiple device users. Not to mention the automatic backup element which is clearly demonstrated in the opening paragraph.

It all sounds like a great idea, that is until you start considering what might and can go wrong. Of course, cloud storage providers take the utmost care with your data, at least according to them. They apply top notch security measures including encrypted data transfers. Trouble is, the encryption key is also stored on their machines, which means any of their staff can access those files as can any hacker who manages to break into the system.

I realize every method is susceptible to hackers, whether the data is stored locally or in the cloud. However, which do you think would represent the most desirable target – a local disk containing only your own personal data or a mega database containing data uploaded from thousands (if not millions) of users, all in one place?

Another concern involves the future viability of a chosen cloud storage provider – just ask those who entrusted their data to Kim Dotcom’s Megaupload. What happens to your data if the company is sold, goes bankrupt, or just closes down? Then there’s the scenario where cloud storage providers can simply change the terms of their plans, exactly as Microsoft did recently when the company drastically reduced the amount of data storage available under its free OneDrive plan.

I guess though, when it comes to data in the cloud, the greatest concern for most people is privacy. While Microsoft OneDrive openly scans all your files – for illegal content of course, most providers will collect data to share with “trusted third parties”. Naturally, many of these providers need to process sensitive information, such as your name, email address, phone number, credit card details and mailing address, in order to “improve their services”. And Santa Claus visits once a year around Christmas.

Despite the cynicism, I do believe that cloud storage can be decidedly useful and I’m certainly not dismissing the practice out of hand. However, as is the case with many situations… everything within reason.

I would not, for example, store any sensitive data in the cloud, whether encrypted locally beforehand or not. Family photos, life-memories, items which are valuable only to the user and serve no purpose for anyone else… sure, no problem.

Regardless, the important thing to remember is that any backup is preferable to no backup at all. If you don’t fancy storing your data in the cloud, dust off that external drive and use that instead. Works for me.

Why Do Users Keep Falling for Scams?

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.

---

*Social engineering: refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access — Wikipedia

It’s unfathomable to me why so many people still get caught out by social engineering techniques, being tricked into clicking that link or opening that attachment.

Social engineering is one of the most prevalent methods used by cybercriminals to infect a system and/or gain a user’s sensitive information. Ransomware, phishing emails, scams, all generally involve an element of social engineering. Why? Because it’s simple, effective, and lucrative. It stands to reason then that the most potent method for eradicating these types of threats would be to make them less effective and less lucrative. The question is; how to achieve that?

You’ve no doubt come across the saying “education is key” – and, when it comes to social engineering, nothing could be truer. Because of the changing nature of socially engineered exploits, security software cannot always protect users from themselves. That’s why Tech blogs are repeatedly issuing the same advice/warnings – don’t click on links in emails from unknown senders, don’t open email attachments from unknown senders, etc., etc., etc. In fact, I recently published yet another list of do’s and don’ts  “10 Golden Rules to Defeat Scammers” . Yet, despite all this, so many people are still falling victim to social engineering.

A large part of the problem I suppose is that the users who need this type of advice the most are generally not the sort of people who tend to visit and read Tech blogs.

I was recently perusing a well-known freeware site and came across a comment from someone complaining that, despite being protected by a commercial grade antivirus, his company’s computers had been infected by ransomware… twice. On both occasions the infection was initiated by an employee clicking on something he or she shouldn’t have clicked on. I suggested to him that perhaps his company needed to review and strengthen its staff training program. Education is key.

My own clientele consists largely of elderly folk and, in my experience, many are highly susceptible to phishing and scams in general. I have a theory about this; I’m sure it’s because they were brought up in an era when trust was inherent; leaving the front door to the house open, leaving the car unlocked and keys in the ignition. Do you know what I mean? It’s not so much that they are gullible, more overly trusting.

These people also tend to be not so computer/security savvy, so rather than hit them with a long list of do’s and don’ts, which might be difficult to follow, I condense it all down to just three rules for them to remember:

1. Treat each and every unsolicited phone call and/or email as highly suspicious.

2. Always be very wary about giving out sensitive personal information over the internet.

3. If it sounds too good to be true, it almost certainly is.

If the more savvy among us would only take the time to pass this type of advice around their own particular circles of family, friends, and acquaintances, I believe that we, collectively, might just make a difference.

Tech Thoughts Daily Net News – July 18, 2012

Five must-have open source productivity tools – Takeaway: You don’t have to turn to proprietary software to get your work done. Here are five feature-rich open source alternatives.

Google Nexus 7 Tablets Selling on eBay With Premiums Added to Their Prices – The Google tablets on eBay sell for more than they do in the GooglePlay store, but they may arrive faster. A recent search of the auction site revealed new 8GB Nexus 7 tablets for sale with prices starting at around $255. For the 16GB models, the prices start at $329.99.

Google goes private in new Firefox – The release of Firefox 14 will make sure no one can spy on your Google searches. Meanwhile, the location bar just got a tad easier to use.

Gain greater control of your firewall in Windows 7 and Vista – Microsoft Security Essentials for Windows 7 and Vista is a great, free security package that is almost perfectly transparent. If you want to use it with an added layer of control, TinyWall is a terrific add-on.

10 Online Reputation Management Tips for Job Seekers – Don’t let questionable Facebook photos or Tweets, a bare-bones LinkedIn profile or negative posts beyond your control derail an otherwise smooth job interview process. Use these 10 tips to improve your personal Google search results and help land the job you want.

Reset Windows passwords with the help of Linux – One cost-effective and reliable way to reset a Windows password is to keep a copy of Linux with you and use the chntpw application.

Why the Linux desktop doesn’t shine in business: A perspective – Jack Wallen has drawn a fairly simple conclusion as to why Linux isn’t making any headway on the business desktop front. Read on and sound off whether you agree or disagree.

Extra protection for Windows PCs with EMET – It’s becoming increasingly common to hear about vulnerabilities that are being actively exploited without a patch available for the affected product. At the same time, there are organizations that for a myriad of reasons (compatibility, budget, support or numerous other issues) have to rely on software that cannot be upgraded/patched, does not follow secure coding practices, or does not apply security features. To protect Windows PCs in these scenarios, Microsoft developed the free Enhanced Mitigation Experience Toolkit (EMET).

How to Build a PC for Photographers – The ideal PC for digital photography minimizes workflow hassles while maximizing performance and capacity. Here’s what to look for.

Create Beautiful Star-Trail Photos With Almost Any Camera – You have a lot of ways to capture the beauty of the night sky with a camera, but shooting star trails is among the easiest, mainly because you can do it with almost any camera. There’s something magical about these kinds of photos, because they reveal the mathematical precision of the cosmos generally hidden from the naked eye–it’s easy to see that the earth spins under a blanket of stationary stars.

How to boot into safe mode in Windows 8 – Whenever you get a blue screen of death on your PC, the first port of call is always the trusty safe mode. Unfortunately, when I had to use it shortly after installing the latest Windows 8 Release Preview, I had no idea how to actually get to it as the old F8 shortcut has changed. The good news is that you can still access safe mode through a shortcut, but it’s now Shift+F8. The alternative solution is to create a second safe mode instance of your machine that you can boot from, although it’s a little more involved. Here’s how to do it.

Current Version of the Google Update plugin: How to remove – The Google Update plugin is one of those mysterious plugins that you may find listed in the plugins listing of the Firefox web browser without really knowing what it does or how it got there. This article tries to shed some light on how it gets installed, what it is used for, how you can update it to the current version, and how you can get rid of it again either by disabling or uninstalling completely. (recommended by Michael F.)

Security:

Malware spread as Facebook photo tag notification – Be wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph. Malicious hackers are once again using the Blackhole exploit kit to infect the computers of unsuspecting internet users.

Skype Admits Bug Sends Messages to Wrong Contacts – Skype says it isn’t sure how many users are affected, but it estimates that the number is small. The company is working on a fix.

How PDFs can infect your computer via Adobe Reader vulnerabilities [VIDEO] – Adobe PDF vulnerability exploitation caught on camera. Sophos security expert Chet WIsniewski demonstrates how malicious PDFs can infect your computer.

Android’s Jelly Bean aims to be hard to hack – Google’s latest Android mobile OS comes with features to divert hackers from installing malware that leads to information leakage, buffer overflows, and memory vulnerabilities.

Google will block Chrome add-ons from third-party sites – Google has instituted a new rule that should keep Chrome users safe from malicious add-ons: starting with version 21.0.1180.41 (currently in beta), the browser will block all third-party extensions, apps, and user scripts that are not hosted on the Chrome Web Store. The move is aimed at preventing the all-too-popular attacks mounted through booby-trapped websites that automatically trigger the installation of malicious extensions. These extensions often keep tabs on what pages the user is visiting.

Dropbox users get spammed via personal e-mail accounts – Some European users of the online file storage service are receiving junk e-mail from online casinos — this may be due to a Dropbox address leak or some type of malware.

IPv6 and click fraud – The good news: To accommodate the ever-increasing demand for IP Addresses around the world, every network will eventually transition to IPv6 from IPv4. The bad news: Spammers are already spoofing IPv6 addresses because it is easy for them to bypass mail spam filters and launch phishing attacks on a new protocol.

Cyber espionage campaign in the Middle East – Kaspersky Lab researchers announced the results of a joint-investigation with Seculert regarding Madi, an active cyber-espionage campaign targeting victims in the Middle East. Madi is a computer network infiltration campaign that involves a malicious Trojan which is delivered via social engineering schemes to carefully selected targets.

Company News:

Motorola Says Smartphones Will Be Available in US Despite Ban – Motorola Mobility said Tuesday that it has taken “proactive measures” to ensure that its smartphones remain available to consumers in the U.S., despite a U.S. International Trade Commission ban on its phones that comes into effect on Wednesday.

Facebook stock drops on news of decline in user base – The social network’s stock goes down 3.9 percent after investment firm Capstone reported a decline in users over the last six months.

Yahoo Reports Lackluster Sales as Mayer Takes Reins – Marissa Mayer has her work cut out for her at Yahoo. The fading Internet star reported its second-quarter financial results Tuesday, in which revenue and profit both dipped slightly from a year earlier.

Google discontinues old version of Google Analytics – Web giant supported old version of the statistic service after releasing a version that focused on real-time results. That support will end tomorrow.

Lots of Windows 8 touch-screen ultrabooks coming, says Intel – The era of the touch-screen laptop is upon us, according to Intel’s CEO. The Metro-based Windows 8 interface is driving this mini explosion of touch-enabled products.

PayPal buys Card.io, maker of mobile credit card scanning tech – Acquisition of San Francisco-based startup is an apparent move to bolster its mobile-payment position against upstart Square.

Webopedia Daily:

Nvidia Kepler – A graphical processing unit that holds the distinction of being the first GPU designed for the cloud. Graphics cards powered by Nvidia Kepler processors are tuned to efficiently serve virtualized desktops, providing auto-scaling to the necessary performance level. Nvidia Kepler processors are the latest in an enterprise move towards virtualization, joining servers, network components and more.

Off Topic (Sort of):

Lifehacker: Is Everything I Do Actually Killing Me? – It seems that nowadays there’s a study saying that everything I do is slowly killing me. I can’t sit down, I can’t eat the foods I like, and I’ll have an early heart attack if I live in a big city. If so many things are bad for me, how can I change my life without giving up so much that I lose my mind?

Tech skills: The problem’s not the staff, it’s the bozos in charge – Evidence is mounting that technologically illiterate managers are causing more damage to corporate productivity than a shortage of IT skills among staff.

Musical glove could improve mobility after spinal cord injury – The wireless device is helping tetraplegic study participants learn songs on a keyboard while improving sensation in their hands.

Nexus 7: Finally, validation for the smaller tablet – The Nexus 7 by Google is not the first small tablet, but so many are seeing it for the first time that you’d think there had never been such a beast. For those of us who have been enjoying small tablets for a while, the Nexus 7 may finally validate the smaller form factor.

Techies: Overfed, overworked and overtired – Techies are eating too much, working into the night and not getting enough sleep, according to a recent survey. Is a job in IT incompatible with a healthly lifestyle?

Moore’s Law: the end is near-ish! – Every year manufacturers put out a new line of more powerful products – twice as powerful, in fact, every 18 months. And, if we can believe Michio Kaku, in his book the Physics of the Future, this is about to come to an end.

Today’s Quote:

“I once said cynically of a politician, ‘He’ll doublecross that bridge when he comes to it.’ ”

–    Oscar Levant

Today’s Free Downloads:

Foobar2000 1.1.14 – Foobar2000 is an advanced audio player for the Windows platform. Some of the basic features include ReplayGain support, low memory footprint and native support for several popular audio formats.

Advanced SystemCare 6 Beta – Advanced SystemCare Free is a comprehensive PC care utility that takes an one-click approach to help protect, repair and optimize your computer. Advanced SystemCare is a very useful system tweak application. This is the last beta before final release.

OMG! Mark Zuckerberg Sent ME An Email!

What a rush! Mark Zuckerberg knows I exist and, even better than that – he just gave me $200. Yes! $200! Thanks Mark; I’ll get right on that.  

You don’t believe me I hear you saying – then, take a peek at this email from my Gmail spam box. Oops, I’ve just given myself away – haven’t I? The email is in my SPAM box. With good reason, of course.

While it’s true, that in this particular case, spam filters have isolated this email as both spam and a probable fraud – do not rely on filters as the ultimate safeguard. That’s your job – you are your own best protection.

Click to expand.

As an experience and educated surfer, you’re quite use to navigating over the rough trails of the “Wild West” Internet. You know, that this email is just too preposterous to be taken seriously. Although, as difficult as it is to believe, there are those who are gullible enough to  respond.

If you’re a regular reader here, please forgive me for repeating the following same old – same old – advice.

Be kind to your friends, relatives, and associates, particularly those who are new Internet users, and let them know that there is an epidemic of this type of scam on the Internet. In doing so, you help raise the level of protection for all of us.

A technical approach to protecting yourself against fraudsters:

Check whether the email was authenticated by the sending domain. Click on the ‘show details’ link in the right hand corner of the email, and make sure the domain you see next to the ‘mailed-by’ or ‘signed-by’ lines matches the sender’s email address.

Make sure the URL domain on the given page is correct, and click on any images and links to verify that you are directed to proper pages within the site.

Always look for the closed lock icon in the status bar at the bottom of your browser window whenever you enter any private information, including your password.

Check the message headers. The ‘From:’ field is easily manipulated to show a false sender name. Learn how to view headers.

If you’re still uncertain, contact the organization from which the message appears to be sent. Don’t use the reply address in the message, since it can be forged. Instead, visit the official website of the company in question, and find a different contact address.

How gullible can people be? When Michael Jackson passed, I wrote a piece entitled “Hey Sucker – Read This! Michael Jackson’s Not Dead!”, simply as a test of “curiosity exploitation”.

The results that followed were astonishing – within days, this article was getting thousands of daily hits. Even today, this article continues to get hits. Talk about gullible people!

Think BEFORE You Click! – How Hard Is That?

HARD, apparently.

I recently repeated a small experiment (for the third year in a row), with a group of “average computer user” friends, (12 this time around), and I was disappointed to see (once again), that the conditioned response issue to “just click” while surfing the web, was still there.

Still, I’m always hopeful that reinforcing the point that clicking haphazardly, without considering the consequences – the installation of malicious code that can cause identity theft and the theft of passwords, bank account numbers, and other personal information – would have had some impact. Apparently not.

But, I haven’t given up. I’m prepared to hammer them repeatedly until such time as I can make some progress. In the meantime, I expect that curiously browsing the web blissfully unaware of the considerable malware dangers, will continue to be the modus operandi for my friends.

They’re not alone in their “clicking haphazardly” bad habits. Many of us have learned to satisfy our curiosity simply by a mouse click here, and a mouse click there. Arguable, we have developed a conditioned response (without involving conscious thought), to – “just click”.

It can be argued, that our “just click” mindset poses the biggest risk to our online safety and security. In fact, security experts argue, that a significant number of malware infections could be avoided if users stopped “just clicking haphazardly”, or opening the types of files that are clearly dangerous. However, this type of dangerous behavior continues despite the warnings.

Most visitors to this site are above average users (I’m assuming that you are too), so, I have a challenge for you.

Take every appropriate opportunity to inform your friends, your relatives, and associates, that “just clicking haphazardly” without considering the consequences, can lead to the installation of malicious code that can cause identity theft and the theft of passwords, bank account numbers, and other personal information.

Help them realize that “just clicking”, can expose them to:

• Trojan horse programs
• Back door and remote administration programs
• Denial of service attacks
• Being an intermediary for another attack
• Mobile code (Java, JavaScript, and ActiveX)
• Cross-site scripting
• Email spoofing
• Email-borne viruses
• Packet sniffing

They’ll be glad that you took an interest in their online safety. And, best of all, by doing this, you will have helped raise the level of security for all of us.

A point to ponder:

Since it’s proven to be difficult to get “buy-in” on this – “think before you click safety strategy” – I generally ask the question – do you buy lottery tickets? Not surprisingly, the answer is often – yes. The obvious next question is – why?

The answers generally run along these lines – I could win; somebody has to win;……. It doesn’t take much effort to point out that the odds of a malware infection caused by poor Internet surfing habits are ENORMOUSLY higher than winning the lottery and, that there’s a virtual certainty that poor habits will lead to a malware infection.

The last question I ask before I walk away shaking my head is – if you believe you have a chance of winning the lottery – despite the odds – why do you have a problem believing that you’re in danger on the Internet because of your behavior, despite the available stats that prove otherwise?

URL Shortening Sites Target Email Weakness

Sites like Tinyurl.com and Bitly.com are the go-to places for Tweeters who do not want long URLs to eat up their typing space. However, shortened URLs have a second, more insidious use. They allow spammers and hackers past the old email filters and into your inbox.

Most email anti-spam engines were created before the use of embedded URLs in emails, not to mention shortened ones. Most anti-spam programs try to trace back the URL to see if the site is dangerous. However, a shortened URL can be used by hackers two ways.

The first way is simple. They plug the site they want you to get directed to into one of the known and trusted URL shortening sites available for free to the public. Because the URL shortening site is trusted, the link is trusted. However, the link does not take you to the URL shortening site; it takes you where it was originally directed.

Secondly, hackers get even more creative. Once the anti-spam filters get around the URL shortening sites, as some have done, hackers create their own URL shortening sites. Essentially, they shorten a site that’s already shortened. So, when you click on the link, you get redirected not once, but twice. The first redirection is safe, the next is a hackers.

This was “yet another example” of cyber-criminals adopting new technology to bypass traditional security measures, said Bradley Anstis, vice-president of technical strategy at M86.

“A lot of the traditional anti-spam engines were developed before Twitter, so they are not geared up to recognize embedded URLs as seen in blended email threats in spam, let alone shortened URLs that link to malicious, or compromised Web pages,” Anstis said.

Some frightening statistics:

In May 2011, the global ratio of spam in email traffic from new and previously unknown bad sources increased by 2.9 percentage points since April 2011 to 75.8% (1 in 1.32 emails).
The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 222.3 emails (0.450 percent) in May, a decrease of 0.143 percentage points since April. (From Net-security.org)

So, what can you do to protect yourself? For one, never click on an email link if you do not trust the sender. Two, even if you do trust the sender, try to get to the link organically, meaning follow the normal method. If you are checking on a shipment, go through the main website instead of clicking on the link. These simple tricks will help to keep your computer and information safe from hackers.

Author Bio

This Guest post is by Christine Kane from internet service providers. She is a graduate of Communication and Journalism. She enjoys writing about a wide-variety of subjects for different blogs. She can be reached via email at: Christi.Kane00 @ gmail.com.

Update:

Here’s a super tip from anarchy4ever – “Some people may call me paranoid but I NEVER click on shortened url links. People should use url enlarger sites such as this one:
http://url-enlarger.appspot.com/

Just a personal observation – anarchy4ever is far from being paranoid – sounds like a very sensible solution.

Are You A Sixty-Nine Percenter?

Hopefully, you are not a member of the sixty-nine percent club. If you’re not, then you have not been a victim of cyber criminals – unlike the two thirds of online adults (69 percent), who have been a victim of cybercrime in their lifetime.

According to the United Nations telecommunications agency (January 2011), the number of Internet users now exceeds the two Billion mark, worldwide. It’s easy to see then, that cyber criminals have a virtually unlimited playground in which to ply their trade. And, they do just that – with a vengeance.

Symantec, in it’s recently released Norton Cybercrime Report 2011, makes the point that every second 14 adults become a victim of cyber crime – which translates into one Million+ Internet users who are duped by the detestable sleazebag members of the cyber criminal community – every day. Let’s take it a step further – if we annualize this number, we end up with a shocking 431 Million cyber crime victims.

Graphic courtesy of Symantec

The sheer number of victims is appalling, but the hard monetary costs involved are stunning.

Global cost of cybercrime – from Symantec:

With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

At $388 Billion, cybercrime is more than 100 times the annual expenditure of UNICEF ($3.65 billion).

I’ll borrow a concept from the Real Estate industry for a moment, and that is – the concept of, “highest and best use”. The use of money can also be described in this way, and the following graphic illustrate how cybercrime can impact this concept at a societal level. It’s rather telling, what those diverted dollars, if employed elsewhere, could accomplish.

Graphic courtesy of Symantec

It’s important to understand that cyber criminals are not selective – it doesn’t matter where you reside – the entire Internet community is fair game.

Graphic courtesy of Symantec

While an installed Internet security suite (or a stand-alone AV application), won’t eliminate all cyber crime risks, it is effective in reducing risk exposure to manageable, and acceptable levels. One has to wonder why 41 % of those surveyed (as illustrated in the following graphic), connect to the Internet while running out-of-date security software.

Graphic courtesy of Symantec

It’s common practice for members of my group to query clients on the state of Internet security, the protective measures they have instituted to ensure both their own safety, and the safety of their systems, while connected to the Web – so, I’ll not take issue with the statistics in this graphic. Except to say – they may be underestimated.

Within my group, we find that a significant percentage of polled clients have little interest in Internet security, and fail to understand the vulnerabilities and issues that surround computer system security.

Common responses to queries include:

Security applications are too confusing and hinder my “fun” by slowing down system response time.

I didn’t know I shouldn’t click the ‘YOU ARE A WINNER!!!!’ banner.

My anti-malware application has let me down – how was I supposed to know I was downloading a bad program!

I’m not sure how my machine got infected – it just happened.

I like to download from Crack sites and Peer-2-Peer networks. So what?

I got a popup saying I was infected, so I clicked on it. What else was I supposed to do!

I didn’t know I was supposed to read the End User License Agreement – I don’t even know what that is.

I thought I had Windows update activated.

What do you mean I should update ALL my applications?

What’s a Firewall – never heard of it?

On the face of it, it might appear as if these types of responses are somehow not very typical. Unfortunately, these responses are not only typical, but characteristic of the majority of the home computer users’ my group comes into contact with every day.

Given this abysmal performance  the following is worth considering –  “In the past, the Internet consisted, mostly, of smart people in front of dumb terminals. Now, the reverse situation dominates”. It may seem a little facetious – but is it, really?

More and more it’s obvious to me, that relying on computer users taking responsibility for their own security and safety, is a non-starter. It’s just not happening. Personally, I hold out little hope that this will ever happen.

In the circumstances, it’s well past time that the “controlling interests” develop a rational approach to the underlying security issues surrounding the Internet – failing which, cyber crime will continue to flourish, and successful attacks on computers over the Internet will continue to proliferate.

Equally as important, in my view – we need a concerted effort from law enforcement, at every level, to actively pursue those who continue to cause havoc on the Internet.

Despite the fact that cyber crime could not be a more pressing problem – one which gives rise to significant human and financial costs – the naysayers, and the “can’t be done” proponents have the field, for the moment. But, only because we, as a society, allow it.

It’s time you demanded a much more aggressive response to cyber crime from those who are charged with ensuring your safety and security – whether it be in the “real” world, or the “virtual” world of the Internet. It’s time that you let your voice be heard. It’s time to emulate Peter Finch and state – “I’m as mad as hell and I’m not going to take it anymore!”

If you’re interested in the full Norton Cybercrime Report 2011, it’s available here in multiple languages.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Gmail Scammers Still On The Make

Email spammers/scammers are masters of the well worn “carrot or stick” school of motivation. They seem to bounce from “this is what you’ll get” versus, “this is what you’ll lose” – with some regularity.

Some samples of each motivational technique taken from my spam honeypot Gmail account in the last few days.

The carrot:

Hi
It`s Kerri again. Will you ever contact me?
I made those nude pictures especially for you and I won’t write to you again!
If you wanna see them just drop me a line at – – – – – – –

and the following heavily edited example.

Robert S.Mueller
FBI Director

Check: To be deposited in your bank for it to be cleared within three working days. Your payment would be sent to you via any of your preferred option and would be mailed to you via UPS. Because we have signed a contract with UPS which should expire by August 20th you will only need to pay $150 instead of $420 saving you $270 So if you pay before August 20th, 2011 you save $270.

Oh yeah, don’t forget to send us your name/address; sex/age; cell number; and –  a scanned copy of your driver’s license.

Yes, I’ll get right on that  

Both of the above are just too preposterous to be taken seriously. Although, as difficult as it is to believe, there are those who are laughably loony enough to  respond.

The stick is a little different, and a good example of this is the various forms of the “Your Gmail account needs verification to avoid being shut down ” phishing attack.

Unaware webmail users are much more likely to respond to the threat of losing their email privileges than you might imagine. If the notice looks convincing enough (and, they often do), some Gmail users are bound to be taken in.

The stick:

If you expand this graphic to its original size, you’ll notice the sender is googleemail.com – close, but no cigar. As well, if you’re a WOT (Web of Trust) user, you’ll see that WOT has cleared the “Sign in” link as being safe.

A rather confusing mixed message. Googlee is not Google, but WOT marks the link as safe.

Unfortunately, this “green light” is a shortcoming in WOT’s reputation assessment since the rating reflects the reputation of the the principal domain, and not a subdomain – which, in this case, the link resolves to.

Sadly, average users are generally unaware that Gmail provides a simple tool to view message headers which contain tracking information for an individual email.

In this case, checking the headers (as shown in the following screen capture) reveals this email actually came from prajim.siaminterhost.com – obviously, not Google.

Of course, I didn’t response to this password phishing attempt and click on the enclosed link. But, those users who fall for this type of crafty scam, are often redirected to a forged version of Gmail’s login page where they can happily provided the requested information.

Advice worth repeating:

If you have any doubts about the legitimacy of any email message, or its attachment, delete it.

Better yet, take a look at the email’s headers. Check the initial “Received from” field in the header, since this field is difficult to forge. Additionally, the mail headers indicate the mail servers involved in transmitting the email – by name and by IP address.

It may take a little practice to realize the benefits in adding this precaution to your SOP, but it’s worth the extra effort if you have any concerns.

If you have a webmail account other than Gmail, check out this page for instructions on finding headers for your specific provider.

Google provides excellent advice on their page – Messages asking for personal information, from which the following has been taken.

Here’s what you can do to protect yourself and stop fraudsters:

Check the email address of the sender of the message by hovering your mouse cursor over the sender name and verifying that it matches the sender name.

Check whether the email was authenticated by the sending domain. Click on the ‘show details’ link in the right hand corner of the email, and make sure the domain you see next to the ‘mailed-by’ or ‘signed-by’ lines matches the sender’s email address.

Make sure the URL domain on the given page is correct, and click on any images and links to verify that you are directed to proper pages within the site. Although some links may appear to contain ‘gmail.com,’ you may be redirected to another site after entering such addresses into your browser.

Always look for the closed lock icon in the status bar at the bottom of your browser window whenever you enter any private information, including your password.

Check the message headers. The ‘From:’ field is easily manipulated to show a false sender name. Learn how to view headers.

If you’re still uncertain, contact the organization from which the message appears to be sent. Don’t use the reply address in the message, since it can be forged. Instead, visit the official website of the company in question, and find a different contact address.

If you enter your Google account or personal information as the result of a spoof or phishing message, take action quickly. Send a copy of the message header and the entire text of the message to the Federal Trade Commission at spam@uce.gov. If you entered credit card or bank account numbers, contact your financial institution. If you think you may be the victim of identity theft, contact your local police.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

“Swatting” – Are You A Potential Victim?

In both Canada and the United States, calling 911 (999 in the UK), will put the caller in contact with emergency services including – Police – Fire – Ambulance. In fact, where I live, all these services are dispatched in response to a 911 call.

Luckily, even if the call is interrupted, emergency personnel with access to Automatic Number Identification, coupled with an Automatic Location Identification (ALI) database, can still dispatch emergency response units to the location generated by the system.

In other words, the location from which the emergency call originated is known, and not subject to mistake. Or is it?

Imagine opening your front door – only to be greeted by this.

Not very likely to happen to you, you’re thinking. Perhaps not – but it does happen to innocent victims and, more to the point, it’s happening with increased frequency. The culprits?  Evil lowlifes who misuse call spoofing technology.

Phone phreaking has a long history – those of us who’ve been around since the 1970s should remember these hackers and their free long-distance calls hacks. Fast forward to today, and what was once a victimless crime (though not entirely so), has taken on ominous overtones.

Call spoofing (showing a phone number in caller ID, other than the real originating number) in it’s most vicious form – “swatting” – can have potentially lethal consequences. The twisted idea behind swatting is – faking an emergency of such a magnitude that the response from law enforcement is the deployment of a  SWAT team to the location generated by the spoofed phone number.

You can well imagine the chaos such an incidence is sure to cause.

From the FBI website:

Needless to say, these calls are dangerous to first responders and to the victims. The callers often tell tales of hostages about to be executed or bombs about to go off. The community is placed in danger as responders rush to the scene, taking them away from real emergencies. And the officers are placed in danger as unsuspecting residents may try to defend themselves.

I must admit; I’ve been completely out of the loop on this one and, until I read the following two newspaper stories this past week, I had no idea of the potential danger.

Toronto man ‘swatted’ by hacker who summoned police

Hacker’s swatting attack calls police to Langley home

Why did they do it?

According to FBI Assistant Special Agent in Charge Kevin Kolbye:

Individuals did it for the bragging rights and ego, versus any monetary gain. Basically, they did it because they could.

It’s not my intention, in this article, to describe just how easily a phone number can be spoofed – but, I was hardly surprised to see roughly 2 Million Google search results covering this.

It’s an unfortunate fact that laws impacting technology issues are seemingly destined to always be in catch up mode. In my view though, this perversion should be addressed with some senses of urgency.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.