Breaches, Hacks, and Lessons to be Learned

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.

---

Seems every new day brings news of yet another database breach or two. There was a time when I followed news of these hacks and breaches with interest but they are now so frequent that, unless one is personally involved, it has all become rather mundane.

However, the whole situation begs a couple of important questions and, at the same time, re-enforces the critical nature of how we choose and manage our passwords.

Important Questions

1) Why are companies/site owners not treating users’ data with the utmost care?

I don’t know about you but I am fed up with the lax way in which companies and site owners treat sensitive data which is entrusted to their care.

In today’s internet world, database breaches are a matter of fact yet site owners continue protecting sensitive data using outdated and weak security protocols. Only just recently a new breach came to light involving 40 million passwords extracted from over 1000 sites associated with a Canadian company called VerticalScope. What security protocol did the sites employ to hash and encode users’ passwords… MD5… a known weak and insufficient algorithm.

2) When will governments legislate to ensure that companies/site owners are accountable?

Surely it is incumbent upon these companies/site owners to protect their patrons’ data with the best and most effective security protocols available. However, as many (if not most) seem apathetic to this most basic of duties, then perhaps it’s time for legislators to consider introducing serious punitive measures for  those who fail to do so.

By the way: in response to news of the breach mentioned earlier, VerticalScope’s vice president of corporate development Jerry Orban was quoted as saying:

“We are reviewing our security policies and practices and implementing security changes related to our forum password strength and password expiration policies across certain forum communities.”

How many times have we heard that pathetic  response – I believe it’s commonly referred to as shutting the stable door after the horse has bolted. Message to site owners: perhaps these steps might be better implemented before a breach rather than after.  Duh!

Lessons to be Learned

How many times have you read the following advice regarding passwords:

· Choose strong passwords and use a different password for each log-in/account.

· Change passwords for critical accounts, such as banking,  PayPal, etc., frequently.

· If two-factor authentication is available, use it!

If there’s one lesson to be learned from all these breaches and hacks it is the absolute need to follow these basic principles. Remember, if you use weak passwords and/or the same password across multiple accounts, if one account is hacked all the rest are at serious risk.

Too many people just glide along ignoring the dangers until it actually happens to them, however, this is surely a lesson better learned from other people’s mistakes rather than from our own.

Why Do Users Keep Falling for Scams?

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.

---

*Social engineering: refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access — Wikipedia

It’s unfathomable to me why so many people still get caught out by social engineering techniques, being tricked into clicking that link or opening that attachment.

Social engineering is one of the most prevalent methods used by cybercriminals to infect a system and/or gain a user’s sensitive information. Ransomware, phishing emails, scams, all generally involve an element of social engineering. Why? Because it’s simple, effective, and lucrative. It stands to reason then that the most potent method for eradicating these types of threats would be to make them less effective and less lucrative. The question is; how to achieve that?

You’ve no doubt come across the saying “education is key” – and, when it comes to social engineering, nothing could be truer. Because of the changing nature of socially engineered exploits, security software cannot always protect users from themselves. That’s why Tech blogs are repeatedly issuing the same advice/warnings – don’t click on links in emails from unknown senders, don’t open email attachments from unknown senders, etc., etc., etc. In fact, I recently published yet another list of do’s and don’ts  “10 Golden Rules to Defeat Scammers” . Yet, despite all this, so many people are still falling victim to social engineering.

A large part of the problem I suppose is that the users who need this type of advice the most are generally not the sort of people who tend to visit and read Tech blogs.

I was recently perusing a well-known freeware site and came across a comment from someone complaining that, despite being protected by a commercial grade antivirus, his company’s computers had been infected by ransomware… twice. On both occasions the infection was initiated by an employee clicking on something he or she shouldn’t have clicked on. I suggested to him that perhaps his company needed to review and strengthen its staff training program. Education is key.

My own clientele consists largely of elderly folk and, in my experience, many are highly susceptible to phishing and scams in general. I have a theory about this; I’m sure it’s because they were brought up in an era when trust was inherent; leaving the front door to the house open, leaving the car unlocked and keys in the ignition. Do you know what I mean? It’s not so much that they are gullible, more overly trusting.

These people also tend to be not so computer/security savvy, so rather than hit them with a long list of do’s and don’ts, which might be difficult to follow, I condense it all down to just three rules for them to remember:

1. Treat each and every unsolicited phone call and/or email as highly suspicious.

2. Always be very wary about giving out sensitive personal information over the internet.

3. If it sounds too good to be true, it almost certainly is.

If the more savvy among us would only take the time to pass this type of advice around their own particular circles of family, friends, and acquaintances, I believe that we, collectively, might just make a difference.

If You Can, Steer Clear Of Free Wi-Fi Hotspots

Wi-Fi hotspots and I don’t get along. It’s not that I’m not appreciative of the free service – I am.  But, I’m far from convinced that free Wi-Fi hotspots are appropriate for most Internet users. Hotspots are a hacker’s dream come true.

Free hotspots, in many instances, are unsecured – a semi-skilled hacker, using a selection of readily available tools (often available as a free download on the Internet), can easily penetrate such a network.

Here’s the first example of what I mean:

Earlier this year, while visiting my local Library, I logged on to it’s hotspot only to have my Browser warn me of a possible fraudulent certificate – symptomatic of a “man-in-the-middle” attack. Typically, a man-in-the-middle attack is designed to eavesdrop on the traffic between a user and a website.

Since most users are unaware of the importance of certificates, it’s fair to assume that a typical user, on seeing this warning, would simply click “ignore”. In this case, that had to be so – when I approached the Library’s chief Tech, shockingly, he had no idea what I was talking about. Certificate? Huh? Which led me to believe, that no other user had brought this issue to the Tech department’s attention.

In other words, possibly thousands of users were unaware of the very real risk to their privacy and confidential data, as they happily surfed the Internet from this location.

Given, that one purpose of a certificate is to confirm that the web site being visited is indeed what the user thinks it is – effectively, whether the site can be trusted or not – I continue to be surprised at the typical user’s scant knowledge in this area.

Here’s a challenge for you – query your self described “tech savvy” friends on the current certificates installed in their Browser. Wait for the surprises – or, maybe not.

Pictured below, as an example, are the Certificate installed in my current version of Firefox.

Authorities – These are the Root Certificates that Firefox trusts.

Servers – These are the certificates that have been installed manually from a website.

The second example:

At an Art class I joined earlier this year, I happened to notice a questionable type of person sitting (on the ground) outside the building (freezing his butt off, since it was Winter), surfing on his Laptop. I knew there were no open Wi-Fi networks within range, so it was apparent that this fellow was surfing through the Art Institute’s password protected Wi-Fi.

On speaking with Institute staff, it became clear that this was a common occurrence with this fellow. The long and the short of it is (it would take an entire article to tell this tale), a series of Wi-Fi hacking tools were being used to “play” with the owner’s site. Since few of the students used the Wi-Fi hotspot, no damage had been done. But, it easily could have.

If you do use Wi-Fi Hotspots, here are some recommendations for safer surfing:

Assume your Wi-Fi connection is open to penetration.

Be certain that your security applications are up to date.

Don’t enter sensitive financial data. Online banking while connect to a hotspot is, to put it mildly – crazy.

To be sure that you don’t leave a trail of “breadcrumbs” – history, cookies, passwords – set your Browser to private browsing mode.

Log out of each logged-in site you visit – particularly, web based email sites; Facebook, Twitter, and the like.

Pay particular attention to one of the craziest default setups ever – “Remember my password”. It’s imperative that you uncheck this.

If you’re comfortable with anonymous surfing then, consider installing a VPN application. One such application worth considering is Hotspot Shield – reviewed here, a number of times.

Finally, you should consider avoiding Wi-Fi Hotspots entirely. An alternative is creating a “personal hotspot” if your smartphone is capable. Check your phone manufacturers web site for information on how to do this.

The Tech Savvy Generation Myth Hurts All Of Us

Time to beat that dead horse again. Out of habit mainly, since statistically, it’s a total waste of time for me (and others, of course) to continue to advance the position that “education” should offer significant benefits in the fight against cybercrime. Users, it seems, remain unconvinced.

Unfortunately, there’s a huge imbalance in the fight against cybercrime. On the one side we have highly motivated, and technically astute, albeit despicable human beings – intent on causing harm. On the other side – you, me, and the rest – many of whom can be classed as stupidly arrogant in assessing their own technical capabilities. Tough talk? Not nearly tough enough from where I sit.

The Ponemon Institute and PC Tools, in a recent study/survey, marked this real gap between perceptions users have in their own abilities to stay safe on the Net, versus the reality. In a few words (my words, not theirs), too many computer users are dead stupid in assessing their own capabilities.

Hardly news though, is it? We’ve discussed this issue here, over and over. Which is why, I had a bit of a chuckle when I read Richard Clooke’s  (Richard is a highly competent online security expert at PC Tools, whom I’ve corresponded with occasionally) comment imbedded in the report –

“The longer term concern is that while many of us think that we are too savvy for online scams, the research demonstrates otherwise,” said Richard Clooke, online security expert at PC Tools. “Unless consumer behavior is addressed through education, the incidence of cyber criminals seeking to cash in on consumer trust and naivety online is likely to increase exponentially.”

Sadly, I’ll take issue with Richard’s last statement – good luck with the education thing. I have yet to see any improvement in “Internet Street Smarts” where education played a role – nor do I expect to. Why would there be, when the harmful myth of the “Tech Savvy Generation” continues to be taken at face value by so many.

Some time back, I wrote an article on this issue which has proven to be very popular with educational institutions, when used as a resource. If you missed this article, you’ll find it below:

Part Of The Tech Savvy Generation? How Tech Savvy Are You Really?

You’re part of a computer literate and technically competent generation – you know, the “tech savvy generation” we hear so much about.

So, when it comes to wandering through the risky Internet neighborhood that’s arguably full of predators, you tend not to worry.

You’re convinced, that since you’re a member of this tech savvy generation, when you surf the Internet, you can handle the dangers and pitfalls that wait for the typical unsuspecting user, (the user who’s not part of your tech savvy generation).

This unsophisticated non-tech savvy group are much more likely than you, to be pounced on by the multitude of scam artists, schemers and cyber crooks lurking in the shadows, just waiting for victims. Right?

It’s entirely possible of course, that you are computer literate, and technically competent. On the other hand, simply because you are a member of that generation who have grown up with computers, does not make you tech savvy. I hate to burst your bubble, but the concept of a “tech savvy generation” is a myth.

I understand why you may have bought into this myth. People love myths. It seems that we will buy into any myth provided it agrees with, or reinforces, our already held misconceptions.

Myths of course, get their status precisely because they do reinforce our beliefs, properly held or not. This myth (masterfully propagated by the media), continues to pose serious security risks for those who believe it.

Since I’m involved in Internet and system security, I have many opportunities to deal with the “tech savvy generation”, and overall, I find them no more competent than average/typical computer users.

Unfortunately, I find that not only does the tech savvy generation not know “what they don’t know”, they don’t want to hear about it because developing knowledge is hard, and it requires time and effort. Better to just hang on to the myth.

I’ll admit, that anecdotal evidence, while interesting, does not always tell the tale. On the other hand, gather enough anecdotal evidence and one may have enough data to propose a theory, that can withstand probing and prodding.

As a tech/geek/writer, I am in touch with loads of other techs/geeks/writers from around the world, on a fairly consistent basis. One undisputed reality that we all agree on is, the lack of knowledge exhibited by typical computer users, and that members of the tech savvy generation, are no more than typical computer users.

So, if you’re a member of the so called tech savvy generation, you need to consider these realities:

Cyber criminals count on your believing the myth. It makes their job just that much easier.

There’s a major lack of knowledge and skill relating to computers/connected devices, and security, in the tech savvy generation. You really are, just an average computer user.

Common sense tips:

Stop believing the myth.

Start being proactive when it comes to your computer and connected device’s security; part of that is making sure you have adequate software based protection to reduce the chances you will fall victim to cyber crime.

Recommended reading: Principles of Security: Keeping it Simple – by guest writer Mark Schneider, and – An Anti-malware Test – Common Sense Wins.

The Fundamental Principle Of Safe Surfing – Think “Common Sense”

So what can you add to your computer’s Firewall, Security Applications, and Browser security add-ons to ensure you have the best protection available while you’re surfing the web? Well, how about something that’s free, and readily available? Something called “Common Sense”.

Common sense: sound and prudent judgment based on a simple perception of the situation or facts.

–   Merriam-Webster’s Online Dictionary

Common Sense Tip #1 – Given the virtual epidemic of malware currently circulating on the Internet, don’t run, or install programs, of unknown origin.

Internet users’ continue to be bombarded with rogue security software which has reached epidemic proportions. There seems to be no end to the release of new rogue security software threats. Rogue software will often install and use a Trojan horse to download a trial version, or it will perform other actions on a machine that are detrimental such as slowing down the computer drastically.

Download applications, particularly free programs, only from verifiably safe sites (sites that guarantee malware free downloads), such as Download.com, MajorGeeks, Softpedia, and the like.

There are many more safe download sites available, but be sure you investigate the site thoroughly before you download anything. Googling the site, while not always entirely reliable, is a good place to start. A recommendation from friends as to a site’s safety is often a more appropriate choice.

Common Sense Tip #2 – Don’t open emails that come from untrusted sources. It’s been estimated that 96% of emails are spam. While not all spam is unsafe, common sense dictates that you treat it as if it is.

Common Sense Tip #3 – Don’t run files that you receive via email without making sure of their origin. If the link has been sent to you in a forwarded email from a friend, be particularly cautious. Forwarded emails are notorious for containing dangerous elements, and links.

Common Sense Tip #4 – Don’t click links in emails. If they come from a known source, type them in the browser’s address bar. If they come from an untrusted source, simply ignore them, as they could take you to a web designed to download malware onto your computer.

Common Sense Tip #5 – If you do not use a web based email service then be sure your anti-virus software scans all incoming e-mail and attachments.

Common Sense Tip #6 – Be proactive when it comes to your computer’s security; make sure you have adequate software based protection to reduce the chances that your machine will become infected.

Be proactive when it comes to your computer’s security; make sure you have adequate software based protection to reduce the chances that your machine will become infected.

Most of all, understand that you are your own best protection.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

PC Tools Predicts New Breeds of Social Media Cyber Scams

PC Tools, the company which brings you PC Tools Firewall Plus (free), ThreatFire (free), and of course a complete line of award-winning commercial grade security offerings, is issuing this consumer alert advising the rollout of new social media sites and features, are leading to a fresh crop of online scams and threats.

PC Tools Top Three Social Network Threat Predictions

Email alerts for “tagged” photos where YOU might appear online.

Social networks are developing increased intelligence for facial recognition to assist with tagging photos. When you’re tagged in a photo or at a location in your photo album, you can often expect an email or notification letting you know where to view it online. Watch out!

Cybercriminals may be using this as a tactic to get you to click on malicious links asking for information – possibly even prompting you to click on a link leading to a fake login and password entry form posing as your social network.

Online robots or “bots” on social networking sites will be more sophisticated

We believe within the next few months that social media “bots” will become more advanced, effectively creating human-looking profiles and personalities. Cybercriminals rely on bots because they are the fastest and most cost-effective way to spread malware, spyware and scams through social network sites.

Through these bots, criminals can auto-create bogus personalities on social networks, which can in turn link to fake companies that sell phony products – all to trick users into buying merchandise that isn’t real or spreading news that doesn’t actually exist.

An increase in fake invites to join “new” or “exclusive” social networks or social groups

New social networks are popping up every day, some of which are “invite only” making them more appealing. Cybercriminals could use this appeal as a method to lure users into clicking on fake invites for exclusive networks. Upon clicking on these invites, users could be asked to provide personal details such as name, login, password or birthdates which should not be released.

“If you’re looking to join the hottest new social network, be careful where you click – your personal life may be at risk,” said Mike Chen, Product Marketing Manager at PC Tools. “Cybercriminals are taking advantage of the buzz surrounding these new social networks and features by tricking unsuspecting users to divulge personal information or download malware.”

Chen added that today’s malware looks legitimate, but what may seem like a harmless email or link can actually result in a person’s stolen identity or credit card data theft. And according to Pew Research, 46% of internet users agree that “most people can be trusted” – a prime reason why cybercriminals are so successful at duping consumers.

About PC Tools:

With offices located in Australia, Ireland, United States, United Kingdom and the Ukraine. PC Tools is a fast-growing brand with dedicated Research and Development teams that ensure PC Tools maintains a competitive edge. With registered customers in over 180 countries and millions of downloads to date, PC Tools’ products continue to win awards and gain recommendations from respected reviewers and independent testing labs around the world.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Returnil System Safe 2011 Free –Virtualization With Added Antimalware Protection

System virtualization is a very cool technology which, if used correctly, has the power to control malware intrusion through the use of a ‘”virtual” environment, rather than operating in a “real” environment.

Running virtualized while surfing the Internet makes sense, and since it does, we’ve reviewed a number of these applications in the last year or two, including -Shadow Defender, Returnil Virtual System (a previous version of the application currently being reviewed), Sandboxie, GeSWall, Wondershare Time Freeze, Free BufferZone Pro, and more – including virtualized Browser add-ons.

A quick overview of Returnil System Safe 2011 Free:

Returnil System Safe clones your computer’s System Partition and boots the PC into a controlled virtual environment, rather than native Windows. Since the OS operates virtually, the “real” OS cannot be compromised by malware, malicious software, etc. Should the virtual OS become compromised, a simple restart will return the machine to its original state.

Returnil System Safe 2011 Free is compatible with both 32 bit and 64 bit Windows systems. As a value added bonus, Returnil System Safe 2011 Free incorporates an Anti-malware and Anti-spyware component.

Installation is uncomplicated and should run error free. All of the following screen captures can be expanded to the original size, by clicking on the graphic.

Pay particular attention to the registration screen. Should you choose not to register the application, certain product features will not be available past 30 days.

If you plan on continuing to run the application past the 30 day mark, it seems sensible to register. Registration will be confirmed as per the following screen shot.

Setting the Virus Guard real-time protection is simple and straightforward.

You will have the option of automatically starting the application on Windows startup but, I caution against this. Once the application is running, any changes (including downloads, for example, cannot be saved). You will, of course, be guided by your own needs.

The following screen capture explains this restriction.

Instead of an autostart, launch the application manually as needed – surfing the Web, for example.

Fast facts:

  Overall Product

• New an improved interface
• Clear protection status of your system
• Manage main features from one screen

Virus Guard (Anti-malware and Anti-spyware)

• Real-time protection – define your own shield sensitivity
• Quick Scan – light on resources and effective
• Full Scan – thorough scan of pre-defined areas on your computer
• Scan is dynamically adjustable to user workload (less resource intensive)

Virtual Mode

• Protect your system – Virtualize it!
• Virtual Mode Always On or just in current session
• Ability to save files via File Manager (paid version only)
• Powerful anti-execute protection

System Restore (System Rollback)

• Repair infections with ease
• Restore your system to a previously known/clean state
• Recover individual infected files
• Do not ever worry about losing your data

System Requirements: Windows XP, Vista, Server 2003, Server 2008,  Windows 7 (all – 32 and 64-bit).

Supported Languages: English, German, Japanese, Korean, Chinese (Simplified), Russian, Portuguese (Brazil), Dutch, Polish, Bulgarian, Finnish.

Download at: Download.com

Overall assessment:

Compared to previous free versions of Returnil, this version suffers from a major lack of functionality – with the focus primarily directed towards a user upgrade. There’s nothing intrinsically wrong with that of course – that’s marketing. But, this market driven position ignores the fact that free competitive products offer more substantial features and benefits.

If you’re looking for a free virtualization application that offers a reasonably complete solution, then you should consider Free BufferZone Pro. You can read a full review here – Free BufferZone Pro – Maybe The Best Surfing Virtualization Application At Any Price

Update: July 1, 2011

Mike Wood, from Returnil, has clarified a number of issues in the response which follows:

Thanks for the review and write up. All feedback is welcomed and yours has been taken into account for future versions. Some feedback on a couple of things in the article:

1. “… this version suffers from a major lack of functionality “: In the older RVS 2010 versions, the Virus Guard was limited to Quick Scans only. We changed this in the 3.2x versions to include Full System scans in RSS Free. We also provide updates via the Cloud feature that are based on the unknown/malicious file and behavior data collection and server side analysis in our own engine/AI tech. RSS Free does have some limitations as far as premium features are concerned, but that is actually only for the System Restore and File Manager/Access Real disk features. The latter centers around being able to save content to the real System partition while in Virtual Mode and the former is centered on the additional tools we provide to the native Windows Shadow Copy service used for the SR feature.

Those using the Free version can still save content and data to disk; the key is in where that data is stored. In the free version you can still save content to non-system disks/partitions and also have access to the Virtual Disk which can be used as a convenience for those with single partition rigs (only a C:\ drive for example).

The features in the System Restore in the paid versions includes automatic antimalware scanning of restore points and backups prior to implementation as well as the ability to recover files from the previous machine state following a restore. Another feature of the SR is that it can monitor all forms of backups and will list them in the Full Restore option when activated so they can be scanned for malicious content as described above.

2. The discussion of layered security approaches: RSS Pro was designed from the outset to be a vertical layered security approach in a single application where each component part works to not only provide its core functionality, but also to cover the weaknesses in the other component parts. As the free version does have some feature limitations, it is more appropriately placed as a team player in a larger layered strategy that the user is implementing with an ability to cover System level virtualization (as opposed to BZ’s application layer approach), complimentary antimalware, and anti-execute so you can reduce the overall number of other security applications you need to make said strategy work.

The paid version takes this a step further and allows the user to have a layered strategy in a one-stop package that can reduce the need for additional programs in the mix other than a good firewall solution.

With Kind regards,

Mike

Returnil Support

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Scareware Is Everywhere – As Mac Users Just Found Out

The success cyber criminals have had with the recent Mac scareware attack (MacDefender, which has already morphed into a new variant – MacGuard), emphasizes the following point – given the opportunity, Mac users may be just as likely as Windows users to say “Yes” to an invitation to download a rogue security application.

Considering Apple’s marketing style, which reinforces the myth that Macs are inherently more resistant to malware infections than Windows PCs (bolstered by the cachet that Mac users are somehow smarter than PC users), I suspect that Mac users are in for a rough ride in the coming months. Undoubtedly, Mac users will learn that cyber criminals use of social engineering is not platform specific.

Hopefully, this reality check will put a stop to nonsensical forum comments like the following.

“Well this is why I’m glad to have a Mac just saying”

“If Windows didn’t exist these things wouldn’t happen to people”

Since myths tend to die a slow and painful death however, I somehow doubt it.

Early last year, I posted an article – Say “Yes” on the Internet and Malware’s Gotcha! – which pointed out the potential consequences to those Internet users who instinctively, and unthinkingly, click on “Yes” or “OK”. Given the unprecedented rise in the number of malicious scareware applications in the interim (often, but not exclusively, promoted through poisoned Google search results), that article is worth reposting.

The following is an edited version of that earlier article.

Virtually every computer user, at both the home user level (my friends), and at the corporate level, whom I come into contact with, tends to downplay personal responsibility for a malware infection.

I hear a lot of – “I don’t know what happened”; “it must have been one of the kids”; “all I did was download a free app that told me I was infected”; “no, I never visit porn sites” or, Bart Simpson’s famous line “it wasn’t me”. Sort of like “the dog ate my homework”, response. But we old timers, (sorry, seasoned pros), know the reality is somewhat different, and here’s why.

Cybercriminals overwhelmingly rely on social engineering to create an opportunity designed to drop malicious code, including rootkits, password stealers, Trojan horses, and spam bots, on Internet connected computers.

In other words, cybercriminals rely on the user/potential victim saying – “YES”.

Yes to:

Downloading that security app that told you your machine was infected. Thereby, infecting your computer with a rogue security application.

Opening that email attachment despite the fact it has a .exe .vbs, or .lnk.extension, virtually guaranteeing an infection.

Downloading that media player codec to play a  porno clip, which still won’t play, but your computer is now infected.

Clicking on links in instant messaging (IM) that have no context, or are composed of only general text, which will result in your computer becoming part of a botnet.

Downloading executable software from web sites without ensuring that the site is reputable. Software that may contain a Browser Hijacker as part of the payload.

Opening email attachments from people you don’t know. At a minimum, you will now get inundated with Spam mail which will increase the changes of a malware infection.

There are many more opportunities for you to say “yes”, while connected to the Internet, but those listed above are some of the the most common.

The Internet is full of traps for the unwary – that’s a sad fact, and that’s not going to change any time soon. Cyber criminals are winning this game, and unless you learn to say “NO”, it’s only a matter of time until you have to deal with a malware infected machine.

Here’s an example of a rogue security application getting ready to pounce. A progressively more common occurrence on the Internet.

I can’t say this often enough. Ensure you have adequate knowledge to protect yourself and stay ahead of the cybercrime curve. Make a commitment to acquire the knowledge necessary to ensure your personal safety on the Internet. In a word, become  “educated”.

If you lack this knowledge the answer is simple – you can get it. The Internet is loaded with sites (including this one), dedicated to educating computer users on computer security – including providing application reviews, and links to appropriate security software solutions.

It’s important to be aware however, that security applications alone, will not ensure your safety on the Internet. You really do need to become proactive to your Internet safety and security. And that does mean becoming educated.

Internet users who are aware of significant changes in the Internet security landscape, will react accordingly. Unfortunately, experience has taught me that you can’t fix stupid.

Before you say “yes”

Stop – consider where you’re action might lead

Think – consider the consequences to your security

Click – only after making an educated decision to proceed

Consider this from Robert Brault:

“The ultimate folly is to think that something crucial to your welfare is being taken care of for you”.

I’ll put it more bluntly – If you get a malware infection; it’s virtually certain it’s your fault. You might think – here’s this smug, cynical guy, sitting in his office, pointing undeserved critical fingers. Don’t believe it.

If users followed advice posted here, and advice from other security pros, and high level users, the Internet could be a vastly different experience for many. At the very least, we might have half a chance of dealing more effectively with the cybercriminal element. To this point, we’re losing rather magnificently.

Computer users would be vastly better off if they considered Internet security advice, as a form of inoculation. It’s a relatively painless way to develop immunization. While inoculations can be mildly painful, the alternative can be a very painful experience.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Firefox and Chrome Add-ons For The Paranoid Internet Surfer

Two of the most popular readers questions I get here are: Which Browser add-ons do I really need? Which add-ons do I (meaning me), use? Not a surprising question really; with the huge number of Browser extensions available, it can be difficult for users to determine which ones to consider adding – the choices seem unlimited.

I could sit down and write an article on those Browser add-ons that I wouldn’t be without. But, let’s try something a little different today.

Regular reader Georg L., an IT Professional from Vienna, Austria, who’s experience ranges from the days of DOS to the present, has laid out a list of Browser extensions (for Firefox and Chrome), which he has installed to boost Browser security, and in some cases, to increase Browser functionality.

This list of Browser add-ons will resonate with readers who recognize the need to elevate Browser security. Not surprisingly, both Georg and I have installed essentially the same add-ons. Particularly those add-ons designed to increase Browser security.

Firefox:

Adblock Plus 1.2.2

Better Privacy

BitDefender QuickScan

Flagfox

Flashblock

FoxyProxy Standard

Ghostery

GoogleSharing

HTTPS-Everywhere

NoScript

PDF Download

Perspectives

Qualys BrowserCheck

Search Engine Security

SkipScreen

Chrome:

AdBlock

AntiAds

BitDefender QuickScan

ChromeFlags

FastestChrome – Browse Faster

FlashBlock

Ghostery

Google Analytics Opt-out

Google Dictionary

Mini Google Maps

Secbrowsing

SmoothScroll 

Ultimate Google Docs Viewer

Wikipedia Companion

Just to be clear – it’s not paranoia if they really are after you? I can assure you, if you’re connected to the Internet, they (cyber criminals) really are after you!

This article is an edited version of the original article which was published August 30, 2010.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Kate Middleton Scam – Working Like A Charm!

If you’re a regular reader here, I don’t have to belabor the point and remind you, that significant numbers of Internet users are often unaware of the very real dangers that search engine results hold for their safety, security and identity.    You’re well aware that many are blissfully unaware of the hidden dangers on the Internet, and seem to have a natural tendency to “just click”.

Here’s a perfect example.

Several days ago, I posted an article – Kate Middleton Nude – As If! – knowing full well, that the article would draw scores of careless users to it – all looking for a titillating experience. A perfect opportunity to teach an Internet safety lesson. I wasn’t disappointed, as the following screen shot of search engine stats from this site, illustrates.

Hundreds of additional search terms (too many to show), included – catherine middleton nude, kate middleton revealing pictures, william and kate nude, kate middleton naked, kate middleton naughty photos, a picture of kate meddliston naked, kate middleton sextape ……..”kate middleton” nude or breast or bikini – I think you get the picture.

By the end of the day, yesterday – 2,000+ potential victims visited this post…

and an additional 900+ so far, today.

All of this reminds me of an article I wrote in July 2009 – Hey Sucker – Read This! Michael Jackson’s Not Dead! – which drew 1,000s of visitors. Most of whom were unaware that the events surrounding Jackson’s death were being leveraged by cyber crooks to drop malware on unsuspecting surfers machines.

A similar scenario is being played out here. Cyber crooks are using, as they always have, a provocative and tempting attention grabber as a hook to reel in the unwary and undereducated Internet surfer.

Since this site has a high Google Page Rank rating, the search string “kate middleton nude”, is in second place in Google search results out of 3 Million plus. I’d like to think, that those lucky few, who clicked on – Kate Middleton Nude – As If! – have a developed a heightened sense of awareness of cyber criminal manipulation of current events.

I’d like to think that – but, I doubt it. I’m convinced that the potential victims who clicked on this article, went on clicking elsewhere in their hunt for the non-existent. Without a doubt, some are now dealing with malware infections.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.