Cloud Storage – Great Idea or Security Risk?

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.

---

“On no, we’ve lost all of little Johnny’s birthday snaps”, the woman cries as she holds her smashed smartphone aloft. With a knowing smile, her husband responds, “Don’t fret dear, they’re all in the cloud”. All is well, peace and harmony reign again.

Even less than a decade ago, any mention of “cloud storage” or “data in the cloud” would have almost certainly elicited a puzzled response. Today though, I’d imagine just about everyone would be familiar with the concept. “The cloud”, it’s a rather exotic term which simply means your data is uploaded to and stored on somebody else’s server, essentially on an internet connected hard disk owned and operated by the cloud service provider.

There is no doubt that the advantage of being able to access data from anywhere on any device creates a massive appeal factor, especially for multiple device users. Not to mention the automatic backup element which is clearly demonstrated in the opening paragraph.

It all sounds like a great idea, that is until you start considering what might and can go wrong. Of course, cloud storage providers take the utmost care with your data, at least according to them. They apply top notch security measures including encrypted data transfers. Trouble is, the encryption key is also stored on their machines, which means any of their staff can access those files as can any hacker who manages to break into the system.

I realize every method is susceptible to hackers, whether the data is stored locally or in the cloud. However, which do you think would represent the most desirable target – a local disk containing only your own personal data or a mega database containing data uploaded from thousands (if not millions) of users, all in one place?

Another concern involves the future viability of a chosen cloud storage provider – just ask those who entrusted their data to Kim Dotcom’s Megaupload. What happens to your data if the company is sold, goes bankrupt, or just closes down? Then there’s the scenario where cloud storage providers can simply change the terms of their plans, exactly as Microsoft did recently when the company drastically reduced the amount of data storage available under its free OneDrive plan.

I guess though, when it comes to data in the cloud, the greatest concern for most people is privacy. While Microsoft OneDrive openly scans all your files – for illegal content of course, most providers will collect data to share with “trusted third parties”. Naturally, many of these providers need to process sensitive information, such as your name, email address, phone number, credit card details and mailing address, in order to “improve their services”. And Santa Claus visits once a year around Christmas.

Despite the cynicism, I do believe that cloud storage can be decidedly useful and I’m certainly not dismissing the practice out of hand. However, as is the case with many situations… everything within reason.

I would not, for example, store any sensitive data in the cloud, whether encrypted locally beforehand or not. Family photos, life-memories, items which are valuable only to the user and serve no purpose for anyone else… sure, no problem.

Regardless, the important thing to remember is that any backup is preferable to no backup at all. If you don’t fancy storing your data in the cloud, dust off that external drive and use that instead. Works for me.

McDonalds “Fillet O’ Phishing” Survey Scam

Would you fill out an email survey, sponsored by McDonalds – if they paid you 250 dollars for completing it? I’ll go out on a limb here and say – yes you would. Just like most offers that sound overly attractive though – this offer is a scam.

This scam is not only plausible, but in appearance, it could easily pass for the real thing. Jump into this one though, and you’ll stand a good chance of losing your credit card information. So, no 250 dollars; just a real messy credit cleanup to look forward to.

Filling out the survey form really isn’t the hook – that comes later.

Clicking on the “proceed” link (this is where you supposedly get the 250 bucks), opens the following screen. All you have to do is provide your credit card details and additional personal information.

If, at this point, you don’t hear a loud warning bell resonating in your head – you’re about to become a cyber crime victim.

To add credibility (and reduce suspicion), victims of this scam are automatically redirected to the official McDonalds site – once the victim’s credit card details have been scooped by the crooks.

In August of 2010, when I first reported on this scam, which was then being “test marketed” by the cyber crooks in New Zealand and Australia, I made the following point –

The rest of us (non Australian or New Zealanders), shouldn’t be complacent because, for the moment, this scam is appearing only in that part of the world. If this scam works there, and I suspect it will work very well, there’s little doubt it will soon be on it’s way to you’re inbox.

Well, here it is in North America and according to the chat on the Net, this time out, the graphics on the survey and phishing pages are loaded directly from McDonald’s own website. You can rightfully accuse cyber crooks of being the lowest form of pond scum imaginable – but you can’t accuse them of not being technically sophisticated.

It’s the same old, same old, though – the first time I came across this scam was in 2006. This type of scam is recycled repeatedly – because it works. Reasonably intelligent people do get trapped by sophisticated scams. Due, in large part, to their failure to take minimum common sense security precautions. Don’t be one of them.

Advice worth repeating:

If you have any doubts about the legitimacy of any email message, or its attachment, delete it.

Better yet, take a look at the email’s headers. Check the initial “Received from” field in the header, since this field is difficult to forge. Additionally, the mail headers indicate the mail servers involved in transmitting the email – by name and by IP address.

It may take a little practice to realize the benefits in adding this precaution to your SOP, but it’s worth the extra effort if you have any concerns.

f you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

SMB Social Media Risk Index – Panda Security’s Surprising Findings

The success of the email delivered “Here you have” worm that clogged email systems on Thursday, despite the usual misspelling, grammatical, and punctuation errors, seemed to bewilder many in the security community. Frankly, I’m surprised that the community was surprised.

It seems to me, that any security honcho worth his salt (someone who makes a point of getting out in the field occasionally to observe user behavior), would be more than aware, that despite constant warnings NOT to click on embedded links, the majority of users blithely ignore this critical advice.

The following are a few comments I heard at a meeting over the weekend, during which “here you have”, was a topic of much discussion.

“Social scientists need to sit down with a group of these dumb dicks who clicked on the link in this email, and study their behavior.”

“Most users continually show that they are morons. They can’t follow the most basic instruction – DON’T CLICK ON EMBEDDED LINKS!”

“Users who fell for this, and who caused so much disruption in their organization, should be restricted to a pocket calculator on the job.”

The comments might sound slightly edgy, but when perceived stupidity cost money, “edgy” might be at the lower end of the spectrum. And, there are costs –direct monetary costs that a company will be forced to deal with, following penetration of a company system caused by irresponsible employee behavior.

So, what do you think the costs to an organization might be, where employees fail to follow common sense rules when interacting with the Internet, particularly social networking sites?

Panda Security, which released the results of its 1st Annual Social Media Risk Index today, for small and medium sized businesses, may well have one answer.

In this survey of 315 US small and medium businesses (up to 1,000 employees), which focused on the month of July, 2010, Panda found that more than a third of surveyed  companies which had been infected through employee interaction with social networking sites, reported losses in excess of $5,000.

I was not at all surprised to see that Panda found that Facebook was cited as the top culprit for companies that experienced malware infection (71.6 percent) and privacy violations (73.2 percent).

I was however, surprised to see this – “we were pleased to see that the majority of companies already have formal governance and education programs in place. These types of policies combined with up to date network security solutions are required to minimize risk and ultimately prevent loss.”

A confused observation in my view, given that the facts show – these “education programs”, are NOT working.

Additional survey facts:

Thirty-three percent of SMBs have been infected by malware propagated via social networks; 23 percent cited employee privacy violations on popular social media sites.

Thirty-five percent of SMBs infected by malware from social networks have suffered financial loss.

Facebook takes top spot for social networking-related malware infections, followed by YouTube and Twitter.

You can find the complete survey here. Or, you can view a slideshow on the study’s results here.

About Panda Security;

Founded in 1990, Panda Security is the world’s leading provider of cloud-based security solutions with products available in more than 23 languages and millions of users located in 195 countries around the world.

Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology.

For more information, visit Panda US.

Panda Security’s Latest Survey Shows Small Business Fails At Data Security

I’ve been working on an article for some time, investigation whether small business is up to the task of protecting your personal information; particularly your financial data (credit card, debit card, details), following a consumer transaction.

The background research has revealed a sobering reality – many small and medium sized businesses really suck at protecting their customers’ critical financial information.

So, when I had the opportunity to read Panda Security’s study (released yesterday), of security in SMBs (including 1,500 US SMBs), which showed that a startling percentage of US based SMBs just don’t get the security equation, I was not in the least bit surprised.

Look at these stats from the survey:

The infection ratio at U.S. companies has slightly increased since last year (46 percent in 2010 compared to 44 percent in 2009). It has dropped in Europe (49 percent in 2010 compared to 58 percent in 2009).

Viruses are the most popular threat SMBs are encountering (45 percent), followed by spyware (23 percent).

Thirty-six percent of US SMBs use free consumer security applications.

Unbelievably, 13 percent have no security in place!

Thirty-one percent of businesses are operating without anti-spam

Twenty three percent have no anti-spyware.

Fifteen percent have no firewall.

Participants: The survey consisted of companies with between 2 and 1,000 computers. 1,532 in the United States participated in the survey, and nearly 10,000 in total across the U.S., Europe, Latin America and North America.

The next time you use your credit/debit card at your local Butcher, Baker, or Candlestick Maker, consider carefully the risks involved. It might be prudent to inquire whether the business operates in a twenty first century security environment.

Yes, I know, you might see this as an overreaction – but it’s hardly that. Unless we, as consumers, force the issue, many SMBs will continue to operate with their heads up their in the cloud – unfortunately, not in the security cloud.

I’ll tell you a little secret – I never use my credit, or debit card, when transacting business with a small local merchant. It’s not the small monetary loss that concerns me, since the card issuer sets my liability limit at $50. Instead, it’s the more critical information that can be stolen and used in identity theft.

About Panda Security;

Founded in 1990, Panda Security is the world’s leading provider of cloud-based security solutions with products available in more than 23 languages and millions of users located in 195 countries around the world.

Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology.

For more information, visit Panda US.

A PDF version of the full report is available here.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

PandaLabs Trojan Warning – FakeWindows.A, and UrlDistract.A

Courtesy of Panda Security: This week’s PandaLabs report looks at two new Trojans (FakeWindows.A, and UrlDistract.A), that try to trick users in order to steal their data.

FakeWindows.A is a Trojan that resembles a Windows XP activation process.

This malware can reach computers through email, or can be downloaded from a malicious Web page.

It tries to get users to believe that the operating system is requesting their data to activate the account.

In addition to personal data, the Trojan also requests bank details. On entering them, the program displays an error screen indicating it was impossible to
connect to the server. Consequently, in addition to making data theft
easier, users’ computers are blocked.

The UrlDistract.A Trojan, reaches computers through emails with an icon that resembles a video. When run, the Trojan silently steals users’ information, while it distracts them by opening a YouTube video called “Little Superstar” where an actor dances to the music.

The Trojan then connects to an address in Atlanta, and sends all the data
stolen from the computer.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Public Proxy Server Danger – Web Site Spoofing

In the article immediately following this article, “OperaTor and XeroBank – Surf the Internet Anonymously”, I stated, “You have a number of choices when it comes to anonymous surfing. You can use a free proxy server service; not my personal first choice – but that’s fodder for another article!”

Well, there’s no time like the present, so here is that article.

In some cases public proxy DNS’s, the database that associates numeric IP addresses, e.g. (206.4.XX.XXX) with URLs, have been known to have been modified.

The modification consists of changing the legitimate association for a fraudulent one, so that when users type a specific URL, they are redirected to a fraudulent page. For example, if users try to log onto their banking web site, the server could redirect them to a phishing site which resembles the legitimate page, but which is designed to steal their bank details.

The following graphic shows a spoofed banking site.

(Click pic for larger)

The danger of this type of attack is – even users with malware-free, up-to-date computers with a good firewall, etc. could easily fall victim to these attacks.

To reduce the risk of phishing attacks it’s important not to use anonymizer services if you’re accessing sites on which confidential data (e.g. online banks, pay platforms, etc.), is being transmitted.

It’s equally as important that you use a browser add-on such as WOT (Web of Trust), so that you have a first line of defense against this type of attack. I strongly recommend that you use WOT as your primary Internet Browser protection. For more information, read “Love WOT And It Will Love You Right Back!” on this site.

If you’re interested in learning more about web spoofing, there is an excellent article at Princeton University’s web site entitled Web Spoofing: An Internet Con Game.