TECHNOLOGY TIP
 

Technology Tip Archive

Care About Privacy? Google Doesn’t

Google recently rolled out a new product called Google Buzz. The problem is that if you have Gmail then Buzz was already turned on and potentially sharing information that you did not choose to share or, perhaps, even want to share.

The idea behind Buzz was for Google to create a social network without people choosing to be a part of it. Google added Buzz to all Gmail accounts and automatically had you start following people. Google also linked Buzz to their Picasa and Reader products.

An example of the privacy problems Google’s arrogance created can be found at http://gizmodo.com/5470696/fck-you-google

A broader perspective can be found at http://www.nytimes.com/2010/02/13/technology/internet/13google.html

Initially Google made some very, very minor changes, but now is revising the auto-follow to auto-suggest, where they will suggest people you might want to follow. Still, it isn’t all about who you follow, they also show the world who you follow. There are some privacy settings, but on initial roll out your information was already shared unless you didn’t create a public profile.

If you care about privacy it is extremely difficult to maintain it with Google products.

My suggestion is that if you have a Google profile, public or private, you delete it. Then I suggest you delete all of your contacts. You might first wish to make a list with their email addresses, etc., but I would delete all contacts. You never know how Google will choose to share this information without your permission. This does mean that you will not be able to use Google Chat, but there are many other free chat programs that pose less risk to privacy than Google does.

My thought is that the next Google product will be Google Gossip, where Google will scan your Gmail messages for juicy sentences, take them out of context, and then send them to all of your contacts. For example, I might write to a friend that “Right before leaving my last job I decided it is time to look for a new job.” The next thing I know Google will send a message on my behalf to all of my contacts saying “Randy says ‘it is time to look for a new job’”. Of course this would get back to my boss and guess what happens at review time :) OK, perhaps exaggerated a bit, but Google does not think about basic privacy when they launch a product.

If you have a Gmail account and have not logged in recently, I recommend you log in and turn off Buzz at least until Google has fixed their mistakes and there has been time to test it.

You can see Google’s apology at http://gmailblog.blogspot.com/2010/02/new-buzz-start-up-experience-based-on.html

If you have any general computer security questions, feel free to contact me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

 

Does This Ring a Bell?

Regardless of our practices, we all know that it is important to use security software on our computers and to back up our data, but do you think the same about your phone?

Smart phones are becoming more and more like computers. We store extensive lists of contacts, email, music, and other data on the devices. Smart phones are being used more and more to conduct business and that leads to some security concerns, so here are some tips to help you with a safer smart phone.

Perhaps one of the most important things is to get into a habit of backing up your data. Millions of cell phones are lost, stolen, or yes, even dropped in the toilet each year. One report I saw claimed that 1 out of every 4 iPhones is lost or stolen.   It is bad enough to have to replace the device, but sometimes the data is worth even more. If you back up your data regularly then if your phone is lost, stolen or damaged you will have far fewer worries.

Smart phones come with the ability to lock the device when you are not using it. Locking your phone helps to protect your data if your phone is lost. Locking your smart phone is important if you have intellectual property on the device, but it can also help to prevent identity theft. Smart phones often have enough personal information stored on them to make identity theft easy if a bad person is the one who finds the device.

Encrypt your passwords. Many people store a lot of passwords on their smart phone. Smart phones generally have the ability to encrypt the passwords, but that is not usually the default. If your smart phone is lost will it give someone access to your email accounts and social networking sites? Perhaps you have online banking or other financially related passwords on your smart phone?

Consider Antivirus software. Actually, this is not an option for the iPhone, and Blackberries have had very few problems, although there is commercial spyware for the Blackberry. For many other types of smart phones there is antivirus software available and this adds a layer of defense. The smart phone is gaining popularity with the criminal element since these devices are more frequently being used for a variety of activities which can profit criminal organizations. Yes, even access to your Facebook or MySpace account can be of value to a criminal. Malicious software can steal information off of your smart phone without you knowing it. Unfortunately, Apple will not allow antivirus for the iPhone as their marketing is far more important to them than end user security.

Speaking of Apple security, just as you patch/update your operating system, you need to keep your smart phone’s operating system up to date. It is worth taking a little time to find out how to do this for your specific device. An iPhone has to be connected to a PC with iTunes running in order to update the operating system, and Apple just fixed some serious vulnerabilities on the iPhone. Most all devices have had some security updates at some point, so save yourself a hassle and make sure you are up to date.

Now for the easy one… Put a label on your smart phone. Believe it or not, there are a lot of honest people out there and if you lose your smart phone there’s a decent chance a person will return it if they know how to. The label should include at least a first name and an alternate number to call if the device is lost. If you lock the phone a person may not be able to find anything out to help them return the phone, but a label can help you get the device back faster. Yes, there is a concern that the label gives away some information about you, but you have to weigh the risk and potential benefit for yourself.

If you have any general computer security questions, feel free to contact me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Stubborn, OK… Mule NO!

One of the big scams involves what we call money mules. A money mule is a person who is used to transfer money for the criminals. The way the scam typically works is a person receives an email telling them that they can work from home. The work involves transferring money in and out of their account and they get to keep a percentage of the money.  In reality the money is being stolen from someone else’s account. When the first victim becomes aware of the theft and notifies the bank then the mule becomes responsible for all of the money, not just the percentage they were told they could keep.

For example, the mule may be told they get to keep 10%. A transfer of $10,000 is made into their account and they transfer $9,000 to another account or via Western Union. When the bank catches up the mule becomes responsible for all $10,000.

Sometimes the “job offers” appear to come from well known companies like Texaco. Other times the bogus offers come from companies that claim to be financial services organizations. One scam I received claimed I would be a secret shopper to report on the customer service of Western Union and another financial institution.

In a rather humorous blog, Brian Krebs, formerly of the Washington Post, tells of the top 10 ways to get fired as a money mule http://www.krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/. Of interest, Krebs reports that the money mules get used for one transfer and then the criminals ditch them. This makes sense since the crooks know they just stung the mule as well as the person who initially got ripped off.

Oftentimes the criminals target people looking for jobs at websites like Monster.com and Careerbuilder.com. They know these people are sometimes desperate for a job, so the job they offer has very tempting wages. Probably just as often, the bogus job offers come through untargeted spam runs.

Evidently there are a lot of very gullible people as the FBI reported that money mule scams topped $100 million last year, and that is only in the US.

The biggest sign that a communication is a scam is that it looks too good to be true. The wages I have seen offered range from about $2000 a month for a couple of hours work to about $17,000 per month. Most of the mules don’t have any experience in the financial transaction industry. A very high paying job for a person with no experience is too good to be true.

If you have any general computer security questions, feel free to contact me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Where Do You Get Your News?

I read a story today about a hoax that Johnny Depp had died in a car accident. The story is bogus but “sensational” news is a magnet for malicious attacks.

It seems the rumor started on Twitter and supposedly CNN had news about it as well. People who pay attention to details would know that the “CNN” story was not on CNN, but if you don’t pay attention to the details you will be easily fooled.

I recommend you take a look at this video produced by Graham Cluley, a friend of mine. http://www.youtube.com/watch?v=LPBhaVduF-Q

The video does a great job showing how the criminals trick people into installing malicious software by making some quite believable news.  While social networking sites can be used to share breaking news, such as the landing of a jet in the Hudson River, you should be very, very cautious about clicking on links to news stories. If the story is legitimate you can type in www.cnn.com or www.msnbc.com, or whatever your favorite web site is. If the story is that big and it is real, you’ll find a link to it right on the front page.

The thing to remember about the internet is that anything can be spoofed. Be very wary. It is one thing if you and I are talking face to face, but quite a different thing if we are exchanging email or instant messages. If my account gets hacked then it does appear that I am the one saying things to you.

Recently 32 million social networking site accounts were compromised by poor security practices and an exploit. Rockyou.com, the developer of applications for social networking sites like Facebook, MySpace, and many others, had their entire database stolen. The database included email addresses and passwords for over 32 million people. It would be trivial for the attacker to impersonate any one of those users and send an email with some sort of sensational news and a link to the story.

Whenever you are dealing with a computer it is a good idea to step back for a moment and realize that email and instant messages are not at all the same thing as speaking with a person face to face. A bit of skepticism is healthy.

When someone sends you a news story it makes a lot of sense to independently verify the facts. Type in the website of your favorite news organization. Check out www.snopes.com for hoaxes before you pass along the “big story”.

In some ways the Internet is not all that much different than driving a car. You have to be alert at all times or bad things will happen.

If you have any general computer security questions, feel free to contact me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Webmail Privacy

Google recently announced that it has changed the default setting on Gmail to always read email through https, which means if you are at a coffee shop reading your email, and you have the new Gmail default setting, your communications will almost certainly be private.

This setting is not automatically changed for existing users, though. If you already have a Gmail account, then to help make sure your email is private when you read it from Gmail, log into your account, go to the settings page, and under general settings where it says “Browser Connection” make sure that you have checked “Always use https”.

Google has had several issues with respect to security and privacy, but with this move they completely show other webmail providers, such as Hotmail, Live, Yahoo, and even large ISPs, such as Comcast, as the privacy apathetic corporations that they are.

Google was the first major webmail provider to offer the option of having an encrypted email session. The other providers only encrypt your log on.

If you use webmail for sensitive communications, you might consider a Gmail account for the privacy considerations that no other major webmail provider cares enough to offer.

You can read about the Gmail change at http://www.theregister.co.uk/2010/01/13/gmail_default_encryption/

Please feel free to email me at askeset@eset.com if you have any security related questions.

Randy Abrams

Director of Technical Education

ESET LLC

 

Seller Beware!

There is a common scam many people are falling for. You decide to sell something, and find an eager buyer. Usually, but not always, the buyer lives a great distance from you. The price is agreed upon and they send you a check. After the check is sent they contact you and say that they or their accountant, or someone else made the check out for too much… perhaps hundreds or thousands of dollars more than the agreed price. The scammer then asks you to send back the overpayment.

The way that the scam works is that the check is fake or stolen. In time, the bank will inform you the check was bad and you will be liable for the full amount of the check.  If you already sent the item for sale, you will have lost that as well.

If you take a personal check for an item you sell, it is a very good idea to check with the bank to make sure the check is legitimate and then wait a few days to make sure it does not come back. If someone claims to have sent you too much money, tell them to send a new check for the correct amount and return the old check to them with the word “VOID” written across the check. Even then, ask the bank when it will be certain that the check is good. Federal banking regulations require banks to make deposited funds available even before the check actually clears. You can spend the money and then be told it was bad and you are on the hook for it.

This scam is not limited to checks.  PayPal and other forms of payment can also be used by thieves. An overpayment is a very reliable sign of fraud. Don’t fall for it!

If you have any security questions or topics you would like to see covered here, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

PDF Safety

A decade ago macro viruses were ravaging corporations and individuals who had Microsoft Word and Excel. Microsoft learned security the hard way and at the expense of a ton of customers – potentially millions of customers. Microsoft did figure out how to fix the problem and macro viruses are virtually extinct on all but very old versions of Office. Back in that day Adobe PDFs were the safe alternative to Word documents, but times change. Adobe wanted to add functionality to the PDF format so they introduced JavaScript to PDF files. JavaScript is a very powerful programming language that is used all over the web by both good guys and bad guys.

Unfortunately Adobe combined an insecure implementation of JavaScript with vulnerability-ridden products and the result is that for a couple of years now we have seen JavaScript exploited in PDF files, often as part of an attack against exploitable vulnerabilities. Users of Adobe Reader and Acrobat would have dodged many attacks if Adobe had properly configured their products to begin with, and if they would have learned from a Microsoft mistake that is almost 15 years old.

Currently the highly risky configurations of Adobe Acrobat and Adobe Reader are being successfully exploited on a regular basis to effect drive-by infections. This means you can simply go to a website and immediately infect your computer without clicking on anything. The typical attack involves the bad guys finding a vulnerability they can exploit and then by using the functionality of JavaScript, they can finish the job of infecting your computer.

There is good news for you though…you can pretty easily configure Adobe Reader properly to dramatically improve your security.

Open Adobe Reader (or a PDF if that’s easier for you). Go to the edit menu and select preferences. About halfway down the preferences panel you will see the word “JavaScript”. Click on that word and then at the top uncheck the box that says Enable Acrobat JavaScript.

The vast majority of attacks against Adobe products will fail to do anything harmful if you have disabled JavaScript. There are very, very few times that the average user will encounter a PDF that uses or requires JavaScript. If you need to enable JavaScript for a specific PDF you can do so, but remember to disable it again when you are done.
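A defender-side check for the condition described above, as an added example that is not part of the original tip: it scans the raw bytes of a PDF for the name keys that mark embedded JavaScript or automatic actions, decoding the `#xx` name escapes the PDF format allows before comparing. The two sample documents are constructed byte strings, and the function and variable names are illustrative.

```python
import re

# Name keys that mark embedded script or automatic actions in a PDF.
SCRIPT_KEYS = ("/JS", "/JavaScript")
TRIGGER_KEYS = ("/OpenAction", "/AA")

# A PDF name is "/" plus non-delimiter bytes; "#xx" is a hex-escaped byte.
NAME_RE = re.compile(rb"/(?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a catalog with an open action pointing at a script object.
SAMPLE_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (var constructed = 1;) >>\nendobj\n"
    b"%%EOF\n"
)

# Constructed sample: a catalog with no script and no automatic action.
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"%%EOF\n"
)


def normalise_name(raw):
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data):
    """Count script and trigger keys in the raw bytes of a PDF.

    This is triage, not parsing: bytes inside binary streams can produce
    false hits, and keys stored in compressed object streams are invisible
    to a raw scan, so the number of /ObjStm markers is reported as well.
    """
    counts = {key: 0 for key in SCRIPT_KEYS + TRIGGER_KEYS}
    escaped_hits = 0
    for match in NAME_RE.finditer(data):
        name = normalise_name(match.group(0))
        if name in counts:
            counts[name] += 1
            if b"#" in match.group(0):
                escaped_hits += 1
    return {
        "counts": counts,
        "has_script": any(counts[k] for k in SCRIPT_KEYS),
        "auto_runs": any(counts[k] for k in TRIGGER_KEYS),
        "escaped_hits": escaped_hits,
        "object_streams": data.count(b"/ObjStm"),
    }


if __name__ == "__main__":
    for label, doc in (("with script", SAMPLE_WITH_JS), ("plain", SAMPLE_PLAIN)):
        print(label, scan_pdf(doc))
```

A file that reports `has_script` is one to open only with JavaScript disabled in the reader; a clean result on a file that contains object streams is inconclusive rather than safe.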

The other action you need to take is to make sure you are using the most current version of Adobe Acrobat or Adobe Reader. Adobe Reader is the free product. From the Help Menu in Reader you can check for updates. I recommend you do this now if you have not done so recently!

If you have any questions about any security topics or if there are any topics you wish to see addressed here feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

Passwords 101

Last week I put the cart before the horse and gave you a supplement to passwords 101. This week is passwords 101. We all seem to hate passwords and I’m not going to promise to make you like them, but I can help you make better passwords that are easier to remember.

Let’s start with a little bit of non-geeky password theory. Have you ever forgotten the combination on a 3 number lock? You know, the kind they sell for suitcases or may build into a briefcase. I’m sure you realize that if you are patient enough you can try all of the possible combinations and eventually open that lock. Man, it is a boring process and I have done it before, but thankfully I got to the combination before I had to try all 1,000 combinations. Computers are not easily bored and they can try billions of combinations, each with the same enthusiasm as when they started.

It is for that reason the following passwords are not good. Never use a single word. There are about a million words in the English language and a computer can try them all very, very quickly. Did you add the number 1 to the word? The password cracking programs know that trick too, so it doesn’t help much. Don’t use all numbers unless you have to, such as in the case of a bank PIN.

Short passwords are really bad as the computers can guess them quickly also.

There are 52 characters in the English alphabet if you include uppercase and lowercase. Although this makes a large number of possible combinations, it isn’t such a large task for a computer. If you mix in numbers then the possible combinations increase dramatically and it takes a computer much longer to crack the password. Now, if you add special characters, such as commas, percent signs, and so forth the number of possible passwords starts to get really, really big. This is why many experts say to use uppercase, lower case, numbers and special characters. The problem is that this also can make it practically impossible to remember your password, so you write it down and somebody reads it and your great password is defeated.

There is another very, very important factor in the strength of a password and that is the length. Remember the 3 digit lock I told you about? I have one with four digits. I have not had the patience to try all 10,000 combinations. The longer your password is, the longer it takes a computer to crack it. The length is actually more important than the use of all of the different character sets. If you use only lowercase letters and make your password 18 characters long, it is stronger than a password of 8 characters like e#3s)=dZ. It has to do with math. The number of 8 character passwords using all of the character sets is still smaller than the number of possible 18 character passwords only using lower case. That said, using more character sets is a big help.
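The arithmetic behind this comparison, as an added example that is not part of the original tip: it counts the candidates a brute-force search has to cover for a given password, and caps that figure when the password is just a dictionary word with a few digits appended. The guess rate, the mini word list and the 18-letter lowercase string are constructed assumptions; the one-million-word dictionary size is the article's own round figure.

```python
import math
import string

# Character classes over printable ASCII: 26 + 26 + 10 + 33 = 95 characters.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
)

# Constructed mini word list standing in for a real cracking dictionary.
SAMPLE_WORDS = {"password", "monkey", "dragon", "sunshine"}

# The article's round figure for the number of English words.
DICTIONARY_SIZE = 1_000_000


def alphabet_size(password):
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_candidates(password):
    """How many strings of this length exist over that alphabet.

    This assumes every character was picked at random; a password with
    structure (words, dates, patterns) is weaker than the figure suggests.
    """
    return alphabet_size(password) ** len(password)


def effective_candidates(password, words=SAMPLE_WORDS, dictionary_size=DICTIONARY_SIZE):
    """Cap the brute-force figure when a dictionary attack is cheaper.

    Models only the case the article names: a single word, optionally
    followed by a short run of digits.
    """
    brute = brute_force_candidates(password)
    stem = password.rstrip(string.digits)
    suffix_len = len(password) - len(stem)
    if stem.lower() in words and suffix_len <= 4:
        return min(brute, dictionary_size * 10 ** suffix_len)
    return brute


def bits(candidates):
    """Express a candidate count as bits (log base 2)."""
    return math.log2(candidates) if candidates > 0 else 0.0


def years_to_exhaust(candidates, guesses_per_second=1e9):
    """Worst-case search time; the guess rate is an assumed figure."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # "123" and "1234" are the 3- and 4-digit locks from the article.
    for pw in ("123", "1234", "monkey1", "e#3s)=dZ", "qhzvmtrkwbplxdnsgy"):
        n = effective_candidates(pw)
        print(f"{pw!r:22} {bits(n):6.1f} bits  {years_to_exhaust(n):.3g} years")
```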

So, how do you make a strong password that you can remember? I have a few favorite tricks.

I like equations. Can you remember 1Hundred+900=1000? Don’t use this one since everyone here is reading it, but there are a ton of different equations you could use. The password has good length and uses upper and lowercase letters, numbers, and special characters.

Here’s another one… My wife and I married in August 1995.

No, really, that is a password. We call it a passphrase. It will take a computer years to crack that one. Yeah, it has personal information, but you wouldn’t be able to guess the nature of the sentence I used it in. I could have worded it “In August 1995 I married my wife.”

You can use personal information, but not just a simple date. If you use a sentence, it is important to mix numbers into it because a computer can put together words as well.

The other issue we face is that even using great passwords there are too many to remember. As I mentioned last week, I use a program called Password Corral and you can find it at http://www.cygnusproductions.com/freeware/pc.asp. This program will let you keep passwords as well as other information securely stored. The key is that you need to have a master password that is really, really good and that you can remember. One trick is to make an easy to remember password, write it down 10 times (or more) every day for a few days. Always completely destroy the paper you wrote it on and the paper under it - writing leaves imprints. Writing things down helps us to remember longer. Password Corral also lets you set reminders to change your passwords. New Years might be a great time to always change your passwords!

Passwords are an important part of security, but they only work well if you use good ones.

If you would like more examples of types of passwords that are easy to remember, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

A Supplement to Passwords 101

New Years is a time that I use to remind people to change their passwords, and instruct them on how to create a great password. One of the problems is that most people can’t remember which password is linked to which website.

One of the best practices for businesses is to know where all of their computers are and to know where all of their wireless and wired access points are. If you don’t know what you have, you can’t protect it and you are seriously exposed to attack. Knowing all of your accounts is also important, regardless of whether you are a small, medium or enterprise-level business.

So-called experts often advise not to write down passwords.  This is rubbish. It’s all about where you write and store them. If you write your password on a post-it note, then remember that the next piece of paper probably contains an imprint that can be recovered by shading the paper with the side of a pencil, but other than that, keeping the passwords locked in a secure place is fine. In some cases I don’t even keep track of my passwords. If I have to give a password to read a news article at a site I rarely visit, I’ll type in a very long password and then not worry about it. If I have to go back, there’s a way to reset the password.

For the accounts you do care about, it is important to use unique passwords for each account. There are software and paper solutions for this. Keeping the accounts in a Word document or Spreadsheet that is left on your computer is a really bad idea, as is posting most passwords on your monitor, but there is software that can help you.

One of my favorite tools is called Password Corral and it is developed by a company called Cygnus. It lets me type in all of my accounts, their websites and my passwords, while keeping all the information encrypted. This means I don’t have to worry about people stealing my computer and discovering all of my passwords. By entering everything into the program I also keep an inventory of the sites I use passwords at and I can set reminders to expire the passwords so I am reminded to change them. Changing passwords on a regular basis is an important part of security! If you don’t change your passwords then an attacker has as much time as they like to try to crack it. If you do change your passwords and an attacker finally cracks your old password it won’t help them. There are programs that can automatically try to crack your password, but if you have a fairly good password it can take months to crack. If you have a great password it can take years to crack. If you use a single word, in any language, it can take minutes to crack. If you add a number to the end of the password it doesn’t help much, but if you are going to do that, use a large number, like 10,002. That little comma makes your password much better!

Next week, I’ll share some tips on making great passwords that you can remember, and soon after that I’ll share some predictions for 2010.

If you have any questions about any security topics or if there are any topics you wish to see addressed here feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

 

Watch Out for Vishing

Vishing is the combination of voice and phishing. Instead of using email, the attacker uses the telephone to trick you into giving up personal information so that they can gain access to your bank account or credit cards. While I have not heard of it being used for stock market accounts or social networking accounts, there is no reason an attacker could not or would not target those accounts as well.

In the typical attack, a person receives a phone call from someone claiming to be from a bank or credit card company. They usually will state that there is a problem, such as someone using your account fraudulently, or that they are doing something related to security and verification. Sometimes the attacks are easy to spot if you pay attention. For example, in one case I heard of the attacker claimed they were calling about the person’s Visa, MasterCard or American Express credit cards. American Express is completely different from Visa.

Regardless, if you get a call from your bank or credit card company, insist on calling them back. You should be able to use the toll free number on the back of your credit card, or call your bank and they can tell you who to talk to.

In one particularly nasty attack scenario, the attacker claims they are transferring you through to your bank and they actually do. The problem is that the attacker is listening to the call so that when you provide information to your bank they capture it for later abuse.

If you receive a call asking you for information, then it is best to hang up and call back. Don’t let them transfer you unless you made the call.

What about caller ID? It isn’t foolproof. With the advent of VOIP (Voice Over IP) it has become relatively simple to spoof the caller ID.

Keep alert and don’t blindly trust a caller claiming to be from a bank, credit card company, stock broker, PayPal, or most places. The best practice is to call back.

 

Randy Abrams

Director of Technical Education

ESET

 

 

Anti-Phishing Made Easy

Here are two simple rules. Follow these rules and you are far, far less likely to become a victim of phishing.

Rule number 1

Never give out your password to anyone.

There are fundamentally two types of people who ask for your password… thieves and idiots. You don’t want to give your password to a thief and if you give it to an idiot the idiot will probably do something completely stupid with it.

So you get an email saying that they are cleaning up inactive accounts. Perhaps they claim to be doing something security related. Whatever the excuse, they tell you that you must send some information, including your password. The email was sent by a thief. It does not matter if you believe it was Gmail, or Hotmail, or Yahoo, or Google, or Facebook, or Myspace, or anyone else. Even if you believe it was a legitimate email and they threaten to close your account, sue you, sell your kids, force you to take their kids, whatever, the email is not legitimate, it was sent by a thief. This is 99.9999999999% accurate. What about the other .0000000001%? It was an idiot who would most certainly do something stupid with your password.

Please spread the word. Especially if you have naïve friends, let them know that 100% of the requests for their passwords are from thieves.  Even if the email threatens grave consequences, it is a lying thief who sent the email. In fact, let’s stick with round numbers. It’s easier to tell your naive friend 100% than to explain the idiot quotient.

Now it is possible that you could be at work and get a call from helpdesk and the technician says that your password is required. This is a common trick. It isn’t the helpdesk technician who is actually calling, it is an impersonator. In the case that I might be wrong and it is actually helpdesk, then it is an idiot asking for your password and they can’t help you anyway because they are…well…an idiot. It is possible the technician is only following policy, in which case he works for an idiot and is doing the bidding of an idiot and the chain of trust is too weak to give up your password.

God forbid you ever do give up your password, go change it immediately… then come back and finish reading this.

Rule number 2

Do not click on an email link that leads to a financial or social networking website.

In fact, if you click on a link in an email and have to log into any site at all, close your browser immediately without logging in, then type in a known good website to log into your account. For example, you get a friend request for your Facebook account and you click on the link. You see a screen that says you must log in first. Close your web browser. Open the browser again and type in www.facebook.com. If the email was legitimate then you will be able to handle the friend request without using the link in the email. If you make an exception to this rule you will become a phishing victim.

You get an email from your bank that says for some reason you must go to their website to resolve an issue. Do not click on the link in the email. Type in the address you know to be valid for your bank – and don’t refer to the email, it may try and trick you. If you don’t see a problem for you to take care of, then call your bank and ask them.

You get an email from PayPal. Close the email without clicking on the link and open your browser and type in www.paypal.com and log into your account. Anything the email says needs to be taken care of will be available from your account there.

There are two types of organizations that send links to web pages requiring you to log in (and enter your password)… thieving organizations and organizations run by idiots.

Unfortunately many legitimate companies lack the common sense to not ever send a link that requires you to provide your password. These organizations are in effect actively teaching people to fall for phishing attacks. Even if you are certain the email is legitimate, do not ever use the provided link.

Follow these two rules religiously and you will almost certainly not become a victim of phishing.

Next week I’ll extend these principles to vishing, which is telephone-based phishing.

Randy Abrams

Director of Technical Education

ESET

 

Is It Time to Upgrade to Windows 7?


Some people are wondering if Windows 7 is just more baked over Vista hype. Vista is a Spanish word that brings visions of a beautiful view, but Windows Vista wasn't a pretty picture. Part of the problem is that many developers were not writing programs that would run without administrative privileges. Part of that problem was due to years of Microsoft training people to write programs improperly.

The good news is that both Microsoft and many developers have learned. Windows 7 offers enhanced security, especially in the business version, and far less nagging than Vista did.

If you are running Windows XP as a standard user, rather than as an administrator, you probably know enough about security not to need my advice. If you are running Vista you will probably enjoy the Windows 7 experience more.

Do you still need security software? Ask Microsoft... Their security products, including antivirus are designed to run on Windows 7, and their employees run antivirus on all computers that connect to the corporate network!

If you have any security related questions or wish to see me cover any specific topics here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Look who Dressed Up for Halloween

Get ready for some really gruesome email, IMs, tweets, and other communications. As is the case with any major (or minor) holiday, the bad guys want to cash in. For the past few years Halloween has been a favorite of the bad guys and they like to dress their emails up as electronic greeting cards.

The fake greeting cards are usually very easy to spot if you know what to look for. First of all, the e-card does not come from someone you know. The e-card says it comes from a friend (but doesn’t name the friend), a family member, an admirer, a colleague, pretty much anyone that doesn’t actually have a name. The e-card comes from an address that is not a legitimate greeting card company. If you aren’t sure of the address then don’t click on anything in the email. If you think it may really be from a friend then ask them if they sent an e-card before you click on anything. If you don’t know what friend sent it then it wasn’t sent by a friend of yours… at least you must assume that if you are to be safe.
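For anyone who filters mail for a company, the checks above can be written down as a simple heuristic. This is an added illustration, not part of the original tip and not ESET code; the allowlisted card domain, the contact names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed data for this sketch: replace with your own allowlist and contacts.
CARD_DOMAINS = {"cards.example"}          # greeting card services you recognize
KNOWN_NAMES = {"Dana Lee", "Sam Ortiz"}   # people you actually know

ECARD = re.compile(r"\b(e-?card|greeting card|postcard)\b", re.I)
UNNAMED = re.compile(r"\b(?:a|an|your)\s+(?:friend|family member|admirer|colleague)\b", re.I)

# Constructed sample messages (not real mail).
FAKE = """From: "Greetings" <ecard@free-hallowcards.example>
Subject: You have received a Halloween e-card!

A friend has sent you a spooky e-card. Click here to view it.
"""
LEGIT = """From: Cards <delivery@cards.example>
Subject: Dana Lee sent you a greeting card

Your colleague Dana Lee has sent you a Halloween card.
"""

def ecard_warnings(raw):
    """Return the reasons an e-card message looks fake; an empty list means none."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    if not ECARD.search(text):
        return []                         # not an e-card notice, nothing to judge
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    named = any(n.lower() in text.lower() for n in KNOWN_NAMES)
    reasons = []
    if domain not in CARD_DOMAINS:
        reasons.append("sender address is not a known greeting card company")
    if not named:
        reasons.append("does not name anyone you know")
    if UNNAMED.search(text) and not named:
        reasons.append("claims to come from an unnamed friend, relative or admirer")
    return reasons

if __name__ == "__main__":
    for label, raw in (("fake", FAKE), ("legit", LEGIT)):
        print(label, ecard_warnings(raw) or "no warnings")
```

A message that passes these checks can still be malicious, so the advice to ask the friend before clicking still applies.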

Another favorite of the criminals is to tell you there is a video. Perhaps funny, scary, gross, etc. Again, don’t click if you are not 1,000% certain it came from a friend who knows a lot about computer security. Many programmers know little about computer security, so don’t mistake knowing a lot about computers with knowing much about computer security.

If you do click on the link in the email and are told you need to install anything, or something looks like it is scanning your computer and tells you that your computer is infected, immediately close your browser. This is an attempt to install malicious software on your computer.

This year I expect a lot more than email to dress up for Halloween. I think we will see instant messages, tweets, and messages on social networking sites, like Facebook and MySpace, purporting to be Halloween related. Don’t click on the links!!!

In recent months there have been many email accounts and social networking accounts that have been hijacked. Just because you get an email from someone you know doesn’t mean they sent it. Especially when it comes to messages about holidays, funny videos, natural disasters, and other high profile news items, check with your friend to make sure they really sent the item and that they really know you before you click on a link.

Educate your employees. Your company’s network can be compromised by a single click on a malicious email and now is the witching season.

If you have any security related questions or wish to see me cover any specific topics here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

How Bad (or Good) is Antivirus Software?

A company named Trusteer recently released a report that found that up-to-date antivirus software only detects a certain trojan 23% of the time. You can read the report at http://www.trusteer.com/files/Zeus_and_Antivirus.pdf

It is not a surprise that detection for this trojan is low. This is a big money maker and the bad guys have time and surprise on their side. When the bad guys release a new version of the trojan they will first test it against antivirus software. If many of the products detect the trojan they will change the program until few, if any products can detect it.

There are valid questions about the accuracy of the results, however let’s assume that the results are at least close. The study concluded that people with up-to-date antivirus software reduced their risk by 23%, but also that up-to-date antivirus software only detected this specific trojan 23% of the time. 23% is not a high rate of detection, but a 23% decrease in risk is still significant.

Antivirus, despite years of misleading marketing, cannot detect all new viruses and trojans. Antivirus software cannot come close to 100% detection of all of the real world threats out there, but antivirus is a significant part of what security people call defense-in-depth. In a nutshell, you use multiple approaches and/or products for security and do not rely upon one product to make you secure… it won’t happen.

Cars have seatbelts. The use of seatbelts significantly decreases the risk of death or serious injury in car accidents, but it isn’t close to preventing all death or injury in car accidents. Air bags can also reduce risk, crumple zones decrease risk, and things like good brakes and tires add to your driving defense-in-depth.

In addition to antivirus software there are personal firewalls, automatic and manual updating of software to increase security, a myriad of corporate products that include intrusion prevention and detection, and there is education. An educated user will make significantly better decisions and dramatically reduce risk. If you know to never give your password out, then when you get an email that says it is from Hotmail Support and you must give them your password or your account will be terminated, you aren’t going to be a victim of that phishing attack. If you know that pirated software is likely to contain viruses and trojans, and armed with that knowledge do not download pirated software, it will not infect you.

So, if in the case of this particular trojan in the study, antivirus is reducing risk by 23%, then I would say as a part of a defense in depth strategy the antivirus software is making a significant contribution to security.

Antivirus software is not a good defense all by itself, but used in conjunction with other products and techniques it does carry its own weight.

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

When is Updating a Bad Thing?

I often advise people to keep their software up-to-date by applying patches and using the most current versions of software. This advice is sound, but you need to understand when a new version of software is a bad idea.

One of the common attacks involves directing a user to a webpage with a video on it. When the user tries to run the video a dialog box appears that tells the user they need to install a codec to view the video. A codec is a piece of software that allows your media player to understand how to play the video. The most commonly used codecs are built into the media players such as QuickTime, Real Player, and Windows Media Player, as well as most others. While there are times that a user might actually need a codec that is not built in, it is very rare, and virtually every time you see a popup that claims you need to install a codec it is not a codec at all, it is malicious software. Whenever you see a popup that says you need to install software, such as a codec, it is almost always going to be a scam to install malicious software. There are a few exceptions, but you should only install software from highly trusted web sites. Social networking sites, such as Facebook, MySpace, Hi5, and LinkedIn, are not good sites to place much trust in. YouTube is not a site to trust when it comes to installing software.

Another common attack involves telling the user that they need a new version of Flash. As often as Adobe has been updating Flash to fix security problems, the likelihood that you need a new version of Flash is really high. The bad guys know this and they not only craft web pages that say you need a new version, but then a file download box pops up offering to install it for you. You should never install Flash, or other software, from anywhere other than the developer’s web page. If I need a new version of Flash I go to http://www.adobe.com/ to download the latest version.