TECHNOLOGY TIP
 

Technology Tip Archive

Where Do You Get Your News?

I read a story today about a hoax that Johnny Depp had died in a car accident. The story is bogus but “sensational” news is a magnet for malicious attacks.

It seems the rumor started on Twitter and supposedly CNN had news about it as well. People who pay attention to details would know that the “CNN” story was not on CNN, but if you don’t pay attention to the details you will be easily fooled.

I recommend you take a look at this video produced by Graham Cluley, a friend of mine.  http://www.youtube.com/watch?v=LPBhaVduF-Q

The video does a great job showing how the criminals trick people into installing malicious software by making some quite believable news.  While social networking sites can be used to share breaking news, such as the landing of a jet in the Hudson River, you should be very, very cautious about clicking on links to news stories. If the story is legitimate you can type in www.cnn.com or www.msnbc.com, or whatever your favorite web site is. If the story is that big and it is real, you’ll find a link to it right on the front page.

The thing to remember about the internet is that anything can be spoofed. Be very wary. It is one thing if you and I are talking face to face, but quite a different thing if we are exchanging email or instant messages. If my account gets hacked, then it does appear that I am the one saying things to you.

Recently 32 million social networking accounts were compromised through a SQL injection vulnerability and poor security practices. RockYou.com, a developer of applications for social networking sites such as Facebook, MySpace, and many others, had its entire user database stolen. The database included email addresses and passwords, stored in plain text, for over 32 million people. Because so many people reuse the same password on several sites, it would be trivial for the attacker to log in as any one of those users and send an email with some sort of sensational news and a link to the story.

Whenever you are dealing with a computer it is a good idea to step back for a moment and realize that email and instant messages are not at all the same thing as speaking with a person face to face. A bit of skepticism is healthy.

When someone sends you a news story it makes a lot of sense to independently verify the facts. Type in the website of your favorite news organization. Check out www.snopes.com for hoaxes before you pass along the “big story”.

In some ways the Internet is not all that much different than driving a car. You have to be alert at all times or bad things will happen.

If you have any general computer security questions, feel free to contact me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Webmail Privacy

Google recently announced that it has changed the default setting on Gmail to always read email through https, which means that if you are at a coffee shop reading your email with the new Gmail default setting, your communication with Gmail will almost certainly be private from anyone else on that network. Note what this protects: the connection between your browser and Google. The message itself still travels to the recipient’s mail server by whatever means that server supports.

This setting is not automatically changed for existing users, though. If you already have a Gmail account, log into it, go to the Settings page and, under General settings where it says “Browser Connection”, make sure that “Always use https” is selected.

Google has had several issues with respect to security and privacy, but with this move it shows up other webmail providers, such as Hotmail, Live, and Yahoo, and even large ISPs such as Comcast, as the privacy-apathetic corporations that they are.

Google was the first major webmail provider to offer the option of having an encrypted email session. The other providers only encrypt your log on.

If you use webmail for sensitive communications, you might consider a Gmail account for the privacy considerations that no other major webmail provider cares enough to offer.

You can read about the Gmail change at http://www.theregister.co.uk/2010/01/13/gmail_default_encryption/

Please feel free to email me at askeset@eset.com if you have any security related questions.

Randy Abrams

Director of Technical Education

ESET LLC

 

Seller Beware!

There is a common scam many people are falling for. You decide to sell something, and find an eager buyer. Usually, but not always, the buyer lives a great distance from you. The price is agreed upon and they send you a check. After the check is sent they contact you and say that they or their accountant, or someone else made the check out for too much… perhaps hundreds or thousands of dollars more than the agreed price. The scammer then asks you to send back the overpayment.

The way that the scam works is that the check is fake or stolen. In time, the bank will inform you the check was bad and you will be liable for the full amount of the check.  If you already sent the item for sale, you will have lost that as well.

If you take a personal check for an item you sell, it is a very good idea to check with the bank to make sure the check is legitimate and then wait a few days to make sure it does not come back. If someone claims to have sent you too much money, tell them to send a new check for the correct amount and return the old check to them with the word “VOID” written across the check. Even then, ask the bank when it will be certain that the check is good. Federal banking regulations require banks to make deposited funds available even before the check actually clears. You can spend the money and then be told it was bad and you are on the hook for it.

This scam is not limited to checks.  PayPal and other forms of payment can also be used by thieves. An overpayment is a very reliable sign of fraud. Don’t fall for it!

If you have any security questions or topics you would like to see covered here, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

PDF Safety

A decade ago macro viruses were ravaging corporations and individuals who had Microsoft Word and Excel. Microsoft learned security the hard way and at the expense of a ton of customers – potentially millions of customers. Microsoft did figure out how to fix the problem and macro viruses are virtually extinct on all but very old versions of Office. Back in that day Adobe PDFs were the safe alternative to Word documents, but times change. Adobe wanted to add functionality to the PDF format so they introduced JavaScript to PDF files. JavaScript is a very powerful programming language that is used all over the web by both good guys and bad guys.

Unfortunately Adobe combined an insecure implementation of JavaScript with vulnerability-ridden products, and the result is that for a couple of years now we have seen JavaScript exploited in PDF files, often as the vehicle for exploiting a vulnerability in the reader itself. Users of Adobe Reader and Acrobat would have dodged many attacks if Adobe had shipped its products with JavaScript off by default, and if it had learned from a Microsoft mistake that is almost 15 years old.

Currently the highly risky default configurations of Adobe Acrobat and Adobe Reader are being successfully exploited on a regular basis to effect drive-by infections. This means you can simply visit a website and infect your computer immediately without clicking on anything. The typical attack involves the bad guys finding a vulnerability they can exploit and then using JavaScript to finish the job of infecting your computer.

There is good news for you though…you can pretty easily configure Adobe Reader properly to dramatically improve your security.

Open Adobe Reader (or a PDF if that’s easier for you). Go to the edit menu and select preferences. About halfway down the preferences panel you will see the word “JavaScript”. Click on that word and then at the top uncheck the box that says Enable Acrobat JavaScript.

The vast majority of attacks against Adobe products will fail to do anything harmful if you have disabled JavaScript. There are very, very few times that the average user will encounter a PDF that uses or requires JavaScript. If you need to enable JavaScript for a specific PDF you can do so, but remember to disable it again when you are done.
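One way to check a PDF for the risky features discussed above before you open it, as an added example that is not part of the original column: a byte-level scan for the names that mark JavaScript, open actions and launch actions. PDF name objects may spell any byte as #xx, and attackers use that to dodge naive string matching (/J#61vaScript for /JavaScript), so the scan decodes those escapes first. The two PDFs are constructed for the example; the script in the sample action is a harmless alert.

```python
import re

# Names that let a PDF run code or act without the reader clicking anything,
# mapped to what each one means.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript source (string or stream)",
    b"/OpenAction": "action run when the document is opened",
    b"/AA": "additional actions (page open, form events, ...)",
    b"/Launch": "launches an external program or file",
    b"/ObjStm": "object streams: compressed objects this scan cannot see into",
}

# PDF name objects may spell any byte as #xx (e.g. /J#61vaScript); undo that
# before scanning so the obfuscated spelling is still caught.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrences} for every suspicious name found in the file."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF: missing %PDF header")
    text = normalize_names(data)
    found = {}
    for name in SUSPICIOUS_NAMES:
        # A name token ends at whitespace or a PDF delimiter, so /JS does not
        # match an unrelated longer name such as /JSX.
        pattern = re.escape(name) + rb"(?=[\s/\[\]<>(){}%]|$)"
        count = len(re.findall(pattern, text))
        if count:
            found[name.decode()] = count
    return found

def describe(data: bytes) -> list:
    """Human-readable findings, one per suspicious name."""
    return [f"{n} x{c}: {SUSPICIOUS_NAMES[n.encode()]}"
            for n, c in scan_pdf(data).items()]

# Constructed sample: a minimal PDF whose /OpenAction runs JavaScript as soon
# as the file opens (the script is a harmless alert), with the name obfuscated.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hello');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document without any action.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, describe(pdf) or ["no suspicious names"])
```

The scan works on the raw bytes, so names hidden inside compressed object streams (/ObjStm with /FlateDecode) are invisible to it; that is why /ObjStm itself is reported as a finding. Didier Stevens’s pdfid.py applies the same idea and his pdf-parser.py can decompress the streams for a closer look.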

The other action you need to take is to make sure you are using the most current version of Adobe Acrobat or Adobe Reader. Adobe Reader is the free product. From the Help Menu in Reader you can check for updates. I recommend you do this now if you have not done so recently!

If you have any questions about any security topics or if there are any topics you wish to see addressed here feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

Passwords 101

Last week I put the cart before the horse and gave you a supplement to passwords 101. This week is passwords 101. We all seem to hate passwords and I’m not going to promise to make you like them, but I can help you make better passwords that are easier to remember.

Let’s start with a little bit of non-geeky password theory. Have you ever forgotten the combination on a 3 number lock? You know, the kind they sell for suitcases or that may be built into a briefcase. I’m sure you realize that if you are patient enough you can try all of the possible combinations and eventually open that lock. Man, it is a boring process and I have done it before, but thankfully I got to the combination before I had to try all 1,000 combinations. Computers are not easily bored and they can try billions of combinations, each with the same enthusiasm as when they started.

It is for that reason the following passwords are not good. Never use a single word. There are about a million words in the English language and a computer can try them all very, very quickly. Did you add the number 1 to the word? The password cracking programs know that trick too, so it doesn’t help much. Don’t use all numbers unless you have to, such as in the case of a bank PIN.

Short passwords are really bad as the computers can guess them quickly also.

The English alphabet has 26 letters, or 52 characters if you count uppercase and lowercase separately. Although this makes for a large number of possible combinations, it isn’t such a large task for a computer. If you mix in numbers the possible combinations increase dramatically and it takes a computer much longer to crack the password. Add special characters, such as commas, percent signs, and so forth, and the number of possible passwords starts to get really, really big. This is why many experts say to use uppercase, lowercase, numbers and special characters. The problem is that this can also make it practically impossible to remember your password, so you write it down, somebody reads it, and your great password is defeated.

There is another very, very important factor in the strength of a password and that is the length. Remember the 3 digit lock I told you about? I have one with four digits. I have not had the patience to try all 10,000 combinations. The longer your password is, the longer it takes a computer to crack it. The length is actually more important than the use of all of the different character sets. If you use only lowercase letters and make your password 18 characters long, it is stronger than an 8 character password like e#3s)=dZ. It has to do with math: there are about 95 characters you can type on a keyboard, and 95^8 is roughly 7 × 10^15, while 26^18 is roughly 3 × 10^25, more than a billion times as many. The number of 8 character passwords using all of the character sets is still far smaller than the number of possible 18 character passwords using only lowercase. That said, using more character sets is a big help.

So, how do you make a strong password that you can remember? I have a few favorite tricks.

I like equations. Can you remember 1Hundred+900=1000? Don’t use this one since everyone here is reading it, but there are a ton of different equations you could use. The password has good length and uses upper and lowercase letters, numbers, and special characters.

Here’s another one… My wife and I married in August 1995.

No, really, that is a password. We call it a passphrase. It will take a computer years to crack that one. Yeah, it has personal information, but you wouldn’t be able to guess the nature of the sentence I used it in. I could have worded it “In August 1995 I married my wife.”

You can use personal information, but not just a simple date. If you use a sentence, it is important to mix in numbers in it because a computer can put together words as well.
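The arithmetic behind the two passages above (character-set size raised to the length, and why a dictionary word with a digit stuck on the end gets no credit for its length) as an added example that is not part of the original column. The wordlist, its assumed size of a million entries and the assumed rate of a billion guesses per second are constructed for the example; the rate is a round figure for an offline attack on a fast unsalted hash, not a measurement.

```python
import math
import string

# Constructed toy wordlist standing in for a cracker's dictionary; the column's
# figure of about a million English words is used as its effective size.
TOY_WORDLIST = {"password", "summer", "dragon", "monkey", "welcome"}
WORDLIST_SIZE = 1_000_000

SYMBOLS = string.punctuation + " "   # the 33 printable non-alphanumerics

def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, from the character classes
    that actually appear in the password (26 + 26 + 10 + 33 = 95 at most)."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (SYMBOLS, len(SYMBOLS)),
    )
    return sum(n for chars, n in classes if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Worst-case number of guesses. A dictionary word, with or without digits
    tacked on the end, is scored as a wordlist attack (word x digit suffixes)
    instead of a brute-force search, which is why 'password1' scores so low."""
    word = password.rstrip(string.digits)
    suffix = password[len(word):]
    if word.lower() in TOY_WORDLIST:
        return WORDLIST_SIZE * 10 ** len(suffix)
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace: each extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))

def years_to_crack(password: str, guesses_per_second: float = 1e9) -> float:
    """Expected time to find the password, assuming it turns up on average
    halfway through the keyspace. A billion guesses per second is an assumed
    round figure for an offline attack on a fast unsalted hash, not a measurement."""
    return keyspace(password) / 2 / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("password1", "e#3s)=dZ", "a" * 18, "1Hundred+900=1000",
               "My wife and I married in August 1995."):
        print(f"{pw!r:42} {entropy_bits(pw):6.1f} bits  {years_to_crack(pw):9.3g} years")
```

The keyspace figures assume the password is effectively random within its character classes; the wordlist branch shows how far the estimate drops once the attacker can guess the structure, and a passphrase made of common words in dictionary order deserves the same suspicion, which is why mixing numbers into the sentence matters.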

The other issue we face is that even using great passwords there are too many to remember. As I mentioned last week, I use a program called Password Corral and you can find it at http://www.cygnusproductions.com/freeware/pc.asp. This program will let you keep passwords as well as other information securely stored. The key is that you need to have a master password that is really, really good and that you can remember. One trick is to make an easy to remember password, write it down 10 times (or more) every day for a few days. Always completely destroy the paper you wrote it on and the paper under it, because writing leaves imprints. Writing things down helps us to remember longer. Password Corral also lets you set reminders to change your passwords. New Year’s might be a great time to always change your passwords!

Passwords are an important part of security, but they only work well if you use good ones.

If you would like more examples of types of passwords that are easy to remember, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

A Supplement to Passwords 101

New Year’s is a time that I use to remind people to change their passwords, and to instruct them on how to create a great password. One of the problems is that most people can’t remember which password is linked to which website.

One of the best practices for businesses is to know where all of their computers are and to know where all of their wireless and wired access points are. If you don’t know what you have, you can’t protect it and you are seriously exposed to attack. Knowing all of your accounts is also important, regardless of whether you are a small, medium or enterprise-level business.

So-called experts often advise not to write down passwords.  This is rubbish. It’s all about where you write and store them. If you write your password on a post-it note, then remember that the next piece of paper probably contains an imprint that can be recovered by shading the paper with the side of a pencil, but other than that, keeping the passwords locked in a secure place is fine. In some cases I don’t even keep track of my passwords. If I have to give a password to read a news article at a site I rarely visit, I’ll type in a very long password and then not worry about it. If I have to go back, there’s a way to reset the password.

For the accounts you do care about, it is important to use unique passwords for each account. There are software and paper solutions for this. Keeping the accounts in a Word document or Spreadsheet that is left on your computer is a really bad idea, as is posting most passwords on your monitor, but there is software that can help you.

One of my favorite tools is called Password Corral and it is developed by a company called Cygnus. It lets me type in all of my accounts, their websites and my passwords, while keeping all the information encrypted. This means I don’t have to worry about people stealing my computer and discovering all of my passwords. By entering everything into the program I also keep an inventory of the sites I use passwords at, and I can set reminders to expire the passwords so I am reminded to change them. Changing passwords on a regular basis is an important part of security! If you don’t change your passwords then an attacker has as much time as they like to try to crack them. If you do change your passwords and an attacker finally cracks your old password, it won’t help them. There are programs that can automatically try to crack your password, but if you have a fairly good password it can take months to crack. If you have a great password it can take years to crack. If you use a single word, in any language, it can take minutes to crack. If you add a number to the end of the password it doesn’t help much, but if you are going to do that, use a large number, like 10,002. That little comma makes your password much better!

Next week, I’ll share some tips on making great passwords that you can remember, and soon after that I’ll share some predictions for 2010.

If you have any questions about any security topics or if there are any topics you wish to see addressed here feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

Watch Out for Vishing

Vishing is the combination of voice and phishing. Instead of using email, the attacker uses the telephone to trick you into giving up personal information so that they can gain access to your bank account or credit cards. While I have not heard of it being used for stock market accounts or social networking accounts, there is no reason an attacker could not or would not target those accounts as well.

In the typical attack, a person receives a phone call from someone claiming to be from a bank or credit card company. They usually will state that there is a problem, such as someone using your account fraudulently, or that they are doing something related to security and verification. Sometimes the attacks are easy to spot if you pay attention. For example, in one case I heard of, the attacker claimed they were calling about the person’s Visa, MasterCard or American Express credit cards. A real issuer knows exactly which card you hold; American Express is a completely different company from Visa.

Regardless, if you get a call from your bank or credit card company, insist on calling them back. You should be able to use the toll free number on the back of your credit card, or call your bank and they can tell you who to talk to.

In one particularly nasty attack scenario, the attacker claims they are transferring you through to your bank and they actually do. The problem is that the attacker is listening to the call so that when you provide information to your bank they capture it for later abuse.

If you receive a call asking you for information, then it is best hang up and call back, don’t let them transfer you unless you made the call.

What about caller ID? It isn’t foolproof. With the advent of VOIP (Voice Over IP) it has become relatively simple to spoof the caller ID.

Keep alert and don’t blindly trust a caller claiming to be from a bank, credit card company, stock broker, PayPal, or most places. The best practice is to call back.

 

Randy Abrams

Director of Technical Education

ESET

 

Anti-Phishing Made Easy

Here are two simple rules. Follow these rules and you are far, far less likely to become a victim of phishing.

Rule number 1

Never give out your password to anyone.

There are fundamentally two types of people who ask for your password… thieves and idiots. You don’t want to give your password to a thief and if you give it to an idiot the idiot will probably do something completely stupid with it.

So you get an email saying that they are cleaning up inactive accounts. Perhaps they claim to be doing something security related. Whatever the excuse, they tell you that you must send some information, including your password. The email was sent by a thief. It does not matter if you believe it was Gmail, or Hotmail, or Yahoo, or Google, or Facebook, or MySpace, or anyone else. Even if you believe it was a legitimate email and they threaten to close your account, sue you, sell your kids, force you to take their kids, whatever, the email is not legitimate; it was sent by a thief. This is 99.9999999999% accurate. What about the other .0000000001%? It was an idiot who would most certainly do something stupid with your password.

Please spread the word. Especially if you have naïve friends, let them know that 100% of the requests for their passwords are from thieves.  Even if the email threatens grave consequences, it is a lying thief who sent the email. In fact, let’s stick with round numbers. It’s easier to tell your naive friend 100% than to explain the idiot quotient.

Now it is possible that you could be at work and get a call from the helpdesk, and the technician says that your password is required. This is a common trick: it isn’t the helpdesk technician who is actually calling, it is an impersonator. In the case that I am wrong and it really is the helpdesk, then it is an idiot asking for your password, and they can’t help you anyway because they are… well… an idiot. It is possible the technician is only following policy, in which case he works for an idiot and is doing the bidding of an idiot, and the chain of trust is too weak to give up your password.

God forbid you ever do give up your password, go change it immediately… then come back and finish reading this.

Rule number 2

Do not click on an email link that leads to a financial or social networking website.

In fact, if you click on a link in an email and have to log into any site at all, close your browser immediately without logging in, then type in a known good website to log into your account. For example, you get a friend request for your Facebook account and you click on the link. You see a screen that says you must log in first. Close your web browser. Open the browser again and type in www.facebook.com. If the email was legitimate then you will be able to handle the friend request without using the link in the email. If you make an exception to this rule you will become a phishing victim.

You get an email from your bank that says for some reason you must go to their website to resolve an issue. Do not click on the link in the email. Type in the address you know to be valid for your bank – and don’t refer to the email, it may try and trick you. If you don’t see a problem for you to take care of, then call your bank and ask them.

You get an email from PayPal. Close the email without clicking on the link and open your browser and type in www.paypal.com and log into your account. Anything the email says needs to be taken care of will be available from your account there.

There are two types of organizations that send links to web pages requiring you to log in (and enter your password)… thieving organizations and organizations run by idiots.

Unfortunately many legitimate companies lack the common sense never to send a link that requires you to provide your password. These organizations are in effect actively teaching people to fall for phishing attacks. Even if you are certain the email is legitimate, do not ever use the provided link.

Follow these two rules religiously and you will almost certainly not become a victim of phishing.

Next week I’ll extend these principles to vishing, which is telephone based phishing.

Randy Abrams

Director of Technical Education

ESET

 

Is It Time to Upgrade to Windows 7?

Some people are wondering if Windows 7 is just warmed-over Vista hype. Vista is a Spanish word that brings visions of a beautiful view, but Windows Vista wasn’t a pretty picture. Part of the problem was that many developers were not writing programs that would run without administrative privileges, and part of that was due to years of Microsoft training people to write programs improperly.

The good news is that both Microsoft and many developers have learned. Windows 7 offers enhanced security, especially in the business version, and far less nagging than Vista did.

If you are running Windows XP as a standard user, rather than as an administrator, you probably know enough about security not to need my advice. If you are running Vista you will probably enjoy the Windows 7 experience more.

Do you still need security software? Ask Microsoft... Their security products, including antivirus are designed to run on Windows 7, and their employees run antivirus on all computers that connect to the corporate network!

If you have any security related questions or wish to see me cover any specific topics here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Look who Dressed Up for Halloween

Get ready for some really gruesome email, IMs, tweets, and other communications. As is the case with any major (or minor) holiday, the bad guys want to cash in. For the past few years Halloween has been a favorite of the bad guys and they like to dress their emails up as electronic greeting cards.

The fake greeting cards are usually very easy to spot if you know what to look for. First of all, the e-card does not come from someone you know. The e-card says it comes from a friend (but doesn’t name the friend), a family member, an admirer, a colleague, pretty much anyone who doesn’t actually have a name. The e-card comes from an address that is not a legitimate greeting card company. If you aren’t sure of the address then don’t click on anything in the email. If you think it may really be from a friend, ask them whether they sent an e-card before you click on anything. If you don’t know which friend sent it then it wasn’t sent by a friend of yours… at least you must assume that if you are to be safe.

Another favorite of the criminals is to tell you there is a video. Perhaps funny, scary, gross, etc. Again, don’t click if you are not 1,000% certain it came from a friend who knows a lot about computer security. Many programmers know little about computer security, so don’t mistake knowing a lot about computers with knowing much about computer security.

If you do click on the link in the email and are told you need to install anything or something looks like it is scanning your computer and tells you that your computer is infected, immediately close your browser, this is an attempt to install malicious software on your computer.

This year I expect a lot more than email to dress up for Halloween, I think we will see instant messages, tweets, and messages on social networking sites, like Facebook and MySpace to purport to be Halloween related. Don’t click on the links!!!

In recent months there have been many email accounts and social networking accounts that have been hijacked. Just because you get an email from someone you know doesn’t mean they sent it. Especially when it comes to messages about holidays, funny videos, natural disasters, and other high profile news items, check with your friend to make sure they really sent the item and that they really know you before you click on a link.

Educate your employees. Your company’s network can be compromised by a single click on a malicious email and now is the witching season.

If you have any security related questions or wish to see me cover any specific topics here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

How Bad (or Good) is Antivirus Software?

A company named Trusteer recently released a report that found that up-to-date antivirus software detected a certain trojan (Zeus) only 23% of the time. You can read the report at http://www.trusteer.com/files/Zeus_and_Antivirus.pdf

It is not a surprise that detection for this trojan is low. This is a big money maker and the bad guys have time and surprise on their side. When the bad guys release a new version of the trojan they will first test it against antivirus software. If many of the products detect the trojan they will change the program until few, if any products can detect it.

There are valid questions about the accuracy of the results, however let’s assume that the results are at least close. The study concluded that people with up-to-date antivirus software reduced their risk by 23%, but also that up-to-date antivirus software only detected this specific trojan 23% of the time. 23% is not a high rate of detection, but a 23% decrease in risk is still significant.

Antivirus, despite years of misleading marketing, cannot detect all new viruses and trojans. Antivirus software cannot come close to 100% detection of all of the real world threats out there, but antivirus is a significant part of what security people call defense-in-depth. In a nutshell, you use multiple approaches and/or products for security and do not rely upon one product to make you secure… it won’t happen.

Cars have seatbelts. The use of seatbelts significantly decreases the risk of death or serious injury in car accidents, but it isn’t close to preventing all death or injury in car accidents. Air bags can also reduce risk, crumple zones decrease risk, and things like good brakes and tires add to your driving defense-in-depth.

In addition to antivirus software there are personal firewalls, automatic and manual updating of software to increase security, a myriad of corporate products that include intrusion prevention and detection, and there is education. An educated user will make significantly better decisions and dramatically reduce risk. If you know to never give your password out, then when you get an email that says it is from Hotmail Support and you must give them your password or your account will be terminated, you aren’t going to be a victim of that phishing attack. If you know that pirated software is likely to contain viruses and trojans, and armed with that knowledge do not download pirated software it will not infect you.

So, if in the case of this particular trojan in the study, antivirus is reducing risk by 23%, then I would say as a part of a defense in depth strategy the antivirus software is making a significant contribution to security.

Antivirus software is not a good defense all by itself, but used in conjunction with other products and techniques it does carry its own weight.

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

When is Updating a Bad Thing?

I often advise people to keep their software up-to-date by applying patches and using the most current versions of software. This advice is sound, but you need to understand when a new version of software is a bad idea.

One of the common attacks involves luring a user to a web page with a video on it. When the user tries to play the video, a dialog box appears telling the user they need to install a codec to view it. A codec is a piece of software that lets your media player understand how to decode the video. The most commonly used codecs are built into media players such as QuickTime, RealPlayer, and Windows Media Player, as well as most others. While there are times a user might genuinely need a codec that is not built in, it is very rare, and virtually every time you see a popup claiming you need to install a codec it is not a codec at all, it is malicious software. Whenever you see a popup that says you need to install software, such as a codec, it is almost always a scam to install malicious software. There are a few exceptions, but you should only install software from highly trusted web sites. Social networking sites such as Facebook, MySpace, Hi5, and LinkedIn are not good sites to place much trust in, and YouTube is not a site to trust when it comes to installing software.

Another common attack involves telling the user that they need a new version of Flash. As often as Adobe has been updating Flash to fix security problems, the likelihood that you need a new version of Flash is really high. The bad guys know this and they not only craft web pages that say you need a new version, but then a file download box pops up offering to install it for you. You should never install Flash, or other software from anywhere other than the developer’s web page. If I need a new version of Flash I go to http://www.adobe.com/ to download the latest version.

Remember, keeping your software up-to-date is a great idea, but always get the update from the developer’s own website, never because a web page says “Here’s the version you need”. Before you run a downloaded installer, check that it carries a valid digital signature from the vendor; on Windows you can see this on the Digital Signatures tab of the file’s Properties.

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Spot the Phish

I recently received the following email:

----------------------------------

From: Google Mail Team [mailto:verifyscess@googledesk.com]
Sent: Sunday, September 13, 2009 2:11 PM
Subject: Warning Code:VX2G99AAJ‏

Dear Account User,

This Email is from Gmail customer care and we are sending it to every Gmail accounts owner for safety. We are having congestion due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted. We are sending this email to you so that you can verify and let us know if you still want to use this account. If you are still interested please confirm your account by filling the space below.Your User name, password, date of birth and your country information would be needed to verify your account.

Due to the congestion in all Gmail users and removal of all unused Gmail Accounts. Gmail would be shutting down all unused Accounts, you will have to confirm your E-mail by filling out your Login Information below after clicking the reply button or your account will be suspended within 24 hours for security reasons.

* User name: ............................

* Password: ................................

* Date of Birth: ............................

* Country Or Territory: ....................

Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.

Thank you for usingGmail!

The Gmail Team

GMAILBETA

---------------------------------------------

Notice that the email came from googledesk.com, not google.com. This is one sign that it is a phish. The email came to an address I never gave Google as a backup email address, which is another sign. The subject line is unlikely for such a notification, though some might believe it. The grammar and spelling have errors. The fact that I am being asked for my password is a dead giveaway. Never, ever, ever give out your email password. Even if the email had you fooled and you thought googledesk.com belonged to Google, the request for your password should be enough for you either to dismiss the email as a phishing attack or else to forward it to support@google.com and ask whether it is legitimate. Google, Hotmail, Yahoo, and every other legitimate business will never ask you to disclose your password. If a business does ask you to disclose your password, realize that it may be legitimate, but far too ignorant to be doing business with.

If I had fallen for this, the attackers could do many things with my email account. They could use it to send spam, they could use it to send my contacts links to malicious software, and they could impersonate me and try to convince my contacts that I am in trouble and need financial assistance immediately. If I had information, such as banking, or passwords, then other accounts could be compromised. If I used the same password for other email accounts the attacker may try to hack those accounts as well.

Any request for your password should always be refused.

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Who Do You Trust?

One of the biggest problems we are seeing in the security industry is something we call "Rogue Antivirus". Rogue antivirus products scare and annoy users into paying for a product that does little or nothing. The common scenario is that you go to a web page and it looks like your computer is being scanned. The web page, which may look like a real program, will tell you that your computer is infected when it really is not. Typically the popup that says you are infected will not be easy to get rid of, and people are annoyed into buying the fake antivirus product. In some cases the rogue product actually will detect some malicious software so that it can claim to be a real antivirus product.

Real antivirus products will never scan your computer if you did not install the product or if you did not specifically choose to perform an online scan. If you go to a web site and see something that automatically starts scanning your machine then close down your browser.

In some cases, if your computer is already infected, the malicious software will download the fake antivirus software and make it look like you are infected. Sometimes the fake antivirus software itself downloads other malicious software so that it has something to "detect".

Before you pay money for an antivirus product you should do a little research to make sure you are buying a legitimate product.

Virus Bulletin has a large list of security vendors. While the list doesn’t tell you which is the best, if you are considering a product and it isn’t on the list you really should do a bit more research before you spend your money.

The list can be found at http://www.virusbtn.com/resources/links/index?ven

If you know someone who has fallen for the fake antivirus scam there is some good news. This particular breed of crook doesn’t want undue attention. In many cases a simple demand for a refund will work. These crooks know it is better to refund the money than to initiate complaints that result in credit card chargeback and law enforcement attention.

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

May I Read Your Email?

Well, of course I can if you access your email from a wireless connection that is not using encryption. There are several different scenarios and if you do not understand them then you will not be able to decide what risk is acceptable to you.

Let's start with the ISP scenarios. The ISP is the company that provides your home or business with internet service; Comcast, Cox, Warner, Roadrunner, and Verizon are examples. Home internet service usually comes with email accounts as well, and there are a couple of ways you might read that email.

When you use your web browser, like Internet Explorer or Firefox, to read your email, you log into your account and the ISP protects your username and password by using an HTTPS web page. Take a look at the web address next time you log into your email and see if it starts with https://. I bet it does! The problem is that after you are logged in, the email itself is displayed on a page that starts with http:// instead of https://. The difference is that with https the information going to and from your computer is encrypted. That means that if you are using a wireless connection I might be able to intercept the traffic, but it will be unreadable. The email you read has no such protection with most, if not all, ISPs. This means that if you are using wireless without encryption, someone near you can read your email too, and so can anyone else sitting on the path between you and the mail server.

You might use Outlook, Outlook Express, or another program other than a web browser to read your email. By default, ISPs tell you to configure your program to send your username and password without encryption. Yes, that's right: ISPs such as Comcast really tell you to set things up so that your username and password travel in the clear, where any hacker on the same network can read them and hijack your email account. From what I have seen from Cox and Verizon, they also default to insecurity.

Perhaps you use something like Gmail or Yahoo email, or Hotmail. Gmail is the only webmail provider I know of that has a clue about privacy. Yahoo and Microsoft have no option to read your email securely with a web browser. Gmail does allow you to configure your account to always use https, which protects your privacy.

Both Gmail and Hotmail allow you to use Outlook and other POP3 email clients. Yahoo leads the industry in disregard for security and privacy.

There are good reasons to use an email client for your email. With an email client you can download your email and store it on your computer. This means you can also keep a copy and delete what is on the server. The advantage is that if your email account is compromised the attacker will not have access to all of your archives. You can also read your email when you are offline and even compose replies to messages.

If you are not sure how to configure Outlook, Outlook Express, or another email program to send and receive your email with encryption, then you probably are not using encryption. When I asked Comcast how to do this they claimed it was not supported. I figured out how to make it work anyway.

If enough people tell their ISP that they need all email to be protected with encryption, then the ISPs will finally decide to learn a little about privacy and security. Today the landscape in general is ugly at the ISP level. The odds are that if you use public wireless access, or have a wireless connection at home without encryption turned on, your email can easily be intercepted, and potentially your username and password can be intercepted as well.
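To make the ISP defaults concrete, here is a settings checker added as an example (not code from ESET, Comcast or any other ISP). It reads the kind of account settings you would type into Outlook or Outlook Express, flags every leg that sends your password in the clear, and produces the fixed version. The sample account is constructed on the reserved example.net domain; the port numbers are the standard ones (POP3 110/995, IMAP 143/993, SMTP 25/465/587). Nothing here connects to a server.

```python
"""Audit the incoming/outgoing settings of an email account for plaintext logins.

Added example for this column, not code from ESET or any ISP. ISP_DEFAULT is a
constructed record mirroring the unencrypted POP3/SMTP setup the column
describes; hosts use the reserved example.net domain. The checker only reads
settings, it never connects to anything.
"""
import copy

# transport: "plain" = no encryption, "starttls" = upgrade after connecting,
#            "tls"   = encrypted from the first byte
STANDARD_PORTS = {
    ("pop3", "plain"): 110, ("pop3", "starttls"): 110, ("pop3", "tls"): 995,
    ("imap", "plain"): 143, ("imap", "starttls"): 143, ("imap", "tls"): 993,
    ("smtp", "plain"): 25,  ("smtp", "starttls"): 587, ("smtp", "tls"): 465,
}

# The transport to switch to for each protocol when it is currently "plain".
SECURE_CHOICE = {"pop3": "tls", "imap": "tls", "smtp": "starttls"}


def audit_account(account):
    """Return a list of problems; an empty list means every leg is encrypted."""
    problems = []
    for leg in ("incoming", "outgoing"):
        s = account[leg]
        proto, transport, port = s["protocol"], s["transport"], s["port"]
        if transport == "plain":
            problems.append(f"{leg}: {proto.upper()} on port {port} sends your username, "
                            f"password and mail in clear text")
        elif transport == "starttls" and not s.get("require_tls", False):
            problems.append(f"{leg}: STARTTLS is optional, so an attacker on the network can "
                            f"strip the offer and the client falls back to clear text")
        expected = STANDARD_PORTS.get((proto, transport))
        if expected is not None and port != expected:
            problems.append(f"{leg}: {proto.upper()} with {transport} normally uses port "
                            f"{expected}, not {port}")
    webmail = account.get("webmail_url", "")
    if webmail and not webmail.lower().startswith("https://"):
        problems.append("webmail: the mailbox is read over http, so anyone on the same "
                        "wireless network (or on the path) can read the messages")
    return problems


def secured(account):
    """Return a copy of the account with every leg switched to encryption."""
    fixed = copy.deepcopy(account)
    for leg in ("incoming", "outgoing"):
        s = fixed[leg]
        if s["transport"] == "plain":
            s["transport"] = SECURE_CHOICE[s["protocol"]]
            s["port"] = STANDARD_PORTS[(s["protocol"], s["transport"])]
        if s["transport"] == "starttls":
            s["require_tls"] = True          # never accept a server that "forgets" to offer TLS
    if fixed.get("webmail_url", "").lower().startswith("http://"):
        fixed["webmail_url"] = "https://" + fixed["webmail_url"][len("http://"):]
    return fixed


# Constructed sample: the settings an ISP's "how to set up Outlook" page typically hands out.
ISP_DEFAULT = {
    "incoming": {"protocol": "pop3", "host": "mail.example.net", "port": 110, "transport": "plain"},
    "outgoing": {"protocol": "smtp", "host": "smtp.example.net", "port": 25, "transport": "plain"},
    "webmail_url": "http://webmail.example.net/inbox",
}

if __name__ == "__main__":
    for problem in audit_account(ISP_DEFAULT):
        print("PROBLEM:", problem)
    print("after fix:", audit_account(secured(ISP_DEFAULT)) or "no problems")
```

The STARTTLS check matters: on ports 110, 143 and 587 encryption is negotiated after the connection opens, and a client that does not insist on it will quietly fall back to plain text if someone on the network strips the offer. Tick the "require" option where your client has one, or use the always-encrypted ports (995, 993, 465) instead.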

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education
ESET LLC

 

What’s Your Mother’s Maiden Name?

Don't tell me, just tell me where you live and I can probably figure it out from there. There are genealogy websites that may have that information. I can also buy stolen identities that could have that information as well. What high school did you go to? That information is probably online as well; Classmates.com has lots of people indexed. What am I getting at?

When you sign up for an account online, such as Yahoo mail or Hotmail, they often have a “secret” question in case you forget your password. The problem is that the question isn’t secret and the answers are generally not secret. You may recall that Sarah Palin’s email account was hacked. This was done by a kid who knew her email address, tried to log in, got the password wrong and then correctly answered the password reset questions.

When you have to use password reset questions there is only one correct answer to each question, but there are unlimited incorrect answers. For your security you should always use an incorrect answer. It is much harder for an attacker to guess a wrong answer than to look up the right one. The problem is that you need to remember what it was that you gave as an answer. There are some tricks to help you remember, and you can write the answers down as long as you store them safely.

A favorite movie can provide memorable answers for you. Perhaps for your mother's maiden name you could use "Skywalker". Your favorite dog? A Wookie. Your first car? The Millennium Falcon.

Maybe you are a fan of Egyptian culture. Your mother’s maiden name was Cleopatra, you attended Cairo High School, and your first car was a Camel.

Perhaps not quite as secure, but probably good enough, you can jumble the answers. Use your first car as your mother’s maiden name, and your mother’s maiden name as your high school.

Regardless of the technique you find most easy to remember, it is a really good idea to use the wrong answer for your password reset questions.

If your email account gets hacked, it can be used to trick friends into installing malicious software. Another attack involves sending an email that says you are stranded and need money immediately to get home. The email actually comes from your email address and account, so it looks very believable. Finally, sometimes the account is not actually taken over, meaning you are not locked out, but it is quietly used to send spam. This can cause your legitimate emails to be flagged as spam.

Now is probably a good time to change the answers to your password reset questions if you answered them truthfully.
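If you would rather not invent answers by hand, the following generator, added here as an example (not something from the column or any email provider), does it for you and shows how much harder the result is to guess than a real maiden name. The word list is a tiny constructed one so the code runs on its own, and the 4096-surname figure is an assumed illustration; use a real list of a few thousand words and keep the answers in a password manager or on paper stored somewhere safe.

```python
"""Generate random, unrelated answers for password-reset questions.

Added example for this column, not code from ESET or any provider. WORDS is a
small constructed list; the 4096 (2^12) common-surname figure used in the
comparison is an assumption for illustration only.
"""
import math
import secrets

# Constructed word list; any list of ordinary, easy-to-type words works.
WORDS = [
    "camel", "cairo", "falcon", "wookie", "skywalker", "cleopatra", "pyramid", "nebula",
    "walrus", "anvil", "sprocket", "lantern", "tundra", "velvet", "origami", "harbor",
]


def random_answer(words=WORDS, n=3, rng=secrets):
    """n unrelated words, e.g. 'anvil tundra camel', chosen with a CSPRNG by default.
    rng only needs a .choice() method, so a seeded random.Random can be passed for tests."""
    return " ".join(rng.choice(words) for _ in range(n))


def answer_bits(wordlist_size, n):
    """Entropy in bits of an n-word answer drawn uniformly from wordlist_size words."""
    return n * math.log2(wordlist_size)


def make_reset_answers(questions, words=WORDS, n=3, rng=secrets):
    """Return {question: answer}. Every answer is independent, so learning one
    (say, from a breach at another site) tells an attacker nothing about the rest."""
    return {q: random_answer(words, n, rng) for q in questions}


if __name__ == "__main__":
    answers = make_reset_answers(["Mother's maiden name?", "First car?", "High school?"])
    for question, answer in answers.items():
        print(f"{question:24s} {answer}")
    print(f"{answer_bits(len(WORDS), 3):.1f} bits per answer with this toy list, "
          f"{answer_bits(7776, 3):.1f} bits with a 7776-word list, versus about "
          f"{math.log2(4096):.0f} bits for a surname guessed from a list of common ones "
          f"(and 0 bits once the attacker has looked it up)")
```

The last line of output is the whole argument in numbers: a truthful answer is worth at most a dozen bits against someone guessing and nothing at all against someone who researches you, while three random words from a modest list cost an attacker tens of bits of guessing.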

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Has Your Web Mail Account Been Hacked?

Recently Microsoft reported an increase in the number of hijacked Hotmail accounts. In these cases the attackers are not changing the passwords to take control of the accounts, they are simply using the accounts to send spam. The user doesn’t generally know that someone else is using their account as well.

The most common way that the hackers get the passwords is through a phishing attack. Many users have received emails that appear to come from "Hotmail Technical Support" and claim that they must know the password or the account will be terminated. This is never true. Hotmail, Gmail, Yahoo mail, and all other legitimate email providers will never ask you to disclose your password. When you get an email from "technical support", or anyone, it is always a good idea to look at the email address itself, not just the friendly name. Even if the email appears to come from the right place, if it asks for information you should contact the provider's support directly, for example support@hotmail.com, whenever you have any question about the validity of the email. If the email asks for personal information, or says there is a problem with your account, then you should question whether the email is legitimate.

It is a very good idea to change your password from time to time. If a hacker is using your account, and this is not only a Hotmail problem, changing the password cuts off their access. Another common way to hijack accounts is to change the password using the password reset questions, so for accounts that have reset questions, be sure you don't answer them truthfully. For most people it isn't hard to find their mother's maiden name, the high school they attended, and so on.

Next week I will go into more detail about password reset questions and how to effectively deal with them. For now, if you haven’t changed the password on your email account for a long, long time, it is probably a good time to change it now!

If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

Router Security

So, we talked about patching the operating system and the applications, but there is still one thing left… the router. I hope you have a router.

A router allows you to share an Internet connection with multiple computers. Some routers provide wireless networking as well. Most routers include a basic firewall, and that is a good thing. However, you still want a personal firewall on each computer, like the kind included with antivirus suites or available from other software vendors.

From time to time there are vulnerabilities discovered in the routers as well. Routers today rarely, if ever, have the ability to automatically update themselves. You need to look up the model of the router you have and go to the vendor’s website to see if there is a firmware update available. If you do not use the most current firmware, then a remote attacker can potentially take over your router and that is really bad news. When a remote attacker controls your router they can control what websites you go to and may be able to penetrate your network.

Many routers also handle DNS for your network, either by answering DNS queries themselves or by telling your computers which DNS servers to use. DNS is what translates www.eset.com to 72.3.254.86. These numbers (IP addresses) are how computers know where to find www.eset.com. If an attacker can control your DNS, then when you type in your bank's website they can send your computer somewhere else, like a fake online bank that captures your account information while you think you are logging on to your real bank.

You should also take other steps to secure your router. Brand new routers have a default administrator account, and the password is the same for every unit of the same model. If I know you have a Linksys router, I can easily find the default password on the web. Having the administrator account information allows an attacker to control your router as well. Make sure you change the default password on your router. You can even write it down and put the paper in the box your router came in. Do save the box, or at least the instructions that came with the router.

Most routers have the ability to be remotely controlled. Newer routers usually have remote administration turned off, but it is a good idea to check and see that yours is turned off.

If you don’t have a router, it is a really good idea to get one. It doesn’t have to be fancy or expensive - even the cheap ones provide some additional protection.

Wireless routers allow you to encrypt the information sent between your computer and the router. The same setting also controls who can join the network. If you do not have the security enabled, then anyone within range can use the router. When you enable the security, a password is required to connect. This helps keep the bad guys off of your network.

If you have a wireless router that is more than a few years old, it is a good idea to get a newer one. The old routers used a security protocol called WEP. WEP has been found to be easily cracked, and the newer routers use a protocol called WPA2. There was WPA before it, but WPA2 adds some extra security.

To recap: Make sure you have a router. Make sure you have the most current firmware. Make sure that remote administration is turned off, or if you require it, then use a really good password to protect it. Make sure you have changed the default password, and make sure that you are using WPA2 (or at least WPA, never WEP) for wireless security. These are the absolute basics for router security.
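Here is that recap turned into a checklist a program can apply, added as an example (not code from ESET or any router maker). The settings dictionary stands in for what you read off the router's admin pages; the factory-password list is a short assumption (real lists are long and per-model), the DNS addresses are from reserved documentation ranges, and "latest firmware" is whatever the vendor's support site shows for your model.

```python
"""Check a home router's settings against the basics in this column.

Added example for this column, not code from ESET or any router vendor. The
settings dictionaries are constructed stand-ins for the router's admin pages.
FACTORY_PASSWORDS is a short assumed list; the DNS addresses come from the
reserved 192.0.2.0/24 and 203.0.113.0/24 documentation ranges.
"""

# Assumed: a few factory passwords; in practice look up your model's defaults.
FACTORY_PASSWORDS = {"", "admin", "password", "1234", "default"}
WIRELESS_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}
MIN_PASSWORD_LEN = 12


def audit_router(r):
    """Return a list of (severity, message). Empty means the basics are covered."""
    findings = []

    # 1. Firmware: routers of this era do not update themselves, you have to check.
    if r["firmware"] != r["latest_firmware"]:
        findings.append(("high", f"firmware {r['firmware']} is behind the vendor's {r['latest_firmware']}"))

    # 2. Administrator password: the factory value is public knowledge.
    pw = r["admin_password"]
    weak_pw = pw.lower() in FACTORY_PASSWORDS or len(pw) < MIN_PASSWORD_LEN
    if pw.lower() in FACTORY_PASSWORDS:
        findings.append(("high", "administrator password is the factory default"))
    elif len(pw) < MIN_PASSWORD_LEN:
        findings.append(("medium", "administrator password is short; use a long passphrase"))

    # 3. Remote administration: off unless you need it, and then only with a strong password.
    if r["remote_admin"]:
        findings.append(("high" if weak_pw else "medium",
                         "remote administration is reachable from the Internet"))

    # 4. Wireless security: WEP is broken, WPA2 is the target.
    mode = r["wireless_security"].lower()
    if WIRELESS_RANK.get(mode, 0) < WIRELESS_RANK["wpa"]:
        findings.append(("high", f"wireless uses {mode or 'no security'}; switch to WPA2"))
    elif mode == "wpa":
        findings.append(("low", "wireless uses WPA; WPA2 is available on newer routers"))

    # 5. DNS: a changed server is how an attacker sends you to a fake bank.
    unexpected = [ip for ip in r["dns_servers"] if ip not in r["isp_dns"]]
    if unexpected:
        findings.append(("high", f"DNS servers {unexpected} are not the ones your ISP assigns"))

    return findings


# Constructed: a router as it comes out of the box, with its DNS later tampered with.
AS_SHIPPED = {
    "model": "example-wr1", "firmware": "1.0.0", "latest_firmware": "1.0.4",
    "admin_password": "admin", "remote_admin": True,
    "wireless_security": "wep",
    "dns_servers": ["203.0.113.53"], "isp_dns": ["192.0.2.53", "192.0.2.54"],
}

# The same router after working through the recap.
HARDENED = dict(AS_SHIPPED, firmware="1.0.4", admin_password="north-porch-lantern-42!",
                remote_admin=False, wireless_security="wpa2", dns_servers=["192.0.2.53"])

if __name__ == "__main__":
    for severity, message in audit_router(AS_SHIPPED):
        print(f"[{severity}] {message}")
    print("hardened:", audit_router(HARDENED) or "no findings")
```

The DNS check assumes you let your ISP assign DNS servers. If you deliberately chose a public resolver, put its addresses in isp_dns instead; the point is that the router's DNS settings should never change without you knowing why.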

Randy Abrams
Director of Technical Education
ESET LLC

 

The Identity Theft Problem

It was recently reported that three men were indicted in the largest identity theft bust in US history http://www.reuters.com/article/topNews/idUSTRE57G4GC20090817. There are steps you can take to reduce your chances of being a victim of identity theft and credit card fraud, but in this case most of those steps would not have helped.

One of the ways that ID theft and credit card fraud occur is by malicious software stealing information off of infected computers. The defenses against this type of attack include keeping your operating system and application software current. Microsoft Update and the Secunia scanner (http://www.secunia.com) can help you with this. Another way that information gets compromised is through the use of public computers and wireless access points. If you are using a public computer, or a wireless access point that is not at home or at work, then never use it for anything that requires a password, a PIN, or other confidential information. Public computers can have malicious software installed on them, and wireless access points that are not properly secured can be "sniffed", which means others can see what you are doing. Even at home your wireless access point needs to be secured, but that is material for a future article.

In the case of the recent bust, there was little you could do to protect your information, other than not use credit or debit cards. The companies that process the information were hacked and that is how so many credit card numbers were compromised. Although no unauthorized charges were made, both my wife and I had credit/debit cards that had been potentially compromised and we had to get replacements for them.

For some people, not using plastic is a choice they make. I personally like the convenience and recognize that there is risk in our lives every day. The key is to do what you can to reduce risk at a reasonable price and then live your life. No matter what security precautions you take, there will always be some level of risk. It is when you think that you have eliminated risk that you have a false sense of security.

Randy Abrams

Director of Technical Education

ESET LLC

 

A Tiny URL Can Be a Big Problem

A URL is the address of a website. http://www.eset.com is a URL. Sometimes URLs get quite long and it is convenient to have a shorter one, so some smart folks came up with something called "redirection." In a nutshell, redirection means you go to one URL and it sends you on to another one. This happens all the time on the net for a variety of reasons. One reason may be that a web address has changed. For example, when Chase Bank was given Washington Mutual for a song and a dance, they became the "owners" of Washington Mutual's depositors. One day Chase may no longer want to support Washington Mutual's website, so I envision the day when you type in www.wamu.com and are redirected to http://www.chase.com, since that is where you need to be anyway.

Twitter is a popular social networking site that limits "tweets" (messages) to 140 characters, a limit chosen so that a tweet plus a user name fits inside the 160 characters of an SMS text message. People often share URLs that are quite long, so in order to keep the message short they use a URL shortening service such as "TinyURL". Now, I could go into great detail about TinyURL, but I think in this case the best way to learn is to try it out yourself.

Go to www.tinyurl.com and try pasting in a long URL and see what happens. I used http://www.pcworld.com/article/169790/why_attack_twitter.html and came back with http://tinyurl.com/l9csx7 for my new URL. These URLs lead to an article about Twitter.

The problem with TinyURL and related services is that you no longer can see the real website you are going to. The bad guys know this, so they use Twitter to trick people into clicking on URLs that take them to websites they normally would not visit.

There is a solution to the problem. At http://tinyurl.com/preview.php?enable=1 you can make TinyURL show you a preview of the URL you are going to be redirected to before you actually get there. Knowing where a URL is truly leading you is an important part of computer security.

Try out TinyURL and the preview feature so you can see what is happening. If you still have questions, feel free to email me at askeset@eset.com.
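For readers who want to see what a preview feature does under the hood, here is a resolver added as an example (it is not TinyURL's code and not from the column). It follows a short link one hop at a time and shows every site in the chain, including relative redirects, links that bounce through a second shortener, and two short links that point at each other. The response table is a constructed stand-in for live servers so the sample runs offline: the tinyurl.com/l9csx7 entry is the one the column created above, and the other hosts use reserved .example names invented for the example. http_lookup() is the live version and is not run by the sample.

```python
"""Follow a short link's redirect chain hop by hop and report where it really ends.

Added example for this column, not TinyURL's preview feature and not code from
ESET. resolve() never lets the HTTP library follow redirects on its own; each
hop goes through a lookup function that returns the Location header, so the
caller sees every intermediate site. CONSTRUCTED_RESPONSES stands in for live
servers: the tinyurl.com/l9csx7 -> pcworld.com pair is the one the column
created, every other host is a reserved .example name.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

CONSTRUCTED_RESPONSES = {
    # URL requested : Location header the server would answer with (None = final page)
    "http://tinyurl.com/l9csx7": "http://www.pcworld.com/article/169790/why_attack_twitter.html",
    "http://www.pcworld.com/article/169790/why_attack_twitter.html": None,
    # a shortener that bounces through a second shortener, a relative Location, then a lookalike bank
    "http://short.example/abc": "http://other.example/go",
    "http://other.example/go": "/signin",
    "http://other.example/signin": "http://paypa1.example/login",
    "http://paypa1.example/login": None,
    # two short links that point at each other
    "http://short.example/loop": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop",
}


def constructed_lookup(url):
    """Stand-in for an HTTP HEAD request, answered from the table above."""
    return CONSTRUCTED_RESPONSES[url]


def http_lookup(url, timeout=10):
    """Live version: HEAD the URL without following redirects; return the Location
    header for a 3xx answer and None for anything that is not a redirect."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None      # returning None makes urllib raise HTTPError instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
        return None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def resolve(url, lookup=constructed_lookup, max_hops=10):
    """Return (final_url, hops, status); status is 'resolved', 'loop' or 'too_many_hops'."""
    hops = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        location = lookup(current)
        if location is None:
            return current, hops, "resolved"
        nxt = urljoin(current, location)      # Location may be relative to the current URL
        hops.append(nxt)
        if nxt in seen:
            return nxt, hops, "loop"
        seen.add(nxt)
        current = nxt
    return current, hops, "too_many_hops"


if __name__ == "__main__":
    for start in ("http://tinyurl.com/l9csx7", "http://short.example/abc", "http://short.example/loop"):
        final, hops, status = resolve(start)
        print(f"{status:13s} {' -> '.join(hops)}")
```

To use it against real links, pass lookup=http_lookup. The hop limit and loop detection are there because attackers chain shorteners precisely to wear down anyone trying to see the destination, and a resolver that follows blindly would never return.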

 

Randy Abrams
Director of Technical Education
ESET LLC

 

Protecting Yourself from Bots (5 of 5)

This is the last one in this series. Not that there isn’t enough content for another dozen articles, mind you.  It holds true that the best way to protect yourself from bots is exactly the same way you protect yourself from all other malicious software (malware).

There are some more advanced tools and techniques that are very effective, but they require you to learn a bit more about computers. If you learn a little more, you will be much more effective in using your computer safely, and you will probably be more efficient in using it from day to day.

One of my favorite programs is called SandboxIE. Sandboxing is a way of isolating things from the rest of your computer. It can be very similar to a virtual computer, but isn't always. The way SandboxIE works is that it keeps everything your browser does away from the normal parts of the computer. If you download something bad and it runs, it will not mess up the rest of your computer; all you have to do is empty the sandbox. The parts that need a little more education are downloading files, saving preferences, updating your browser, and deleting the sandbox. You also have to know to delete the sandbox before you do something like online banking. And you need to run the browser outside of the sandbox when you want to install updates to it, otherwise each time you delete the sandbox you will have to update the browser again.

Firefox has an add-on called NoScript. This can be very effective in preventing bad stuff from running on your computer, but you need to understand when to allow scripts and when not to. A script is a small program embedded in a web page that runs inside your browser. Almost all websites use scripts, so if you disallow all scripts the Web is pretty useless. If you allow all scripts then there is no extra protection.

One of the mental obstacles people put up is that sometimes a program can look quite intimidating. However, you don't have to learn all of the programs at once to reap some benefits.

It is quite helpful if you understand something called “the path”. No, I am not talking about a spiritual path, but rather understanding where your computer stores files and how to find them and move them around. If you try Firefox with NoScript you will soon learn that when you go to a website it may often include content from many websites.

Since these tools are so useful I’ll address some of the things you need to learn to use them effectively in future columns!

Randy Abrams

Director of Technical Education

ESET LLC

 

Protecting Yourself from Bots (4 of many)

Last week I promised some examples of the types of emails used to trick people into installing bots and other malicious software. This week I’ll make good on that promise!

On Halloween I received the following email.

----------------------------------------------------------------------------------

From: HappyHalloween [hairremoval@requisiteimpart.net]

To: AskEset@eset.com

Subject: Your Friend Has Sent You a Scary Halloween E-Card

----------------------------------------------------------------------------------

Inside the email there was a link to a website. If I had clicked on the link I would have been prompted to download a program that was not really an "E-card" at all!

Notice the "From" field. The friendly name is “HappyHalloween”, but the address is hairremoval@requisiteimpart.net. This is not the email address of a friend of mine or a known legitimate E-card company. That’s enough to know the email was fake.

The subject line is another clue. Legitimate E-Card companies use the name of the person who sent it, not something like “A friend”, or “Your mother”, or “A secret admirer”.

Here is another email example…

----------------------------------------------------------------------------------

From: lisao@wagged.com

To: Randy Abrams

Subject: Mail System Error - Returned Mail

Attachment: eset.com.zip

Dear user abrams@eset.com,

Your account was used to send a huge amount of junk e-mail messages during the last week.

Most likely your computer had been compromised and now runs a trojan proxy server.

Please follow our instruction in order to keep your computer safe.

Sincerely yours,

eset.com technical support team.

----------------------------------------------------------------------------------

Again, the "From" line was a great giveaway. It does not make sense for that sender to be sending me this information.

If my computer had been sending spam, my IT department would have contacted me personally.

The IT department would not send an email from lisao@wagged.com and the technician would have signed his name to the email. If everything but one of these items looks right, then it is still wrong.

A final example:

----------------------------------------------------------------------------------

From: Prince Bradshaw [p.tarin@keraben.com]

To: Randy Abrams

Subject: DHL Tracking number #04HAP39708CICS5

Attachment: dhl_n756512.zip (71 KB)

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient's address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Prince Bradshaw,

Customer Service: 1-800-CALL-DHL

Fax: 888-221-6211

DHL International, Ltd. All Rights Reserved.

----------------------------------------------------------------------------------

I’ll bet you already looked at the “From” address. Even though the email purports to be from “Your personal manager: Prince Bradshaw” the domain “keraben.com” is wrong. It should have been from DHL.com, except that DHL would not email me a file (attachment), so it is all wrong.

In fact, our IT manager sent an email warning to all of us. In the warning he stated:

If you do receive this email, you should easily distinguish that it is not from DHL with the following clues:

-the sender address is not from DHL. Anybody contacting you would have a @DHL.com address.

-DHL does not send invoices for you to print out so you can pick up a package

-There are no personal managers for consumer packages, this email pretends there is one

-Email notification from DHL will always be text based with NO attachments.

-DHL would not contact your business email address for personal packages

One other thing… It says that they could not deliver the postal package I sent... I didn’t send a package!!!

If there was any doubt I would have looked up DHL’s phone number and called them.

Other attacks have included PDF files that claimed to be invoices, a past due bill, and so on.

Paying attention to the details and knowing what they should be is a very effective way to prevent bots and other malware from being installed on your computer.
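The clues in these three emails, and in the Gmail phish in "Spot the Phish" above, can be written down as checks. The following is added as an example and is not code from ESET; the brand table and keyword lists are assumptions made for the example, and the messages are shortened reconstructions of the samples quoted in the columns, with the "Attachment:" line kept as a header so the code can read it.

```python
"""Header and body checks for the phishing samples quoted in this column and in
"Spot the Phish" above. Added example, not code from ESET. BRAND_DOMAINS and the
keyword lists are assumptions; the messages are shortened reconstructions of
the quoted samples, with the column's 'Attachment:' line kept as a header."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: a brand a message might invoke -> the registrable domain that really mails for it.
BRAND_DOMAINS = {"gmail": "google.com", "google": "google.com", "hotmail": "hotmail.com",
                 "dhl": "dhl.com", "eset": "eset.com"}
CREDENTIAL_WORDS = ("password", "user name", "username", "login information")
URGENCY_WORDS = ("24 hours", "seven days", "suspended", "deleted", "permanently", "terminated")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".bat", ".js")


def registrable_domain(address):
    """'user@mail.example.com' -> 'example.com' (last two labels; good enough here)."""
    return ".".join(address.rsplit("@", 1)[-1].lower().split(".")[-2:])


def _tokens(text):
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= 3}


def phish_indicators(raw_message):
    """Return a list of (code, detail) pairs; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address) if "@" in address else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    visible = f"{display_name} {msg.get('Subject', '')} {body}".lower()
    findings = []

    # 1. Friendly name, subject or body invokes a brand the sending domain does not belong to.
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in visible and sender_domain != real_domain:
            findings.append(("brand_mismatch", f"mentions {brand} but sent from {sender_domain or '?'}"))
            break

    # 2. Friendly name shares nothing with the mailbox name: look at the address, not the label.
    local_part = address.split("@", 1)[0] if "@" in address else ""
    if display_name and not (_tokens(display_name) & _tokens(local_part)):
        findings.append(("name_unrelated", f"'{display_name}' does not match address {address}"))

    # 3. Asks for credentials outright.
    if any(w in body.lower() for w in CREDENTIAL_WORDS):
        findings.append(("asks_credentials", "requests username or password"))

    # 4. Deadline or threat of losing the account.
    if any(w in body.lower() for w in URGENCY_WORDS):
        findings.append(("urgency", "deadline or threat of account loss"))

    # 5. Executable or archive attachment.
    attachment = msg.get("Attachment", "").split()
    if attachment and attachment[0].lower().endswith(RISKY_EXTENSIONS):
        findings.append(("risky_attachment", attachment[0]))

    return findings


# Reconstructed from the samples quoted in the columns (headers and bodies shortened).
GMAIL_PHISH = """\
From: Google Mail Team <verifyscess@googledesk.com>
Subject: Warning Code:VX2G99AAJ

Dear Account User,
This Email is from Gmail customer care. Your User name, password, date of birth
and your country information would be needed to verify your account, or your
account will be suspended within 24 hours for security reasons.
"""

DHL_LURE = """\
From: Prince Bradshaw <p.tarin@keraben.com>
Subject: DHL Tracking number #04HAP39708CICS5
Attachment: dhl_n756512.zip (71 KB)

We were not able to deliver postal package you sent on the 14th of March.
Please print out the invoice copy attached and collect the package at our office.
"""

BOUNCE_LURE = """\
From: lisao@wagged.com
Subject: Mail System Error - Returned Mail
Attachment: eset.com.zip

Your account was used to send a huge amount of junk e-mail messages during the last week.
Sincerely yours, eset.com technical support team.
"""

# Constructed control: an ordinary internal message that should trip nothing.
LEGITIMATE = """\
From: Randy Abrams <abrams@eset.com>
Subject: lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("gmail", GMAIL_PHISH), ("dhl", DHL_LURE), ("bounce", BOUNCE_LURE), ("legit", LEGITIMATE)):
        print(label, phish_indicators(raw) or "no indicators")
```

The name_unrelated check is a heuristic: plenty of legitimate mail comes from "Customer Service <noreply@...>", so treat it as a reason to look harder at the address, which is exactly what the column asks you to do, rather than as proof by itself.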

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Protecting Yourself from Bots (3 of many)

So far I've written about patching and using basic security software. There are many other topics that need to be discussed when protecting yourself from bots. Did you know that you might need to patch your router? I'll write about that in another column. Understanding URLs is really important as well. If you haven't done so, go back to the archives and look at the "Duke of URL" series. Understanding where your web browser is taking you is very important when deciding whether or not to trust a web site. Education is a critical component of protecting yourself from bots. A basic understanding of what computers can do, especially how they can lie to you, is really important.

One of the most common means of infection is email that bots themselves send. The primary means of tricking users is to include a link to a web site or an attachment. Some attachments rely on an unpatched vulnerability and will not work if your computer is patched, but many are simply programs that run when you open them, so it is not a good idea to open unexpected attachments even if your computer is patched.

The types of emails that I have seen used to spread bots include the following. In some cases the email may appear to come from someone you know. It is always a good idea to check with a known sender before you click on a link in email or open an attachment.

When there is a big news event or a holiday, always be suspicious of emails that talk about these things. One of the most common tricks is for the email to claim to show you a video of a disaster. The Storm worm got its name because it talked about a deadly and devastating storm that killed many people in Europe. The email included a link to a web site. Later the Storm worm claimed to be eCards for many different occasions; Halloween comes to mind. Another common attack is to take you to a web page where a dialog box pops up and says you need a new "codec" to see the video. There isn't a video worth downloading a "codec" for. Codecs are included with Windows Media Player, RealPlayer, QuickTime, and all legitimate media players. If a new codec is really needed then you probably have an outdated media player and should go to the Microsoft, Apple, Real, or other legitimate web site and download a newer version.

If you are not signed up to receive emails about news events, then do not trust any emails you receive about news events. If you do normally receive such emails, always check that they really came from the source you expect.

Another trick is to send a PDF file that claims to be an invoice for an overdue bill, lottery winnings, a court summons, etc. The important thing is not to say "Ah, Randy warned me about the UPS delivery notice"; the important thing is to get the concept. If you are not expecting an email with an attachment, then do not open it until you have verified that it really is legitimate. Sometimes the attachments are Word documents, and sometimes they are programs designed to look like something else.
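Programs "designed to look like something else" rely on a few naming tricks, and the following, added as an example (not code from ESET), undoes them to report what an attachment really is: a decoy extension such as invoice.pdf.exe, a run of spaces that pushes .exe off the screen, the Unicode right-to-left override that makes gpj.exe display as exe.jpg, and a zip wrapper around the lot. The sample zip is built in memory, so nothing touches disk and no real malware is involved.

```python
"""Tell what an email attachment really is, despite the tricks used to make a
program look like a document.

Added example for this column, not code from ESET. The sample names and the
in-memory zip are constructed; the zip member contents are placeholder bytes.
"""
import io
import os
import re
import zipfile

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: everything after it is displayed reversed
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi", ".lnk"}
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
ARCHIVE = {".zip", ".rar", ".7z"}


def displayed_name(filename):
    """The name a file browser shows: text after an RLO is rendered right-to-left."""
    if RLO not in filename:
        return filename
    head, tail = filename.split(RLO, 1)
    return head + tail[::-1]


def real_extension(filename):
    """The extension the operating system acts on: the last one, after dropping
    the bidi override and collapsing runs of padding spaces."""
    cleaned = re.sub(r"\s{2,}", " ", filename.replace(RLO, "")).strip()
    return os.path.splitext(cleaned)[1].lower()


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'executable', 'archive', 'document' or 'other'."""
    ext = real_extension(filename)
    if ext in EXECUTABLE:
        shown_ext = os.path.splitext(displayed_name(filename).strip())[1].lower()
        stem = os.path.splitext(filename.replace(RLO, "").strip())[0].strip()
        decoy = os.path.splitext(stem)[1].lower()
        if shown_ext != ext:
            return "executable", f"program shown as {shown_ext or 'no extension'} via right-to-left override"
        if decoy in DOCUMENT:
            return "executable", f"program with a decoy {decoy} extension"
        return "executable", "program file"
    if ext in ARCHIVE:
        return "archive", "archive; list the contents before opening anything inside"
    if ext in DOCUMENT:
        return "document", "document type; still confirm the sender meant to send it"
    return "other", f"unrecognized extension {ext or '(none)'}"


def inspect_zip(data):
    """Classify every member of a zip held in memory; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [(info.filename, classify_attachment(info.filename)[0]) for info in archive.infolist()]


def build_sample_zip():
    """Constructed stand-in for the 'invoice' archives the column describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("dhl_invoice.pdf.exe", b"MZ placeholder, not a real program")
        archive.writestr("readme.txt", b"print the invoice and bring it to our office")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("invoice.pdf.exe", "invoice.pdf" + " " * 40 + ".exe", "photo" + RLO + "gpj.exe",
                 "dhl_n756512.zip", "report.pdf"):
        print(repr(displayed_name(name)), classify_attachment(name))
    print(inspect_zip(build_sample_zip()))
```

Windows hides known extensions by default, which is why invoice.pdf.exe shows up as invoice.pdf in Explorer; turning that option off makes the first two tricks visible to the eye as well, while the right-to-left one still needs a check like the one above.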

Typically, if you look at the email address the emails actually come from, you will see that they are not legitimate, provided you understand how email addresses are put together.
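As an added illustration of that check (this is example code written for this column archive, not something from the original column or from ESET), the script below pulls the real address out of an email’s From: header and compares its domain with the brand named in the display name. The brands, their real domains and the sample headers are constructed for the example; the point is that only the rightmost part of the domain matters, so “ups.com.delivery-notice.example” does not belong to UPS.

```python
import re
from email.utils import parseaddr

# Brands a reader might expect email from, with the domains they really use.
# Constructed for this example; extend it with senders you actually subscribe to.
KNOWN_SENDERS = {
    "cnn": ("cnn.com",),
    "ups": ("ups.com",),
    "eset": ("eset.com",),
}

# Constructed sample From: headers in the style the column describes.
SAMPLE_HEADERS = [
    "CNN Breaking News <alerts@cnn.com>",
    "CNN Breaking News <cnn-news@free-mailbox.example>",
    "UPS Delivery Notice <tracking@ups.com.delivery-notice.example>",
    "Your Friend <friend@mail.example>",
]


def sender_domain(from_header):
    """Domain of the real address in a From: header, lower-cased ('' if none)."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def domain_belongs_to(domain, expected):
    """True if domain is expected or a subdomain of it.

    The registered name is the RIGHTMOST part, so 'mail.cnn.com' belongs to
    cnn.com but 'cnn.com.free-host.example' does not."""
    return domain == expected or domain.endswith("." + expected)


def check_from(from_header):
    """Classify a From: header as 'ok', 'mismatch' or 'unknown'.

    'mismatch' means the display name claims a known brand but the address
    is not on that brand's domain, which is the tell the column talks about."""
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    for brand, domains in KNOWN_SENDERS.items():
        # Whole-word match so 'ups' does not fire on 'groups'.
        if re.search(r"\b" + re.escape(brand) + r"\b", display.lower()):
            if any(domain_belongs_to(domain, d) for d in domains):
                return "ok"
            return "mismatch"
    return "unknown"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{check_from(header):9} {header}")
```

Run it as-is to see the four sample headers classified; the second and third come back as “mismatch” even though both display names look like a well-known sender.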

In the coming weeks I’ll provide real examples of the scam emails. Please keep in mind that you want to understand the concepts, the actual emails are always changing, but with a little practice you can learn to spot the bad ones quickly and easily.

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Protecting Yourself from Bots (2 of many)

Asking what is the most important thing for security is like asking what is most important on the car. Are the brakes most important? The steering wheel? Crumple zones? The list goes on and the most important item really depends upon what is happening. The same goes for computers. Patching your programs will proactively protect against many security problems, but there are many threats that do not require a vulnerability to cause problems. There are also some vulnerabilities that might not be a problem for you if you have additional security measures in place.

The use of security software is another part of protecting against bots. There are three basic programs and one piece of hardware that you shouldn’t be without. The software programs are antivirus, anti-spam, and a firewall. The hardware device is called a router. These are bare minimums, not an exhaustive list.

Antivirus is really no longer an accurate title. Malware is a combination of the words “Malicious” and “Software”. Viruses, trojans, bots, adware, spyware, rootkits, and other such programs are included in the term malware. Almost all antivirus software also protects against malware in general, however in some cases free antivirus products may not cover all of these different types of malicious programs.

It is important to understand that no antivirus product can or ever will detect everything. If someone thinks that since they have antivirus software they can use their computer however they like and be protected, find them a good therapist, but first take their computer away until their delusional behavior has effectively been treated. No security software protects against everything. When you see something like “Detects 100%” it means 100% of a small set of viruses and not anywhere even close to 100% of all threats. Still, most of the infected computers out there are infected with malware that most antivirus products have protected against for quite a while.

Anti-spam software is also good for security. At first thought one might be tempted to think that anti-spam isn’t for security, that it is just there to keep annoying email out. The fact is that a lot of email designed to trick users into installing malware looks a lot like spam, and anti-spam software can prevent these emails from getting into your inbox.

There are both hardware and software firewalls. In general, hardware firewalls are too expensive for the average home or very small business user to consider. However, a software firewall is essential. Windows XP and Vista include basic firewalls that are much better than nothing. Many security suites, such as ESET Smart Security (full disclosure: I work for ESET), include antivirus, anti-spam, and a firewall that is more advanced than the stock firewall that comes with Windows. Firewalls block many malicious attacks from the Internet. There are programs on the Internet that randomly attack computers many times each second of every day. Many of these attacks are thwarted simply with a firewall.

A router is a hardware device that goes between your computer and your cable modem, DSL modem, or even telephone line. Most routers include a simple firewall also. The firewall in these devices is rarely suitable for replacing a software firewall, but these devices are still a very important part of keeping your Internet connection secure. These devices also will usually allow you to use multiple computers with a single Internet connection. Common brands include Linksys, D-Link, Netgear, and Belkin, but there are many others. Personally I think it should be illegal to sell high-speed Internet access without a router.

When installing a router it is essential that you change the default username and password. There are some more advanced configuration options that it might make sense to change, but changing the default username and password is essential. In many cases it doesn’t even matter if you put the new username and password on a sticky note and leave it on the router… as long as you do not have remote administration enabled and do not use that password anywhere else.

There are other types of security software that can be very helpful, but typically they require a bit more than a novice level of computing expertise to use effectively.

Feel free to email me at askeset@eset.com with any security-related questions or topics you would like to see addressed in future columns.

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Protecting Yourself from Bots (One of many)

I recently received the following from a reader:

Thanks for your info on the Chamber newsletter...it was very informative and, for me, scary. What can I do about 'bot' not infecting my computer?

The simple answer is that you do the same things that you would do to prevent anything from infecting your computer, but that probably doesn’t help much.

The hard answer is that you really need to educate yourself about computers. There are many tools to help keep your computer safe, and of all the tools, knowledge is the most important one. Knowledge allows you to properly use all of the other tools.

In the coming weeks I’ll go through many of the things you need to do to keep your computer safe.

Patching is probably one of the most overlooked safety tools at your disposal. Patching means fixing problems with programs by updating or replacing them. You are probably familiar with Microsoft automatic updates. When there are security vulnerabilities in Windows or Office, Microsoft will create a fix and you will then become protected when automatic updates downloads and installs the new program. You do have automatic updates enabled, don’t you? Did you turn it off because it kept rebooting your computer and you lost work? I hope not. You can tell Windows update to prompt you before it installs patches (updates) and reboots your computer.

There are many, many other programs that also can contain security vulnerabilities and need to be patched as well. It is common for bots to be installed by exploiting non-Microsoft programs too. A company called Secunia offers a free scan for home users so you can see what programs you might have installed that need to be patched. The scanner is at http://secunia.com/vulnerability_scanning/online/.

For businesses, Secunia sells their product and services. Shavlik (http://www.shavlik.com) is another company offering such a service and has free trial versions of their software.

In the coming weeks I’ll give you a bunch of tips to help prevent your computer from becoming infected with a bot or other malicious software. For right now, why don’t you run the Secunia scan and make sure that all of your software has the latest fixes. In some cases you may need to download a new version of the software.

Feel free to email me at askeset@eset.com with any security related questions or topics you would like to see addressed in future columns.

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Do You Know What a Bot Is?

One of the problems I face in trying to teach people about computer security is they often feel it is not important. Thoughts like “I don’t have anything of value on my computer” are common. When I am able to convey what the threats are and why it does matter to them, it becomes a lot easier for people to find security a little more interesting and personally worthwhile.

One of the most common threats out there is called a bot. This is short for robot and the type of program was named before there were PCs. Bots were programs that UNIX systems administrators used to automate boring repetitive tasks.  Today bots have a much more nefarious job.

In today’s world, the common bot is a program that gives a remote attacker complete programmable control over the infected computer. Perhaps you have seen programs like “PC Anywhere” that will allow you to remotely control your home computer from almost anywhere in the world. A computer with a bot on it can be controlled by someone who should not control your computer.

If you think there is nothing of value on your computer, you might want to think again. Your computer itself is of value and you do have something to lose. A bot can record your keystrokes, so if you log into your email account a remote attacker can get your username and password. Once they have this, they can send massive amounts of spam from your email address. This can result in your email account being blocked so you cannot send email to anyone. When this happens it can be very difficult to get your email account restored. The attacker also has your contacts, so they can send email to your friends and make it look like it is coming from you. There are many unkind things an attacker can do when they pose as you, and it can cost your friends money or cause your friends’ computers to get infected.

When a bot is installed, an attacker can control tens of thousands of computers all at the same time. The attacker can simply type in a command and all of a sudden your computer and thousands of others might start attacking a computer that is trying to block spam. The attacker can make your computer download child pornography or other illegal material.

There are many harmful things that can be done with your computer, even if you never buy anything online with it. I’ll tell you about some more of the different types of threats in the coming weeks.

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Travel Tips, Part 2

This week’s additional travel tip highlights the difficulties of security done right. Recently the government announced that passengers on airline flights will need to use their full names as they appear on their government-issued documents.

A few days ago my wife booked an international flight on United Airlines, who incidentally sent out a communication advising me of the new requirement. When my wife booked the flight online, United would only allow her to enter her middle initial!!! US passports contain a full middle name.

If you Google the following phrase (without quote marks) you will find that many airlines have not changed their systems to allow for compliance with TSA requirements.

Search “airplane ticket name must match” but do not use the “  ” symbols.

If you book an airline ticket, be sure to notice if you are allowed to enter your full name as it matches your driver’s license or passport. You may need to call the airline, repeatedly, to get the reservation fixed.

On a personal note… a TSA-approved lock seems to mean that it is a lock the TSA can steal. I’ve lost two in the last 6 months!!!

One More Thing…

Last week I forgot to mention an important note in the travel security tech tip. I said it is a good idea to use a Kensington lock, but there is a specific step that must be taken or you may render the lock worthless.

Most Kensington style locks use a combination rather than a key. It is essential that as soon as you unlock your laptop computer you move the numbers on the combination. If you fail to do this then someone may see the lock with the valid combination. It is the equivalent of the sticky note on the monitor.

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Travel Security

I travel frequently and I am often amazed by the security mistakes I see. There are a few basics that can help ensure that you will be less likely to be a victim when you travel with your computer.

Let’s start at the airport with your laptop going through the x-ray machine. There have been thefts that happened when a person went through the body x-ray too soon before their laptop went through the x-ray machine, or too late after their laptop went through the X-Ray machine. Whenever possible, wait with your laptop until you have seen it go into the x-ray machine and until there is not a line of people ahead of you before you can join your laptop at the other end. This may not always be possible, but generally it is very doable.

On a side note, put everything but your shoes and laptop through first. Put your shoes through last. Why? The odds of you forgetting anything before your shoes come through are very small. If your laptop is after your shoes and you are in a hurry, then you may forget there was one more item! Do remember that a hard drive can still be stolen out of a locked laptop. Sometimes I actually remove my hard drive from my laptop and take it with me. It all depends on what the data is worth and how secure I believe the hotel room is.

Virtually every laptop has a slot for a lock called a “Kensington style lock”. This type of lock will secure your laptop. It is essential that you use it, because it doesn’t help to have one and not use it. When I leave my laptop in my hotel room, it is always locked to something. I’ve locked my laptop to desks, dressers, heaters, lamps, etc. I’ve heard of people locking them to the pipes under the bathroom sink, or even the toilet. Yes, someone with a pair of bolt cutters can probably snip the cable and steal the laptop, but generally hotel thieves want in and out quick. You can make your laptop less attractive than the laptop in the room next door! I also lock my laptop to my chair when I am at a conference and get up for coffee.

Privacy filters may be a good idea at the airport, on the plane or train, and at conferences. 3M makes a privacy filter (not to be confused with glare filters) that makes it very hard for a person sitting next to you to look over your shoulder. If you have data that others should not see then the privacy filter is a very effective tool for keeping your data confidential.

Finally, encryption software can make it so that if your laptop is stolen at least a thief can’t get to your data. Regularly backing up can mean that if your laptop is stolen, at least you didn’t lose much data!

If you have any questions about this Tech Tip or any general security questions, feel free to email me at askeset@eset.com

 

Can I Own Your Email Account?

Many websites have password reset questions. Oftentimes these questions have answers that are public knowledge. If someone knows the answers to the password reset questions and they know your login name, then they can reset the password and gain control of your account.

Websites with poor security practices will use questions like “What is your mother’s maiden name”. This is generally public information. Another question I have seen is “What was your first car?” Have you ever written what it was on a web site? No? By guessing the most common cars one can often make a lucky guess. By using social engineering tactics one can probably learn the answer.

There are two defenses against this type of attack. The primary line of defense is deception. Use the wrong answer. Make up a name that is not your mother’s maiden name. Make sure you will remember the name though. Maybe your first car was “The Space shuttle”. Maybe your high school was Harvard University. Perhaps you met your wife on the moon.

It is very hard to guess the correct wrong answer!

The second approach is more damage control than prevention. If you use something like Gmail you can download your emails to your computer. By deleting the emails off of the web you minimize the amount of information available if your account is hijacked.

For web based email accounts that do not allow you to download, such as the free Yahoo email accounts, you can forward messages to an account that you use to download email from. It is important that you delete emails from the web based account if there is anything personal or confidential.

For maximum security and privacy use both of these techniques. 

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

Are You Patient or A Patient?

Twitter is a popular social network. Because of its popularity it is an attractive target for the criminal element. The curiosity of users is such that anyone can follow someone and have a very good idea that the person being followed will want to find out who is following them. This trick works very well to lure users into clicking on links in “tweets” or going to malicious pages that infect visitors, phishing web sites, or porn web sites.

As a rule of thumb, if you get a twitter announcement that someone is following you, it is a good idea to wait a couple of days before you check it out. If you are a little patient you can often avoid making your computer an antivirus patient!

 

Hide Viruses?

Microsoft operating systems, since Windows 95, have had a strange “feature” that assists viruses in hiding from you. By default Microsoft hides the extension of common files, critical files and any file anyone wants to hide. The problem is that viruses and other malicious software can use these mechanisms to hide and trick you.

On a normal Windows system, if I name a file “Picture.jpg.exe” you will see “Picture.jpg” and might likely think the file is a picture instead of the program file it truly is. Virus writers have been exploiting this trick for years. For critical operating system files you won’t see anything at all and it is trivial to make a file appear to be a critical system file, even if it is not.
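To show concretely what “Hide extensions for known file types” does to a name like “Picture.jpg.exe”, here is a small added example (written for this archive, not code from the column or from ESET). It reproduces what Explorer would display, reports the real extension, and flags names whose displayed form ends in a picture or document extension while the real one is executable. The extension lists are short constructed ones, not Windows’ full set, and the sample file names are made up.

```python
import os

# Extensions Windows runs as a program when double-clicked.
# A short, constructed list for this example, not the complete Windows set.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Harmless-looking extensions an attacker puts in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt", ".mp3", ".avi"}

# Constructed sample directory listing.
SAMPLE_NAMES = ["Picture.jpg.exe", "Invoice.pdf.scr", "Report.pdf", "Setup.exe", "notes.txt"]


def true_extension(filename):
    """The extension Windows actually acts on: the last one, lower-cased."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is stripped, so 'Picture.jpg.exe' shows as 'Picture.jpg'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_disguised_executable(filename):
    """True when the real extension is executable but the displayed name ends
    in a picture/document extension, i.e. the double-extension trick."""
    if true_extension(filename) not in EXECUTABLE_EXTS:
        return False
    # Trailing spaces are stripped in case the name pads the decoy extension
    # away from the real one ('Picture.jpg      .exe').
    shown = displayed_name(filename).rstrip()
    return true_extension(shown) in DECOY_EXTS


def find_disguised(names):
    """Return the names in a listing that use the double-extension trick."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        flag = "DISGUISED" if is_disguised_executable(name) else ""
        print(f"{displayed_name(name):22} real ext: {true_extension(name) or '(none)':6} {flag}")
```

The displayed-name column is exactly the misleading view the default setting gives you; turning the setting off (the steps below for Windows XP) makes the real-extension column what you see in Explorer.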

There are three completely mindless default settings that Microsoft uses. I call these settings the Microsoft “Hide viruses” feature. I was using this terminology when I was teaching users at Microsoft about security. I recommend you fix the incorrect settings. I don’t have a Windows Vista system in front of me as I write, so email me at askeset@eset.com if you want instructions for Vista.  For now I’ll tell you how to fix the problem with Windows XP.

First open up Windows Explorer. This is different than Internet Explorer. Once you have Windows Explorer open, go to the Tools menu and choose Folder Options. From there select the “View” tab; there are three settings to change here. Under “Hidden files and folders” make sure you have selected “Show hidden files and folders”. For the selection “Hide extensions for known file types” uncheck the box. The line that says “Hide protected operating system files (Recommended)” should be unchecked. The only reason this is recommended is that a person completely ignorant of security recommended it. The final step is to click the button that says “Apply to all folders”.

Now when you use Explorer you will see a lot of files you didn’t know were there. You will also see extensions like “.exe”, “.txt”, “.xls”, “.doc”, and so on. Information is your friend. Windows is the enemy of information.

You don’t have to know what every extension means. All you need to know is that if you do not know what the extension means you do not want to click on it!

It is an inconvenient truth, but you cannot safely use the Internet if you don’t learn a bit about the computer accessing it. The operating system is not the issue, although Microsoft goes to great lengths to hide the fact that you really do need some knowledge.

If you have any topics you would like to see addressed in the weekly Tech Tip, send an email at askeset@eset.com and let me know it is for the SD Chamber Tech Tip column. I’d be delighted to explore any tech topics you find interesting!

 

Randy Abrams

Director of Technical Education

ESET LLC

 

NoScript

Recently there was a big uproar in the Firefox community over a battle between two authors of programs (plugins) for Firefox. One of the plugins is called “NoScript”. The purpose of NoScript initially was to prevent scripts, such as JavaScript and Visual Basic script, from running when you visit a web page, unless you authorize the website to run scripts. Scripts on websites are responsible for many computer infections. Later NoScript was updated to add protection for things called “cross-site scripting” and “clickjacking”. For information on these attacks, please see http://en.wikipedia.org/wiki/Cross-Site_Scripting and http://en.wikipedia.org/wiki/Clickjacking.

One of the problems with scripts is that they can download programs without your knowledge. This means that your computer can get infected if the web site you visit has a bad script. The Miami Dolphins hosted the Superbowl a couple of years ago. Hackers placed a script on their site to infect visitors. Increasingly, good websites contain advertisements that come from different websites. Sometimes these ads contain scripts that download malicious software. As of this morning, the Technet.com web site had a page that linked to another website that contained a malicious file. Sites like MySpace and Facebook have often been attacked with scripts that infect users.

NoScript can add a significant amount of security to your web browsing experience, but, like all tools, it needs to be used properly to be effective.  And like all security products, it won’t be foolproof.

There are two ways to use NoScript “properly”. The first is to deny scripting on all websites. This will make many websites non-functional. Realistically this isn’t an option. The other way is to be selective about what sites are allowed to run scripts. This is where NoScript becomes useless for users who are not computer savvy. If you don’t already have a good idea what sites should be allowed to run scripts and what sites should not, then you can’t make educated decisions.

Even with this limitation, I believe it is useful for Firefox users to try NoScript for a little while. Many people do not realize just how many websites are running scripts (programs) on their computers when they visit them. When you click “Options”, NoScript will ask you which sites to allow scripts to run from. For example, when you go to www.espn.com, there are three websites trying to run scripts. www.cnn.com runs scripts from four websites, including itself.

It is an eye opener to see how many places are trying to run scripts each time you visit a site. NoScript is easy to remove if you don’t want to keep it.
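To see for yourself what NoScript is counting, here is an added example (written for this archive; it is not NoScript’s code and not from the column) that reads a page’s HTML and lists which hosts its script tags pull code from, split into the site’s own host and everybody else. The HTML and host names are constructed for the example; point it at a real page’s saved source and it will tell you the same thing NoScript’s menu shows.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, standing in for a news site's HTML.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.ads-network.example/tag.js"></script>
<script src="//stats.tracker.example/collect.js"></script>
<script>var inline = 1;</script>
</head><body>
<script src="https://www.news-site.example/player.js"></script>
</body></html>
"""


class ScriptOriginCollector(HTMLParser):
    """Collects the host each <script src=...> loads from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.origins = set()
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self.inline_count += 1  # script written directly into the page
            return
        # 'https://host/x' and protocol-relative '//host/x' both yield a host;
        # a relative path like '/js/site.js' yields None and runs from the page's own host.
        host = urlparse(src).hostname
        self.origins.add(host or self.page_host)


def script_origins(html, page_url):
    """Return first-party hosts, third-party hosts and the inline script count."""
    parser = ScriptOriginCollector(page_url)
    parser.feed(html)
    parser.close()
    first = sorted(o for o in parser.origins if o == parser.page_host)
    third = sorted(o for o in parser.origins if o != parser.page_host)
    return {"first_party": first, "third_party": third, "inline": parser.inline_count}


if __name__ == "__main__":
    report = script_origins(SAMPLE_HTML, "https://www.news-site.example/")
    print("Scripts from the site itself :", report["first_party"])
    print("Scripts from other websites  :", report["third_party"])
    print("Inline scripts on the page   :", report["inline"])
```

For the sample page the site itself is one of three hosts running scripts, which is the same kind of count the column quotes for www.espn.com and www.cnn.com. The third-party list is the part worth reading before you decide what to allow.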

If you have any topics you would like to see addressed in the weekly tech tip, send me an email at askeset@eset.com and let me know it is for the SD Chamber tech tip column. I’d be delighted to explore any tech topics you find interesting!

Randy Abrams

Director of Technical Education

ESET LLC

 

 

All You Need to Spell “Swine” is in “Swindle”

As news of a new deadly outbreak of the swine flu (now called the H1N1 virus) breaks, the dregs of humanity are at work exploiting misery for profit. This is really nothing new. For years it has been the practice to exploit news stories as a means of social engineering. When hurricanes hit, we in the security space see domains registered to cash in on tragedy. When a tsunami hits, the same thing happens. Even news that may be perceived as good is exploited. Many people were elated that Obama was elected president. Whatever your political views, it was news, and so of course the bad guys created malware for it.

There is a take-away from all of these events. The take-away has nothing to do with God, fate, or anything philosophical. Don’t believe everything (or much of anything) that comes to you in email. There are really, really sick people out there. As a percentage, it may be no more than it was 50 or 100 years ago, but with the Internet they can reach millions more people.

Always get your news from a reputable source. OK, I understand that on the whole the US media, the BBC, Pravda, and other mainstream news sources can be criticized for being dishonest on their best days, but still, they are not trying to infect your computer, and in lots of news stories they do cover these events objectively. The one thing about legitimate news organizations is that they don’t email you the news without you asking them to.

Whenever you get email about a current event assume the email is some kind of attack unless you know for a fact that you signed up for emails from the sender.

General security questions and suggestions for topics for this column can be submitted to askeset@eset.com.

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Knowledge is Power

The most serious security vulnerability is not in a Microsoft product. The vulnerability has nothing to do with hackers in China or Russia or in our own backyard. The vulnerability is the uneducated user. It may be unfortunate, but it is not possible to securely use the Internet without getting some education. I predict that in about 20 years the basic level of Internet security education will be much higher because as it becomes part of the curriculum in schools it will become part of our culture, but for today you need to make an effort to learn more. Without education, a user on the Internet is a digital Pearl Harbor waiting to be attacked.

Very soon you will start seeing information about a program called “Securing our e-City” (securingourecity.org) and education will be the driving force behind this initiative. For today there are some really good resources out there with understandable information. As a starting point, I highly recommend that you check out http://www.staysafeonline.org. This website is put together by the National Cyber Security Alliance. “NCSA is a collaborative effort among experts in the security, non-profit, academic and government field established to provide free resources to help secure cyberspace”, as they put it on the web site.

There is great information up there for virtually everyone. Home users, small businesses, and educators alike will find useful information to help improve their online security. So check them out today, but check back with the Chamber real soon to learn more about “Securing our e-City”.

If you have any topics you would like to see addressed in the weekly tech tip, send me an email at askeset@eset.com and let me know it is for the SD Chamber tech tip column. I’d be delighted to explore any tech topics you find interesting!

Randy Abrams

Director of Technical Education

ESET LLC

 

Cutting Through the Hype

2009 has been a banner year for security hype, and we are barely into the second quarter. It isn’t that there haven’t been important security stories, but the problem is that people are getting caught up in the details and forgetting to look at the big picture.

If there is a hole in your roof, is the problem that a big storm is coming, or is the problem that any storm can pour water into your living room? Is it a problem that pigeons may roost in your attic and squirrels may take up residence in your walls, or is it just the big storm that a meteorologist with a .200 batting average is saying may dump between three drops and four feet of water over the next 24 hours?

If the hole in the roof is fixed, you don’t worry about the next storm, if it isn’t then there are plenty of other problems to worry about as well. So it goes with security. For a couple of months now we have seen story after story about the Conficker worm. Speculation about what might happen is great for selling coke, popcorn, and advertising space, and even security software, but it is really irrelevant to the user. What is relevant to you is that there are security vulnerabilities that tens of thousands of malicious programs can exploit. If you take the steps to protect against the thousands of other threats out there, then Conficker is truly nothing special. Yes, you still need to use smart security practices, but there is nothing special, from a defensive point of view, about Conficker or most other over-hyped threats.

Whenever there is a serial criminal out there the cops worry about the copycats. If you only look out for the serial criminal you are still vulnerable to the copycats. In the computer world copycats are much more like drone armies many thousand strong. In the computer world there is little risk associated with crime, so we see a much larger scale of certain types of criminal activities than we do when it comes to traditional physical crimes. Fortunately, when it comes to computers it is a class of crime and not an individual criminal that you are defending against. This means that good defenses are far more effective overall, but it takes some education to defend against computer attacks.

The next time you see a headline about the latest and most dangerous threat, take a step back and think for a moment… The same things that make this over-hyped threat possible make thousands of other attacks possible. If you protect against the underlying problem, then the specific attack is not going to be an issue for you.

As always, if you have any general security questions, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

Tools of the Trade (Password Corral)

OK, this time the tool isn’t for techies.

I have already written about how important it is to have good strong passwords. I have mentioned that you need to use different passwords for different places. You should not use the same password for different email accounts. The password you use to log on to your bank account should not be the same as you use anywhere else.

After a while, even with easy-to-remember passwords, the sheer number of passwords makes it difficult to remember all of them, and you will need some sort of system to keep track of them all.

If you write down your passwords then either you may not have them when you are traveling, or you risk potentially losing them all at once. If they are with your wallet, that could be a problem.

To help me with my passwords I use a program called Password Corral. You can download this program at http://www.cygnusproductions.com/freeware/pc.asp

Password Corral can help you to keep track of your passwords. The program is easy to use. About the only thing that might be tricky for some users is the choice of what type of encryption to use. The answer is that either it doesn’t matter or your data is so important that you need to hire a professional if you don’t know the answer. For most people it really doesn’t matter.

There are two important things to remember. First, you need to use a very good password for Password Corral. Your password should be at least 16 characters long and something you can easily remember.

Here are a couple of examples of good passwords that are easy to remember.

This password will keep 100 passwords safe

My parents met in 1955

Really, rover 8 my homework

Remembering my password is 50% of the problem

Really, the important thing is that you have a long password that is not a single word or common phrase. “The woods are lovely, dark and deep” isn’t such a good password or passphrase. Make sure you can remember it. Write it down and put it somewhere safe, but don’t carry it around with you. Your webmail account is not a safe place.

Use the password 5 to 10 times a day for a week or so and you will probably remember it for a long time. Remember to use it every week or so after to keep it fresh. This is a really important password for you to memorize.

It is still a good idea to change it every year or so, assuming it is a long password. If the password is short, then change it more often.

The second thing to remember is to always back up your passwords after you have added a new one. I recommend that you back them up to at least two different locations that are not on your hard drive. Password Corral has the backup functionality built in. You just have to use it.

As a safety precaution, when you close Password Corral, it wipes the clipboard of anything you have copied. So if you copy a password to paste it into a form, then paste it before you close Password Corral.

There is no such thing as security…there is only risk management. If your computer gets infected with a keystroke logger, it is possible the password you type into Password Corral could be captured. When you weigh that against the risks of using bad passwords, the risk isn’t so great after all.

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

How Good is your Password?

One of the biggest security related mistakes people make is in dealing with passwords. The biggest password blunders are unchanged passwords, poor quality passwords, inappropriately re-used passwords, and inappropriately stored passwords.

Let’s start with inappropriate storage. We’ve all been told not to write the password on a sticky note and put it on the monitor. The truth is that it really depends upon the environment. I’m not particularly worried about someone seeing my password on my monitor since I work from home. I still don’t leave it there, but it really wouldn’t be a problem for me to write it down and have it handy. Leaving your PIN, which is a type of password, in your purse or wallet with the associated debit or credit card is not a good idea. Keeping your passwords in a file on your computer only makes sense if the file is well encrypted, which probably means you have a password for the file. I use this method. There is a free program called “Password Corral” that I use to store my passwords. I have a very strong password that I have memorized specifically for that program, and it is not used anywhere else.

The reason I do not use my Password Corral password anywhere else is that if someone discovered my password somewhere else, I would not want them to be able to access my other passwords that I store. I also back up my Password Corral data every time I add a password. There are only a few exceptions where it makes sense to re-use a password. If the password is not used to protect anything of value to you, then it doesn’t matter if you have a good password, a bad password, or you use the same password for similar things. An example of this is a news web site that I have to register on to read articles. There is a caveat here… it has to be a site where registering doesn’t mean I can comment. If someone gets my password and then can impersonate me and leave damaging comments, the password has value. I would never use the same password for my bank account as for my stock brokerage account, or anything else.

The problem of password reuse is greatly amplified by the use of poor quality passwords. If I can guess your password, and you use the same password everywhere, then all I have to do is learn one password to cause considerable harm. It turns out that computers are very, very good at guessing passwords. So, what is a good password and what is a bad password?

Let’s start with bad passwords. A word is a bad password. There are about a million words in the English language. It doesn’t take a computer long to try all of the words in an attempt to guess a password that is a word. Names are words. Words with a short number at the end, less than 4 digits, are generally bad, and when you just increment the number at each password change it becomes a terrible password. Words with special characters substituted in, such as @pple or dollar$, are not good since they are effectively a single word and the bad guys know to check these minor modifications. Dates tend to also be pretty bad passwords. Birthdays, anniversaries, and holidays are all easy to guess based upon public information and personal information that you might not think is public or in the possession of criminals. Assume that all of the bad guys know your social security number, your birthday, your entire immediate and extended family’s birthdays, your anniversary, and your pet’s names. Short passwords are also bad passwords. No matter what special characters you use, an 8 or 10 character password is not hard to crack for an attacker who has obtained the password hashes and can guess offline at full speed.

The reason you need a long password is that it makes it take too long for a computer to guess it. A computer can crank through trillions of guesses in a reasonable amount of time, so a password whose entire set of possibilities is only a few trillion will fall unless you change it very, very frequently. If you have to use a short password because a social networking site doesn’t understand security, or for other reasons, then it becomes important to use upper and lowercase letters, numbers, and other characters. If you can use a long password it is far less important that the password is complex. Here is the reason why. There are about 5.4 trillion possible combinations of lowercase letters in a 9 character password (26 to the 9th power). There are about 630,000 trillion combinations possible for a 9 character password that can contain upper and lowercase letters, numbers and the special characters on a keyboard (95 to the 9th power). When you get to a 15 character password there are more than 1.6 billion trillion combinations of lower case letters alone (26 to the 15th power)!

A 15 character password, that is not a single word, is far better than any 9 character password, no matter what characters you use in it. It will take even a very powerful computer a while to crank through 1.6 billion trillion possible passwords, and although the attacker can stop as soon as a guess is right, on average that still means searching half of them. A 15 character password with letters and numbers is even better. One of the most unfortunate things about passwords is that there has been so little education about how to make a good password that is also fairly easy to remember. So, I’ll give you some tips for making memorable passwords. A birthday may be a bad password all by itself, but it can be a part of a good password. Consider the following.

I was born on 4/17/60

At 21 characters (and yes, you often can use spaces) this password is very strong and I can remember my birthday. OK, the password is not strong because I have published it, but it was once a good password. “Ilove2eatchocolate” is a fine password and easy to remember. “Rover is my dog’s name” is a strong password. One of my favorite tricks is to use math. No, I never really much enjoyed math, but it has its place. Can you remember “3 Hundred + 5 = 305”? Perhaps “4000*seven=28000”? “1Hundred+200=300”? “One hundred times 5 = zero”. As long as you will remember it, you can use the wrong answer to the equation! There are an infinite number of wrong answers to any equation.

No matter how long you make a password, it can eventually be cracked. If you use a strong password and change it every three to six months, then by the time a computer can guess what the password is you will have changed your password, and knowing the old password will be useless. If you use the same weak password in multiple places you have virtually no security. If you must use a short password, then it becomes more important to use uppercase, lowercase, numbers and symbols, and to change the password at least every 3 months or so.
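The keyspace arithmetic above, and the point that a spelling like @pple or dollar$ is still just one dictionary word, can be checked with a short script. The following is an added example written for this page; it is not a tool from the original tip or from ESET. The guess rate of a trillion per second and the six-word WORDLIST are assumptions standing in for an attacker’s real hardware and real wordlists.

```python
import math
import re

# Constructed stand-in for the million-word dictionary a cracker loads (assumption).
WORDLIST = {"apple", "dollar", "rover", "password", "chocolate", "summer"}

# Substitutions crackers undo automatically: "@pple" is still "apple".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Assumed offline guessing rate; the real figure depends on the hash and hardware.
GUESSES_PER_SECOND = 1e12


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must assume, given which character classes
    appear in pw (lowercase, uppercase, digits, other printable characters)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # space plus the other printable ASCII symbols
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alphabet ** length


def dictionary_weakness(pw: str):
    """Undo the usual mangling (case, short trailing number, leet, punctuation)
    and report whether what is left is a plain dictionary word."""
    core = pw.lower()
    core = re.sub(r"\d{1,3}$", "", core)   # "rover12" -> "rover"
    core = core.translate(LEET)            # "@pple" -> "apple", "dollar$" -> "dollars"
    core = re.sub(r"[^a-z]", "", core)     # drop leftover punctuation
    for candidate in (core, core.rstrip("s")):
        if candidate in WORDLIST:
            return f"{pw!r} is just the dictionary word {candidate!r}"
    return None


def assess(pw: str) -> dict:
    """Brute-force cost of a password next to any dictionary-based weakness."""
    space = keyspace(len(pw), charset_size(pw))
    return {
        "length": len(pw),
        "alphabet": charset_size(pw),
        "keyspace": space,
        "bits": math.log2(space),
        # On average the attacker has to search half the keyspace.
        "years_to_crack": space / 2 / GUESSES_PER_SECOND / (365 * 86400),
        "dictionary": dictionary_weakness(pw),
    }


if __name__ == "__main__":
    for pw in ("@pple", "dollar$", "Rover12", "Abc$12345",
               "myparentsmetinnineteen", "I was born on 4/17/60"):
        r = assess(pw)
        print(f"{pw!r:26} len={r['length']:2} bits={r['bits']:6.1f} "
              f"years={r['years_to_crack']:.2e} {r['dictionary'] or ''}")
```

Run it and the 22-letter lowercase phrase comes out with far more bits than the 9-character mixed password, while @pple and dollar$ are flagged as one word each regardless of their symbols.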

For some more really good tips on passwords I recommend a book by Mark Burnett called “Perfect Passwords”. Jesper Johansson formerly with Microsoft also has some excellent advice at http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx.

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Tools of the Trade (Autoruns)

Last week I wrote about a cool little utility (program) called ESET SysInspector. This week I’ll highlight another really cool diagnostic program called Autoruns.

Autoruns is one of many free programs in the SysInternals suite of programs. SysInternals was an independent project that was eventually bought by Microsoft. The utilities have long been regarded as some of the best Windows programs in their class, and at “free” you can’t complain about the price.

When a computer gets infected, the malicious software (malware) will usually try to position itself to start when the computer is booted. This allows the malware to embed itself quite deeply in the system, making it difficult to find and remove. A lot of people know about the run key in the Windows registry, but there are many other places that malware can hide and be caused to launch at or near boot time.

Autoruns shows you all of the locations that a program may reside in to be automatically started. This is not a tool for the faint of heart as it contains a ton of details, but it is very valuable for diagnostics. As is the case with SysInspector, the results can be saved and sent to an expert user to help diagnose the problems. Like SysInspector, it takes a little time for Autoruns to inventory the system, but after doing so, the file menu has an option to save the log file or export it. If you need help from an expert, the SysInspector log, the Autoruns log, or both come in really handy. Both programs are easy for a novice to run and provide essential information that a skilled user needs to effectively diagnose problems.

Autoruns can also disable certain programs to help clean the computer. This is not always effective, but can be quite useful. If you are a novice aspiring to learn more about the nitty gritty of your computer, the tool can be a great resource to help you learn what to learn more about. Autoruns shows a lot more than just the locations that automatically start programs. For example, the registry keys for little programs called “Browser Helper Objects” (BHOs) that add functionality to Internet Explorer are also displayed. BHOs are often abused by adware and spyware. In addition to BHOs, Autoruns provides registry locations for AppInit, KnownDLLs, Winlogon, Winsock Providers, Print Monitors, LSA Providers, Network Providers, Logon, Explorer, Internet Explorer, Scheduled Tasks, Services, Drivers, Boot Execute, and Image Hijacks. That’s a lot of really technical stuff. You don’t have to understand all of it to get some excellent use from the tool.

You can learn more about this program at http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx. The article also links to another article describing some of the advanced usage of Autoruns. It also contains a link to a forum where you can get help with the program, and there is also a link to download the program. I would provide the link, but I never teach bad computing habits. Always get your software directly from the developer’s website. If you search for Autoruns you will have many hits and many places that claim you can download it from them. I recommend that you always go to the Microsoft site to get the most current version of Autoruns, and to know you are getting a legitimate copy. Another site may be a hacked copy that will actually infect your computer! You do not have to register or provide any personal information for this program.

Along with ESET SysInspector, Autoruns is a must-have in the techie’s toolkit. It’s not just a program, but an education as well!

If you have any questions about this Tech Tip or any general security questions, feel free to email me at askeset@eset.com

Randy Abrams
Director of Technical Education
ESET LLC

 

Tools of the Trade (SysInspector)

Problems with computers are a fact of life.  Diagnosing exactly what is wrong, however, can be a challenge.

There are a number of tools that can help a skilled user resolve problems, or help an unskilled user provide information that a skilled user can utilize to assist. In this week’s Tech Tip I’ll start with a tool that ESET provides for free. In the coming weeks I’ll talk about programs other vendors provide.

Many people are aware of a program called “HijackThis”. HijackThis was created by a Dutch programmer named Merijn Bellekom to help rid people of spyware. It would inventory a computer and report everything that was on it. The log file was very useful for tech support and other skilled users to identify what bad software was on a computer. For a long time this was one of the diagnostic tools that many antivirus vendors used when assisting customers who had undetected malware on their computer. When the program was sold to antivirus vendor Trend Micro, it presented a conflict of interest to send users to a competitor, so other solutions were developed.

ESET’s response is a free program called “SysInspector.”

ESET SysInspector is an advanced utility that is easy-to-use, intelligent, thorough, and free of charge. ESET SysInspector helps technical support, network administrators and first responders by providing a detailed snapshot of an ailing system - much like an MRI image is used by doctors to gain greater insight into health problems undetected through visual inspection.

So what’s the difference?  Where HijackThis gave a report of what was running on a system, SysInspector adds some unique and helpful features, such as:

* Option to exclude private, personal information from being saved in logs

Some of the information included in log files may be of a private nature that a user might not wish to divulge. The ability to send a log that excludes much of the information that may be considered private is quite useful to some people.

* Integrated Anti-Stealth technology allows discovering hidden objects (e.g. rootkits) in Master Boot Record, registry entries, drivers, services and processes

In the age of rootkits, it has become much more difficult to identify all of the programs running on a computer. The anti-stealth technology uncovers information that rootkits would normally hide from such programs. This can be essential in identifying the source of problems.

* Ability to compare two existing logs for differences makes it easy to detect changes over time

This is pretty self-explanatory. If you can track what has changed over time, then the amount of data you need to be concerned with becomes much more manageable.

* Log entries are assigned a color code risk level for easy filtering

A normal computer has a lot of things running and installed. The vast majority of programs, processes, and registry entries are perfectly legitimate. By allowing a user to filter out the things we are sure are not a problem, the task of finding the bad stuff becomes much more manageable.

* Intuitive hierarchical navigation of logs

When dealing with massive amounts of information, organization is critical. Skilled users know where to begin looking for problems. Their task is compounded if the information is not logically organized.

* Fast and compact single file executable, ideal for first responders to run from a USB drive without lengthy installation

This is a big feature. SysInspector is a standalone program that does not require additional components, such as the Microsoft .NET Framework, Visual Basic runtime DLLs and so on. You don’t want to clutter the hard drive with even more files and registry entries when you already have a huge pile of data to sift through.

Because the program has to inventory the entire system, it can take a little while to finish running, but after that, there is a wealth of useful information to help resolve problems caused by hard-to-find spyware, adware, bots, and other malicious programs.

You can obtain a free copy of ESET SysInspector at http://www.eset.com/download/sysinspector.php.

I would ask that you do not share copies of the program with other people, and I ask this for one reason: it is a best practice to always obtain programs from a reputable developer. Sharing executable files is a bad habit to get into, and definitely not a best security practice. Whenever I come across a really cool program that I think another person would find useful, I tell them where they can download it for themselves!

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Antivirus Testing

Many people look to antivirus tests for assistance in deciding which product is “best.” The history of antivirus testing is filled with truly gross incompetence and most of the tests are more beneficial to marketing than to users. There are very few exceptions. I recently had a conversation with someone who thought that because a lab was ISO 9001 certified it meant that the test results could be trusted. The truth about ISO 9001 certification is that it tells you processes are documented and followed, but speaks nothing to the quality of the good or service produced.  You can document a process to reliably produce garbage and be ISO 9001 certified.

Even the best tests out there have limitations. For antivirus products the most respected tests and certifications are done by a small group of companies. Virus Bulletin (www.virusbulletin.com) is the oldest, most respected, and most scientifically valid testing organization, but the testing covers a small subset of the things we expect products to detect. Still, it is a test that all of the companies know the answers to in advance and should thus pass the test virtually every time.

ICSA Labs (http://www.icsalabs.com/icsa/main.php?pid=b31a$6140dfe3-4a851ebd$eaa4-72b) has been around for quite a while and they certify security products for a number of criteria. A key difference between ICSA Labs and Virus Bulletin is that with the Virus Bulletin VB 100 award a company has to pass the first time… there are no retries for each test. With ICSA Labs if a company fails, they get a retry. ICSA also uses a limited set of threats.

West Coast Labs (http://www.westcoastlabs.com/), like ICSA Labs, is also a respected organization that certifies security products. As is the case with Virus Bulletin and ICSA Labs, the test sets are fairly limited, but testing is competently performed.

AV-Test.org and AV-Comparatives.org are pretty well respected and use massive test sets, but with that comes some problems. There isn’t time to check all of the samples, so most of the tests include files that shouldn't be included in the test. This can result in rewarding products that generate false positives, while penalizing others who correctly identify the file as uninfected.   Even with the massive test sets of a million or more samples, the tests contain far fewer threats than actually exist.  The combination of garbage files and limited sample size can skew results by 10% or more. 

No one test will tell you what product is best. The only way to determine that is to look at the history of test results from a variety of organizations. You want a product that consistently performs well across the board. All products will have tests in which they underperform on occasion, but the measure of a quality antivirus product is the ability to consistently place near the top in many different tests.  You wouldn’t pick a stock based upon a one-day performance. The same goes for security products. History is the critical element in evaluating the products you are considering.

If you have any questions about this Tech Tip or any general security questions, feel free to email me at askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

The Duke of URL (Part 3)

Aside from the tricks I have shown in the past couple of tech tips, there are also some other aspects of URLs that are worth noting.

Did you know that http://www.%6D%69%63%72%6F%73%6F%66%74.com is the same thing as http://www.microsoft.com? Any character can be written as %## using its two-digit hexadecimal code, and a web browser decodes it; %20, for example, is the encoded form of the space character. Using these codes is another way people are sometimes tricked, because the real domain name is no longer readable at a glance. This technique does not always work correctly with Firefox, but in most cases it will.

A phishing site that attacked Bank of America customers included the following as part of its URL:

/images/treatments/bankofamerica_1_%5b1%5d.com.zip

This would normally display as /images/treatments/bankofamerica_1_[1].com.zip

bankofamerica_1_[1].com.zip is the name of a file that was downloaded by victims of the phishing attack. This was an unusual example in that the use of the hex codes may have actually made the deception less effective. Using “.com.zip” was probably intended to make people think that it was a Bank of America web site, but the use of the hex codes possibly made the “.com” less obvious.

The codes are also useful for legitimate purposes. Sometimes spaces and other special characters may be interpreted different ways by different programs, but their hexadecimal (hex) representation is more widely uniform. Interoperability is at least part of the reason why the hex notation is supported.

Do you ever have email problems where a URL is wrapped (put on two lines) and so it doesn’t work correctly? Usually it will look something like this

http://smokeys.wordpress.com/2008/11/30/matousec-and-his-firewall-challenges-hall-of-shame-2008-awardee/

You click on the link and usually get a page not found error or the wrong page. The way to make sure that doesn’t happen to the links you share, at least in email, is to put the link in angle brackets < >

<http://smokeys.wordpress.com/2008/11/30/matousec-and-his-firewall-challenges-hall-of-shame-2008-awardee/>

Another trick with URLs is something called “redirects.” Redirection is both a feature and a vulnerability. Redirection allows one web site to send you to another. This is handy for advertisers, but even more useful to phishing attacks. Google has historically been one of the most abused sites for redirection. Most companies that care about security do not let their web sites be used for redirection by unauthorized people. Here is an example of a URL that used redirection. I have modified it slightly from its original form since it was a real phishing link.

http://www.google.com/url?q=%68%74%74%70%3a%2f%2fh36.net33.rxvtf.us/images/logon/user.htm

This URL uses both hex characters and Redirection!!! If we “translate” the hex the URL looks like

http://www.google.com/url?q=http://h36.net33.rxvtf.us/images/logon/user.htm

The browser will take you to the second part of the URL, the http://h36.net33... part. If Google didn’t let the phishers use google.com to deceive users, the attack wouldn’t work.

We’ll finish up this part of the “Duke of URL” series with one final URL trick. There may be more on URLs in the future, but for now this is the last in the series.

Tinyurl (www.tinyurl.com) is a web site that lets you convert long URLs to short ones. It is really handy, but it also masks where the web address really is.

http://tinyurl.com/co28a4 is really a link to:

http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_January_2009.pdf, which is a PDF file.

This can be really handy, but can also be abused by the bad guys to hide the fact that they are trying to make you open a document or a picture, etc. 

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

The Duke of URL (Part 2)

Last week I provided a little information on URLs and why you need to understand a bit about them. This week let’s take a look at some real examples of how they are used in phishing attacks and for fake ecards that are used to install malicious software (malware) on your computer.

The most common trick involves showing you a real URL, but what you see is not what the URL really is. The reason this works is that the visible text of a link can be anything; it does not have to match where the link points. If you click on http://www.eset.com you would expect to be taken to the ESET web site, but in this case it simply takes you to http://www.sdchamber-members.org/TechTip.htm If you hold your mouse over the link it will show you where the link really points to. Here is an example of how this technique was used in a fake Chase bank email.

You can see the link really points to http://211.148.143.130/credit_card_online/chase(sm)index.html/.

If you remember from last week, the 211.148.143.130 is the web site. The rest of the link has nothing whatsoever to do with Chase. Links to email addresses and to websites can be spoofed in this manner, so always be sure to look at the URL in your browser’s address bar to be sure the link took you where you intended to go.

Here is another example of URL trickery.

http://219.95.137.132/https:3DSecureCard.wamu.com/?enroll=EwNj5vsz87RT

http://219.95.137.132/ was the actual website. https:3DSecureCard.wamu.com/?enroll=EwNj5vsz87RT is the path of a page on that site, which has nothing to do with WaMu (Washington Mutual) other than being part of a phishing attack against Washington Mutual’s customers. The “https:” inside the path does not make this an https (secure) URL. It was only put there to trick people into thinking it is a Washington Mutual web page. If you understand a little about URLs this trick becomes obvious.

Here is an example that shows trickery in the email sender’s name and URL. This is a typical fake eCard.

Notice the sender’s name says “AMERICANGREETINGS”, but the email address is Terra@nimbler.net. The email address is clearly not from AmericanGreetings.com! Additionally, the link that purports to be at americangreetings.com is a façade and actually takes the victim to a web page at http://americangeetingsc.org.

This is a nasty trick for two reasons. First of all at a quick glance you might not notice the letter c at the end of americangreetings, so it appears to be americangreetings at a casual glance. Secondly, the .org is a different site than .com. Not all companies that own a .com web site also own the same .org web site.

Another variation on this trick is the use of transposed letters. www.myspace.com is not the same as www.mysapce.com! The bad guys actively register web sites with these transposed letters so as to trick people into believing they are going to a different web site, or to catch people when they make a typing error while entering a URL manually. My favorite personal example of this type of mistake was when I accidentally typed www.untied.com when I was trying to go to the United Airlines web site. Untied.com is actually a site where people complain about United Airlines.

If you are going to stay safe online, you really need to pay attention to email addresses and URLs. The details really do matter!

If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

 

The Duke of URL (Part 1)

If you haven’t already, it is time for you to command a little knowledge of the subject “Uniform Resource Locator”, often simply called “URL”. URLs are the friendly names for the locations of web pages. Just like when someone asks you where the airport is, “The airport” is a friendly name for an address that defines a specific location.

HTTP://www.eset.com/ is a URL that describes the address 72.3.254.86. You can type 72.3.254.86 into your address bar in your browser and it will take you to http://www.eset.com.

So, why do you need to know more about URLs? The reason is that tricks can be played with URLs to fool people into going to phishing sites and fool them into thinking things are not what they really are.

A normal URL looks something like this:

http://www.eset.com/podcasts/. The http:// tells the browser what protocol to use, and everything between the “//” and the next forward slash “/” is the website. The part after that forward slash tells the location of the web page on the website. How can I use this to trick you? There are a few ways.

The username and password trick is one of the oldest.  If you go to a web site that requires a username and password, you can put those into the address bar as well. The format is http://USERNAME:PASSWORD@www.eset.com.

(The following are examples. Clicking them may take you to search engines. I recommend you don’t click them)

 So, I want to trick you into coming to my fake web site that you are supposed to think is the Bank of America. I send you a link to

http://www.BankOfAmerica.com:FraudPrevention@www.BaknOfAmerica.com/securelogin.php

If we break this URL up into parts here is what it really says.

www.BankOfAmerica.com:FraudPrevention@ is the username “www.BankOfAmerica.com” and the password for that user is “FraudPrevention”. www.BaknOfAmerica.com is the actual website and has nothing to do with the Bank of America. The part “/securelogin.php” is the web page that the link is supposed to take you to if this link actually worked at all. The whole point is to trick you into thinking you are going to a legitimate Bank of America web site when you are not. Generally this type of attack comes in an email telling you that you need to log in to solve a problem with your account or to get paid for a survey. The page you end up at will ask for account information so a criminal can use your credit card, empty your checking account, or steal your identity for a variety of purposes, such as obtaining more credit in your name.

Microsoft removed the username:password@ syntax for http and https URLs from Internet Explorer in a 2004 security update for Internet Explorer 6 SP1 (described in Microsoft KB 834489), so Internet Explorer 7 does not honor it either, but ftp URLs still accept it. Ftp means File Transfer Protocol. An attack using ftp would generally download a file to your computer.

Here is another trick to get users to think they are going to a legitimate web site.

http://www.a.com/www.BankOfAmerica.com/FraudPrevention.html

Notice that the actual website is www.a.com and has nothing at all to do with the Bank of America or fraud prevention!!! The part after http://www.a.com/ is www.BankOfAmerica.com/FraudPrevention.html and this specifies a specific web page on www.a.com. 

In the coming weeks I’ll explore this topic more fully and show you some examples of how the bad guys are using these tricks for phishing attacks and to install viruses and Trojan horse programs on your computer.

It isn’t very hard to learn just enough to protect yourself without having to understand all of the technicalities of URLs.
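The three parts of this series come down to one habit: find the part of the URL the browser will actually connect to, and treat everything else as decoration. The following script is an added example written for this page, not from the original tips or from ESET. It applies the rules from Parts 1 to 3 to the URLs quoted in them: it splits the URL first and decodes %xx escapes per component (the way a browser does), separates the username:password@ part from the real host, pulls a second URL out of a redirect parameter such as Google’s q=, and flags a domain name that appears only in the path or the username. The short top-level domain list in DOMAINISH is an assumption for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Text that looks like a domain name, used to spot "www.bank.com" hidden in
# a path or a username part. The TLD list is deliberately short (assumption).
DOMAINISH = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:com|net|org|us)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def analyze_url(raw: str) -> dict:
    """Work out where a link really goes and which of the tricks it uses.

    Split first, decode %xx escapes afterwards: %2F inside the path must not
    become a new path separator, but %6D in the host still reads as 'm'."""
    parts = urlsplit(raw.strip())
    host = unquote(parts.hostname or "").lower()      # what the browser connects to
    userinfo = unquote(parts.username) if parts.username is not None else None
    path = unquote(parts.path)

    # Open-redirect pattern: a query parameter carrying a complete second URL.
    redirect_to = None
    for values in parse_qs(parts.query).values():     # parse_qs %-decodes values
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                redirect_to = (urlsplit(value).hostname or "").lower()

    flags = []
    if userinfo is not None:
        flags.append("userinfo")        # "bank.com:password@" in front of the real host
    if redirect_to:
        flags.append("redirect")        # the site only forwards you somewhere else
    if IPV4.fullmatch(host):
        flags.append("ip-host")         # bare numeric address instead of a brand's domain
    decoy = DOMAINISH.search(f"{userinfo or ''} {path}")
    if decoy and decoy.group(0).lower() != host:
        flags.append("domain-in-path")  # domain-looking text that is not the host

    return {"host": host, "userinfo": userinfo, "redirect_to": redirect_to,
            "final_host": redirect_to or host, "flags": flags}


if __name__ == "__main__":
    # URLs quoted in the three Duke of URL tips (phishing links; do not visit them).
    SAMPLES = [
        "http://www.%6D%69%63%72%6F%73%6F%66%74.com",
        "http://www.google.com/url?q=%68%74%74%70%3a%2f%2fh36.net33.rxvtf.us/images/logon/user.htm",
        "http://211.148.143.130/credit_card_online/chase(sm)index.html/",
        "http://219.95.137.132/https:3DSecureCard.wamu.com/?enroll=EwNj5vsz87RT",
        "http://www.BankOfAmerica.com:FraudPrevention@www.BaknOfAmerica.com/securelogin.php",
        "http://www.a.com/www.BankOfAmerica.com/FraudPrevention.html",
    ]
    for url in SAMPLES:
        r = analyze_url(url)
        print(f"{r['final_host']:26} {','.join(r['flags']) or 'no tricks':24} {url}")
```

The “final_host” column is the one to compare against the brand the message claims to be from; for the Google link it is the rxvtf.us site, not google.com, because the redirect target is where you end up.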

For questions on this or other security topics, feel free to contact me at askeset@eset.com

 

Randy Abrams

Director of Technical Education

ESET LLC

 

Get Rid of Auto-Infect

It is the longest standing un-patched Microsoft vulnerability and Microsoft calls it a “feature”. Microsoft calls it “autorun”, I call it “auto-infect”.  The idea of autorun is to attempt to make it so that a person can use a computer with a minimum amount of knowledge. This emphasis away from education is part of the reason why cybercrime is so effective and so widespread. The way autorun works is that when you use removable media, such as a USB key, a CD, etc., Windows will automatically look for a file called “autorun.inf” and if it is there then Windows will do what the file says to do. The idea was that a user doesn’t have to know how to double click on setup.exe, they just put a CD or USB key in and the program runs itself. The problem is that the bad guys know that and often use autorun to install malicious software as soon as a USB drive is plugged in.
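To see what an autorun.inf would make Windows do, it helps to read the file the way Windows does. The following is an added example written for this page, not part of the original tip or of ESET’s tools. The embedded autorun.inf is constructed, not a real sample, but it is in the style USB worms drop: the AutoPlay “open” action and the Explorer context-menu verbs all point at an executable in a hidden RECYCLER folder, and the “action=” line copies the wording of Windows’ own “Open folder to view files” entry so the victim clicks it out of habit. The script lists every command the file could cause Windows to run.

```python
import re

# Constructed sample (not real malware) in the style dropped by USB worms.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\S-1-5-21-1482476501\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501\\update.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1482476501\\update.exe
UseAutoPlay=1
"""

# Keys whose value Windows may execute directly when the media is inserted.
LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.I)


def parse_autorun_inf(text: str) -> dict:
    """Minimal INI reader returning {section: [(key, value), ...]}.

    Keeps duplicate keys and their order instead of using configparser,
    because the Windows INI reader tolerates files configparser rejects."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_commands(text: str) -> list:
    """Every (key, command) pair Windows could run for this media: open=,
    shellexecute=, and each shell\\<verb>\\command= context-menu entry."""
    return [
        (key, value)
        for key, value in parse_autorun_inf(text).get("autorun", [])
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def is_suspicious(text: str) -> bool:
    """True if the file would launch an executable from the media itself."""
    return any(EXECUTABLE.search(cmd) for _, cmd in launch_commands(text))


if __name__ == "__main__":
    for key, cmd in launch_commands(SAMPLE_AUTORUN_INF):
        print(f"{key:24} -> {cmd}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```

A legitimate autorun.inf that only sets icon= and label= produces no launch commands at all; one that runs anything from the removable media is worth a closer look before the drive is opened on a machine where autorun is still enabled.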

In 2008 more than 1 out of every 15 threats we detected were using autorun.inf to help infect users. In January, nearly 1 out of every 10 threats we detected at ESET used autorun. Microsoft does not provide a truly effective solution for disabling autorun, and the partial solution they suggest is cumbersome. My friend, Michael Horowitz, who blogs at http://blogs.computerworld.com/horowitz, recently shared a real solution with me. You can read more about it on his blog from January 30th (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives). The fix works with XP and Vista.

Here’s where it gets a little bit techie. The fix involves creating a registry key. Michael provides a link to a program to do this on his blog, but I’ll tell you how to create the file here.

You need to use something like Notepad, or if you use Word, then you must save the file as a plain text file, not a document. The file extension must be .reg. Alternately, you can create the registry key by hand if you are so inclined.

Here are the contents of the registry file. You can copy and paste everything between the dashed lines into your file. You might name it noautorun.reg, but the name isn’t as important as the final extension.

Please note, the second line wraps, but it is really a single line.


--------------------------------------------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"

--------------------------------------------------------------------------------------

When you create and then run the registry file it creates a key called Autorun.inf under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping. The default value of that key (the @= line in the file) is @SYS:DoesNotExist.

For extra security you can go to the new autorun.inf key and set some special permissions. I go into the special permissions, add “everyone” and then deny all access except to read and query the key. This should prevent malicious software from changing the value of the key in almost all cases.

The Microsoft solution is ineffective and breaks Windows Media Player. When you use Microsoft’s solution, each time you change a CD for Media Player you have to close and re-open Windows Media Player for it to recognize the new disc. With the solution I am suggesting, Windows Media Player still recognizes when you change a disc.

Giving credit where it is due, a guy named Emin Atac came up with this approach. There are few known side effects of this approach and none are as bad as the side effects of allowing auto-infect, er… autorun.

To undo the modification you can manually delete the key that was created, or use the same reg file, but place a minus sign in front of the second line… right before [HKEY….
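As an added example (my own code, not Michael’s program or anything from the column), the script below writes out both the noautorun.reg file shown above and its undo variant, and includes a small REGEDIT4 reader you can run over a .reg file before importing it to confirm exactly which key it creates or deletes. It only inspects text; it never touches the registry, so it runs anywhere. One detail worth knowing when you build the undo file by hand: Registry Editor treats a key line as a deletion when the minus sign sits inside the square bracket, directly before HKEY_LOCAL_MACHINE. The function names and the 'default' label for the @ value are assumptions of this example.

```python
# Key the column's noautorun.reg file creates, and its default value.
NOAUTORUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                 r"\CurrentVersion\IniFileMapping\Autorun.inf")
NOAUTORUN_VALUE = "@SYS:DoesNotExist"


def build_noautorun_reg(undo: bool = False) -> str:
    """Text of the .reg file: the fix itself, or the variant that deletes the key."""
    header = "REGEDIT4\r\n\r\n"          # .reg files use Windows line endings
    if undo:
        # A leading minus inside the bracket tells Registry Editor to delete the key.
        return header + f"[-{NOAUTORUN_KEY}]\r\n"
    return header + f"[{NOAUTORUN_KEY}]\r\n" + f'@="{NOAUTORUN_VALUE}"\r\n'


def parse_reg(text: str):
    """Minimal REGEDIT4 reader. Returns (created, deleted).

    created maps key -> {value name: string value}; the @ value is stored
    under the name 'default'. deleted lists keys the file removes.
    Only plain string values are understood, which is all this file needs.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    created, deleted, current = {}, [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue                        # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                deleted.append(key[1:])     # [-KEY] deletes the key
                current = None
            else:
                current = key
                created.setdefault(key, {})
            continue
        if current is None:
            raise ValueError(f"value outside any key section: {line}")
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed value line: {line}")
        name = "default" if name == "@" else name.strip('"')
        created[current][name] = value.strip('"')
    return created, deleted


def autorun_blocked(reg_text: str) -> bool:
    """True if importing this file installs the IniFileMapping redirection."""
    created, _ = parse_reg(reg_text)
    return created.get(NOAUTORUN_KEY, {}).get("default") == NOAUTORUN_VALUE


def autorun_fix_removed(reg_text: str) -> bool:
    """True if importing this file deletes the key again."""
    _, deleted = parse_reg(reg_text)
    return NOAUTORUN_KEY in deleted


if __name__ == "__main__":
    for undo in (False, True):
        text = build_noautorun_reg(undo)
        print(text)
        print("blocks autorun:", autorun_blocked(text),
              "| removes fix:", autorun_fix_removed(text))
```

Importing the generated file still requires administrator rights on the Windows machine; the script only produces and checks the text.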

General security questions and suggestions for topics for this column can be submitted to askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

 

The Cone of Silence

You have security software, but do you listen to it? One of the most overlooked aspects of security is auditing. Everything from Windows to your antivirus software logs a variety of activities. Sometimes the applications are screaming for attention, but almost as comically as the cone of silence in the old “Get Smart” TV show, nobody hears anything at all.

I was recently reminded of this when I visited the logs of my antivirus product. I discovered that somehow a setting had been changed and my virus samples arriving via email were being deleted. Fortunately this had only been happening for two days, but if I hadn’t checked my logs it could have gone undetected for a long time.

Oftentimes the logs will reveal situations that need attention. The event viewer in Windows can reveal a variety of problems that may be impacting system performance. The antivirus logs can reveal changes in settings, abnormal levels of detection, or that something is not working at all. Firewall logs can reveal potential intrusions, data leaving your site, and so on.

Testing is also important. By testing your security products and verifying that the logs contain the expected information, you can ensure your security software is functioning properly. For antivirus software it can be very dangerous to test with real viruses, but there is a safe way to test. Many years ago the EICAR test file was created so that users could verify their antivirus software is functioning. Some people call this the EICAR test virus, but the file is not a virus at all and has no harmful properties.

You can download the file in a variety of formats from http://www.eicar.org/anti_virus_test_file.htm. You can also create the file by pasting the following into a text file:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Use Notepad, because RTF, Word, PDF and other document types are not really plain text files; they contain other program information. The EICAR test string has to be the first thing in the file or it should not be detected.

Detection of the test file does not say anything at all about the quality of a product. It is possible to write a program that detects EICAR and nothing else. The test file is simply used to verify that your antivirus product is functioning at all. This file is a safe and simple way to make sure that something hasn’t disabled your protection. There are some more advanced types of tests that can be done with the file, such as determining what compression types your scanner supports, and how many layers of recursive compression are supported. You can email the file to yourself to see if your email scanner is working.

Once you see the results, be sure to check the log files to ensure that the desired action was taken. You might think you have your scanner set to quarantine infected files, but check your logs to verify that, even after detection, the proper action is taken.
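The two checks this section asks for, that a settings change shows up and that each detection resulted in the action you configured, are easy to automate once the log is in a parseable form. The following is an added example of my own, not a tool from ESET or the column: the log lines are constructed in a made-up "date time key=value" layout (real products use their own formats, so the parser would need adapting), and the scanner names and function names are assumptions. It reports detections whose action differs from the expected one, any settings change, and any scanner that has never logged a detection, which is the case the EICAR file exists to exercise.

```python
import re

# Constructed sample antivirus log; not the output of any real product.
SAMPLE_LOG = """\
2009-02-10 08:12:01 scanner=email threat=EICAR-Test-File object=inbox/msg0041.eml action=quarantined
2009-02-10 08:12:05 scanner=email threat=EICAR-Test-File object=inbox/msg0042.eml action=deleted
2009-02-11 09:00:00 event=settings_changed setting=email.infected_action old=quarantine new=delete
2009-02-11 10:30:00 scanner=realtime threat=EICAR-Test-File object="C:\\Users\\randy\\eicar.com" action=quarantined
"""

# key=value pairs; values may be quoted so that paths with spaces survive.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    """Split 'DATE TIME key=value ...' into a dict; None for lines that don't fit."""
    tokens = line.split(None, 2)
    if len(tokens) < 3:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(tokens[2])}
    rec["time"] = tokens[0] + " " + tokens[1]
    return rec


def audit(log_text: str, expected_action: str = "quarantined",
          scanners=("email", "realtime", "web")) -> list:
    """Return human-readable findings that need attention, in log order,
    followed by one line per scanner that never logged a detection."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec.get("event") == "settings_changed":
            findings.append(f"{rec['time']}: setting {rec.get('setting')} changed "
                            f"from {rec.get('old')} to {rec.get('new')}")
        elif "threat" in rec:
            seen.add(rec.get("scanner"))
            if rec.get("action") != expected_action:
                findings.append(f"{rec['time']}: {rec.get('scanner')} scanner did "
                                f"'{rec.get('action')}' on {rec.get('object')}, "
                                f"expected '{expected_action}'")
    for name in scanners:
        if name not in seen:
            findings.append(f"no detection ever logged by the {name} scanner; "
                            f"send it the EICAR test file and check again")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the audit flags the deleted message, the configuration change that explains it, and the web scanner that has not been exercised at all. Adjust `expected_action` and `scanners` to match your own product’s settings.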

Deploying security software is only part of safe computing. You still need to listen to what it has to say and verify that it is working as expected.

General security questions and suggestions for topics for this column can be submitted to askeset@eset.com.

Randy Abrams

Director of Technical Education

ESET LLC

_________________________________________________________

Do You Want to Know a Secret?

New year, new administration…new password?   Since I’ve long held that passwords need to be changed from time to time, perhaps a reminder is in order.

There are a few key ingredients to great passwords. One of the most important aspects is that passwords need to be changed from time to time. Even with an excellent password there is the possibility it could fall into the wrong hands. Changing your password from time to time limits the amount of exposure if your password is surreptitiously acquired. 

Good passwords are also strong. There are some misconceptions about what makes a great password and even how to handle them. The length of the password is far more important than the number of funny characters you put in it. You might think that X1@5#.rQz is a better password than “Listen, Do You Want to Know a Secret”, but the truth is that the line from the Beatles song will keep your secrets far more secure than X1@5#.rQz. Where the special characters matter is when the password length is very limited. If all you have is 8 characters, or even 15, be sure to use numbers, upper and lower case letters, and special characters like #$%^, and so on. Also, remember that the space character is valid for most passwords. Some web sites will not allow good passwords, so you need to change those more often. When you change a password, incrementing a number is not a good idea… it is too easy to guess. 

Another important aspect of a good password is secrecy. If your secret is “I’m in love with you” and you tell the world, as the Beatles did, then the password is useless. Nobody should ever be asking you for your password. An interesting trick to get people to reveal their passwords is when a person calls, claims to be from helpdesk, and asks the user to change their password to one provided by “helpdesk”. If you change your password to one that someone told you to change it to, then you have revealed your secret. 

It is also important that you do not use the same password for multiple things that are important. For example, your banking account and your computer log on should not share the same password. This is for damage control. Identity theft is much easier for the bad guys when one password buys them the keys to the kingdom.
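The three rules in the paragraphs above (length beats character variety, don’t just increment a number when you change a password, don’t reuse one across important accounts) can be turned into a checker. Below is an added example of my own, not anything from the column or from ESET. It scores a password by the size of the brute-force search space an attacker would face, which is a rough upper bound rather than true entropy (a song lyric is guessable by dictionary methods, so the number flatters it), and it rejects a change that only bumps a trailing number or reuses a password from the caller-supplied list. The 60-bit threshold and the function names are assumptions.

```python
import math
import re
import string

SYMBOLS = string.punctuation + " "          # space counts: it is valid in most passwords
TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space; an upper bound on strength, not entropy."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def differs_only_in_trailing_number(old: str, new: str) -> bool:
    """True for Secret2008 -> Secret2009, Secret -> Secret1, and the like."""
    mo, mn = TRAILING_DIGITS.match(old), TRAILING_DIGITS.match(new)
    if mo and mn:
        return mo.group(1) == mn.group(1)
    if mn and not mo:                         # a number was simply appended
        return mn.group(1) == old
    if mo and not mn:                         # or simply dropped
        return mo.group(1) == new
    return False


def check_password_change(old: str, new: str, other_passwords=(),
                          min_bits: float = 60.0) -> list:
    """Return the reasons a proposed password change should be refused (empty = fine)."""
    problems = []
    if new == old:
        problems.append("new password is the same as the old one")
    elif differs_only_in_trailing_number(old, new):
        problems.append("only a trailing number changed")
    if new in other_passwords:
        problems.append("already used for another account")
    bits = search_space_bits(new)
    if bits < min_bits:
        problems.append(f"too short or simple: {bits:.0f} bits of search space, "
                        f"want at least {min_bits:.0f}")
    return problems


if __name__ == "__main__":
    for pw in ("X1@5#.rQz", "Listen, Do You Want to Know a Secret"):
        print(f"{pw!r}: {search_space_bits(pw):.0f} bits")
    print(check_password_change("Secret2008", "Secret2009"))
```

The comparison in the column comes out as the text says: nine characters drawn from the full keyboard give roughly 59 bits of search space, while the 36-character lyric gives well over 200, even though it uses no digits at all.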

For general security questions, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

_________________________________________________________

Did Your Data Return From the Holidays?

I hope you all had a happy holiday season. Many of us travel for the holidays and take our work with us. A hotel business center can appear to be a convenient way to get a little work done while not having to lug around the laptop and accessories, but there are some hidden dangers to using business center computers.

There are a couple of significant risks associated with the use of business center computers. The amount of risk will vary depending upon how well the hotel or other business controls their computers. It is not uncommon for these computers to be fairly uncontrolled with outdated security software, or even fake security software on them.

One of the risks is that a criminal has installed malicious software that captures any usernames and passwords you might enter as you VPN into your company or log into your web-based email account. This type of attack is likely to go unnoticed, but occasionally it is reported.

A more common risk is associated with using Microsoft Office products on these computers. When you use Microsoft Word it stores a temporary copy of the document on the PC. Oftentimes this copy is not deleted when you finish. This means that if you are working on something confidential, the information is left behind for others to see. In one case I found a confidential document relating to US cyber-security on a hotel business center in New Zealand!

Hotels are starting to get better about security on their business center computers, but there are still many business center computers that allow anyone to install any software they wish. This practice makes it unsafe to even type in your password for a Yahoo, Windows Live, Gmail, or other web-based account. Do you use USB devices? Malicious software that copies itself to and from these devices is one of the most common threats today. Unsecured business center computers can easily copy such malicious software to the USB drive you plug into the computer to access the files you wish to work on.

Business center computers are really handy for checking in for your flight, looking up maps, and other tasks that do not involve the use of passwords or confidential information. For sensitive tasks, it is best to use your own laptop, or wait until you can use a secure device.

For general security questions, feel free to email me at askeset@eset.com

Randy Abrams

Director of Technical Education

ESET LLC

Where Do You Get Your News?

Webmail Privacy

Seller Beware!

PDF Safety

Passwords 101

A Supplement to Passwords 101

Watch Out for Vishing

Anti-Phishing Made Easy

Is It Time to Upgrade to Windows 7?

Look who Dressed Up for Halloween

How Bad (or Good) is Antivirus Software?

When is Updating a Bad Thing?

Spot the Phish

Who Do You Trust

May I Read Your Email?

What’s Your Mother’s Maiden Name?

Has Your Web Mail Account Been Hacked?

Router Security

The Identity Theft Problem

A Tiny URL Can Be a Big Problem

Protecting Yourself from Bots (5 of 5)

Protecting Yourself from Bots (4 of many)

Protecting Yourself from Bots (2 of many)

Protecting Yourself from Bots (2 of many)

Protecting Yourself from Bots (One of many)

Do You Know What a Bot Is?

Travel Tips, Part 2

Travel Security

Can I Own Your Email Account?

Are You Patient or A Patient

Hide Viruses?

NoScript

All You Need to Spell “Swine” is in “Swindle”

Knowledge if Power

Cutting Through the Hype

Tools of the Trade (Password Corral)

How Good is your Password

Tools of the Trade (Autoruns)

Tools of the Trade (SysInspector)

Antivirus Testing

The Duke of URL (Part 3)

The Duke of URL (Part 2)

The Duke of URL (Part 1)

Get Rid of Auto-Infect

The Cone of Silence

Do You Want to Know A Secret?

Did Your Data Return From the Holidays?

 


© 2008 San Diego Regional Chamber of Commerce