Technology Tip Archive
It’s Back to School Time
It’s that time of year that many kids are heading off to college with brand new computers. Oftentimes new computers come bundled with trial versions of an antivirus product. After three to six months the trial expires and the software is no longer updated to protect against the latest threats.
One way to prepare for this is to simply go ahead and install a full version of the security software of your choice. Don’t be fooled into thinking that the trial software is necessarily what the computer manufacturer thinks is the best for you to use. In most cases the reason the trial security software is there is because the company who sells it actually paid the manufacturer to put it on the computer.
It is also a good idea to run the Secunia Personal Software Inspector to make sure that all of your programs are up to date with the latest security patches. It is quite common for a new computer to have software that isn’t current with security patches. These unpatched programs can make it a lot easier to get infected by simply visiting a compromised web page.
Knowing about the latest threats can help you to protect yourself better. To make that task easier you might want to visit the threat blog at http://blog.eset.com/ to keep up to date about the threat landscape.
Randy Abrams
Director of Technical Education
ESET LLC
Got an iPhone, iPod, or an iPad?
If you own any of these devices it is important that you regularly connect them to your computer and run iTunes. Recently there were a couple of vulnerabilities that Apple patched, but the only way to apply the patch is to connect your device to your computer and run iTunes.
One of the vulnerabilities involved viewing a PDF file. If you opened a specially crafted PDF file then an attacker could install malicious software on your device. In the case of an iPhone the attacker would be able to do things like place calls without your knowledge to premium services. This could really run up your phone bill fast. An attacker could read your emails, send email, read and send text messages, copy files, or pretty much anything you can do. For iPhones and iPads alike, passwords could be captured so as to compromise email and social networking accounts.
Initially the vulnerability was exploited to allow users to jailbreak their iPhones by simply opening a PDF file, but we do expect criminals to exploit the vulnerability for malicious purposes. The good news is that you can be protected from these and other attacks by simply connecting to iTunes and updating your device.
Whether you use an iPhone, an Android based phone, a Blackberry, or any other smart phone, it is important to remember that these are really small, but powerful computers. Just like their big brothers on your desktop or your laptop, they will have security problems from time to time, so it is important to know how to get updates and periodically check for updates.
Randy Abrams
Director of Technical Education
ESET LLC
What is Your Smart Phone Saying?
iPhones and Android based phones are among the best selling smart phones on the market today. A large part of their popularity is due to the incredible number of applications you can install on these phones. There are programs for everything from using your phone to scan a bar code and look up competitive prices on the web, to programs that let you make your phone act like a flute by blowing into the microphone and pressing keys. From the sublime to the silly, if someone can think of it, it seems there is an application out there to do it. Unfortunately some people think of doing things you wouldn’t want done, and there are applications out there that steal information and spy.
There are basically two flavors of iPhones and iPhone applications. There are stock iPhones and “jailbroken” iPhones. The applications for a stock iPhone can only be obtained through the Apple App Store and these applications are screened by Apple to help ensure they do nothing bad. The process isn’t perfect, but it does a good job of minimizing risk. For the jailbroken iPhones there are applications that can be installed that Apple has never approved or seen. It is very easy for a person to write truly malicious applications for the jailbroken iPhones. Being selective about where you download your applications from and what developers you trust is essential for security. Remember, Apple is not the developer for most of the App Store applications. It makes good sense to investigate what people are saying about the developer whose application you are considering installing on your iPhone, whether or not it is jailbroken.
The process for the Android based phones is a bit different. There is the Android Market where you can download applications from, but Google does not inspect the applications to make sure they are not malicious. This makes it far easier and less costly for a malicious person to develop and distribute a malicious program. There are also applications that can be installed on Android based phones that are not on the Android Market. AT&T restricts the user’s ability to install non-market applications, but either way the potential risk is higher with Android applications.
There is a difference in the security model between iPhone and Android phones. Applications for the iPhone simply install, however for an Android based phone, part of the installation process is declaring to the user what rights the program is requesting, then the user must accept that this is what the program will be able to do. Some of the “rights” include the ability to send and receive messages. Yes, an application can send an SMS on your behalf. Other rights include the ability to connect to the internet and read your contact list, among other things. If you are not comfortable with granting rights to the application you have the opportunity to prevent it from installing. In reality, techies are about the only people who will bother to look at what rights are being granted and make a decision. Most people will simply click “install”.
Regardless of the make of smart phone, applications can and do sometimes send information to third parties, such as advertisers. In severe cases your contact list, SMS messages (text messages), instant message conversations, and even emails can be sent to a third party. In all cases, unless you have a strong reason to trust the developer it makes sense to wait until an application has been out for at least a few weeks before you install it. Give others a chance to find out for you whether it was a mistake to install.
In addition to the applications you can install, there are some basic phone settings that will enhance your privacy and security. A little research, a bit of patience, and a dash of prudence can help keep your data safer and more private when it comes to today’s smart phones.
Randy Abrams
Director of Technical Education
ESET LLC
iPhone vs. Android
Mobile phones based upon the Android platform are growing in popularity and offer many of the same features as an iPhone, perhaps even more. One of the drivers for the popularity of the Android based phones is that the devices are offered by multiple carriers, not only AT&T.
When it comes to security, the iPhone has an advantage; however, the cost of the advantage is choice. In order for a developer to offer an application for users to buy or use it must first be approved by Apple before it gets into their online store. For the case of an Android phone just about anyone can offer anything. Apple’s approval process reduces the risk of malicious applications finding their way into the store. Remember, the key word is “reduces”: it does not eliminate risk, and Apple has had to remove some malicious applications from their store as they were found to steal data after they had been approved. For Android phones pretty much anyone can become a developer and share their applications without review. This makes it very easy for the bad guys to develop and distribute malicious applications. There is a nifty security feature on the Android based phones. When you install an application it must request permission to access certain resources. The problem is that most people simply allow access without understanding what they have just done, so for all but the most sophisticated users the security feature doesn’t help much. I do expect that the Android based phones will be the most attacked of all smart phones.
When it comes to using smart phones in a corporate environment, Blackberry probably has the best potential security and offers plenty of productivity tools as well. With the Blackberry Enterprise Server an administrator can prevent users from installing applications, thereby preventing malicious software from being installed.
Regardless of what smart phone you choose, there are some basics that can help you to be more secure. Always set the phone to automatically lock after a few minutes with no use. Yes, it can be a little annoying to type in a password when you want to make a call, however, if you lose your phone or it is stolen then locking the phone can help keep your data private.
Bluetooth headsets are very handy, but do not leave Bluetooth in discovery mode on your cell phone when you are not pairing with a new device. If you turn off Bluetooth when you are not using it you will extend your battery life. Leaving Bluetooth in discovery mode can allow others nearby to access the data on the phone, depending upon the type of phone you have.
Encrypt the data on your phone. Using encryption means that if your phone is lost or stolen then others will not be able to access your data.
You might want to consider placing a label on your phone that has alternate contact information. Most people are honest and will return your phone if it is lost, assuming they can figure out how to contact you. Some people are concerned that this may be a problem since others in public places might see the information. One way around this is to place the information on a small sticky note and attach it to the battery inside the phone. You can put a label on the outside that indicates contact information is inside the battery compartment.
Randy Abrams
Director of Technical Education
ESET LLC
Fine isn’t Always Good
At least when it comes to fine print we aren’t talking about the quality of the print, in fact it is often the opposite of fine.
One of the current favorite dirty tricks of highly untrustworthy web sites like Yahoo Travel and Travelocity is that after showing you the fare for an airplane ticket you wish to book, they quietly add a $20 insurance policy that you are automatically opted into. You have to read very closely to see that they have decided you will purchase the trip insurance, and to choose not to purchase it. This is like going to the grocery store, picking up a gallon of milk, and having the clerk add a 6 pack of coke without asking you. Sure, if you are looking you can see the clerk do it and demand that you not be forced to buy the coke, but if you are not looking carefully you might not notice.
Obviously if the travel insurance being offered had any value at all these sites would sell it based upon the quality instead of sneaking it past you, but let their actions speak for the quality of a product they choose to try to trick you into buying.
It isn’t only organizations like Yahoo and Travelocity that can cause you real problems. Some free products can cause you a real headache if you don’t look closely. In some cases when you go to download free products they will try to include other products or change your preferred search site. Sometimes you have to scroll ALL of the way down the page to see what else might be installed or changed if you are not careful. Accidentally installing an antivirus product when you already have one can cause your computer to run more slowly or be unstable. Installing toolbars you don’t need can adversely impact system performance and clutter your screen as well.
It is very easy to get stuck with software you don’t want and insurance you didn’t know you were buying if you are not careful. The difference between companies like Yahoo and Travelocity and many of the online criminals is that we know where Yahoo and Travelocity are and they cannot hide. If you want to do something about such grossly deceptive practices you can write to your state attorney general and sites like Yahoo and Travelocity have “contact us” sections so you can let them know what you think.
A fine wine may be quite good, but fine print is not usually so fine.
Randy Abrams
Director of Technical Education
ESET LLC
Tools of the Trade (Memtest)
Oftentimes when a computer has a problem, viruses are the first thing that come to mind. However, it isn’t always a virus.
When I first started writing this column I did a few articles under the headline “Tools of the Trade”. Today I would like to introduce you to another great software utility that I hope you won’t often have a need for.
Recently my wife’s computer had some strange errors. The problems were not consistent and didn’t seem to have a pattern, but we scanned the computer for viruses and spyware and nothing showed up. A while later Windows reported a memory problem. I was skeptical and so I rebooted and changed the BIOS settings to check the memory on boot up. (For those of you who use a PC and are not familiar with the BIOS, it is something we call firmware. It is software, but it is on a chip on the motherboard of the computer. By default most computer manufacturers disable the memory test because it makes a computer take longer to boot.)
The BIOS memory check did not report any problems, but still Windows did. Another factor in the equation was that the computer was running Windows Vista, a notoriously buggy operating system. I decided that rather than buy new memory first, I would upgrade the computer to Windows 7. If I was right, and memory wasn’t the problem, then I would save the money for the memory module. If I was wrong, Windows 7 is still a superior operating system to Windows Vista.
Two attempts to install Windows 7 failed, and each failure was for a different reason. At that point I went to www.memtest.org. Memtest is a memory diagnostic tool with a long standing reputation for quality. In order to run memtest you need to boot up in a special environment that doesn’t happen to be Windows. Memtest is available for download in a bootable CD image called an ISO file. Modern computers can boot from a CDROM.
So I downloaded the ISO file and burned it to a CD. The next step was to reboot the computer from the CD I had just made. Memtest started running and sure enough, there was a memory problem. The next issue was to determine which, if not both, of the memory modules was the bad one. By removing one module at a time and testing, I was able to determine which module was bad.
The symptoms of the PC could have easily been explained by malicious software, but sometimes the problems really are the hardware. Memtest is a useful tool and not too difficult to use.
If you wish to submit questions or comments to “Ask the Expert” please feel free to send them to askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Is It Infected?
Did you ever wonder if a file you have received is infected? No antivirus product detects everything and you don’t want to have multiple antivirus products running on your computer at the same time, so how do you get a second opinion? There is a free website called Virus Total. The URL is http://www.virustotal.com and you can upload files there to be scanned by well over 20 different antivirus products. You also can email files to the website and get the results back in email.
There are a few things to keep in mind however.
Virus Total is not a replacement for quality antivirus software on your desktop. Virus Total does not offer you real time protection like an installed antivirus product does.
Just because an antivirus product says something is infected it doesn’t mean that it is. Sometimes antivirus products get it wrong and say a clean file is infected. If only one or two products say something is infected there is a high likelihood that it is not, however sometimes only one or two products do detect a real threat. Usually waiting a day or two will allow the companies to fix false positives or allow other companies to add detection.
Just because no product says a file is infected it doesn’t mean it is clean. It means there is a higher chance it is clean, but the bad guys use Virus Total also to make sure that nobody detects their brand new malware.
You can’t tell the quality of an antivirus product based upon the results of Virus Total. Virus Total only uses one component of an antivirus product. Antivirus products today have many means of detecting threats and the on demand scans that Virus Total uses do not take advantage of all of the protection mechanisms that an installed antivirus product can offer.
All of that said, Virus Total is useful and can help offer some additional “opinions”.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Just Browsing
Sometimes I am asked “Which browser is the safest” or “Which browser is the best”. Unfortunately, the answer really depends upon you. I’ll limit this to the 4 major browsers, but there are others.
Internet Explorer, from Microsoft, is the best known and most widely used browser on the market. Internet Explorer, often called IE, has a long history of design problems and exploitable bugs that rendered it highly unsafe in its default configuration. In recent years Microsoft has focused upon security and made IE a relatively safe browser, but due to its popularity it is still attacked more than any other browser. The ease of use that IE has makes it very popular with users who are not very tech savvy and are probably more likely to make serious security mistakes. For advanced users who choose to change the default configuration, IE can offer some of the best security of all browsers, but that comes at the expense of ease of use. When I want a really secure browsing environment I will use IE, but I have it prompt me for almost everything it allows. This is truly annoying as there are many dialog boxes to answer as I browse. The ability to use “zones” can help alleviate the tediousness; however, it would be really nice if custom zones were supported and easy to add. There are a handful of websites that only work properly with Internet Explorer.
Mozilla’s Firefox is an excellent browser and probably the second most popular of all. While less attacked than IE, Firefox is still in the crosshairs of the criminal element and is also targeted. Firefox is a little less user friendly than IE and that can be a good thing. Where IE gives you the option to save or run a program, Firefox generally requires you to save it. For users who don’t know how to find the file they just saved, or how to run it from the download dialog, this can prevent malicious programs from being run; however, it also may prevent users from running legitimate programs. Firefox also has some really cool plugins that can significantly augment security, but there have been cases where malicious plugins were made available. Users need to exercise caution when installing any software.
Google’s Chrome browser is another choice. In theory this should be a very safe browser as it includes a technology called sandboxing that is designed to limit how much harm a program can do while you are browsing the web. In reality I have been unable to find any independent testing that would confirm the sandboxing has any effect upon security. Chrome is also far less configurable than IE or Firefox and updating is not a choice. When there is an update for Chrome, it is automatically installed and you do not have a choice. The lack of ability to control updates means that Google could make a change that breaks an in house application and you would not be able to revert to a version that does work.
Microsoft, Mozilla, and Google all tend to fix security problems very quickly and that is a good thing.
Apple’s web browser is called Safari. Safari is the browser I am least likely to use or recommend. The unfortunate truth about Safari is that when there are security problems with the browser, Apple often takes much longer to address these issues. A bug in Safari may be fixed on the PC or Mac, but not on the iPad at the same time.
For any browser I choose to run it inside a program called Sandboxie. Sandboxie helps protect the operating system from attacks. While the program is free, I paid for my copy because I enjoy the added features of the paid version. Sandboxie does require some user knowledge to get the most out of it, but the security benefit is well worth learning how to use it.
For day to day browsing, I think it is probably best to use Firefox, but a savvy user can choose most any browser and enjoy relative security. The decisions you make about browsing are the single biggest factor in your web browsing security from day to day.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
5 Worst Security Mistakes
One of the worst security mistakes that businesses and users alike make is failing to keep their software up to date. Applying security patches to your software is your front line of defense. It isn’t only your operating system, but all of your third party applications, such as Adobe Reader, Adobe Flash, Apple iTunes, and many other products. Think of a hockey team. The offense tries to keep the puck in the opponent’s half of the rink. This keeps the puck as far away from their own goal as possible and gives them an opportunity to score. If the best defense is a good offense, then the offense line is part of the defense. When the offense fails then it is up to the defense to keep the puck away from the goal. Properly patched software is your offense. Vulnerabilities in software allow attackers to get dangerously close to your data and often get at your data. When the defense fails then the enemy gets a shot on goal and it is up to the goalie to prevent the opponent from scoring. You might think of things like a firewall as your defensive line. Your antivirus software is a goalie. It doesn’t matter how good your goalie is, given enough shots on goal something will get past. I have frequently recommended the Personal Software Inspector at www.secunia.com to make sure your software is up to date.
Another big mistake that companies make is failing to use security software. Products like antivirus, and firewalls are essential. Businesses should seriously consider additional security products such as intrusion detection and intrusion prevention systems. The security products themselves should also be kept up to date. Hiring a good security expert to audit your company’s security setup is a great idea. The best IT people in the world know the value of having an outside opinion. For these true experts it is not an insult to suggest that someone else might find something they did not, it is a sanity check to make sure that another very smart person is not finding something they may have overlooked.
The failure to use encryption software is a glaring mistake. Between 2005 and 2009 there were over 251 million documented cases of data records that were exposed through breaches. A lost laptop, stolen computer or lost USB memory device can expose potentially sensitive data if the data is not encrypted. You can protect your company’s proprietary information by using encryption software.
Password management and education is another serious problem. Users often use very bad passwords and use the same usernames and passwords for multiple accounts. If an employee uses the same username and password on your network that they use for their banking or email accounts, and they get phished, the bad guys may have access to your network as well. Don’t think that you do not have anything of value to a hacker; that would be a mistake. The use of your company’s computers is quite valuable to a criminal. Many phishing web sites are actually hosted on the computers of legitimate companies who have poor security and have been hacked. Churches, schools, even government computers have been found to be hosting phishing web sites. Additionally, the ability to store illegal software on your computers makes it less risky for the criminals; after all, if the cops come the child porn or pirated software isn’t on their computers, it’s on yours.
The failure to address user education is probably the worst of all security mistakes. The better educated your employees are about computer security, the better they are able to help make your network secure by using best practices. Learning more about computers actually helps employees to work more efficiently. At http://securingourecity.org/workshop-signup you can request a free cybersecurity workshop to help improve security in your business.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Pharmacy Spam and Scams
With the artificially high prices that pharmaceutical companies charge in the US, it is not surprising that many Americans are buying their prescription drugs online from Canadian pharmacies. To give an example of price differences, take a look at Viagra, since it is probably the most spammed drug out there. Familymeds.com, an American online pharmacy, lists ten 100 mg Viagra tablets for about $164. The generic of Viagra is not sold in the USA, but can be ordered from a Canadian pharmacy and will cost about $70 for 30 tablets. That’s less than $2.50 per pill compared to over $16 each for the name brand. Even the name brand Viagra is available through a Canadian online pharmacy for about $10 each.
With price differentials like that, it is easy to see the appeal of the Canadian mail order pharmacies. Because this is a big business, the criminal element is involved and spam for Canadian pharmacies is rampant as are illegal sites selling pharmaceuticals, often without requiring a prescription.
The legitimate Canadian pharmacies don’t spam you, so if you receive an unsolicited email from a “Canadian pharmacy” then you already know it is not legitimate. If the pharmacy does not require a prescription for prescription medications, then you also know it is a scam. I would not recommend ingesting something that is supposed to be a prescription drug and is being sold by a criminal.
The question then becomes how do you find a legitimate Canadian pharmacy without going to Canada? Finding the pharmacies is really quite simple. You can simply search for “Canadian Pharmacy” and the odds are pretty good the results will include many legitimate pharmacies, but that really isn’t good enough. The Canadian International Pharmacy Association certifies Canadian pharmacies that sell online. The legitimate pharmacies will have a CIPArx seal on their web page, but illegal websites can also put the seal on their website. What you need to do is go to www.ciparx.com and use their search feature to verify that the pharmacy you wish to do business with is certified.
One spam message I looked into led to a “Canadian pharmacy” that has a CPA seal. If you clicked on the picture of the CPA seal it would open a web page with an official looking certificate. The problem is that the certificate is on the fraudulent website and not on any legitimate organization’s web site. CPA is also not the same as CIPA. This particular web site had certificates allegedly coming from the FDA, the American Pharmaceuticals Association, and even VeriSign. All of the certificates were bogus. The FDA doesn’t certify Canadian pharmacies anyway.
Endorsements are great if they are real, but always verify an endorsement independently. Criminals have no problem lying about their endorsements and the fact that something is illegal doesn’t stop a crook. If you’re going to buy from a Canadian pharmacy, it pays to do your homework and make sure you are dealing with a legitimate vendor.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Who’s Watching Your Laptop?
Hundreds of laptops are being stolen each week at LAX alone. This isn’t a problem that is specific to LAX, but it is a serious problem. In some cases the attacks are very targeted. I will present one such attack I was recently informed of.
The scenario is that a criminal gang wants a specific laptop. They will buy tickets and follow the victim. Two of the criminals will go through security directly before the victim. The criminals will have something metallic in their pockets so that the TSA people have to interrupt the screening process. The first criminal removes the metallic object and sends it through the x-ray machine. If the victim’s computer is already on the conveyor belt, the game is over. The first criminal gets through and now the second criminal sets off the metal detector. The victim has not yet gone through the screening, but the laptop is already through and has been stolen.
Perhaps nobody is specifically targeting you, but this type of attack also happens randomly. With fare specials as low as $39 at times, it is cost effective to buy a ticket, steal a laptop and leave the terminal without flying.
How do you defend against this type of attack? First, use encryption so that if the laptop is stolen your data is not accessible. Second, wait for the person in front of you to clear the screening before you put your laptop into the x-ray machine. Keep your eyes on the laptop as soon as it comes out the other end.
Sometimes laptops are simply forgotten. A person gets distracted and leaves the laptop (or cell phone) behind. I have a trick for this problem. I always put my shoes through last. I noticed that the character that Clooney plays in the movie “Up in the Air” did the same thing! You are very unlikely to forget your shoes and you will pick up all of your belongings that come through before your shoes. I travel internationally quite often. In most other countries you do not have to take off your shoes. I always travel wearing a vest that has a lot of pockets. Everything metal I carry goes into the vest and then I put the vest through the x-ray machine so I don’t have to pick up all the individual items at the end. When I don’t take off my shoes, the vest goes through last.
The laptop theft problem at airports is difficult to defend against, but being aware of the types of attacks and staying alert can help prevent loss.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Email from Bill Gates
Recently Christopher Dale, our Public Relations Manager, received an email from Bill Gates. No, it was not the founder of Microsoft. It really wasn’t even from a person named Bill. The email came from some guy in Iran who found it amusing to have the display name “Bill Gates”. The point is that computers are very, very, accomplished pathological liars. Simply tell a computer to lie and it will – without question or compunction.
The reason for this is that computers do only what they are told. There are so many ways to make a computer lie that it really isn’t even funny… it’s startling. Take the email from “Bill Gates”, for example: in this case the email address was not Billg@microsoft.com, but that is only because the computer the email was sent from was not told to lie about that. Yes, the computer the email is sent from can be told to lie about the email address being used. Other computers along the way can be told to lie about the email name, address, and location as well. The lesson here is that just because you get an email from someone whose name you know, doesn’t mean that the person you know sent it. Beyond that, if someone is able to log into a friend’s email account, they don’t have to tell the computer to lie, they can just impersonate your friend. Be very wary of emails from friends telling you they need financial help or telling you to go to a website. Always take steps to verify you are talking with your friend.
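As an added example (not part of this column or of any ESET tool), here is a small Python check of the kind a mail client or help desk could run to spot the disagreement described above between a familiar display name and the address actually used. The messages, the address book and every domain in it are constructed placeholders.

```python
"""Flag sender headers whose display name does not agree with the address in use.

Added example for this column, not ESET's code. The messages and the address
book below are constructed; none of the names, addresses or domains are real.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display names we recognise -> addresses we have
# actually exchanged mail with. A real client would take this from its contacts.
KNOWN_CONTACTS = {
    "bill gates": {"billg@corp.example"},
    "alice smith": {"alice@partner.example"},
}

# Constructed message of the kind described in the column: a familiar display
# name on an address that has nothing to do with that person.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@bulkmail.example>
From: "Bill Gates" <fan123@freemail.example>
Reply-To: "Bill Gates" <collect@another.example>
To: pr@company.example
Subject: Hello from Bill

Constructed body text.
"""

# Constructed message where every sender header agrees with the address book.
SAMPLE_CONSISTENT = """\
Return-Path: <alice@partner.example>
From: "Alice Smith" <alice@partner.example>
To: pr@company.example
Subject: Meeting notes

Constructed body text.
"""


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_warnings(raw_message: str, contacts=KNOWN_CONTACTS) -> list:
    """Return human-readable warnings about the sender headers of one message.

    An empty list means no mismatch was found. It does not mean the mail is
    genuine: every header examined here is set by whoever sends the message.
    Display names in RFC 2047 encoded-word form are not decoded by this example.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    name_key = " ".join(name.split()).lower()
    warnings = []

    if not addr:
        return ["From header carries no parsable address"]

    # 1. A display name we know, paired with an address we have never seen for it.
    if name_key in contacts and addr not in contacts[name_key]:
        warnings.append(
            f"display name {name!r} is a known contact, but {addr} is not one of its addresses"
        )

    # 2. The display name is itself an address whose domain differs from the real
    #    one, e.g. "boss@corp.example" <someone@freemail.example>.
    if "@" in name and domain_of(name) != domain_of(addr):
        warnings.append(
            f"display name {name!r} names domain {domain_of(name)} but the address is at {domain_of(addr)}"
        )

    # 3. Replies would go to a different domain than the claimed sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        warnings.append(f"Reply-To {reply_to.lower()} is not at the From domain {domain_of(addr)}")

    # 4. The envelope sender recorded by the receiving server is at another domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != domain_of(addr):
        warnings.append(f"Return-Path {return_path.lower()} is not at the From domain {domain_of(addr)}")

    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("consistent", SAMPLE_CONSISTENT)):
        found = header_warnings(raw)
        print(f"{label}: {len(found)} warning(s)")
        for line in found:
            print("  -", line)
```

The spoofed sample trips three of the four checks and the consistent one trips none; a clean result only says the headers agree with each other, which is exactly what a sender who controls all of them can arrange.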
Email is not the only “liar application” on a computer. When you go to a web page, it will show you what it has been programmed to show you. If I make a pop-up of the control panel, it will look amazingly like the real control panel. More insidious, I bet you don’t recall what a Windows Security Center warning looks like. I don’t even have to make that pop up look like the real thing. If I make a pop up that says it is Windows Security Center and there is a problem with your computer, the odds are that most people will fall for it. If I make an animated web page that says it is scanning your computer for viruses, then many people assume that is what is happening, even when no such scan is being done. The combination of the fake scan with the fake security warning is why there is such a problem with fake antivirus. This is the stuff that infects your computer while it tells you that your computer is infected and you have to pay to make it go away.
If you have been a victim of this rogue antivirus software, you do have recourse. You can demand that the company refund your money, or you can dispute the charge with your credit card company. Because the criminals behind rogue antivirus software need to keep accepting credit cards, they cannot tolerate too many chargebacks. So in some cases it is that easy to get your money back.
How can you tell when your computer is lying? It can be really hard to tell sometimes, but understanding what a computer can and cannot do helps, and paying attention to context helps even more. For the most part, a web page can’t start scanning your computer without your permission. A company that scans your computer for viruses without your permission is unethical, so it wouldn’t be prudent to believe anything they say. Simply landing on a web page will never result in a virus scan. Again, the context is important. If you come to the ESET free online scanner at http://www.eset.com/online-scanner, you will have to agree to have your computer scanned and you specifically chose to go to such a website. That is how honest companies operate. The context is everything.
For email, instant messaging, and social networking sites it can be more difficult, so having a dialog with the person you know is essential for establishing context.
Always remember that a computer has the perfect poker face and will lie anytime it is instructed. Paying attention to the context is paramount.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Social Nut Works
Facebook has been in the news quite a bit lately for problems related to privacy. This really should come as no surprise; Facebook is a SOCIAL network, not a private network. In fact, it recently came to light that Mark Zuckerberg, the founder of Facebook, offered a friend information about his users. When the friend asked how he got the information, Zuckerberg replied that the people trusted him and were “dumb f*cks”. I kid you not… you can read the article at http://www.theregister.co.uk/2010/05/14/facebook_trust_dumb/.
Fundamentally when using social networks, regardless of whether it is Facebook or any of the many other social networks, you have to assume that everything you say is public information. Aside from the possibility of an unethical employee with access to your account doing something, there are always going to be bugs and vulnerabilities that may potentially compromise some or all of your account information.
The default privacy settings for social networks are not usually set up to ensure your privacy; they are set to make the service as attractive as possible to potential advertisers, and that means sharing as much of your data as the site can get away with.
Phishing aimed at social networking accounts is quite widespread. This means that if a friend’s account is successfully phished, you may believe you are conversing with a friend, but it is not your friend at all, only their account that is being used to try to get you to do something, such as install malicious software or give up information that may be used for identity theft.
If you are the victim of a phishing attack in which one of your social networking accounts is compromised, then your account can be used to attempt to get money or information from your friends. If you use the same password for multiple social networking sites, then the compromise of one of your accounts can lead to the compromise of all of your accounts. An attacker can read all of your messages, delete pictures and other information, delete contacts, add contacts, and use your account for spamming and other nefarious activities.
Remember, it really is nuts to think a SOCIAL networking site is a private network. Think carefully about the messages you send and the pictures, etc. that you put up on your site. By all means, do not ever use the same password on a social networking site that you use somewhere else, especially for an email account. If an attacker gains access to both your social networking accounts and your email accounts it can be next to impossible to regain control of any of your accounts.
As long as you remember the word “social” in social networking, you are rational, but when you think a social network is private, that is simply nuts!!!
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Where Do You Download Your Updates From?
There is a phishing attack underway that involves Adobe products. Adobe has issued an advisory at http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html. The scenario is that an Adobe customer receives an email claiming to be from an Adobe employee. The recipient is instructed to download an update to fix a security vulnerability.
As Adobe states, they do not send links to updates that require you to run them from your web browser and they do not send attachments. No sane security company does this except in rare circumstances where you have a special contract in place with them, and even then usually you get a link to a download page and then select your download.
It is a good rule to always type in the address of a known good web site, such as www.adobe.com, and then find what you are looking for. If you need an update for iTunes, type in www.apple.com.
Yes, security updates are essential, but just because someone sends you an email that says you need one, or a web page tells you that you need an update, it doesn’t make it true. As I have previously mentioned… perhaps more than a few times, I recommend the free (for home users) tool at www.secunia.com to make sure you have all of the security patches for the different programs on your computer. For a business it is probably well worth the money to buy the corporate tools from Secunia, even if you have a very small business.
A huge number of attacks will not work if your system is properly patched, and a large number of attacks will work if you try to get updates from a link in an email. Today, many programs have an option to check for updates right in the help menu.
Don’t get medical advice from your web designer and don’t get updates from emails!
Randy Abrams
Director of Technical Education
ESET LLC
Cybersecurity Education – and a Free Lunch
Over the past year or so, ESET has been offering free cybersecurity workshops to help businesses and consumers learn more about what they need to do to stay safe online. On May 5th, ESET is offering a workshop with an exceptionally impressive lineup of speakers, and it won’t cost you a penny!
Dr. Peter Fonash from the US Department of Homeland Security will be the featured speaker, as will Mayor Jerry Sanders. Guest speakers include Mark Weatherford, Chief Information Security Officer for the State of California; Mike Dayton with the State of California Emergency Management Agency; Chief William Lansdowne of the San Diego Police Department; Karen Hewitt, US Attorney; Michael Kaiser of the National Cyber Security Alliance; Ruben Barrales with the San Diego Regional Chamber of Commerce; and Anton Zajac, CEO of ESET.
Registration for the free symposium starts at 11:30 AM and the symposium runs from noon to 4:45 PM. There is also a reception from 4:45 to 6 PM. Additionally, you can attend the morning cybersecurity workshops, which begin at 9 AM.
Registration is mandatory at http://www.securingourecity.org/cyber-symposium.php
The subjects of the symposium include
- “Securing Our eCity” from a National Perspective
- Critical Infrastructure and Emergency Preparedness
- Economic impacts, Cluster and Technology of Cybersecurity
- Educating Our eCity
All that and a free lunch – provided you register. This is an event you don’t want to miss!
Randy Abrams
Director of Technical Education
ESET LLC
Did you do it?
I have mentioned on more than one occasion that it isn’t only the operating system that needs to be updated. Third party applications also have security problems and require updates. To help with keeping third party software up to date I have recommended that you run the Personal Software Inspector from Secunia (http://secunia.com/vulnerability_scanning/personal/). Keeping your software patched is just as important as using a firewall and great antivirus software.
Microsoft recently released their Security Intelligence Report. One of the findings was that for browser-based exploits, the kind of stuff where you visit a web site and are immediately attacked, more than 45% of the attacks are against Adobe products, like Reader, Acrobat, and Flash. There are also many other 3rd party applications that get attacked.
Microsoft statistics also showed that newer operating systems and browsers have lower infection rates as well. Are you still running Windows XP? If you are then I hope you have Service Pack 3 installed. The older versions of Windows XP have significantly higher infection rates and both Windows Vista and Windows 7 are proving to be more resilient than Windows XP. Internet Explorer 6 has a really bad security track record. I strongly recommend that you upgrade to Internet Explorer 8. You might also want to consider other browsers, such as Firefox or Google Chrome.
You can find the Microsoft Security Intelligence report at http://www.microsoft.com/security/about/sir.aspx. This year the statistics are broken up to show the threats that enterprises face most commonly, as well as those consumers most commonly encounter. In the past the studies did not separate out these two groups.
The clear message from the report is that newer software is getting more secure and if you do not keep your third party applications up to date you are at serious risk from malicious software.
So, I told you about the Secunia Personal Software Inspector… have you used it?
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
What’s a Codec and do I need one?
One of the most common tricks cyber criminals use to get people to install malicious software on their computers is to present a video, but when the victim clicks on it they are told they need a new “codec” to play the video. So, what is a codec?
Codec stands for COder/DECoder, or sometimes COmpressor/DECompressor. Video files are quite large, as they contain a lot of data, so they are compressed when they are created and then decompressed when they are played back. Additionally, video files are encoded and require decoding to be played. Because there are many technologies for creating video files, there are many codecs required to play them back. Each video type requires a different codec.
Most media players, such as Windows Media Player, Quicktime, and Real Player have several codecs built right in so you never even have to be aware of the technology. When a new video compression format is invented a new codec is required to be able to play the movie back. Sometimes when you get an update or a new version of your media player it includes additional codecs.
In most cases you never need to go looking for a codec and a movie on the web is virtually never going to require you to install a codec. Many years ago new video formats were evolving much more rapidly and it took longer for the codecs to be integrated in products. At that time it was a little more common to actually need to install a new codec. Today about the only time a person would need to install a codec is if they are working with a video developer who is using a rare video format.
Codecs are not only used for video. Music files require codecs too.
It is safe to assume that whenever you go to a web page and it says you need to install a codec to watch a video, it is not a codec you will be downloading, it is a virus or other malicious software.
Most people do not know what a codec is, but they do know what the Flash Player is. The cyber criminals will sometimes trick users by saying that they need to update their Flash Player. Flash Player updates should never be installed from anywhere other than www.adobe.com. It isn’t a Flash Player update that the criminals are trying to get you to install, it is malicious software.
If you just say no to codecs and Flash Player updates that do not come from Adobe, you will avoid a lot of problems!
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
News or Noose?
There’s been a lot going on in the news. The miraculous rescue of 115 miners in China, the disastrous explosion that claimed 29 lives in a mine in Virginia, the death of the Polish president along with 95 other people on the airplane, and of course Tiger Woods’ return to golf. All of these events have something in common… people are searching for news about the news. The bad guys know this, so they are working very hard to make sure that they can take advantage of your searches.
There are a variety of ways the attacks are carried out, but really only one reason… money. Whether it is for identity theft, simple financial theft, or advertising revenue, the bad guys want you to find them when you are looking for something else.
Here are a few of the attack scenarios and some advice on how to mitigate your risk of finding a digital noose when you search for digital news. In all cases, using current, high quality antivirus software is advised, as is using other security software such as a firewall and anti-spam software.
The most difficult attack to pull off and defend against is when the bad guys compromise a legitimate web site. In these relatively rare cases the attack may be a “drive by” where once you land on the legitimate web page your computer is infected, either because the website itself has malicious programs on it or because an advertisement displayed on the web site has malicious code in it. In most cases you will be protected if you keep your operating system fully patched and your other software fully patched. Once again, I recommend that you visit http://secunia.com/vulnerability_scanning/personal and run the Personal Software Inspector to make sure that your system is fully patched. Most of the attacks exploit programs that could be patched. If you go to a web site looking for news and it says you need to install or update software, the odds are very high that you do not need anything except to close your browser. Never update a “codec”, Flash Player, or other software from a web site that does not belong to a trusted software publisher… not news publisher.
Another attack is to use search engine optimization (SEO) techniques to make sure the bad guy’s web site is near or at the top of the search results. If you click on the link to the website it may try to exploit a vulnerability (drive by), tell you that you need a codec to view the news video or that you need to update your Flash Player, or even look like it is scanning your computer for viruses and say your computer is infected. The defenses against the drive by and fake update alerts have already been explained. Anytime you land on a webpage and it says it is scanning your computer for viruses without you even asking it to, it is an attempt to infect your computer and/or steal your money by selling you useless software. Never believe those web pages and always close your browser immediately without clicking on anything at all. You might have to use Task Manager to close your browser. Another defense against this attack is to actually look at what the address of the website is. Just because it ranked high in the search doesn’t mean that it really is relevant. You really should stick to known news sources. This doesn’t mean you cannot learn about new resources for news, but the way to do that is to search for respected news organizations, not the news itself. The results you are looking for are usually not in a foreign country, and often you can tell it is a foreign country by the website address.
There is always the good old email attack. Unless you signed up to have the news emailed to you, it really doesn’t make sense for email about the news to be coming to you from an unknown source. The typical attack involves an email with a subject line about a current news item. The email will contain a link to direct you to a video of the subject, or more information. Anti-spam will filter out many of these attacks, but it won’t protect you if you go digging through your junk email and then click on the link. Your best bet is to delete the email. It is fine to sign up with reputable organizations to have the news emailed to you, but unsolicited email about the news is virtually always bad news.
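To make the “look at the address” advice concrete, here is an added example (not from the newsletter or ESET) in Python that takes a search-result URL apart and reports what a cautious reader should notice: whether the registered domain is on a list of news sites the reader already trusts, whether the top-level domain is a country code outside the reader’s own, whether a trusted brand name is merely embedded in an untrusted host, and whether the host is a bare IP address. The allowlist, the set of home-country TLDs and the sample URLs are constructed for the example, and the two-label “registered domain” rule is a simplification (it misreads names like example.co.uk); real tooling would consult the public suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist standing in for "known news sources" the reader trusts
# (both domains appear elsewhere in this newsletter archive).
TRUSTED_NEWS_DOMAINS = {"signonsandiego.com", "nytimes.com"}

# Assumption for the example: the reader is in the US, so these TLDs are "home".
HOME_COUNTRY_TLDS = {"com", "org", "net", "edu", "gov", "us"}


def registered_domain(host: str) -> str:
    """Last two labels of a host name (simplified; no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_result(url: str) -> dict:
    """Describe a search-result URL the way a careful reader would inspect it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme not in ("http", "https"):
        findings.append("unusual_scheme")

    # A bare IP address instead of a name is unusual for a news site.
    try:
        ipaddress.ip_address(host)
        findings.append("bare_ip_address")
        reg = host
    except ValueError:
        reg = registered_domain(host)

    trusted = reg in TRUSTED_NEWS_DOMAINS
    tld = host.rsplit(".", 1)[-1] if "." in host else ""

    # Country-code TLD outside the reader's home country, e.g. .sg for Singapore.
    if not trusted and tld and not tld.isdigit() and tld not in HOME_COUNTRY_TLDS:
        findings.append(f"foreign_tld:{tld}")

    # A trusted brand buried inside an untrusted host, e.g. nytimes.com.example.sg,
    # is a lookalike, not the real site.
    if not trusted:
        for trusted_domain in TRUSTED_NEWS_DOMAINS:
            brand = trusted_domain.split(".")[0]
            if brand in host:
                findings.append(f"lookalike_of:{trusted_domain}")

    return {
        "host": host,
        "registered_domain": reg,
        "trusted": trusted,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample URLs: one genuine article URL from this newsletter,
    # one lookalike on a foreign ccTLD, one bare documentation-range IP address.
    for sample in (
        "http://www.nytimes.com/2010/02/13/technology/internet/13google.html",
        "http://nytimes.com.example.sg/breaking-video",
        "http://203.0.113.7/news.html",
    ):
        print(check_result(sample))
```

The checks are deliberately conservative: an unflagged result is not proof that a site is safe, only that the address itself gives no reason for suspicion, so the rest of the advice in this article still applies once the page loads.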
It really isn’t only the news that is involved in SEO attacks. Anything that lots of people are searching on the web, the bad guys are targeting. A little caution when following up on the results of your searches can help keep the news from putting a noose on your computer.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Share and Share Alike
Peer-to-peer (P2P) file sharing networks have long been one of the major sources of security headaches for businesses and the government. You might recognize the names of some of these so called services. Limewire, Kazaa, and Bittorrent are just a few of the better known P2P networks, but there are hundreds of them. The idea behind the networks is that you can share files and others can share files with you. P2P networks really can be used for legitimate reasons, but the abuse of the networks is probably orders of magnitude more common than the legal and/or safe use of the networks.
P2P networks are commonly used to share pirated material such as MP3 music files, movies, operating systems, and applications like Microsoft Office, antivirus software, and other commercial programs.
There are a few serious dangers related to these networks. The bad guys know that greed is the perfect offensive weapon and so they often put up desirable looking files that contain viruses or trojan horse programs. P2P networks are one of the major sources of infections. P2P networks can mean that illegal materials ranging from copyrighted software to child pornography are on your network. If and when law enforcement and/or industry antipiracy groups find this out, it can be a huge headache for your company. Another danger is that these programs often make files on the computer they are installed on available to others. Critical business information has been compromised when ignorant employees installed these programs on work computers and didn’t even realize what they were sharing. In some cases classified military and other secret governmental data has been lost.
Recently the US House of Representatives passed a bill that limits the use of P2P software on government computers, as well as on computers used by contractors doing business with the government. If your business has government contracts, it behooves you to be aware of the legislation known as H.R.4098 – Secure Federal File Sharing Act & P2P. Even if you don’t do business with the government, you really should be aware of these networks and make sure they are not present in your work environment.
Recently Jeff Debrosse blogged about this bill and provided some great information and links on the ESET Threat Center Blog. I would highly recommend taking a look at the information and resources Jeff provides at http://www.eset.com/blog/2010/03/26/h-r-4098-secure-federal-file-sharing-act.
Randy Abrams
Director of Technical Education
ESET LLC
Northern Lights Attack Those in the Dark
Unless you have been living under a rock, or have a life outside of computer security, you have probably heard of “Operation Aurora”. This is the alleged catalyst for why Google is threatening to pull out of China. “Operation Aurora” was (or is) a group of attacks that targeted several large American companies, including Google. The allegations are that China was/is behind the attacks. As is the nature of a sophisticated cyber attack, it is really difficult to say with authority where the attacks came from.
One of the interesting aspects of the attacks is that they targeted vulnerabilities in Internet Explorer 6.0. Please don’t tell me you are still running IE 6. Internet browsers are constantly being updated to defend against attacks. The current version of Internet Explorer is version 8.0. Even if you use a different browser, such as Firefox or Opera, it is very important that you keep the browser current.
However, web browsers are not the only programs that need to be kept up to date. Most programs that are commonly used have vulnerabilities and other security issues which require newer versions. Automatic updates are becoming more and more common, but are still not ubiquitous. I recently turned on a computer that had been left off for several months. I knew that Firefox was out of date on the computer so I immediately updated it. What I discovered was that it retrieved the updates for the old version it was running, as opposed to updating to the newest version. I knew there was a newer version, so after the update was completed I told it to look for updates again. About the 3rd time I did this it retrieved the current version. I know that eventually Firefox would have told me there was a newer version available, but I didn’t want to browse the web with the older version.
If security is important to you, then it makes sense to regularly check to see if you are running the most current version of your programs. Older versions of Adobe products, such as Flash, Reader, and Shockwave, had no automatic update mechanism. It makes a lot of sense to check the vendor’s website to see if you have the most current version of the product you are using.
In the end, it doesn’t matter if “Operation Aurora” originated from China or not, the same attacks can be used by anyone from any location. Keeping your software current is essential for your security. If you are not sure that you are running the most current versions of your programs, you are really in the dark. Don’t let something like “Operation Aurora” light up your network!
If you have any general security questions or comments, please feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
What Are You Looking For?
When we want to find something, Google is the first place that millions of people go for assistance. It is amazing how many useful and trivial things you can find using Google, but many people don’t realize that they can do a lot more than simply type in a word or phrase to help them find what they want and reduce the number of entries they don’t want to see.
The Google search box allows for a variety of really helpful options. If I search for Big Band, I get about 96 million entries. It is a pretty safe bet that most of those are not what I am looking for. In this case pages with the word “big” will appear and pages with the word “band” will appear. If I put quotation marks around the phrase it limits the results. Searching for “Big Band” now returns about 8.7 million entries. But perhaps I don’t want to read about Glenn Miller. I can exclude terms from my search by putting a space and then a minus sign in front of the word I don’t want to appear.
“Big Band” -Glenn -Miller eliminates the pages that contain Glenn or Miller, but that means I won’t find Al Miller and perhaps I want Al to also show up in the results.
Perhaps I really am looking for something I read in the San Diego Union Tribune about big bands. I can limit my search results to web pages from the San Diego Union Tribune’s website by including site:signonsandiego.com, which is the Tribune’s web site.
So, “Big Band” -Glenn site:signonsandiego.com returns about 300 results, which is starting to get manageable. Maybe I want results only from specific countries, rather than from the Tribune’s web site. To get results from Singapore I can use the Singapore country code (sg) and search for “Big Band” -Glenn site:.sg
At http://www.google.com/help/cheatsheet.html you can print out a cheat sheet that documents a lot of the features that Google search supports. http://www.google.com/support/websearch/bin/answer.py?answer=136861 is also helpful.
There is something you must always be very, very careful about when using Google or any search engine. The bad guys know people are looking and so they work very hard to make sure their malicious web pages turn up in a search. If you click on a result and are prompted to install, run, or download something, then the odds are extremely high that it is a malicious web page and you should close your browser immediately. If you click on a result and the page says it is scanning your computer or that your computer is infected, it is a malicious web page… close your browser and do not click on anything in the web page.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Please Rob Me
Yes, there is a website called pleaserobme.com, and it isn’t quite as far-fetched as you may think. It has become quite common for some people on Twitter to tell the world where they are. This also tells the world where they are not… at home. It is one thing if all of the people who know you are honest, but if you use your real name, especially if it isn’t a really common name, then a lot of people might know a lot more about you than you think.
People are using a lot of different social networking services and the amount of information that can be pieced together is amazing. A short time ago on Google Buzz I saw a Twitter message that had been reposted. A woman, whose full name was used, said where she was going in New Jersey. I searched on her name and location and looked at her public profile on Google. This gave me enough information to identify who she was on other social networking sites. One of the sites had her phone number. A quick reverse phone number lookup revealed her address and that there was one other person at that address on the telephone account. An online map would make it easy to know how long she would be gone... at a minimum.
For a “would be” robber, this is a bonanza of information. For me, it is an interesting exercise to take random posts and see what I can find out about a person I have never met. I blogged about this on the ESET website at http://www.eset.com/threat-center/blog/2009/12/21/what-does-the-world-know-about-you.
If you participate in multiple social networks, look at your profile and the public messages and pull together all of the information from the various sites to see how much information you have exposed about yourself. Try putting your first and last name in a Google search. Put quote marks around your whole name. You can add an extra word or two to narrow the search. For example, if you search for Randy Abrams you’ll find several people with that name, or who have Randy or Abrams in their name. If you search for “Randy Abrams” the top results will be for people named Randy Abrams. If you search for “Randy Abrams” ESET then most of your results will be a specific Randy Abrams, namely me.
Try the same search on your name and add something relevant, such as the company you work for, the city you live in, or even both. Perhaps you participate in discussions about a hobby. You can try this with friends as well. It can be a real eye opener to see how much information is exposed. When you couple this with an innocent looking tweet that says “Hey, I’m not home” you can really expose yourself. The odds of something bad happening are pretty low, but what is the reward for such behavior? Does it warrant the risk?
The Internet can be a pretty entertaining place and a great way to share information and meet people with whom you share common interests, but be aware of how much information you are sharing and how that can be used in ways you might not want it to be used.
If you have any questions or comments about this or other general security topics, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Care About Privacy? Google Doesn’t
Google recently rolled out a new product called Google Buzz. The problem is that if you have Gmail then Buzz was already turned on and potentially sharing information that you did not choose to share or, perhaps even want to share.
The idea behind Buzz was for Google to create a social network without people choosing to be a part of it. Google added Buzz to all Gmail accounts and automatically had you start following people. Google also linked Buzz to their Picasa and Reader products.
An example of the privacy problems Google’s arrogance created can be found at http://gizmodo.com/5470696/fck-you-google
A broader perspective can be found at http://www.nytimes.com/2010/02/13/technology/internet/13google.html
Initially Google made some very, very minor changes, but now is revising the auto-follow to auto-suggest, where they will suggest people you might want to follow. Still, it isn’t all about who you follow, they also show the world who you follow. There are some privacy settings, but on initial roll out your information was already shared unless you didn’t create a public profile.
If you care about privacy it is extremely difficult to maintain it with Google products.
My suggestion is that if you have a Google profile, public or private, you delete it. Then I suggest you delete all of your contacts. You might first wish to make a list with their email addresses, etc., but I would delete all contacts. You never know how Google will choose to share this information without your permission. This does mean that you will not be able to use Google Chat, but there are many other free chat programs that pose less risk to privacy than Google does.
My thought is that the next Google product will be Google Gossip, where Google will scan your Gmail messages for juicy sentences, take them out of context, and then send them to all of your contacts. For example, I might write to a friend that “Right before leaving my last job I decided it is time to look for a new job.” The next thing I know, Google will send a message on my behalf to all of my contacts saying “Randy says ‘it is time to look for a new job’”. Of course this would get back to my boss and guess what happens at review time :) OK, perhaps exaggerated a bit, but Google does not think about basic privacy when they launch a product.
If you have a Gmail account and have not logged in recently, I recommend you log in and turn off Buzz at least until Google has fixed their mistakes and there has been time to test it.
You can see Google’s apology at http://gmailblog.blogspot.com/2010/02/new-buzz-start-up-experience-based-on.html
If you have any general computer security questions, feel free to contact me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Does This Ring a Bell?
Regardless of our practices, we all know that it is important to use security software on our computers and to back up our data, but do you think the same about your phone?
Smart phones are becoming more and more like computers. We store extensive lists of contacts, email, music, and other data on the devices. Smart phones are being used more and more to conduct business and that leads to some security concerns, so here are some tips to help you with a safer smart phone.
Perhaps one of the most important things is to get into a habit of backing up your data. Millions of cell phones are lost, stolen, or yes, even dropped in the toilet each year. One report I saw claimed that 1 out of every 4 iPhones is lost or stolen. It is bad enough to have to replace the device, but sometimes the data is worth even more. If you back up your data regularly then if your phone is lost, stolen or damaged you will have far fewer worries.
Smart phones come with the ability to lock the device when you are not using it. Locking your phone helps to protect your data if your phone is lost. Locking your smart phone is important if you have intellectual property on the device, but it can also help to prevent identity theft. Smart phones often have enough personal information stored on them to make identity theft easy if a bad person is the one who finds the device.
Encrypt your passwords. Many people store a lot of passwords on their smart phone. Smart phones generally have the ability to encrypt the passwords, but that is not usually the default. If your smart phone is lost will it give someone access to your email accounts and social networking sites? Perhaps you have online banking or other financially related passwords on your smart phone?
Consider Antivirus software. Actually, this is not an option for the iPhone, and Blackberries have had very few problems, although there is commercial spyware for the Blackberry. For many other types of smart phones there is antivirus software available and this adds a layer of defense. The smart phone is gaining popularity with the criminal element since these devices are more frequently being used for a variety of activities which can profit criminal organizations. Yes, even access to your Facebook or MySpace account can be of value to a criminal. Malicious software can steal information off of your smart phone without you knowing it. Unfortunately, Apple will not allow antivirus for the iPhone as their marketing is far more important to them than end user security.
Speaking of Apple security, just as you patch/update your operating system, you need to keep your smart phone’s operating system up to date. It is worth taking a little time to find out how to do this for your specific device. An iPhone has to be connected to a PC with iTunes running in order to update the operating system, and Apple just fixed some serious vulnerabilities on the iPhone. Almost all devices have had some security updates at some point, so save yourself a hassle and make sure you are up to date.
Now for the easy one… Put a label on your smart phone. Believe it or not, there are a lot of honest people out there and if you lose your smart phone there’s a decent chance a person will return it if they know how to. The label should include at least a first name and an alternate number to call if the device is lost. If you lock the phone a person may not be able to find anything out to help them return the phone, but a label can help you get the device back faster. Yes, there is a concern that the label gives away some information about you, but you have to weigh the risk and potential benefit for yourself.
If you have any general computer security questions, feel free to contact me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Stubborn, OK… Mule NO!
One of the big scams involves what we call money mules. A money mule is a person who is used to transfer money for the criminals. The way the scam typically works is a person receives an email telling them that they can work from home. The work involves transferring money in and out of their account and they get to keep a percentage of the money. In reality the money is being stolen from someone else’s account. When the first victim becomes aware of the theft and notifies the bank then the mule becomes responsible for all of the money, not just the percentage they were told they could keep.
For example, the mule may be told they get to keep 10%. A transfer of $10,000 is made into their account and they transfer $9,000 to another account or via Western Union. When the bank catches up the mule becomes responsible for all $10,000.
Sometimes the “job offers” appear to come from well known companies like Texaco. Other times the bogus offers come from companies that claim to be financial services organizations. One scam I received claimed I would be a secret shopper to report on the customer service of Western Union and another financial institution.
In a rather humorous blog post, Brian Krebs, formerly of the Washington Post, tells of the top 10 ways to get fired as a money mule: http://www.krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/. Of interest, Krebs reports that the money mules get used for one transfer and then the criminals ditch them. This makes sense since the crooks know they just stung the mule as well as the person who initially got ripped off.
Oftentimes the criminals target people looking for jobs at websites like Monster.com and Careerbuilder.com. They know these people are sometimes desperate for a job, so the job they offer has very tempting wages. Probably just as often, the bogus job offers come through untargeted spam runs.
Evidently there are a lot of very gullible people as the FBI reported that money mule scams topped $100 million last year, and that is only in the US.
The biggest sign that a communication is a scam is that it looks too good to be true. The wages I have seen offered range from about $2000 a month for a couple of hours of work to about $17,000 per month. Most of the mules don’t have any experience in the financial transaction industry. A very high paying job for a person with no experience is too good to be true.
If you have any general computer security questions, feel free to contact me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Where Do You Get Your News?
I read a story today about a hoax that Johnny Depp had died in a car accident. The story is bogus but “sensational” news is a magnet for malicious attacks.
It seems the rumor started on Twitter and supposedly CNN had news about it as well. People who pay attention to details would know that the “CNN” story was not on CNN, but if you don’t pay attention to the details you will be easily fooled.
I recommend you take a look at this video produced by Graham Cluley, a friend of mine: http://www.youtube.com/watch?v=LPBhaVduF-Q
The video does a great job showing how the criminals trick people into installing malicious software by making some quite believable news. While social networking sites can be used to share breaking news, such as the landing of a jet in the Hudson River, you should be very, very cautious about clicking on links to news stories. If the story is legitimate you can type in www.cnn.com or www.msnbc.com, or whatever your favorite web site is. If the story is that big and it is real, you’ll find a link to it right on the front page.
The thing to remember about the internet is that anything can be spoofed. Be very wary. It is one thing if you and I are talking face to face, but quite a different thing if we are exchanging email or instant messages. If my account gets hacked then it does appear that I am the one saying things to you.
Recently 32 million social networking site accounts were compromised through poor security practices and an exploit. Rockyou.com, a developer of applications for social networking sites like Facebook, MySpace, and many others, had its entire database stolen. The database included email addresses and passwords for over 32 million people. It would be trivial for the attacker to impersonate any one of those users and send an email with some sort of sensational news and a link to the story.
Whenever you are dealing with a computer it is a good idea to step back for a moment and realize that email and instant messages are not at all the same thing as speaking with a person face to face. A bit of skepticism is healthy.
When someone sends you a news story it makes a lot of sense to independently verify the facts. Type in the website of your favorite news organization. Check out www.snopes.com for hoaxes before you pass along the “big story”.
In some ways the Internet is not all that much different than driving a car. You have to be alert at all times or bad things will happen.
If you have any general computer security questions, feel free to contact me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Webmail Privacy
Google recently announced that it has changed the default setting on Gmail to always read email through https, which means if you are at a coffee shop reading your email, and you have the new Gmail default setting, your communications will almost certainly be private.
This setting is not automatically changed for existing users though. If you already have a Gmail account, then to help make sure your email is private when you read it from Gmail, log into your account, go to the Settings page and, under General settings where it says “Browser Connection”, make sure that you have checked “Always use https”.
Google has had several issues with respect to security and privacy, but with this move they completely show other webmail providers, such as Hotmail, Live, Yahoo, and even large ISPs, such as Comcast, as the privacy-apathetic corporations that they are.
Google was the first major webmail provider to offer the option of having an encrypted email session. The other providers only encrypt your log on.
If you use webmail for sensitive communications, you might consider a Gmail account for the privacy considerations that no other major webmail provider cares enough to offer.
You can read about the Gmail change at http://www.theregister.co.uk/2010/01/13/gmail_default_encryption/
Please feel free to email me at askeset@eset.com if you have any security related questions.
Randy Abrams
Director of Technical Education
ESET LLC
Seller Beware!
There is a common scam many people are falling for. You decide to sell something, and find an eager buyer. Usually, but not always, the buyer lives a great distance from you. The price is agreed upon and they send you a check. After the check is sent they contact you and say that they or their accountant, or someone else made the check out for too much… perhaps hundreds or thousands of dollars more than the agreed price. The scammer then asks you to send back the overpayment.
The way that the scam works is that the check is fake or stolen. In time, the bank will inform you the check was bad and you will be liable for the full amount of the check. If you already sent the item for sale, you will have lost that as well.
If you take a personal check for an item you sell, it is a very good idea to check with the bank to make sure the check is legitimate and then wait a few days to make sure it does not come back. If someone claims to have sent you too much money, tell them to send a new check for the correct amount and return the old check to them with the word “VOID” written across the check. Even then, ask the bank when it will be certain that the check is good. Federal banking regulations require banks to make deposited funds available even before the check actually clears. You can spend the money and then be told it was bad and you are on the hook for it.
This scam is not limited to checks. PayPal and other forms of payment can also be used by thieves. An overpayment is a very reliable sign of fraud. Don’t fall for it!
If you have any security questions or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
PDF Safety
A decade ago macro viruses were ravaging corporations and individuals who had Microsoft Word and Excel. Microsoft learned security the hard way and at the expense of a ton of customers – potentially millions of customers. Microsoft did figure out how to fix the problem and macro viruses are virtually extinct on all but very old versions of Office. Back in that day Adobe PDFs were the safe alternative to Word documents, but times change. Adobe wanted to add functionality to the PDF format so they introduced JavaScript to PDF files. JavaScript is a very powerful programming language that is used all over the web by both good guys and bad guys.
Unfortunately Adobe combined an insecure implementation of JavaScript with vulnerability-ridden products, and the result is that for a couple of years now we have seen JavaScript exploited in PDF files, often as part of an attack against exploitable vulnerabilities. Users of Adobe Reader and Acrobat would have dodged many attacks if Adobe had properly configured their products to begin with, and if they had learned from a Microsoft mistake that is almost 15 years old.
Currently the highly risky configurations of Adobe Acrobat and Adobe Reader are being successfully exploited on a regular basis to effect drive-by infections. This means you can simply go to a website and immediately infect your computer without clicking on anything. The typical attack involves the bad guys finding a vulnerability they can exploit and then, by using the functionality of JavaScript, finishing the job of infecting your computer.
There is good news for you though…you can pretty easily configure Adobe Reader properly to dramatically improve your security.
Open Adobe Reader (or a PDF if that’s easier for you). Go to the Edit menu and select Preferences. About halfway down the Preferences panel you will see the word “JavaScript”. Click on that word and then at the top uncheck the box that says “Enable Acrobat JavaScript”.
The vast majority of attacks against Adobe products will fail to do anything harmful if you have disabled JavaScript. There are very, very few times that the average user will encounter a PDF that uses or requires JavaScript. If you need to enable JavaScript for a specific PDF you can do so, but remember to disable it again when you are done.
The other action you need to take is to make sure you are using the most current version of Adobe Acrobat or Adobe Reader. Adobe Reader is the free product. From the Help Menu in Reader you can check for updates. I recommend you do this now if you have not done so recently!
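Disabling JavaScript in the reader is the fix the column recommends; the companion question for anyone who handles PDFs from email is whether a given file even contains script or an action that runs it on open. The following is an added example, not code from the column or from ESET, in the spirit of triage tools such as pdfid: it counts the PDF name objects behind this advice (/JavaScript and /JS), the triggers that make such code fire when the file opens (/OpenAction, /AA), and the external-program action /Launch. PDF syntax allows a name to spell characters as #xx escapes, so tokens are normalised before they are compared. The two sample PDFs are constructed in-line for the demo.

```python
"""Triage check for PDFs that carry JavaScript or auto-run actions.

Added example (not from the original column, not an ESET tool): a defender's
first look at a PDF before opening it. It counts the risky name objects in
the raw file and reports whether script is present and whether it is wired
to run on open. The sample PDFs below are constructed for the demo.
"""
import re
from collections import Counter

# Name objects worth flagging in a PDF that arrived by email or from the web.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# A PDF name token: a slash followed by "regular" characters (no delimiters
# or whitespace). The #xx escape form is made of regular characters too.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def _normalise_name(token: bytes) -> str:
    """Decode #xx escapes so that /J#53 is recognised as /JS."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), token)
    return decoded.decode("latin-1")


def count_risky_names(pdf_bytes: bytes) -> dict:
    """Return {name: occurrences} for every risky name present in the file."""
    counts = Counter()
    for token in _NAME_RE.findall(pdf_bytes):
        name = _normalise_name(token)
        if name in RISKY_NAMES:
            counts[name] += 1
    return dict(counts)


def verdict(pdf_bytes: bytes) -> str:
    """One-line summary: is there script, and is it set to run on open?"""
    counts = count_risky_names(pdf_bytes)
    if not counts:
        return "no JavaScript or auto-run actions found"
    found = ", ".join(sorted(counts))
    has_js = "/JavaScript" in counts or "/JS" in counts
    auto_run = "/OpenAction" in counts or "/AA" in counts
    if has_js and auto_run:
        return "JavaScript that runs on open: " + found
    if has_js:
        return "contains JavaScript: " + found
    return "auto-run or launch actions present: " + found


# Constructed sample 1: a plain one-page PDF with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the catalog's /OpenAction points at a JavaScript
# action. The subtype name is written in the #xx escape form that PDF
# syntax allows (/J#61vaScript), which a plain string match would miss.
# The script itself is only a harmless alert box.
JS_ON_OPEN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert("demo")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, data in (("clean.pdf", CLEAN_PDF), ("js_on_open.pdf", JS_ON_OPEN_PDF)):
        print(f"{label}: {verdict(data)}  {count_risky_names(data)}")
```

A file that comes back clean from this scan is not proven safe: objects inside compressed object streams are not visible to a raw byte scan, so a thorough check decompresses streams first. The point of the example is the reverse direction: a PDF that reports JavaScript wired to /OpenAction is exactly the kind of file the reader setting above neutralises.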
If you have any questions about any security topics or if there are any topics you wish to see addressed here feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Passwords101
Last week I put the cart before the horse and gave you a supplement to passwords 101. This week is passwords 101. We all seem to hate passwords and I’m not going to promise to make you like them, but I can help you make better passwords that are easier to remember.
Let’s start with a little bit of non-geeky password theory. Have you ever forgotten the combination on a 3 number lock? You know, the kind they sell for suitcases or that may be built into a briefcase. I’m sure you realize that if you are patient enough you can try all of the possible combinations and eventually open that lock. Man, it is a boring process and I have done it before, but thankfully I got to the combination before I had to try all 1,000 combinations. Computers are not easily bored and they can try billions of combinations, each with the same enthusiasm as when they started.
It is for that reason the following passwords are not good. Never use a single word. There are about a million words in the English language and a computer can try them all very, very quickly. Did you add the number 1 to the word? The password cracking programs know that trick too, so it doesn’t help much. Don’t use all numbers unless you have to, such as in the case of a bank PIN.
Short passwords are really bad as the computers can guess them quickly also.
There are 52 characters in the English alphabet if you include uppercase and lowercase. Although this makes a large number of possible combinations, it isn’t such a large task for a computer. If you mix in numbers then the possible combinations increase dramatically and it takes a computer much longer to crack the password. Now, if you add special characters, such as commas, percent signs, and so forth, the number of possible passwords starts to get really, really big. This is why many experts say to use uppercase, lowercase, numbers and special characters. The problem is that this also can make it practically impossible to remember your password, so you write it down and somebody reads it and your great password is defeated.
There is another very, very important factor in the strength of a password and that is the length. Remember the 3 digit lock I told you about? I have one with four digits. I have not had the patience to try all 10,000 combinations. The longer your password is, the longer it takes a computer to crack it. The length is actually more important than the use of all of the different character sets. If you use only lowercase letters and make your password 18 characters long, it is stronger than a password of 8 characters like e#3s)=dZ. It has to do with math. The number of 8 character passwords using all of the character sets is still smaller than the number of possible 18 character passwords only using lower case. That said, using more character sets is a big help.
So, how do you make a strong password that you can remember? I have a few favorite tricks.
I like equations. Can you remember 1Hundred+900=1000? Don’t use this one since everyone here is reading it, but there are a ton of different equations you could use. The password has good length and uses upper and lowercase letters, numbers, and special characters.
Here’s another one… My wife and I married in August 1995.
No, really, that is a password. We call it a passphrase. It will take a computer years to crack that one. Yeah, it has personal information, but you wouldn’t be able to guess the nature of the sentence I used it in. I could have worded it “In August 1995 I married my wife.”
You can use personal information, but not just a simple date. If you use a sentence, it is important to mix in numbers in it because a computer can put together words as well.
The other issue we face is that even using great passwords there are too many to remember. As I mentioned last week, I use a program called Password Corral and you can find it at http://www.cygnusproductions.com/freeware/pc.asp. This program will let you keep passwords as well as other information securely stored. The key is that you need to have a master password that is really, really good and that you can remember. One trick is to make an easy to remember password, then write it down 10 times (or more) every day for a few days. Always completely destroy the paper you wrote it on and the paper under it - writing leaves imprints. Writing things down helps us to remember longer. Password Corral also lets you set reminders to change your passwords. New Year’s might be a great time to always change your passwords!
Passwords are an important part of security, but they only work well if you use good ones.
If you would like more examples of types of passwords that are easy to remember, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
A Supplement to Passwords 101
New Year’s is a time that I use to remind people to change their passwords, and instruct them on how to create a great password. One of the problems is that most people can’t remember which password is linked to which website.
One of the best practices for businesses is to know where all of their computers are and to know where all of their wireless and wired access points are. If you don’t know what you have, you can’t protect it and you are seriously exposed to attack. Knowing all of your accounts is also important, regardless of whether you are a small, medium or enterprise-level business.
So-called experts often advise not to write down passwords. This is rubbish. It’s all about where you write and store them. If you write your password on a post-it note, then remember that the next piece of paper probably contains an imprint that can be recovered by shading the paper with the side of a pencil, but other than that, keeping the passwords locked in a secure place is fine. In some cases I don’t even keep track of my passwords. If I have to give a password to read a news article at a site I rarely visit, I’ll type in a very long password and then not worry about it. If I have to go back, there’s a way to reset the password.
For the accounts you do care about, it is important to use unique passwords for each account. There are software and paper solutions for this. Keeping the accounts in a Word document or Spreadsheet that is left on your computer is a really bad idea, as is posting most passwords on your monitor, but there is software that can help you.
One of my favorite tools is called Password Corral and it is developed by a company called Cygnus. It lets me type in all of my accounts, their websites and my passwords, while keeping all the information encrypted. This means I don’t have to worry about people stealing my computer and discovering all of my passwords. By entering everything into the program I also keep an inventory of the sites I use passwords at and I can set reminders to expire the passwords so I am reminded to change them. Changing passwords on a regular basis is an important part of security! If you don’t change your passwords then an attacker has as much time as they like to try to crack them. If you do change your passwords and an attacker finally cracks your old password it won’t help them. There are programs that can automatically try to crack your password, but if you have a fairly good password it can take months to crack. If you have a great password it can take years to crack. If you use a single word, in any language, it can take minutes to crack. If you add a number to the end of the password it doesn’t help much, but if you are going to do that, use a large number, like 10,002. That little comma makes your password much better!
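The reasoning in Passwords 101 (the 3- and 4-digit locks, the million-word dictionary, 18 lowercase letters against 8 characters from the whole keyboard) and the cracking-time claims in this supplement all come down to the same arithmetic. The following is an added example, not code from either column or from ESET, that carries that arithmetic through: it computes the keyspace and bit strength for each case and converts the keyspace into worst-case search time at an assumed rate of one billion guesses per second. That rate is an assumption chosen for the illustration, not a figure from the columns; real rates depend on the hash in use and the attacker’s hardware.

```python
"""The arithmetic behind Passwords 101: keyspace, bits and time to crack.

Added example, not part of the original columns. The guessing rate is an
assumption for the demo, not a figure from the text.
"""
import math

# Character-set sizes behind the columns' examples.
DIGITS = 10          # the suitcase locks
LOWER = 26           # lowercase letters only
LETTERS = 52         # upper + lower, as the column counts them
ALNUM = 62           # letters + digits
PRINTABLE = 95       # letters, digits and the printable ASCII specials

ASSUMED_GUESSES_PER_SECOND = 1_000_000_000   # assumption for the demo


def keyspace(charset_size: int, length: int) -> int:
    """How many distinct passwords of exactly `length` symbols exist."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits (log2 of the keyspace) for a uniformly random password."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def dictionary_guesses(words: int = 1_000_000, suffix_variants: int = 10) -> int:
    """One word (about a million in English) plus a single trailing digit:
    the attacker walks a word list with suffixes, not the full keyspace."""
    return words * suffix_variants


def long_lowercase_beats_short_mixed(lower_len: int = 18, mixed_len: int = 8) -> bool:
    """The column's claim: 26**18 candidates exceed 95**8."""
    return keyspace(LOWER, lower_len) > keyspace(PRINTABLE, mixed_len)


def describe(label: str, charset_size: int, length: int) -> str:
    """One table row: bits, candidate count and worst-case years at the assumed rate."""
    years = worst_case_seconds(charset_size, length) / (365 * 24 * 3600)
    return (f"{label:<34} {entropy_bits(charset_size, length):6.1f} bits  "
            f"{keyspace(charset_size, length):.2e} candidates  "
            f"{years:.2e} years at 1e9/s")


if __name__ == "__main__":
    print(describe("3-digit suitcase lock", DIGITS, 3))
    print(describe("4-digit lock", DIGITS, 4))
    print(describe("8 chars, full keyboard (e#3s)=dZ)", PRINTABLE, 8))
    print(describe("18 lowercase letters", LOWER, 18))
    print(describe("32-char mixed passphrase", PRINTABLE, 32))
    print(f"{'dictionary word + one digit':<34} "
          f"{math.log2(dictionary_guesses()):6.1f} bits  "
          f"{dictionary_guesses():.2e} candidates")
    print("18 lowercase beats 8 mixed:", long_lowercase_beats_short_mixed())
```

Two things the table makes visible that the prose only asserts: a dictionary word plus a digit is a search of about ten million candidates, which is why it falls in minutes at any realistic rate, and the 18-letter lowercase password has roughly 85 bits against about 53 for the 8-character mixed one, a gap of more than thirty bits, or a factor of several billion in search time.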
Next week, I’ll share some tips on making great passwords that you can remember, and soon after that I’ll share some predictions for 2010.
If you have any questions about any security topics or if there are any topics you wish to see addressed here feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Watch Out for Vishing
Vishing is the combination of voice and phishing. Instead of using email, the attacker uses the telephone to trick you into giving up personal information so that they can gain access to your bank account or credit cards. While I have not heard of it being used for stock market accounts or social networking accounts, there is no reason an attacker could not or would not target those accounts as well.
In the typical attack, a person receives a phone call from someone claiming to be from a bank or credit card company. They usually will state that there is a problem, such as someone using your account fraudulently, or that they are doing something related to security and verification. Sometimes the attacks are easy to spot if you pay attention. For example, in one case I heard of the attacker claimed they were calling about the person’s Visa, MasterCard or American Express credit cards. American Express is completely different from Visa.
Regardless, if you get a call from your bank or credit card company, insist on calling them back. You should be able to use the toll free number on the back of your credit card, or call your bank and they can tell you who to talk to.
In one particularly nasty attack scenario, the attacker claims they are transferring you through to your bank and they actually do. The problem is that the attacker is listening to the call so that when you provide information to your bank they capture it for later abuse.
If you receive a call asking you for information, then it is best to hang up and call back; don’t let them transfer you unless you made the call.
What about caller ID? It isn’t foolproof. With the advent of VOIP (Voice Over IP) it has become relatively simple to spoof the caller ID.
Keep alert and don’t blindly trust a caller claiming to be from a bank, credit card company, stock broker, PayPal, or most places. The best practice is to call back.
Randy Abrams
Director of Technical Education
ESET
Anti-Phishing Made Easy
Here are two simple rules. Follow these rules and you are far, far less likely to become a victim of phishing.
Rule number 1
Never give out your password to anyone.
There are fundamentally two types of people who ask for your password… thieves and idiots. You don’t want to give your password to a thief and if you give it to an idiot the idiot will probably do something completely stupid with it.
So you get an email saying that they are cleaning up inactive accounts. Perhaps they claim to be doing something security related. Whatever the excuse, they tell you that you must send some information, including your password. The email was sent by a thief. It does not matter if you believe it was Gmail, or Hotmail, or Yahoo, or Google, or Facebook, or MySpace, or anyone else. Even if you believe it was a legitimate email and they threaten to close your account, sue you, sell your kids, force you to take their kids, whatever, the email is not legitimate, it was sent by a thief. This is 99.9999999999% accurate. What about the other .0000000001%? It was an idiot who would most certainly do something stupid with your password.
Please spread the word. Especially if you have naïve friends, let them know that 100% of the requests for their passwords are from thieves. Even if the email threatens grave consequences, it is a lying thief who sent the email. In fact, let’s stick with round numbers. It’s easier to tell your naive friend 100% than to explain the idiot quotient.
Now it is possible that you could be at work and get a call from helpdesk and the technician says that your password is required. This is a common trick. It isn’t the helpdesk technician who is actually calling, it is an impersonator. In the case that I might be wrong and it is actually helpdesk, then it is an idiot asking for your password and they can’t help you anyway because they are…well…an idiot. It is possible the technician is only following policy, in which case he works for an idiot and is doing the bidding of an idiot and the chain of trust is too weak to give up your password.
If, God forbid, you ever do give up your password, go change it immediately… then come back and finish reading this.
Rule number 2
Do not click on an email link that leads to a financial or social networking website.
In fact, if you click on a link in an email and have to log into any site at all, close your browser immediately without logging in, then type in a known good website to log into your account. For example, you get a friend request for your Facebook account and you click on the link. You see a screen that says you must log in first. Close your web browser. Open the browser again and type in www.facebook.com. If the email was legitimate then you will be able to handle the friend request without using the link in the email. If you make an exception to this rule you will become a phishing victim.
You get an email from your bank that says for some reason you must go to their website to resolve an issue. Do not click on the link in the email. Type in the address you know to be valid for your bank – and don’t refer to the email, it may try and trick you. If you don’t see a problem for you to take care of, then call your bank and ask them.
You get an email from PayPal. Close the email without clicking on the link and open your browser and type in www.paypal.com and log into your account. Anything the email says needs to be taken care of will be available from your account there.
There are two types of organizations that send links to web pages requiring you to log in (and enter your password)… thieving organizations and organizations run by idiots.
Unfortunately many legitimate companies lack the common sense to never send a link that requires you to provide your password. These organizations are in effect actively teaching people to fall for phishing attacks. Even if you are certain the email is legitimate, do not ever use the provided link.
Follow these two rules religiously and you will almost certainly not become a victim of phishing.
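Rule 2 works because the text of a link and the place it actually leads are set independently by whoever wrote the email. The following is an added example, not code from the column or from ESET, that makes that concrete for a defender looking at a message body: it collects every link, and where the visible text names a site (www.paypal.com, www.facebook.com and the like) it checks whether the link really goes there. The sample message is constructed for the demo using the reserved example.net and example.org domains, and the “registrable” helper (last two labels of the host) is a deliberate simplification assumed by this example.

```python
"""Spot email links whose visible text names one site but lead somewhere else.

Added example, not part of the original column. The sample message is
constructed; the registrable() helper is a simplification for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a site name or URL, e.g. "www.paypal.com" or
# "https://www.facebook.com/friends". Group 1 is the host the text claims.
_HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a> in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def registrable(host: str) -> str:
    """Crude site name: the last two labels (paypal.com, example.org).
    Simplification: production code would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for each link whose text claims a different site."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlsplit(href).hostname or ""
        claimed = _HOSTLIKE.match(text)
        if claimed and registrable(claimed.group(1)) != registrable(target):
            reason = (f"text says {claimed.group(1)} but the link goes to "
                      f"{target or '(no host)'}")
            findings.append((href, text, reason))
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """
<p>Your account needs attention. Please log in at
<a href="http://example.net/login">www.paypal.com</a> to resolve the issue.</p>
<p>Help pages: <a href="https://www.example.org/help">www.example.org</a>.</p>
<p><a href="https://www.example.org/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

A link that passes this check is not thereby safe: text such as “Contact us” makes no claim to compare against, and a target host that merely resembles the real one is outside what the comparison catches. That is why the rule stays absolute: type the address you know rather than trusting any link that asks you to log in.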
Next week I’ll extend these principles to vishing, which is telephone based phishing.
Randy Abrams
Director of Technical Education
ESET
Is It Time to Upgrade to Windows 7?
Some people are wondering if Windows 7 is just more baked-over Vista hype. Vista is a Spanish word that brings visions of a beautiful view, but Windows Vista wasn't a pretty picture. Part of the problem is that many developers were not writing programs that would run without administrative privileges. Part of that problem was due to years of Microsoft training people to write programs improperly.
The good news is that both Microsoft and many developers have learned. Windows 7 offers enhanced security, especially in the business version, and far less nagging than Vista did.
If you are running Windows XP as a standard user, rather than as an administrator, you probably know enough about security not to need my advice. If you are running Vista you will probably enjoy the Windows 7 experience more.
Do you still need security software? Ask Microsoft... Their security products, including antivirus, are designed to run on Windows 7, and their employees run antivirus on all computers that connect to the corporate network!
If you have any security related questions or wish to see me cover any specific topics here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Look who Dressed Up for Halloween
Get ready for some really gruesome email, IMs, tweets, and other communications. As is the case with any major (or minor) holiday, the bad guys want to cash in. For the past few years Halloween has been a favorite of the bad guys and they like to dress their emails up as electronic greeting cards.
The fake greeting cards are usually very easy to spot if you know what to look for. First of all, the e-card does not come from someone you know. The e-card says it comes from a friend (but doesn’t name the friend), a family member, an admirer, a colleague, pretty much anyone that doesn’t actually have a name. The e-card comes from an address that is not a legitimate greeting card company. If you aren’t sure of the address then don’t click on anything in the email. If you think it may really be from a friend then ask them if they sent an e-card before you click on anything. If you don’t know what friend sent it then it wasn’t sent by a friend of yours… at least you must assume that if you are to be safe.
Another favorite of the criminals is to tell you there is a video. Perhaps funny, scary, gross, etc. Again, don’t click if you are not 1,000% certain it came from a friend who knows a lot about computer security. Many programmers know little about computer security, so don’t mistake knowing a lot about computers with knowing much about computer security.
If you do click on the link in the email and are told you need to install anything or something looks like it is scanning your computer and tells you that your computer is infected, immediately close your browser, this is an attempt to install malicious software on your computer.
This year I expect a lot more than email to dress up for Halloween, I think we will see instant messages, tweets, and messages on social networking sites, like Facebook and MySpace to purport to be Halloween related. Don’t click on the links!!!
In recent months there have been many email accounts and social networking accounts that have been hijacked. Just because you get an email from someone you know doesn’t mean they sent it. Especially when it comes to messages about holidays, funny videos, natural disasters, and other high profile news items, check with your friend to make sure they really sent the item and that they really know you before you click on a link.
Educate your employees. Your company’s network can be compromised by a single click on a malicious email and now is the witching season.
If you have any security related questions or wish to see me cover any specific topics here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
How Bad (or Good) is Antivirus Software?
A company named Trusteer recently released a report that found that up-to-date antivirus software detected a certain trojan (Zeus, the subject of the report) only 23% of the time. You can read the report at http://www.trusteer.com/files/Zeus_and_Antivirus.pdf
It is not a surprise that detection for this trojan is low. It is a big money maker, and the bad guys have time and surprise on their side. When the bad guys release a new version of the trojan they first test it against antivirus software. If many of the products detect the trojan, they change the program until few, if any, products can detect it.
There are valid questions about the accuracy of the results, but let’s assume that they are at least close. The study concluded that people with up-to-date antivirus software reduced their risk by 23%, but also that up-to-date antivirus software detected this specific trojan only 23% of the time. 23% is not a high rate of detection, but a 23% decrease in risk is still significant.
Antivirus, despite years of misleading marketing, cannot detect all new viruses and trojans. Antivirus software cannot come close to 100% detection of all of the real-world threats out there, but antivirus is a significant part of what security people call defense-in-depth. In a nutshell, you use multiple approaches and/or products for security and do not rely upon one product to make you secure… it won’t happen.
Cars have seatbelts. The use of seatbelts significantly decreases the risk of death or serious injury in car accidents, but it doesn’t come close to preventing all death or injury in car accidents. Air bags also reduce risk, crumple zones decrease risk, and things like good brakes and tires add to your driving defense-in-depth.
In addition to antivirus software there are personal firewalls, automatic and manual updating of software to increase security, a myriad of corporate products that include intrusion prevention and detection, and there is education. An educated user will make significantly better decisions and dramatically reduce risk. If you know never to give your password out, then when you get an email that says it is from Hotmail Support and you must give them your password or your account will be terminated, you aren’t going to be a victim of that phishing attack. If you know that pirated software is likely to contain viruses and trojans, and, armed with that knowledge, do not download pirated software, then it will not infect you.
So, if in the case of this particular trojan in the study antivirus is reducing risk by 23%, then I would say that as a part of a defense-in-depth strategy the antivirus software is making a significant contribution to security.
Antivirus software is not a good defense all by itself, but used in conjunction with other products and techniques it does carry its own weight.
If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
When is Updating a Bad Thing?
I often advise people to keep their software up-to-date by applying patches and using the most current versions of software. This advice is sound, but you need to understand when a new version of software is a bad idea.
One of the common attacks involves luring a user to a web page with a video on it. When the user tries to play the video, a dialog box appears that tells the user they need to install a codec to view the video. A codec is a piece of software that allows your media player to understand how to play the video. The most commonly used codecs are built into media players such as QuickTime, RealPlayer, and Windows Media Player, as well as most others. While there are times when a user might actually need a codec that isn’t built in, it is very rare, and virtually every time you see a popup that claims you need to install a codec it is not a codec at all; it is malicious software. Whenever you see a popup that says you need to install software, such as a codec, it is almost always going to be a scam to install malicious software. There are a few exceptions, but you should only install software downloaded from highly trusted web sites, which in practice means the developer’s own site. Social networking sites, such as Facebook, MySpace, Hi5, and LinkedIn, are not good sites to place much trust in. YouTube is not a site to trust when it comes to installing software.
Another common attack involves telling the user that they need a new version of Flash. As often as Adobe has been updating Flash to fix security problems, the likelihood that you really do need a new version of Flash is high. The bad guys know this, and they not only craft web pages that say you need a new version, but then pop up a file download box offering to install it for you. You should never install Flash, or other software, from anywhere other than the developer’s web page. If I need a new version of Flash I go to http://www.adobe.com/ to download the latest version.
Remember, keeping your software up-to-date is a great idea, but always update the software from the developer’s website, not when a web page says “Here’s the version you need”.
If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Spot the Phish
I recently received the following email:
----------------------------------
From: Google Mail Team [mailto:verifyscess@googledesk.com]
Sent: Sunday, September 13, 2009 2:11 PM
Subject: Warning Code:VX2G99AAJ
Dear Account User,
This Email is from Gmail customer care and we are sending it to every Gmail accounts owner for safety. We are having congestion due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted. We are sending this email to you so that you can verify and let us know if you still want to use this account. If you are still interested please confirm your account by filling the space below.Your User name, password, date of birth and your country information would be needed to verify your account.
Due to the congestion in all Gmail users and removal of all unused Gmail Accounts. Gmail would be shutting down all unused Accounts, you will have to confirm your E-mail by filling out your Login Information below after clicking the reply button or your account will be suspended within 24 hours for security reasons.
* User name: ............................
* Password: ................................
* Date of Birth: ............................
* Country Or Territory: ....................
Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.
Thank you for usingGmail!
The Gmail Team
GMAILBETA
---------------------------------------------
Notice that the email came from “googledesk.com”, not google.com. This is one sign that it is a phish. The email came to an address that I never provided to Google as a backup email address, which is another sign. The subject line is unlikely for such a notification, but some might believe it. The grammar and spelling have errors. The fact that I am being asked for my password is a dead giveaway. Never, ever, ever give out your email password. If the email had you fooled and you thought that googledesk.com belonged to Google and was legitimate, the request for your password should be enough for you to either dismiss the email as a phishing attack or else forward the email to support@google.com and ask if it is legitimate. Google, Hotmail, Yahoo, and all other legitimate businesses will never ask you to disclose your password. If a legitimate business does ask you to disclose your password, then realize that they may be legitimate, but far too ignorant to be doing business with.
If I had fallen for this, the attackers could do many things with my email account. They could use it to send spam, they could use it to send my contacts links to malicious software, and they could impersonate me and try to convince my contacts that I am in trouble and need financial assistance immediately. If I had information, such as banking, or passwords, then other accounts could be compromised. If I used the same password for other email accounts the attacker may try to hack those accounts as well.
Any request for your password should always be refused.
If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Who Do You Trust?
One of the biggest problems we are seeing in the security industry is something we call “rogue antivirus”. Rogue antivirus products scare and annoy users into paying for a product that does little or nothing. The common scenario is that you go to a web page and it looks like your computer is being scanned. The web page, which may look like a real program, will tell you that your computer is infected when it really is not. Typically the popup that says you are infected will not be easy to get rid of, and people are annoyed into buying the fake antivirus product. In some cases the rogue product actually will detect some malicious software so as to attempt a claim that it is real antivirus.
Real antivirus products will never scan your computer if you did not install the product or if you did not specifically choose to perform an online scan. If you go to a web site and see something that automatically starts scanning your machine then close down your browser.
In some cases if your computer is already infected, the malicious software will download the fake antivirus software and make it look like you are infected. Sometimes the fake antivirus software will download malicious software to detect as well.
Before you pay money for an antivirus product you should do a little research to make sure you are buying a legitimate product.
Virus Bulletin has a large list of security vendors. While the list doesn’t tell you which is the best, if you are considering a product and it isn’t on the list you really should do a bit more research before you spend your money.
The list can be found at http://www.virusbtn.com/resources/links/index?ven
If you know someone who has fallen for the fake antivirus scam there is some good news. This particular breed of crook doesn’t want undue attention. In many cases a simple demand for a refund will work. These crooks know it is better to refund the money than to initiate complaints that result in credit card chargeback and law enforcement attention.
If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
May I Read Your Email?
Well, of course I can if you access your email from a wireless connection that is not using encryption. There are several different scenarios and if you do not understand them then you will not be able to decide what risk is acceptable to you.
Let’s start with the ISP scenarios. The ISP is the company that provides your home or business with internet service. Comcast, Cox, Warner, Roadrunner, and Verizon are some of the ISPs. When you get home internet service you get email accounts as well. There are a couple of ways you might read your email.
When you use your web browser, like Internet Explorer or Firefox, to read your email, you log into your email account and the ISP protects your username and password by using an HTTPS web page. Take a look at the web address next time you log into your email and see if it starts with https://. I bet it does! The problem is that after you are logged in the email is displayed in a web page whose address starts with http:// instead of https://. The difference is that with https the information coming and going to and from your computer is encrypted. That means that if you are using a wireless connection I might be able to intercept the information, but it will be jumbled. The email you read has no such protection from most, if not all, ISPs. This means that if you are using wireless and do not have encryption, then someone near you can read your email also.
You might use Outlook, Outlook Express, or another program other than a web browser to read your email. By default, ISPs tell you to configure your program to send your username and password unencrypted. Yes, that’s right, ISPs such as Comcast really want you to send your username and password in the clear, so that any hacker on the same network can easily hijack your email account. From what I have seen from Cox and Verizon, they also default to insecurity.
Perhaps you use something like Gmail, Yahoo email, or Hotmail. Gmail is the only webmail provider I know of that has a clue about privacy. Yahoo and Microsoft have no option to read your email securely with a web browser. Gmail does allow you to configure your account to always use https, which protects your privacy.
Both Gmail and Hotmail allow you to use Outlook and other POP3 email clients. Yahoo leads the industry in disregard for security and privacy.
There are good reasons to use an email client for your email. With an email client you can download your email and store it on your computer. This means you can also keep a copy and delete what is on the server. The advantage is that if your email account is compromised the attacker will not have access to all of your archives. You can also read your email when you are offline and even compose replies to messages.
If you are not sure how to configure Outlook, Outlook Express, or another email program to send and receive your email with encryption, then you probably are not using encryption. When I asked Comcast how to do this they claimed it was not supported. I figured out how to make it work anyway.
If enough people tell their ISP that they need all email to be protected with encryption, then the ISPs will finally decide to learn a little about privacy and security. Today the landscape in general is ugly at the ISP level. The odds are that if you use public wireless access, or have a wireless connection at home without encryption turned on, your email can easily be intercepted, and potentially your username and password can be intercepted as well.
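What a passive listener on that unencrypted wireless network actually gets from the three ways of reading mail described above, as an added example that is not part of the original column: the scan below runs over the client side of a constructed capture and pulls out POP3 USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN, and the webmail session cookie that travels over plain http after the https login. The server names, user name and password are invented for the example; run the same scan over a text export of a capture of your own traffic to see what your client’s settings leak.

```python
"""Scan the client side of captured mail traffic for credentials sent in the clear.

Added example, not part of the original column. CAPTURE below is constructed
to look like POP3, IMAP, SMTP and webmail sessions carried without
encryption; the hosts, user name and password are invented for the example.
"""
import base64
import re

POP3_USER = re.compile(r"^USER (\S+)$", re.I)
POP3_PASS = re.compile(r"^PASS (.+)$", re.I)
IMAP_LOGIN = re.compile(r'^\S+ LOGIN "?([^" ]+)"? "?([^" ]+)"?$', re.I)  # tag LOGIN user pass
SMTP_AUTH_PLAIN = re.compile(r"^AUTH PLAIN (\S+)$", re.I)
HTTP_BASIC = re.compile(r"^Authorization: Basic (\S+)$", re.I)
HTTP_COOKIE = re.compile(r"^Cookie: (.+)$", re.I)


def scan(lines):
    """Return (protocol, username, secret) tuples recoverable from cleartext lines."""
    found = []
    pop3_user = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if m := POP3_USER.match(line):
            pop3_user = m.group(1)          # POP3 sends the name and password on separate lines
        elif m := POP3_PASS.match(line):
            found.append(("POP3", pop3_user or "?", m.group(1)))
        elif m := IMAP_LOGIN.match(line):
            found.append(("IMAP", m.group(1), m.group(2)))
        elif m := SMTP_AUTH_PLAIN.match(line):
            # RFC 4616: base64( authzid NUL authcid NUL password )
            _, user, password = base64.b64decode(m.group(1)).decode().split("\0")
            found.append(("SMTP", user, password))
        elif m := HTTP_BASIC.match(line):
            user, password = base64.b64decode(m.group(1)).decode().split(":", 1)
            found.append(("HTTP", user, password))
        elif m := HTTP_COOKIE.match(line):
            # No password, but a webmail session cookie is enough to read the mailbox
            found.append(("HTTP", "session cookie", m.group(1)))
    return found


# Constructed sample: what the client sent over ports 110, 143, 25 and 80.
USER, PASSWORD = "randy@isp.example", "Tr0ub4dor"
CAPTURE = [
    "USER " + USER,                                    # POP3
    "PASS " + PASSWORD,
    "STAT",
    f'a001 LOGIN "{USER}" "{PASSWORD}"',               # IMAP
    "AUTH PLAIN " + base64.b64encode(f"\0{USER}\0{PASSWORD}".encode()).decode(),  # SMTP
    "GET /mail/inbox HTTP/1.1",                        # webmail page after the https login
    "Host: webmail.isp.example",
    "Cookie: SESSIONID=3f9c0e1a7b",
]

# The same session after STLS / STARTTLS: the listener sees only ciphertext.
ENCRYPTED = ["STLS", "+OK Begin TLS negotiation", "\x16\x03\x01\x00\xa5..."]

if __name__ == "__main__":
    for proto, who, secret in scan(CAPTURE):
        print(f"{proto:5} {who:18} {secret}")
    print("after STARTTLS:", scan(ENCRYPTED))   # nothing recoverable
```

Nothing is recovered once the client switches to SSL/TLS, which is what the "SSL" or "TLS" checkbox in an email program’s account settings turns on; the standard encrypted ports are 995 for POP3, 993 for IMAP, and 587 with STARTTLS for sending mail.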
If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
What’s Your Mother’s Maiden Name?
Don’t tell me, just tell me where you live and I can probably figure it out from there. There are genealogy websites that may have that information. I also can buy stolen identities that could have that information as well. What high school did you go to? That information is probably online as well. Classmates.com has lots of people indexed. What am I getting at?
When you sign up for an account online, such as Yahoo mail or Hotmail, they often have a “secret” question in case you forget your password. The problem is that the question isn’t secret and the answers are generally not secret. You may recall that Sarah Palin’s email account was hacked. This was done by a kid who knew her email address, tried to log in, got the password wrong and then correctly answered the password reset questions.
When you have to use password reset questions, there is only one correct answer to each question, but there are unlimited incorrect answers. For your security you should always use an incorrect answer; it is much harder for an attacker to guess the wrong answer. The problem is that you need to remember what it was that you gave as an answer. There are some tricks to help you remember, and you can write the answers down as long as you store them securely.
A favorite movie can provide memorable answers for you. Perhaps for your mother’s maiden name you could use “Skywalker”. Your favorite dog? A Wookie. Your first car? The Millennium Falcon.
Maybe you are a fan of Egyptian culture. Your mother’s maiden name was Cleopatra, you attended Cairo High School, and your first car was a Camel.
Perhaps not quite as secure, but probably good enough, you can jumble the answers. Use your first car as your mother’s maiden name, and your mother’s maiden name as your high school.
Regardless of the technique you find most easy to remember, it is a really good idea to use the wrong answer for your password reset questions.
If your email account gets hacked, it can be used to trick friends into installing malicious software. Another attack involves sending an email that says you are stranded and need money immediately to get home. The email actually comes from your email address and account, so it looks very believable. Finally, sometimes the account is not actually taken over, as in you are not denied access, but your email account is used to send spam. This can cause your legitimate emails to be flagged as spam.
Now is probably a good time to change the answers to your password reset questions if you answered them truthfully.
If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Has Your Web Mail Account Been Hacked?
Recently Microsoft reported an increase in the number of hijacked Hotmail accounts. In these cases the attackers are not changing the passwords to take control of the accounts, they are simply using the accounts to send spam. The user doesn’t generally know that someone else is using their account as well.
The most common way that the hackers get the passwords is through a phishing attack. Many users have received emails that appear to come from “Hotmail Technical Support” and claim that they must know the password or the account will be terminated. This is never true. Hotmail, Gmail, Yahoo mail, and all other legitimate email providers will never ask you to disclose your password. When you get an email from “technical support”, or anyone, it is always a good idea to look at the email address itself, not just the friendly name. Even if the email appears to come from the right place, if it asks for information, go to the provider’s support, for example support@hotmail.com, if you have any question about the validity of the email. If the email asks for personal information, or says there is a problem with your account, then you should question whether the email is legitimate.
It is a very good idea to change your password from time to time. If a hacker is using your account (and this applies to any provider, not only Hotmail), then you will cut off their access by changing the password. Another common way to hijack accounts is to change the password using the password reset questions, so for accounts that have password reset questions, be sure you don’t answer the questions truthfully. For most people it isn’t hard to find their mother’s maiden name, the high school they attended, etc.
Next week I will go into more detail about password reset questions and how to effectively deal with them. For now, if you haven’t changed the password on your email account for a long, long time, it is probably a good time to change it now!
If you have any general security questions, or topics you would like to see covered here, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Router Security
So, we talked about patching the operating system and the applications, but there is still one thing left… the router. I hope you have a router.
A router allows you to share an Internet connection with multiple computers. Some routers provide wireless networking as well. Most routers include a basic firewall, and that is a good thing. However, you still want to have a personal firewall, like the kind included with antivirus suites or offered by other software vendors.
From time to time vulnerabilities are discovered in routers as well. Routers today rarely, if ever, have the ability to automatically update themselves. You need to look up the model of the router you have and go to the vendor’s website to see if there is a firmware update available. If you do not use the most current firmware, then a remote attacker can potentially take over your router, and that is really bad news. When a remote attacker controls your router they can control which websites you go to and may be able to penetrate your network.
Many routers hand out DNS settings to the computers behind them and forward their DNS requests. DNS is what translates www.eset.com to an IP address such as 72.3.254.86. These numbers (IP addresses) are how computers know where to find www.eset.com. If an attacker can control your DNS, then when you type in your bank’s website they can make your computer go somewhere else, like to a fake online bank that captures your account information while you think you are actually logging on to your online banking.
You should also take other steps to secure your router. Brand new routers have a default administrator account, and the password is the same for all routers of the same brand and model. If I know you have a Linksys router, then I can easily find the default password on the web. Having the administrator account information can allow an attacker to control your router as well. Make sure you change the default password on your router. You can even write it down and put the paper in the box your router came in. Do save the box, or at least the instructions that came with the router.
Most routers can be administered remotely, from the Internet side. Newer routers usually have remote administration turned off, but it is a good idea to check that yours is turned off.
If you don’t have a router, it is a really good idea to get one. It doesn’t have to be fancy or expensive - even the cheap ones provide some additional protection.
Wireless routers allow you to encrypt the information sent between your computer and the router. This is also used to control access to the router: if you do not have the security enabled, then anyone within range can use the router. When you enable the security, a password is required to connect. This helps keep the bad guys off of your network.
If you have a wireless router that is more than a few years old, it is a good idea to get a newer one. The old routers used a security protocol called WEP. WEP has been found to be easily cracked, and the newer routers use a protocol called WPA2. There was WPA before it, but WPA2 adds some extra security.
To recap: Make sure you have a router. Make sure you have the most current firmware. Make sure that remote administration is turned off, or if you require it, then use a really good password to protect it. Make sure you have changed the default password, and make sure that you are using WPA2 (or at least WPA, never WEP) for security. These are the absolute basics for router security.
Randy Abrams
Director of Technical Education
ESET LLC
The Identity Theft Problem
It was recently reported that three men were indicted in the largest identity theft bust in US history http://www.reuters.com/article/topNews/idUSTRE57G4GC20090817. There are steps you can take to reduce your chances of being a victim of identity theft and credit card fraud, but in this case most of those steps would not have helped.
One of the ways that ID theft and credit card fraud occur is by malicious software stealing information off of infected computers. The defenses against this type of attack include keeping your operating system and application software current. The use of Microsoft Update and the Secunia scanner (http://www.secunia.com) can help you with this. Another way that information gets compromised is through the use of public computers and wireless access points. If you are using a public computer, or a wireless access point that is not at home or at work, then never use it for anything that requires a password, a PIN, or other confidential information. Public computers can have malicious software installed on them, and wireless access points that are not properly secured can be “sniffed”, which means others can see what you are doing. Even at home your wireless access point needs to be secured, but that is material for a future article.
In the case of the recent bust, there was little you could do to protect your information, other than not use credit or debit cards. The companies that process the information were hacked and that is how so many credit card numbers were compromised. Although no unauthorized charges were made, both my wife and I had credit/debit cards that had been potentially compromised and we had to get replacements for them.
For some people, not using plastic is a choice they make. I personally like the convenience and recognize that there is risk in our lives every day. The key is to do what you can to reduce risk at a reasonable price and then live your life. No matter what security precautions you take, there will always be some level of risk. It is when you think that you have eliminated risk that you have a false sense of security.
Randy Abrams
Director of Technical Education
ESET LLC
A Tiny URL Can Be a Big Problem
A URL is the address of a website. http://www.eset.com is a URL. Sometimes URLs get quite long and it is convenient to have a shorter URL, so some smart folks came up with something called “redirection.” In a nutshell, redirection means you go to one URL and it sends your browser on to another one. This happens all of the time on the net for a variety of reasons. One reason may be that a web address has changed. For example, when Chase Bank was given Washington Mutual for a song and a dance, they became the “owners” of Washington Mutual’s depositors. One day Chase may no longer want to support Washington Mutual’s website, so I envision the day when you type in www.wamu.com and you will be redirected to http://www.chase.com, since that is where you need to be anyway.
Twitter is a popular social networking site that limits “tweets” (messages) to 140 characters, short enough to fit inside a 160-character SMS, or text message, with room left for the sender’s name. People often share URLs that are quite long, so in order to keep the message short they use a service called “TinyURL”. Now, I could go into great detail about TinyURL, but I think in this case the best way to learn is to try it out yourself.
Go to www.tinyurl.com and try pasting in a long URL and see what happens. I used http://www.pcworld.com/article/169790/why_attack_twitter.html and came back with http://tinyurl.com/l9csx7 for my new URL. These URLs lead to an article about Twitter.
The problem with TinyURL and related services is that you no longer can see the real website you are going to. The bad guys know this, so they use Twitter to trick people into clicking on URLs that take them to websites they normally would not visit.
There is a solution to the problem. At http://tinyurl.com/preview.php?enable=1 you can make TinyURL show you a preview of the URL you are going to be redirected to before you actually get there. Knowing where a URL is truly leading you to is an important part of computer security.
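TinyURL’s preview page does this for TinyURL links only. The same check for any shortener, written as an added example that is not part of the original column: walk the redirect chain one hop at a time, with the HTTP library told not to follow redirects on its own, so you know the final address before any page is rendered. The FAKE_WEB table is a constructed offline stand-in for the network; its tinyurl.com to pcworld.com hop mirrors the one in the column, and the short.example loop is made up to show the failure case.

```python
"""Find out where a shortened URL really leads without visiting the destination.

Added example, not part of the original column. resolve() walks a redirect
chain one hop at a time and refuses to let urllib follow redirects on its
own, so the final address is known before any page is rendered. FAKE_WEB is
a constructed offline stand-in; its tinyurl -> pcworld hop mirrors the column.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def http_fetch(url):
    """Real fetcher: HEAD request, returns (status, Location) without following 3xx."""
    class StopAtRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None           # returning None makes urllib raise the 3xx instead
    opener = urllib.request.build_opener(StopAtRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as response:
            return response.status, response.headers.get("Location")
    except HTTPError as err:      # 3xx lands here because we refused to follow it
        return err.code, err.headers.get("Location")


def resolve(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Return every URL in the chain, first to last; raise on loops or long chains."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)    # Location may be relative
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects starting from {url}")


def final_host(chain):
    """Host name of the last URL in the chain: the site you would actually land on."""
    return urlparse(chain[-1]).hostname


# Constructed stand-in for the network: URL -> (status, Location header).
FAKE_WEB = {
    "http://tinyurl.com/l9csx7": (301, "http://www.pcworld.com/article/169790/why_attack_twitter.html"),
    "http://www.pcworld.com/article/169790/why_attack_twitter.html": (200, None),
    "http://short.example/a": (302, "/b"),                        # relative Location
    "http://short.example/b": (302, "http://short.example/a"),    # loops back
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    hops = resolve("http://tinyurl.com/l9csx7", fetch=fake_fetch)
    print(" -> ".join(hops), "| lands on", final_host(hops))
```

Pass the default fetcher (leave out `fetch=`) to resolve a real link; a HEAD request to the shortener reveals the destination without fetching, let alone rendering, the page it points to, and a chain that loops or runs past five hops is itself a reason not to click.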
Try out TinyURL and the preview feature so you can see what is happening. If you still have questions, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Protecting Yourself from Bots (5 of 5)
This is the last one in this series. Not that there isn’t enough content for another dozen articles, mind you. It holds true that the best way to protect yourself from bots is exactly the same way you protect yourself from all other malicious software (malware).
There are some more advanced tools and techniques that are very effective, but they require you to learn a bit more about computers. If you learn a little more, you will be much more effective in using your computer safely, and you will probably be more efficient in using it from day to day.
One of my favorite programs is called Sandboxie. Sandboxing is a way of isolating things from the rest of your computer. It can be very similar to a virtual computer, but isn’t always. The way Sandboxie works is that it keeps everything your browser does away from the normal parts of the computer. If you download something bad and it runs, it will not mess up the rest of your computer. All you have to do is empty the sandbox. A little more education is required for downloading files, saving preferences, updating your browser, and deleting the sandbox. You also have to know to delete the sandbox before you do something like online banking. You need to know to run the browser outside of the sandbox when you want to install updates to it; otherwise each time you delete the sandbox you will have to update the browser again.
Firefox has an add-on called NoScript. This can be very effective in preventing bad stuff from running on your computer, but you need to understand when to allow scripts and when not to. A script is a program that runs on your computer. Almost all websites use scripts, so if you disallow all scripts, the Web is pretty useless. If you allow all scripts then there is no extra protection.
One of the mental obstacles people put up is that sometimes a program can look quite intimidating. However, you don’t have to learn all of the programs at once to reap some benefits.
It is quite helpful if you understand something called “the path”. No, I am not talking about a spiritual path, but rather understanding where your computer stores files and how to find them and move them around. If you try Firefox with NoScript you will soon learn that when you go to a website it may often include content from many websites.
Since these tools are so useful I’ll address some of the things you need to learn to use them effectively in future columns!
Randy Abrams
Director of Technical Education
ESET LLC
Protecting Yourself from Bots (4 of many)
Last week I promised some examples of the types of emails used to trick people into installing bots and other malicious software. This week I’ll make good on that promise!
On Halloween I received the following email.
----------------------------------------------------------------------------------
From: HappyHalloween [hairremoval@requisiteimpart.net]
To: AskEset@eset.com
Subject: Your Friend Has Sent You a Scary Halloween E-Card
----------------------------------------------------------------------------------
Inside the email there was a link to a website. If I had clicked on the link I would have been prompted to download a program that was not really an “E-card” at all!
Notice the "From" field. The friendly name is “HappyHalloween”, but the address is hairremoval@requisiteimpart.net. This is not the email address of a friend of mine or a known legitimate E-card company. That’s enough to know the email was fake.
The subject line is another clue. Legitimate E-Card companies use the name of the person who sent it, not something like “A friend”, or “Your mother”, or “A secret admirer”.
Here is another email example…
----------------------------------------------------------------------------------
From: lisao@wagged.com
To: Randy Abrams
Subject: Mail System Error - Returned Mail
Attachment: eset.com.zip
Dear user abrams@eset.com,
Your account was used to send a huge amount of junk e-mail messages during the last week.
Most likely your computer had been compromised and now runs a trojan proxy server.
Please follow our instruction in order to keep your computer safe.
Sincerely yours,
eset.com technical support team.
----------------------------------------------------------------------------------
Again, the "From" line was a great giveaway. It does not make sense for the sender to be sending me this information.
If my computer had been sending spam, my IT department would have contacted me personally.
The IT department would not send an email from lisao@wagged.com and the technician would have signed his name to the email. If everything but one of these items looks right, then it is still wrong.
A final example:
----------------------------------------------------------------------------------
From: Prince Bradshaw [p.tarin@keraben.com]
To: Randy Abrams
Subject: DHL Tracking number #04HAP39708CICS5
Attachment: dhl_n756512.zip (71 KB)
Hello!
We were not able to deliver postal package you sent on the 14th of March in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your personal manager: Prince Bradshaw,
Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.
----------------------------------------------------------------------------------
I’ll bet you already looked at the “From” address. Even though the email purports to be from “Your personal manager: Prince Bradshaw” the domain “keraben.com” is wrong. It should have been from DHL.com, except that DHL would not email me a file (attachment), so it is all wrong.
In fact, our IT manager sent an email warning to all of us. In the warning he stated:
If you do receive this email, you should easily distinguish that it is not from DHL with the following clues:
-the sender address is not from DHL. Anybody contacting you would have a @DHL.com address.
-DHL does not send invoices for you to print out so you can pick up a package
-There are no personal managers for consumer packages; this email pretends there is one
-Email notification from DHL will always be text based with NO attachments.
-DHL would not contact your business email address for personal packages
One other thing… It says that they could not deliver the postal package I sent... I didn’t send a package!!!
If there was any doubt I would have looked up DHL’s phone number and called them.
Other attacks have included PDF files that claimed to be invoices, a past due bill, and so on.
Paying attention to the details and knowing what they should be is a very effective way to prevent bots and other malware from being installed on your computer.
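The clues walked through above (a friendly name that has nothing to do with the real address, a sender domain that does not match the organization the mail claims to be from, and an unexpected attachment) can be checked mechanically. The following is an added example, not code from the column; the three sample messages are reconstructed from the emails quoted above, the "legit" message and the brand-to-domain table are constructed for the example, and the link URL is a placeholder.

```python
import re

# Organizations impersonated in the sample mails, mapped to the domain real
# mail from them would use. Constructed lookup for this example.
EXPECTED_DOMAINS = {"dhl": "dhl.com", "eset": "eset.com"}

ADDR_RE = re.compile(r"([\w.+-]+@[\w-]+(?:\.[\w-]+)+)")


def parse_from(value):
    """Split a From header such as 'Prince Bradshaw [p.tarin@keraben.com]' or
    'Randy Abrams <rabrams@eset.com>' into (display name, address)."""
    m = ADDR_RE.search(value)
    if not m:
        return "", ""
    addr = m.group(1).lower()
    name = value[: m.start()].strip(' "<[')
    return name, addr


def name_matches_address(name, addr):
    """True if some word of the friendly name also appears in the mailbox part,
    e.g. 'Randy Abrams' and rabrams@... share 'abrams'."""
    local = addr.split("@", 1)[0].lower()
    words = [w for w in re.findall(r"[a-z0-9]+", name.lower()) if len(w) >= 3]
    return not words or any(w in local for w in words)


def check_email(msg):
    """Return a list of (clue_code, detail) for a message given as a dict with
    keys From, Subject, Body and an optional Attachment line."""
    clues = []
    name, addr = parse_from(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1]

    # Clue 1: the friendly name is unrelated to the real address.
    if name and not name_matches_address(name, addr):
        clues.append(("display_name_mismatch",
                      f"friendly name {name!r} but address is {addr}"))

    # Clue 2: the mail mentions an organization (in the name, subject or body)
    # whose real domain the sender address does not use.
    text = " ".join([name, msg.get("Subject", ""), msg.get("Body", "")]).lower()
    for brand, expected in EXPECTED_DOMAINS.items():
        claims_brand = re.search(rf"\b{brand}\b", text) is not None
        from_brand = domain == expected or domain.endswith("." + expected)
        if claims_brand and not from_brand:
            clues.append(("brand_domain_mismatch",
                          f"mentions {brand.upper()} but sent from {domain}"))

    # Clue 3: an attachment you were not expecting, worst when it is an
    # archive, a program or a PDF "invoice".
    attachment = msg.get("Attachment")
    if attachment:
        fname = attachment.split()[0].lower()
        ext = fname.rsplit(".", 1)[-1] if "." in fname else ""
        kind = "risky" if ext in {"zip", "exe", "scr", "pdf"} else "unexpected"
        clues.append(("attachment", f"{kind} attachment {fname}"))
    return clues


# Sample messages reconstructed from the column; link URL is a placeholder.
SAMPLE_MAILS = {
    "halloween": {
        "From": "HappyHalloween [hairremoval@requisiteimpart.net]",
        "Subject": "Your Friend Has Sent You a Scary Halloween E-Card",
        "Body": "Your friend sent you an e-card: http://example.invalid/card",
    },
    "eset_support": {
        "From": "lisao@wagged.com",
        "Subject": "Mail System Error - Returned Mail",
        "Attachment": "eset.com.zip",
        "Body": "Dear user abrams@eset.com, Your account was used to send a huge "
                "amount of junk e-mail messages. Sincerely yours, eset.com "
                "technical support team.",
    },
    "dhl": {
        "From": "Prince Bradshaw [p.tarin@keraben.com]",
        "Subject": "DHL Tracking number #04HAP39708CICS5",
        "Attachment": "dhl_n756512.zip (71 KB)",
        "Body": "We were not able to deliver postal package you sent. "
                "Your personal manager: Prince Bradshaw, Customer Service: "
                "1-800-CALL-DHL",
    },
    # Constructed legitimate message: name and domain line up, no attachment.
    "legit": {
        "From": "Randy Abrams <rabrams@eset.com>",
        "Subject": "Re: next column",
        "Body": "See you at the ESET office on Monday.",
    },
}

if __name__ == "__main__":
    for label, mail in SAMPLE_MAILS.items():
        print(label, check_email(mail))
```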
Randy Abrams
Director of Technical Education
ESET LLC
Protecting Yourself from Bots (3 of many)
So far I’ve written about patching and using basic security software. There are many other topics that need to be discussed when protecting yourself from bots. Did you know that you might need to patch your router? I’ll write about that in another column. Understanding URLs is really important as well. If you haven’t done so, go back to the archives and look at the “Duke of URL” series. Understanding where your web browser is taking you is very important when deciding whether or not to trust a web site. Education is a critical component of protecting yourself from bots. A basic understanding of what computers can do, especially how they can lie to you, is really important.
One of the most common means of infection is from email that bots send. The primary means of tricking users is to include a link to a web site or an attachment. Many times the attachment trick will not work if your computer is patched, but it is not a good idea to open the attachments, even if your computer is patched.
The types of emails that I have seen used to spread bots include the following. In some cases the email may appear to come from someone you know. It is always a good idea to check with a known sender before you click on a link in email or open an attachment.
When there is a big news event or a holiday, always be suspicious of emails that talk about these things. One of the most common tricks is for the email to claim to show you a video of a disaster. The Storm worm got its name because it talked about a deadly and devastating storm that killed many people in Europe. The email included a link to a web site. Later the Storm worm claimed to be eCards for many different occasions; Halloween comes to mind. One common attack is to take you to a web page where a dialog box pops up and says you need a new “codec” to see the video. There isn’t a video worth downloading a “codec” for. Codecs are included with Windows Media Player, Real Media Player, QuickTime, and all legitimate media players. If a new codec is really needed then you probably have an outdated media player and should go to the Microsoft, Apple, Real, or other legitimate web site and download a newer version. If you are not signed up to receive emails about news events, then do not trust any emails you receive about news events. If you do normally receive such emails, always check to see that they really came from the source you expect them from.
Another trick is to send a PDF file that claims to be an invoice for an overdue bill, lottery winnings, a court summons, etc. The important thing is not to say “Ah, Randy warned me about the UPS delivery notice”; the important thing is to get the concept. If you are not expecting an email with an attachment, then do not open it until you have verified that it really is legitimate. Sometimes the attachments are Word documents, and sometimes they are programs, but they are designed to look like something else.
Typically if you look at the email address the emails come from you will see that they are not legitimate, if you understand email addresses.
In the coming weeks I’ll provide real examples of the scam emails. Please keep in mind that you want to understand the concepts. The actual emails are always changing, but with a little practice you can learn to spot the bad ones quickly and easily.
Randy Abrams
Director of Technical Education
ESET LLC
Protecting Yourself from Bots (2 of many)
Asking what is the most important thing for security is like asking what is most important on the car. Are the brakes most important? The steering wheel? Crumple zones? The list goes on and the most important item really depends upon what is happening. The same goes for computers. Patching your programs will proactively protect against many security problems, but there are many threats that do not require a vulnerability to cause problems. There are also some vulnerabilities that might not be a problem for you if you have additional security measures in place.
The use of security software is another part of protecting against bots. There are three basic programs and one piece of hardware that you shouldn’t be without. The software programs are antivirus, anti-spam, and a firewall. The hardware device is called a router. These are bare minimums, not an exhaustive list.
Antivirus is really no longer an accurate title. Malware is a combination of the words “Malicious” and “Software”. Viruses, trojans, bots, adware, spyware, rootkits, and other such programs are included in the term malware. Almost all antivirus software also protects against malware in general, however in some cases free antivirus products may not cover all of these different types of malicious programs.
It is important to understand that no antivirus product can or ever will detect everything. If someone thinks that since they have antivirus software they can use their computer however they like and be protected, find them a good therapist, but first take their computer away until their delusional behavior has effectively been treated. No security software protects against everything. When you see something like “Detects 100%” it means 100% of a small set of viruses and not anywhere even close to 100% of all threats. Still, most of the infected computers out there are infected with malware that most antivirus products have protected against for quite a while.
Anti-spam software is also good for security. At first thought one might be tempted to think that anti-spam isn’t for security, it is to prevent annoying email from coming in. The fact is that a lot of email designed to trick users into installing malware looks a lot like spam and the anti-spam can prevent these emails from getting into your inbox.
There are both hardware and software firewalls. In general, hardware firewalls are too expensive for the average home or very small business user to consider. However, a software firewall is essential. Windows XP and Vista include basic firewalls that are much better than nothing. Many security suites, such as ESET Smart Security (full disclosure: I work for ESET), include antivirus, anti-spam, and a firewall that is more advanced than the stock firewall that comes with Windows. Firewalls block many malicious attacks from the Internet. There are programs on the Internet that randomly attack computers many times each second of every day. Many of these attacks are thwarted simply with a firewall.
A router is a hardware device that goes between your computer and your cable modem, DSL modem, or even telephone line. Most routers include a simple firewall also. The firewall in these devices is rarely suitable for replacing a software firewall, but these devices are still a very important part of keeping your Internet connection secure. These devices also will usually allow you to use multiple computers with a single Internet connection. Common brands include Linksys, D-Link, Netgear, and Belkin, but there are many others. Personally I think it should be illegal to sell high-speed Internet access without a router.
When installing a router it is essential that you change the default username and password. There are some more advanced configuration options that it might make sense to change, but changing the default username and password is essential. In many cases it doesn’t even matter if you put the new username and password on a sticky note and leave it on the router… as long as you do not have remote administration enabled and do not use that password anywhere else.
There are other types of security software that can be very helpful, but typically they require a bit more than a novice level of computing expertise to use effectively.
Feel free to email me at askeset@eset.com with any security-related questions or topics you would like to see addressed in future columns.
Randy Abrams
Director of Technical Education
ESET LLC
Protecting Yourself from Bots (One of many)
I recently received the following from a reader:
Thanks for your info on the Chamber newsletter...it was very informative and, for me, scary. What can I do about 'bot' not infecting my computer?
The simple answer is that you do the same things that you would do to prevent anything from infecting your computer, but that probably doesn’t help much.
The hard answer is that you really need to educate yourself about computers. There are many tools to help keep your computer safe, and of all the tools, knowledge is the most important one. Knowledge allows you to properly use all of the other tools.
In the coming weeks I’ll go through many of the things you need to do to keep your computer safe.
Patching is probably one of the most overlooked safety tools at your disposal. Patching means fixing problems with programs by updating or replacing them. You are probably familiar with Microsoft automatic updates. When there are security vulnerabilities in Windows or Office, Microsoft will create a fix and you will then become protected when automatic updates downloads and installs the new program. You do have automatic updates enabled, don’t you? Did you turn it off because it kept rebooting your computer and you lost work? I hope not. You can tell Windows update to prompt you before it installs patches (updates) and reboots your computer.
There are many, many other programs that also can contain security vulnerabilities and need to be patched as well. It is common for bots to be installed by exploiting non-Microsoft programs too. A company called Secunia offers a free scan for home users so you can see what programs you might have installed that need to be patched. The scanner is at http://secunia.com/vulnerability_scanning/online/.
For businesses, Secunia sells their product and services. Shavlik (http://www.shavlik.com) is another company offering such a service and has free trial versions of their software.
In the coming weeks I’ll give you a bunch of tips to help prevent your computer from becoming infected with a bot or other malicious software. For right now, why don’t you run the Secunia scan and make sure that all of your software has the latest fixes. In some cases you may need to download a new version of the software.
Feel free to email me at askeset@eset.com with any security-related questions or topics you would like to see addressed in future columns.
Randy Abrams
Director of Technical Education
ESET LLC
Do You Know What a Bot Is?
One of the problems I face in trying to teach people about computer security is they often feel it is not important. Thoughts like “I don’t have anything of value on my computer” are common. When I am able to convey what the threats are and why it does matter to them, it becomes a lot easier for people to find security a little more interesting and personally worthwhile.
One of the most common threats out there is called a bot. This is short for robot and the type of program was named before there were PCs. Bots were programs that UNIX systems administrators used to automate boring repetitive tasks. Today bots have a much more nefarious job.
In today’s world, the common bot is a program that gives a remote attacker complete programmable control over the infected computer. Perhaps you have seen programs like “PC Anywhere” that will allow you to remotely control your home computer from almost anywhere in the world. A computer with a bot on it can be controlled by someone who should not control your computer.
If you think there is nothing of value on your computer, you might want to think again. Your computer itself is of value and you do have something to lose. A bot can record your keystrokes, so if you log into your email account a remote attacker can get your username and password. Once they have this, they can send massive amounts of spam from your email address. This can result in your email account being blocked so you cannot send email to anyone. When this happens it can be very difficult to get your email account restored. The attacker also has your contacts, so they can send email to your friends and make it look like it is coming from you. There are many unkind things an attacker can do when they pose as you, and it can cost your friends money or cause your friend’s computer to get infected.
When a bot is installed, an attacker can control tens of thousands of computers all at the same time. The attacker can simply type in a command and all of a sudden your computer and thousands of others might start attacking a computer that is trying to block spam. The attacker can make your computer download child pornography or other illegal software.
There are many harmful things that can be done with your computer, even if you never buy anything online with it. I’ll tell you about some more of the different types of threats in the coming weeks.
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Travel Tips, Part 2
This week’s additional travel tip highlights the difficulties of security done right. Recently the government announced that passengers on airline flights will need to use their full names as they appear on their government-issued documents.
A few days ago my wife booked an international flight on United Airlines, who incidentally sent out a communication advising me of the new requirement. When my wife booked the flight online, United would only allow her to enter her middle initial!!! US passports contain a full middle name.
If you Google the following phrase (without quote marks) you will find that many airlines have not changed their systems to allow for compliance with TSA requirements.
Search “airplane ticket name must match” but do not use the “ ” symbols.
If you book an airline ticket, be sure to notice if you are allowed to enter your full name as it matches your driver’s license or passport. You may need to call the airline, repeatedly, to get the reservation fixed.
On a personal note… a TSA-approved lock seems to mean that it is a lock the TSA can steal. I’ve lost two in the last 6 months!!!
One More Thing…
Last week I forgot to mention an important note in the travel security tech tip. I said it is a good idea to use a Kensington lock, but there is a specific step that must be taken or you may render the lock worthless.
Most Kensington style locks use a combination rather than a key. It is essential that as soon as you unlock your laptop computer you move the numbers on the combination. If you fail to do this then someone may see the lock with the valid combination. It is the equivalent of the sticky note on the monitor.
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Travel Security
I travel frequently and I am often amazed by the security mistakes I see. There are a few basics that can help ensure that you will be less likely to be a victim when you travel with your computer.
Let’s start at the airport with your laptop going through the x-ray machine. There have been thefts that happened when a person went through the body x-ray too soon before their laptop went through the x-ray machine, or too late after their laptop went through the X-Ray machine. Whenever possible, wait with your laptop until you have seen it go into the x-ray machine and until there is not a line of people ahead of you before you can join your laptop at the other end. This may not always be possible, but generally it is very doable.
On a side note, put everything but your shoes and laptop through first. Put your shoes through last. Why? The odds of you forgetting anything before your shoes come through are very small. If your laptop is after your shoes and you are in a hurry, then you may forget there was one more item! Do remember that a hard drive can still be stolen out of a locked laptop. Sometimes I actually remove my hard drive from my laptop and take it with me. It all depends on what the data is worth and how secure I believe the hotel room is.
Virtually every laptop has a slot for a lock called a “Kensington style lock”. This type of lock will secure your laptop. It is essential that you use it because it doesn’t help to have one and not use it. When I leave my laptop in my hotel room, it is always locked to something. I’ve locked my laptop to desks, dressers, heaters, lamps, etc. I’ve heard of people locking them to the pipes under the bathroom sink, or even the toilet. Yes, someone with a pair of bolt cutters can probably snip the cable and steal the laptop, but generally hotel thieves want in and out quick. You can make your laptop less attractive than the laptop in the room next door! I also lock my laptop to my chair when I am at a conference and get up for coffee.
Privacy filters may be a good idea at the airport, on the plane or train, and at conferences. 3M makes a privacy filter (not to be confused with glare filters) that makes it very hard for a person sitting next to you to look over your shoulder. If you have data that others should not see then the privacy filter is a very effective tool for keeping your data confidential.
Finally, encryption software can make it so that if your laptop is stolen at least a thief can’t get to your data. Regularly backing up can mean that if your laptop is stolen, at least you didn’t lose much data!
If you have any questions about this Tech Tip or any general security questions, feel free to email me at askeset@eset.com
Can I Own Your Email Account?
Many websites have password reset questions. Oftentimes these questions have answers that are public knowledge. If someone knows the answers to the password reset questions and they know your login name, then they can reset the password and gain control of your account.
Websites with poor security practices will use questions like “What is your mother’s maiden name”. This is generally public information. Another question I have seen is “What was your first car?” Have you ever written what it was on a web site? No? By guessing the most common cars one can often make a lucky guess. By using social engineering tactics one can probably learn the answer.
There are two defenses against this type of attack. The primary line of defense is deception. Use the wrong answer. Make up a name that is not your mother’s maiden name. Make sure you will remember the name though. Maybe your first car was “The Space shuttle”. Maybe your high school was Harvard University. Perhaps you met your wife on the moon.
It is very hard to guess the correct wrong answer!
The second approach is more damage control than prevention. If you use something like Gmail you can download your emails to your computer. By deleting the emails off of the web you minimize the amount of information available if your account is hijacked.
For web based email accounts that do not allow you to download, such as the free Yahoo email accounts, you can forward messages to an account that you use to download email from. It is important that you delete emails from the web based account if there is anything personal or confidential.
For maximum security and privacy use both of these techniques.
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Are You Patient or A Patient?
Twitter is a popular social network. Because of its popularity it is an attractive target for the criminal element. The curiosity of users is such that anyone can follow someone and have a very good idea that the person being followed will want to find out who is following them. This trick works very well to lure users into clicking on links in “tweets” or going to malicious pages that infect visitors, phishing web sites, or porn web sites.
As a rule of thumb, if you get a twitter announcement that someone is following you, it is a good idea to wait a couple of days before you check it out. If you are a little patient you can often avoid making your computer an antivirus patient!
Hide Viruses?
Microsoft operating systems, since Windows 95, have had a strange “feature” that assists viruses in hiding from you. By default Microsoft hides the extension of common files, critical files and any file anyone wants to hide. The problem is that viruses and other malicious software can use these mechanisms to hide and trick you.
On a normal Windows system, if I name a file “Picture.jpg.exe” you will see “Picture.jpg” and might likely think the file is a picture instead of the program file it truly is. Virus writers have been exploiting this trick for years. For critical operating system files you won’t see anything at all and it is trivial to make a file appear to be a critical system file, even if it is not.
There are three completely mindless default settings that Microsoft uses. I call these settings the Microsoft “Hide viruses” feature. I was using this terminology when I was teaching users at Microsoft about security. I recommend you fix the incorrect settings. I don’t have a Windows Vista system in front of me as I write, so email me at askeset@eset.com if you want instructions for Vista. For now I’ll tell you how to fix the problem with Windows XP.
First open up Windows Explorer. This is different than Internet Explorer. Once you have Windows Explorer open, go to the Tools menu and choose Folder Options. From there select the “View” tab; there are three settings to select here. Under “Hidden files and folders” make sure you have selected “Show hidden files and folders”. For the selection “Hide extensions for known file types” uncheck the box. The line that says “Hide protected operating system files (Recommended)” should be unchecked. The only reason this is recommended is that a person completely ignorant of security recommended it. The final step is to click the button that says “Apply to all folders”.
Now when you use Explorer you will see a lot of files you didn’t know were there. You will also see extensions like “.exe”, “.txt”, “.xls”, “.doc”, and so on. Information is your friend. Windows is the enemy of information.
You don’t have to know what every extension means. All you need to know is that if you do not know what the extension means you do not want to click on it!
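To make the “Picture.jpg.exe” trick concrete, the following added example (not code from the column) simulates what Explorer displays with the default “Hide extensions for known file types” setting and flags names whose displayed form claims a safer file type than the real one. The set of “known” extensions is a small constructed sample; the real list on a Windows machine is much longer.

```python
# Constructed sample of extensions Explorer hides by default; on a real system
# the list is much longer. The point is that ONLY the last extension is hidden.
KNOWN_EXTENSIONS = {".exe", ".txt", ".xls", ".doc", ".jpg", ".scr",
                    ".com", ".pif", ".vbs", ".lnk", ".pdf"}
# Extensions that run as a program when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".vbs", ".bat", ".cmd"}


def split_extension(filename):
    """Return (stem, '.ext') using the LAST dot, as Explorer does.
    Names with no dot, or a leading dot only, have no extension."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    return stem, "." + ext.lower()


def displayed_name(filename, hide_known_extensions=True):
    """The name Explorer shows. With the default setting on, a known last
    extension is dropped, so 'Picture.jpg.exe' is shown as 'Picture.jpg'."""
    stem, ext = split_extension(filename)
    if hide_known_extensions and ext in KNOWN_EXTENSIONS:
        return stem
    return filename


def is_deceptive(filename):
    """True when the file really is a program but the displayed name ends in a
    known, non-program extension, i.e. the user is shown a lie about its type."""
    _, real_ext = split_extension(filename)
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return False
    _, shown_ext = split_extension(displayed_name(filename))
    return shown_ext in KNOWN_EXTENSIONS and shown_ext not in EXECUTABLE_EXTENSIONS


def audit(filenames):
    """Return the names in a listing that would mislead a user under the
    default setting, so they can be reviewed before anyone double-clicks."""
    return [name for name in filenames if is_deceptive(name)]


if __name__ == "__main__":
    # Constructed directory listing.
    listing = ["Picture.jpg.exe", "notes.txt", "holiday.jpg.scr",
               "setup.exe", "archive.tar.gz", "invoice.pdf"]
    for name in listing:
        print(f"{name:20} shown as {displayed_name(name):16} "
              f"deceptive={is_deceptive(name)}")
```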
It is an inconvenient truth, but you cannot safely use the Internet if you don’t learn a bit about the computer accessing it. The operating system is not the issue, although Microsoft goes to great lengths to hide the fact that you really do need some knowledge.
If you have any topics you would like to see addressed in the weekly Tech Tip, send an email at askeset@eset.com and let me know it is for the SD Chamber Tech Tip column. I’d be delighted to explore any tech topics you find interesting!
Randy Abrams
Director of Technical Education
ESET LLC
NoScript
Recently there was a big uproar in the Firefox community over a battle between two authors of programs (plugins) for Firefox. One of the plugins is called “NoScript”. The purpose of NoScript initially was to prevent scripts, such as JavaScript and Visual Basic script, from running when you visit a web page, unless you authorize the website to run scripts. Scripts on websites are responsible for many computer infections. Later NoScript was updated to add protection for things called “cross-site scripting” and “clickjacking”. For information on these attacks, please see http://en.wikipedia.org/wiki/Cross-Site_Scripting and http://en.wikipedia.org/wiki/Clickjacking.
One of the problems with scripts is that they can download programs without your knowledge. This means that your computer can get infected if the web site you visit has a bad script. The Miami Dolphins hosted the Superbowl a couple of years ago. Hackers placed a script on their site to infect visitors. Increasingly, good websites contain advertisements that come from different websites. Sometimes these ads contain scripts that download malicious software. As of this morning, the Technet.com web site had a page that linked to another website that contained a malicious file. Sites like MySpace and Facebook have often been attacked with scripts that infect users.
NoScript can add a significant amount of security to your web browsing experience, but, like all tools, it needs to be used properly to be effective. And like all security products, it won’t be foolproof.
There are two ways to use NoScript “properly”. The first is to deny scripting on all websites. This will make many websites non-functional. Realistically this isn’t an option. The other way is to be selective about what sites are allowed to run scripts. This is where NoScript becomes useless for users who are not computer savvy. If you don’t already have a good idea what sites should be allowed to run scripts and what sites should not, then you can’t make educated decisions.
Even with this limitation, I believe it is useful for Firefox users to try NoScript for a little while. Many people do not realize just how many websites are running scripts (programs) on their computers when they visit them. When you click the “Options” button, NoScript will ask you which sites to allow scripts to run from. For example, when you go to www.espn.com, there are three websites trying to run scripts. www.cnn.com runs scripts from four websites, including itself.
It is an eye opener to see how many places are trying to run scripts each time you visit a site. NoScript is easy to remove if you don’t want to keep it.
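What NoScript shows you for a page like the ESPN or CNN examples above is the set of sites the page asks your browser to run scripts from. The following added example (not code from the column or from NoScript) does the same tally offline for a constructed HTML page: it collects every script tag, resolves where each one is loaded from, and separates the page’s own site from third parties. The page URL, host names and HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: external ones by src, inline ones by count."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def site_of(host):
    """Reduce a host name to the site a NoScript-style list shows (the last two
    labels). Crude on purpose: a real tool consults the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def script_sites(page_url, html):
    """Return {"first_party": {site: [urls]}, "third_party": {site: [urls]}}
    listing every site the page asks the browser to run scripts from."""
    collector = ScriptCollector()
    collector.feed(html)
    own_site = site_of(urlparse(page_url).hostname or "")
    result = {"first_party": {}, "third_party": {}}
    if collector.inline:
        marker = f"<{collector.inline} inline script(s)>"
        result["first_party"][own_site] = [marker]
    for src in collector.external:
        url = urljoin(page_url, src)          # handles "/x.js" and "//host/x.js"
        site = site_of(urlparse(url).hostname or "")
        bucket = "first_party" if site == own_site else "third_party"
        result[bucket].setdefault(site, []).append(url)
    return result


# Constructed page: its own scripts plus an ad network and a social widget.
SAMPLE_URL = "https://www.news.example/sports/"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://static.news.example/lib/ui.js"></script>
<script>var pageReady = true;</script>
</head><body>
<script src="//ads.adnet.example/tag.js"></script>
<script src="https://widgets.social.example/like.js"></script>
<script type="text/javascript" src="https://cdn.adnet.example/track.js"></script>
</body></html>
"""

if __name__ == "__main__":
    report = script_sites(SAMPLE_URL, SAMPLE_HTML)
    for bucket, sites in report.items():
        print(bucket)
        for site, urls in sites.items():
            print(f"  {site}: {len(urls)} script(s)")
```

For the constructed page the tally comes to three sites in all, the same kind of count the column reports for espn.com.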
If you have any topics you would like to see addressed in the weekly tech tip, send me an email at askeset@eset.com and let me know it is for the SD Chamber tech tip column. I’d be delighted to explore any tech topics you find interesting!
Randy Abrams
Director of Technical Education
ESET LLC
All You Need to Spell “Swine” is in “Swindle”
As news of a new deadly outbreak of the swine flu (now called the H1N1 virus) breaks, the dregs of humanity are at work exploiting misery for profit. This is really nothing new. For years it has been the practice to exploit news stories as a means of social engineering. When hurricanes hit, we in the security space see domains registered to cash in on tragedy. When a tsunami hits, the same thing happens. Even news that may be perceived as good is exploited. Many people were elated that Obama was elected president. It doesn’t matter what your political views are; it was news and so, of course, the bad guys created malware for it.
There is a take-away from all of these events. The takeaway has nothing to do with God, fate, or anything philosophical. Don’t believe everything (or much of anything) that comes to you in email. There are really, really sick people out there. As a percentage, it may be no more than it was 50 or 100 years ago, but with the Internet they can reach millions more people.
Always get your news from a reputable source. OK, I understand that on the whole the US media, the BBC, Pravda, and other mainstream news sources can be criticized for being dishonest on their best days, but still, they are not trying to infect your computer, and in lots of news stories they do cover these events objectively. The one thing about legitimate news organizations is that they don’t email you the news without you asking them to.
Whenever you get email about a current event assume the email is some kind of attack unless you know for a fact that you signed up for emails from the sender.
General security questions and suggestions for topics for this column can be submitted to askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
Knowledge is Power
The most serious security vulnerability is not in a Microsoft product. The vulnerability has nothing to do with hackers in China or Russia or in our own backyard. The vulnerability is the uneducated user. It may be unfortunate, but it is not possible to securely use the Internet without getting some education. I predict that in about 20 years the basic level of Internet security education will be much higher because as it becomes part of the curriculum in schools it will become part of our culture, but for today you need to make an effort to learn more. Without education, a user on the Internet is a digital Pearl Harbor waiting to be attacked.
Very soon you will start seeing information about a program called “Securing our e-City” (securingourecity.org) and education will be the driving force behind this initiative. For today there are some really good resources out there with understandable information. As a starting point, I highly recommend that you check out http://www.staysafeonline.org. This website is put together by the National Cyber Security Alliance. “NCSA is a collaborative effort among experts in the security, non-profit, academic and government field established to provide free resources to help secure cyberspace”, as they put it on the web site.
There is great information up there for virtually everyone. Home users, small businesses, and educators alike will find useful information to help improve their online security. So check them out today, but check back with the Chamber real soon to learn more about “Securing our e-City”.
If you have any topics you would like to see addressed in the weekly tech tip, send me an email at askeset@eset.com and let me know it is for the SD Chamber tech tip column. I’d be delighted to explore any tech topics you find interesting!
Randy Abrams
Director of Technical Education
ESET LLC
Cutting Through the Hype
2009 has been a banner year for security hype, and we are barely into the second quarter. It isn’t that there haven’t been important security stories, but the problem is that people are getting caught up in the details and forgetting to look at the big picture.
If there is a hole in your roof, is the problem that a big storm is coming, or is the problem that any storm can pour water into your living room? Is it a problem that pigeons may roost in your attic and squirrels may take up residence in your walls, or is it just the big storm that a meteorologist with a .200 batting average is saying may dump between three drops and four feet of water over the next 24 hours?
If the hole in the roof is fixed, you don’t worry about the next storm; if it isn’t, then there are plenty of other problems to worry about as well. So it goes with security. For a couple of months now we have seen story after story about the Conficker worm. Speculation about what might happen is great for selling Coke, popcorn, advertising space, and even security software, but it is really irrelevant to the user. What is relevant to you is that there are security vulnerabilities that tens of thousands of malicious programs can exploit. If you take the steps to protect against the thousands of other threats out there, then Conficker is truly nothing special. Yes, you still need to use smart security practices, but there is nothing special, from a defensive point of view, about Conficker or most other over-hyped threats.
Whenever there is a serial criminal out there the cops worry about the copycats. If you only look out for the serial criminal you are still vulnerable to the copycats. In the computer world the copycats are much more like drone armies many thousands strong. In the computer world there is little risk associated with crime, so we see a much larger scale of certain types of criminal activities than we do when it comes to traditional physical crimes. Fortunately, when it comes to computers it is a class of crime and not an individual criminal that you are defending against. This means that good defenses are far more effective overall, but it takes some education to defend against computer attacks.
The next time you see a headline about the latest and most dangerous threat, take a step back and think for a moment… The same things that make this over-hyped threat possible make thousands of other attacks possible. If you protect against the underlying problem, then the specific attack is not going to be an issue for you.
As always, if you have any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Tools of the Trade (Password Corral)
OK, this time the tool isn’t for techies.
I have already written about how important it is to have good strong passwords. I have mentioned that you need to use different passwords for different places. You should not use the same password for different email accounts. The password you use to log on to your bank account should not be the same as you use anywhere else.
After awhile, even with easy-to-remember passwords, the sheer number of passwords makes it difficult to remember all of your passwords and you will need some sort of system to keep track of them all.
If you write down your passwords then either you may not have them when you are traveling, or you risk potentially losing them all at once. If they are with your wallet, that could be a problem.
To help me with my passwords I use a program called Password Corral. You can download this program at http://www.cygnusproductions.com/freeware/pc.asp
Password Corral can help you to keep track of your passwords. The program is easy to use. About the only thing that might be tricky for some users is the choice of what type of encryption to use. The answer is that either it doesn’t matter or your data is so important that you need to hire a professional if you don’t know the answer. For most people it really doesn’t matter.
There are two important things to remember. First, you need to use a very good password for Password Corral itself. It should be at least 16 characters long and something you can easily remember.
Here are a couple of examples of good passwords that are easy to remember.
This password will keep 100 passwords safe
My parents met in 1955
Really, rover 8 my homework
Remembering my password is 50% of the problem
Really, the important thing is that you have a long password that is not a single word or common phrase. “The woods are lovely, dark and deep” isn’t such a good password or passphrase. Make sure you can remember it. Write it down and put it somewhere safe, but don’t carry it around with you. Your webmail account is not a safe place.
Use the password 5 to 10 times a day for a week or so and you will probably remember it for a long time. Remember to use it every week or so after to keep it fresh. This is a really important password for you to memorize.
It is still a good idea to change it every year or so, assuming it is a long password. If the password is short, then change it more often.
The second thing to remember is to always back up your passwords after you have added a new one. I recommend that you back them up to at least two different locations that are not on your hard drive. Password Corral has backup functionality built in; you just have to use it.
As a safety precaution, when you close Password Corral, it wipes the clipboard of anything you have copied. So if you copy a password to paste it into a form, then paste it before you close Password Corral.
There is no such thing as security… there is only risk management. If your computer gets infected with a keystroke logger, it is possible the password you type into Password Corral could be captured. Weighed against the risks of using bad passwords, that risk isn’t so great after all.
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
How Good is your Password?
One of the biggest security related mistakes people make is in dealing with passwords. The biggest password blunders are unchanged passwords, poor quality passwords, inappropriately re-used passwords, and inappropriately stored passwords.
Let’s start with inappropriate storage. We’ve all been told not to write the password on a sticky note and put it on the monitor. The truth is that it really depends upon the environment. I’m not particularly worried about someone seeing my password on my monitor since I work from home. I still don’t leave it there, but it really wouldn’t be a problem for me to write it down and have it handy. Leaving your PIN, which is a type of password, in your purse or wallet with the associated debit or credit card is not a good idea. Keeping your passwords in a file on your computer only makes sense if the file is well encrypted, which probably means you have a password for the file. I use this method. There is a free program called “Password Corral” that I use to store my passwords. I have a very strong password that I have memorized specifically for that program, and it is not used anywhere else.
The reason I do not use my Password Corral password anywhere else is that if someone discovered my password somewhere else, I would not want them to be able to access my other passwords that I store. I also back up my Password Corral data every time I add a password. There are only a few exceptions where it makes sense to re-use a password. If the password is not used to protect anything of value to you, then it doesn’t matter if you have a good password, a bad password, or you use the same password for similar things. An example of this is a news web site that I have to register on to read articles. There is a caveat here… it has to be a site where registering doesn’t mean I can comment. If someone gets my password and then can impersonate me and leave damaging comments, the password has value. I would never use the same password for my bank account as for my stock brokerage account, or anything else.
The problem of password reuse is greatly amplified by the use of poor quality passwords. If I can guess your password, and you use the same password everywhere, then all I have to do is learn one password to cause considerable harm. It turns out that computers are very, very good at guessing passwords. So, what is a good password and what is a bad password?
Let’s start with bad passwords. A word is a bad password. There are about a million words in the English language. It doesn’t take a computer long to try all of the words in an attempt to guess a password that is a word. Names are words. Words with a short number at the end, less than 4 digits, are generally bad, except when you increment the number and then it becomes a terrible password. Words with special characters, such as @pple, or dollar$, are not good since they are effectively a single word and the bad guys know to check these minor modifications. Dates tend to also be pretty bad passwords. Birthdays, anniversaries, and holidays are all easy to guess based upon public information and personal information that you might not think is public or in the possession of criminals. Assume that all of the bad guys know your social security number, your birthday, your entire immediate and extended family’s birthdays, your anniversary, and your pet’s names. Short passwords are also bad passwords. No matter what special characters you use, there is no way to make an 8 or 10 character password hard to crack.
The reason you need a long password is that it makes it take too long for a computer to guess it. A computer can crank through a few trillion tries in a reasonable amount of time, so unless you change your password very, very frequently, a short one will eventually be guessed. If you have to use a short password because a social networking site doesn’t understand security, or for other reasons, then it becomes important to use upper and lowercase letters, numbers, and other characters. If you can use a long password it is far less important that the password is complex. Here is the reason why. There are about 5.4 trillion possible combinations of lowercase letters in a 9 character password. There are about 630,000 trillion combinations possible for a 9 character password drawn from all 95 printable characters (upper and lowercase letters, numbers, and special characters such as a dollar sign). When you get to a 15 character password there are more than 1.6 billion trillion combinations of lowercase letters alone!
A 15 character password that is not a single word is far better than any 9 character password, no matter what characters you use in it. It will take even a very powerful computer a while to crank through 1.6 billion trillion possible passwords, though it doesn’t have to go through all of them; it can stop when it gets it right. A 15 character password with letters and numbers is even better. One of the most unfortunate things about passwords is that there has been so little education about how to make a good password that is also fairly easy to remember. So, I’ll give you some tips for making memorable passwords. A birthday may be a bad password all by itself, but it can be a part of a good password. Consider the following.
I was born on 4/17/60
At 21 characters (and yes, you often can use spaces) this password is very strong and I can remember my birthday. OK, the password is not strong because I have published it, but it was once a good password. “Ilove2eatchocolate” is a fine password and easy to remember. “Rover is my dog’s name” is a strong password. One of my favorite tricks is to use math. No, I never really much enjoyed math, but it has its place. Can you remember “3 Hundred + 5 = 305”? Perhaps “4000*seven=28000”? “1Hundred+200=300”? “One hundred times 5 = zero”. As long as you will remember it, you can use the wrong answer to the equation! There are an infinite number of wrong answers to any equation.
No matter how long you make a password, it can eventually be cracked. If you use a strong password and change it every three to six months, then by the time a computer can guess what the password is you will have changed your password, and knowing the old password will be useless. If you use the same weak password in multiple places you have virtually no security. If you must use a short password, then it becomes more important to use uppercase, lowercase, numbers and symbols, and to change the password at least every 3 months or so.
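The keyspace arithmetic in this column, and the bad-password rules from this column and the Password Corral column (a single word, a word with symbol swaps such as @pple or dollar$, a word with a short number on the end, a date, a short password), as an added Python example that is not part of the original columns. WORDS is a tiny constructed stand-in for a real dictionary, the 1e12 guesses per second rate is an assumed figure standing in for an offline attack on a fast hash, and the 15 character threshold follows the column’s own advice.

```python
"""Password quality checks and keyspace arithmetic (added example, not from the column)."""
import re

# Constructed stand-in for a real dictionary; a cracker uses millions of words
# plus the names, dates and phrases it can find about the target.
WORDS = {"apple", "dollar", "rover", "password", "chocolate", "love", "eat", "woods"}
# Letter-to-symbol swaps that crackers undo automatically (@pple, dollar$, p4ssw0rd).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
# 4/17/60, 17-04-1960, 041760, 19600417 and similar all-digit dates.
DATE_RE = re.compile(r"^\d{1,4}([/.-])\d{1,2}\1\d{2,4}$|^\d{6}$|^\d{8}$")

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space, guesses_per_second):
    """Worst case for the attacker: trying every candidate at a fixed rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def looks_like_word(password):
    """True if dropping a short trailing number and undoing leet swaps leaves a dictionary word."""
    core = re.sub(r"\d{1,3}$", "", password.lower())  # rover8 -> rover
    core = core.translate(LEET)                        # @pple -> apple, dollar$ -> dollars
    return core in WORDS or core.rstrip("s") in WORDS


def classify(password, min_length=15):
    """Apply the column's rules in order of severity and return a verdict string."""
    if DATE_RE.match(password.strip()):
        return "bad: a date"
    if looks_like_word(password):
        return "bad: a single word, even with digits or symbol swaps"
    if len(password) < min_length:
        return "weak: short, so it needs mixed case, digits, symbols and frequent changes"
    return "good: %d characters and not a single word" % len(password)


def compare_lengths(guesses_per_second=1e12):
    """The column's three cases, in years to try every candidate at the assumed rate."""
    cases = {"9 lowercase": (9, 26), "9 printable ASCII": (9, 95), "15 lowercase": (15, 26)}
    return {name: years_to_exhaust(keyspace(n, a), guesses_per_second)
            for name, (n, a) in cases.items()}


if __name__ == "__main__":
    for name, years in compare_lengths().items():
        print("%-18s %12.4f years to exhaust" % (name, years))
    for pw in ("@pple", "dollar$", "Rover1", "4/17/60", "Tr0ub4d",
               "Ilove2eatchocolate", "I was born on 4/17/60"):
        print("%-24r %s" % (pw, classify(pw)))
```

At the assumed rate the 9 character lowercase space is gone in seconds, the full printable 9 character space in about a week, and the 15 character lowercase space takes over 50 years, which is the column’s point that length beats complexity. The word checks are deliberately simple; a real cracker’s rule set is far larger, so a password that passes here is not proven good, only free of the most obvious mistakes.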
For some more really good tips on passwords I recommend a book by Mark Burnett called “Perfect Passwords”. Jesper Johansson formerly with Microsoft also has some excellent advice at http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx.
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Tools of the Trade (Autoruns)
Last week I wrote about a cool little utility (program) called ESET SysInspector. This week I’ll highlight another really cool diagnostic program called Autoruns.
Autoruns is one of many free programs in the Sysinternals suite. Sysinternals was an independent project that was eventually bought by Microsoft. The utilities have long been regarded as some of the best Windows programs in their class, and at “free” you can’t complain about the price.
When a computer gets infected, the malicious software (malware) will usually try to position itself to start when the computer is booted. This allows the malware to embed itself quite deeply in the system, making it difficult to find and remove. A lot of people know about the run key in the Windows registry, but there are many other places that malware can hide and be caused to launch at or near boot time.
Autoruns shows you all of the locations that a program may reside in to be automatically started. This is not a tool for the faint of heart as it contains a ton of details, but it is very valuable for diagnostics. As is the case with SysInspector, the results can be saved and sent to an expert user to help diagnose the problems. Like SysInspector, it takes a little time for Autoruns to inventory the system, but after doing so, the file menu has an option to save the log file or export it. If you need help from an expert, the SysInspector log, the Autoruns log, or both come in really handy. Both programs are easy for a novice to run and provide essential information that a skilled user needs to effectively diagnose problems.
Autoruns can also disable certain programs to help clean the computer. This is not always effective, but can be quite useful. If you are a novice aspiring to learn more about the nitty gritty of your computer, the tool can be a great resource to help you learn what to learn more about. Autoruns shows a lot more than just the locations that automatically start programs. For example, the registry keys for little programs called “Browser Helper Objects” (BHOs) that add functionality to Internet Explorer are also displayed. BHOs are often abused by adware and spyware. In addition to BHOs, Autoruns provides registry locations for AppInit, KnownDLLs, Winlogon, Winsock Providers, Print Monitors, LSA Providers, Network Providers, Logon, Explorer, Internet Explorer, Scheduled Tasks, Services, Drivers, Boot Execute, and Image Hijacks. That’s a lot of really technical stuff. You don’t have to understand all of it to get some excellent use from the tool.
You can learn more about this program at http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx. The article also links to another article describing some of the advanced usage of Autoruns. It also contains a link to a forum where you can get help with the program, and there is also a link to download the program. I would provide the link, but I never teach bad computing habits. Always get your software directly from the developer’s website. If you search for Autoruns you will have many hits and many places that claim you can download it from them. I recommend that you always go to the Microsoft site to get the most current version of Autoruns, and to know you are getting a legitimate copy. Another site may be a hacked copy that will actually infect your computer! You do not have to register or provide any personal information for this program.
Along with ESET SysInspector, Autoruns is a must-have in the techie’s toolkit. It’s not just a program, but an education as well!
If you have any questions about this Tech Tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Tools of the Trade (SysInspector)
Problems with computers are a fact of life. Diagnosing exactly what is wrong, however, can be a challenge.
There are a number of tools that can help a skilled user resolve problems, or help an unskilled user provide information that a skilled user can utilize to assist. In this week’s Tech Tip I’ll start with a tool that ESET provides for free. In the coming weeks I’ll talk about programs other vendors provide.
Many people are aware of a program called “HijackThis”. HijackThis was created by a Dutch programmer named Merijn Bellekom to help rid people of spyware. It would inventory a computer and report everything that was on it. The log file was very useful for tech support and other skilled users to identify what bad software was on a computer. For a long time this was one of the diagnostic tools that many antivirus vendors used when assisting customers who had undetected malware on their computer. When the program was sold to antivirus vendor Trend Micro, it presented a conflict of interest for other vendors to send users to a competitor, so other solutions were developed.
ESET’s response is a free program called “SysInspector.”
ESET SysInspector is an advanced utility that is easy-to-use, intelligent, thorough, and free of charge. ESET SysInspector helps technical support, network administrators and first responders by providing a detailed snapshot of an ailing system - much like an MRI image is used by doctors to gain greater insight into health problems undetected through visual inspection.
So what’s the difference? Where HijackThis gave a report of what was running on a system, SysInspector adds some very unique and helpful features, such as:
* Option to exclude private, personal information from being saved in logs
Some of the information included in log files may be of a private nature that a user might not wish to divulge. The ability to send a log that excludes much of the information that may be considered private is quite useful to some people.
* Integrated Anti-Stealth technology allows discovering hidden objects (e.g. rootkits) in Master Boot Record, registry entries, drivers, services and processes
In the age of rootkits, it has become much more difficult to identify all of the programs running on a computer. The anti-stealth technology uncovers information that rootkits would normally hide from such programs. This can be essential in identifying the source of problems.
* Ability to compare two existing logs for differences makes it easy to detect changes over time
This is pretty self-explanatory. If you can track what has changed over time, then the amount of data you need to be concerned with becomes much more manageable.
* Log entries are assigned a color code risk level for easy filtering
A normal computer has a lot of things running and installed. The vast majority of programs, processes, and registry entries are perfectly legitimate. By allowing a user to filter out the things we are sure are not a problem, the task of finding the bad stuff becomes much more manageable.
* Intuitive hierarchical navigation of logs
When dealing with massive amounts of information, organization is critical. Skilled users know where to begin looking for problems. Their task is compounded if the information is not logically organized.
* Fast and compact single file executable, ideal for first responders to run from a USB drive without lengthy installation
This is a big feature. SysInspector is a standalone program that does not require additional components, such as the Microsoft .NET Framework, Visual Basic runtime DLLs and so on. You don’t want to clutter the hard drive with even more files and registry entries when you already have a huge pile of data to sift through.
Because the program has to inventory the entire system, it can take a little while to finish running, but after that, there is a wealth of useful information to help resolve problems caused by hard-to-find spyware, adware, bots, and other malicious programs.
You can obtain a free copy of ESET SysInspector at http://www.eset.com/download/sysinspector.php.
I would ask that you do not share copies of the program with other people, and I ask this for one reason: it is a best practice to always obtain programs from a reputable developer. Sharing executable files is a bad habit to get into, and definitely not a best security practice. Whenever I come across a really cool program that I think another person would find useful, I tell them where they can download it for themselves!
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Antivirus Testing
Many people look to antivirus tests for assistance in deciding which product is “best.” The history of antivirus testing is filled with truly gross incompetence and most of the tests are more beneficial to marketing than to users. There are very few exceptions. I recently had a conversation with someone who thought that because a lab was ISO 9001 certified it meant that the test results could be trusted. The truth about ISO 9001 certification is that it tells you processes are documented and followed, but speaks nothing to the quality of the good or service produced. You can document a process to reliably produce garbage and be ISO 9001 certified.
Even the best tests out there have limitations. For antivirus products the most respected tests and certifications are done by a small group of companies. Virus Bulletin (www.virusbulletin.com) is the oldest, most respected, and most scientifically valid testing organization, but the testing covers a small subset of the things we expect products to detect. Still, it is a test that all of the companies know the answers to in advance and should thus pass the test virtually every time.
ICSA Labs (http://www.icsalabs.com/icsa/main.php?pid=b31a$6140dfe3-4a851ebd$eaa4-72b) has been around for quite a while and they certify security products against a number of criteria. A key difference between ICSA Labs and Virus Bulletin is that with the Virus Bulletin VB100 award a company has to pass the first time… there are no retries for each test. With ICSA Labs, if a company fails, they get a retry. ICSA Labs also uses a limited set of threats.
West Coast Labs (http://www.westcoastlabs.com/), like ICSA Labs, is also a respected organization that certifies security products. As is the case with Virus Bulletin and ICSA Labs, the test sets are fairly limited, but the testing is competently performed.
AV-Test.org and AV-Comparatives.org are pretty well respected and use massive test sets, but with that comes some problems. There isn’t time to check all of the samples, so most of the tests include files that shouldn't be included in the test. This can result in rewarding products that generate false positives, while penalizing others who correctly identify the file as uninfected. Even with the massive test sets of a million or more samples, the tests contain far fewer threats than actually exist. The combination of garbage files and limited sample size can skew results by 10% or more.
No one test will tell you what product is best. The only way to determine that is to look at the history of test results from a variety of organizations. You want a product that consistently performs well across the board. All products will have tests in which they underperform on occasion, but the measure of a quality antivirus product is the ability to consistently place near the top in many different tests. You wouldn’t pick a stock based upon a one-day performance. The same goes for security products. History is the critical element in evaluating the products you are considering.
If you have any questions about this Tech Tip or any general security questions, feel free to email me at askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
The Duke of URL (Part 3)
Aside from the tricks I have shown in the past couple of tech tips, there are also some other aspects of URLs that are worth noting.
Did you know that http://www.%6D%69%63%72%6F%73%6F%66%74.com is the same thing as http://www.microsoft.com? Every character has a hexadecimal byte value that can be written in a URL as %## (this is called percent-encoding). %20 is the encoded form of the space character. Writing a web address with these codes is another way that is sometimes used to trick people, because the encoded name doesn’t look like the name you know. This technique does not always work correctly with Firefox, but in most cases it will.
A phishing site that attacked Bank of America customers included the following as part of its URL:
/images/treatments/bankofamerica_1_%5b1%5d.com.zip
This would normally display as /images/treatments/bankofamerica_1_[1].com.zip
bankofamerica_1_[1].com.zip is the name of a file that was downloaded by victims of the phishing attack. This was an unusual example in that the use of the hex codes may have actually made the deception less effective. Using “.com.zip” was probably intended to make people think that it was a Bank of America web site, but the use of the hex codes possibly made the “.com” less obvious.
The codes are also useful for legitimate purposes. Sometimes spaces and other special characters may be interpreted different ways by different programs, but their hexadecimal (hex) representation is more widely uniform. Interoperability is at least part of the reason why the hex notation is supported.
Do you ever have email problems where a URL is wrapped (put on two lines) and so it doesn’t work correctly? Usually it will look something like this:
http://smokeys.wordpress.com/2008/11/30/matousec-and-his-firewall-challenges-hall-of-shame-2008-awardee/
You click on the link and usually get a page not found error or the wrong page. The way to make sure that doesn’t happen to the links you share, at least in email, is to put the link in angle brackets < >
<http://smokeys.wordpress.com/2008/11/30/matousec-and-his-firewall-challenges-hall-of-shame-2008-awardee/>
Another trick with URLs is something called “redirects.” Redirection is both a feature and a vulnerability. Redirection allows one web site to send you to another. This is handy for advertisers, but even more useful for phishing attacks. Google has historically been one of the most abused sites for redirection. Most companies that care about security do not let their web sites redirect to whatever address an unauthorized person puts in the link (an “open redirect”). Here is an example of a URL that used redirection. I have modified it slightly from its original form since it was a real phishing link.
http://www.google.com/url?q=%68%74%74%70%3a%2f%2fh36.net33.rxvtf.us/images/logon/user.htm
This URL uses both hex codes and redirection! If we “translate” the hex, the URL looks like this:
http://www.google.com/url?q=http://h36.net33.rxvtf.us/images/logon/user.htm
The browser will take you to the second part of the URL, the http://h36.net33... part. If Google didn’t let the phishers use google.com to deceive users, the attack wouldn’t work.
We’ll finish up this part of the “Duke of URL” series with one final URL trick. There may be more on URLs in the future, but for now this is the last in the series.
TinyURL (www.tinyurl.com) is a web site that lets you convert long URLs to short ones. It is really handy, but it also hides where the link really goes.
http://tinyurl.com/co28a4 is really a link to:
http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_January_2009.pdf, which is a PDF file.
This can be really handy, but can also be abused by the bad guys to hide the fact that they are trying to make you open a document or a picture, etc.
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
The Duke of URL (Part 2)
Last week I provided a little information on URLs and why you need to understand a bit about them. This week let’s take a look at some real examples of how they are used in phishing attacks and for fake ecards that are used to install malicious software (malware) on your computer.
The most common trick involves showing you a real URL, but what you see is not what the URL really is. The reason this works is that the text shown for a link can say anything at all; the address the link actually goes to is stored separately. If you click on http://www.eset.com you would expect to be taken to the ESET web site, but in this case it simply takes you to http://www.sdchamber-members.org/TechTip.htm. If you hold your mouse over the link it will show you where the link really points to. Here is an example of how this technique was used in a fake Chase bank email.

You can see the link really points to http://211.148.143.130/credit_card_online/chase(sm)index.html/.
If you remember from last week, 211.148.143.130 is the web site. The rest of the link has nothing whatsoever to do with Chase. Links to email addresses and to web sites can be spoofed in this manner, so always be sure to look at the URL in your browser’s address bar to be sure the link took you where you intended to go.
Here is another example of URL trickery.
http://219.95.137.132/https:3DSecureCard.wamu.com/?enroll=EwNj5vsz87RT
http://219.95.137.132/ is the actual web site. Everything after it, https:3DSecureCard.wamu.com/?enroll=EwNj5vsz87RT, is just the name of a location on that site, and it is not related to WaMu (Washington Mutual) other than being part of a phishing attack against Washington Mutual’s customers. The “https:” inside the path does not make this an https (secure) URL. In fact, https:3DSecureCard.wamu.com?enroll=EwNj5vsz87RT was only put there to trick people into thinking it is a Washington Mutual web page. If you understand a little about URLs this trick becomes obvious.
Here is an example that shows trickery in the email sender’s name and URL. This is a typical fake eCard.

Notice the sender’s name says “AMERICANGREETINGS”, but the email address is Terra@nimbler.net. The email address is clearly not from AmericanGreetings.com! Additionally, the link that purports to be at americangreetings.com is a façade and actually takes the victim to a web page at http://americangeetingsc.org.
This is a nasty trick for two reasons. First of all at a quick glance you might not notice the letter c at the end of americangreetings, so it appears to be americangreetings at a casual glance. Secondly, the .org is a different site than .com. Not all companies that own a .com web site also own the same .org web site.
Another variation on this trick is the use of transposed letters. www.myspace.com is not the same as www.mysapce.com! The bad guys actively register web sites with these transposed letters so as to trick people into believing they are going to a different web site, or to catch people when they make a typing error while entering a URL manually. My favorite personal example of this type of mistake was when I accidentally typed www.untied.com when I was trying to go to the United Airlines web site. Untied.com is actually a site where people complain about United Airlines.
If you are going to stay safe online, you really need to pay attention to email addresses and URLs. The details really do matter!
If you have any questions about this tech tip or any general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
The Duke of URL (Part 1)
If you haven’t already, it is time for you to command a little knowledge of the subject “Uniform Resource Locator”, often simply called “URL”. URLs are the friendly names for the locations of web pages. Just like when someone asks you where the airport is, “The airport” is a friendly name for an address that defines a specific location.
HTTP://www.eset.com/ is a URL that describes the address 72.3.254.86. You can type 72.3.254.86 into your address bar in your browser and it will take you to http://www.eset.com.
So, why do you need to know more about URLs? The reason is that tricks can be played with URLs to fool people into going to phishing sites and fool them into thinking things are not what they really are.
A normal URL looks something like this:
http://www.eset.com/podcasts/
The http:// tells the browser what type of protocol to use, and everything from there up to the next forward slash “/” is the website (the host). The part after that forward slash tells the location of the web page on the website. How can I use this to trick you? There are a few ways.
The username and password trick is one of the oldest. If you go to a web site that requires a username and password, you can put those into the address bar as well. The format is http://USERNAME:PASSWORD@www.eset.com.
(The following are examples. Clicking them may take you to search engines. I recommend you don’t click them)
So, I want to trick you into coming to my fake web site that you are supposed to think is the Bank of America. I send you a link to
http://www.BankOfAmerica.com:FraudPrevention@www.BaknOfAmerica.com/securelogin.php
If we break this URL up into parts here is what it really says.
www.BankOfAmerica.com:FraudPrevention@ is the username “www.BankOfAmerica.com” and the password for that user is “FraudPrevention”. www.BaknOfAmerica.com is the actual website and has nothing to do with the Bank of America. The part “/securelogin.php” is the web page that the link is supposed to take you to, if this link actually worked at all. The whole point is to trick you into thinking you are going to a legitimate Bank of America web site when you are not. Generally this type of attack comes in an email telling you that you need to log in to solve a problem with your account or to get paid for a survey. The page you end up at will ask for account information so a criminal can use your credit card, empty your checking account, or steal your identity for a variety of purposes, such as obtaining more credit in your name.
Microsoft has disabled the username/password behavior in the URL for http and https sites in Internet Explorer version 7, and possibly in Internet Explorer version 6 Service Pack 1, but not for ftp. Ftp means File Transfer Protocol. An attack using ftp would generally download a file to your computer.
Here is another trick to get users to think they are going to a legitimate web site.
http://www.a.com/www.BankOfAmerica.com/FraudPrevention.html
Notice that the actual website is www.a.com and has nothing at all to do with the Bank of America or fraud prevention!!! The part after http://www.a.com/ is www.BankOfAmerica.com/FraudPrevention.html and this specifies a specific web page on www.a.com.
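As an added example for both URL tips (not the column’s own code), here is a small Python script that applies the rules above: it pulls out the host the browser really connects to and flags the username trick, a brand name parked in the path or userinfo, and a domain that is one letter swap away from a known brand. The brand list and the www.mysapce.com link are constructed for the demonstration; the other links are the ones quoted in the column.

```python
"""Where does a link really go? Added example for the two URL tips above,
not the column's own code. Only the host part decides which server the
browser talks to; everything else in the link can be decoration."""
from urllib.parse import urlsplit

# Brands named in the column. A constructed list for this demonstration.
KNOWN_BRANDS = ("bankofamerica.com", "wamu.com", "myspace.com",
                "americangreetings.com")

def real_host(url: str) -> str:
    """Return the host the browser will actually connect to (lowercased)."""
    return urlsplit(url).hostname or ""

def one_swap_away(a: str, b: str) -> bool:
    """True when a and b differ only by two adjacent letters being swapped,
    e.g. 'mysapce.com' versus 'myspace.com'."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def analyze(url: str) -> dict:
    """Return the real host and a list of the tricks the URL relies on."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Username trick: USERNAME:PASSWORD@host. Everything before '@' is
    # credentials, not a site; the browser ignores it when finding the host.
    if parts.username is not None:
        findings.append("userinfo '%s' before @; real host is %s"
                        % (parts.username, host))
    # Brand name parked in the userinfo or path of some other host.
    decoy_text = ((parts.username or "") + parts.path).lower()
    for brand in KNOWN_BRANDS:
        if brand in decoy_text and host != brand and not host.endswith("." + brand):
            findings.append("decoy '%s' in a link to %s" % (brand, host))
    # Lookalike domain: one letter swap away from a known brand.
    registrable = ".".join(host.split(".")[-2:])
    for brand in KNOWN_BRANDS:
        if one_swap_away(registrable, brand):
            findings.append("%s is a letter swap of %s" % (registrable, brand))
    return {"host": host, "findings": findings}

if __name__ == "__main__":
    for link in (
        "http://www.BankOfAmerica.com:FraudPrevention@www.BaknOfAmerica.com/securelogin.php",
        "http://www.a.com/www.BankOfAmerica.com/FraudPrevention.html",
        "http://219.95.137.132/https:3DSecureCard.wamu.com/?enroll=EwNj5vsz87RT",
        "http://www.mysapce.com/login",  # constructed transposition case
    ):
        print(analyze(link))
```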
In the coming weeks I’ll explore this topic more fully and show you some examples of how the bad guys are using these tricks for phishing attacks and to install viruses and Trojan horse programs on your computer.
It isn’t very hard to learn just enough to protect yourself without having to understand all of the technicalities of URLs.
For questions on this or other security topics, feel free to contact me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
Get Rid of Auto-Infect
It is the longest standing un-patched Microsoft vulnerability and Microsoft calls it a “feature”. Microsoft calls it “autorun”, I call it “auto-infect”. The idea of autorun is to attempt to make it so that a person can use a computer with a minimum amount of knowledge. This emphasis away from education is part of the reason why cybercrime is so effective and so widespread. The way autorun works is that when you use removable media, such as a USB key, a CD, etc., Windows will automatically look for a file called “autorun.inf” and if it is there then Windows will do what the file says to do. The idea was that a user doesn’t have to know how to double click on setup.exe, they just put a CD or USB key in and the program runs itself. The problem is that the bad guys know that and often use autorun to install malicious software as soon as a USB drive is plugged in.
In 2008 more than 1 out of every 15 threats we detected were using autorun.inf to help infect users. In January, nearly 1 out of every 10 threats we detected at ESET used autorun. Microsoft does not provide a truly effective solution for disabling autorun and the partial solution they suggest is cumbersome. My friend, Michael Horowitz, who blogs at http://blogs.computerworld.com/horowitz, recently shared a real solution with me. You can read more about it on his blog from January 30th (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives). The fix works with XP and Vista.
Here’s where it gets a little bit techie. The fix involves creating a registry key. Michael provides a link to a program to do this on his blog, but I’ll tell you how to create the file here.
You need to use something like Notepad, or if you use Word, then you must save the file as a plain text file, not a document. The file extension must be .reg. Alternatively, you can create the registry key by hand if you are so inclined.
Here are the contents of the registry file. You can copy and paste everything between the dashed lines into your file. You might name it, noautorun.reg, but the name isn’t as important as the final extension.
Please note, the second line wraps, but it is really a single line.
--------------------------------------------------------------------------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
--------------------------------------------------------------------------------------
When you create and then run the registry file it creates a key called Autorun.inf under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping. The default value of the key (the “@=” line) is set to “@SYS:DoesNotExist”.
For extra security you can go to the new autorun.inf key and set some special permissions. I go into the special permissions, add “everyone” and then deny all access except to read and query the key. This should prevent malicious software from changing the value of the key in almost all cases.
The Microsoft solution is ineffective and breaks Windows Media Player. When you use Microsoft’s solution, each time you change a CD for Windows Media Player you have to close and re-open Windows Media Player for it to recognize the new disc. With the solution I am suggesting Windows Media Player still recognizes when you change a disc.
Giving credit where it is due, a guy named Emin Atac came up with this approach. There are few known side effects of this approach and none are as bad as the side effects of allowing auto-infect, er… autorun.
To undo the modification you can manually delete the key that was created, or use the same reg file, but place a minus sign in front of the second line… right before [HKEY….
General security questions and suggestions for topics for this column can be submitted to askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
The Cone of Silence
You have security software, but do you listen to it? One of the most overlooked aspects of security is auditing. Everything from Windows to your antivirus software logs a variety of activities. Sometimes the applications are screaming for attention, but almost as comically as the cone of silence in the old “Get Smart” TV show, nobody hears anything at all.
I was recently reminded of this when I visited the logs of my antivirus product. I discovered that somehow a setting had been changed and my virus samples arriving via email were being deleted. Fortunately this had only been happening for two days, but if I didn’t check my logs it could have gone undetected for a long time.
Oftentimes the logs will reveal situations that need attention. The event viewer in Windows can reveal a variety of problems that may be impacting system performance. The antivirus logs can reveal changes in settings, abnormal levels of detection, or that something is not working at all. Firewall logs can reveal potential intrusions, data leaving your site, and so on.
Testing is also important. By testing your security products and verifying the logs contain the expected information, you can ensure your security software is properly functioning. For antivirus software it can be very dangerous to test with viruses, but there is a safe way to test. Many years ago the EICAR test file was created so that users can verify their antivirus software is functioning. Some people call this the EICAR test virus, but the file is not a virus at all and has no harmful properties.
You can download the file in a variety of formats from http://www.eicar.org/anti_virus_test_file.htm. You can also create the file by pasting the following into a text file:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Use Notepad because RTF, Word, PDFs and other document types are not really plain text files; they contain other program information. The EICAR test file contents have to be the first thing in the file or it should not be detected.
Detection of the test file does not say anything at all about the quality of a product. It is possible to write a program that detects EICAR and nothing else. The test file is simply used to verify that your antivirus product is functioning at all. This file is a safe and simple way to make sure that something hasn’t disabled your protection. There are some more advanced types of tests that can be done with the file, such as determining what compression types your scanner supports, and how many layers of recursive compression are supported. You can email the file to yourself to see if your email scanner is working.
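As an added example (not EICAR’s or ESET’s code), the Python below builds the test file as exact bytes, checks the “first thing in the file” rule the column states, and wraps the file in as many zip layers as you ask for so you can see how many layers of recursive compression your scanner unpacks. The folder path and the file names are your choice; the script writes nothing outside the folder you pass in.

```python
"""Build EICAR test files to check that a scanner is alive and how many
archive layers it unpacks. Added example for this column, not EICAR's or
ESET's code; it writes only to the folder you pass to write_test_set."""
import io
import zipfile
from pathlib import Path

# The standard 68-character EICAR string, exactly as printed above.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def eicar_bytes() -> bytes:
    """The file body: plain ASCII, nothing in front of the string."""
    return EICAR.encode("ascii")

def is_valid_eicar_file(data: bytes) -> bool:
    """Apply the rule the column states: the string must be the first thing
    in the file. The EICAR spec also allows only trailing whitespace and
    caps the whole file at 128 bytes."""
    body = eicar_bytes()
    if len(data) > 128 or not data.startswith(body):
        return False
    return data[len(body):].strip(b" \t\r\n") == b""

def nested_zip(depth: int) -> bytes:
    """Wrap the EICAR file in `depth` zip layers (0 returns the bare file).
    Scanning eicar_1.zip, eicar_2.zip, ... shows how many layers of
    recursive compression your scanner looks into."""
    payload, name = eicar_bytes(), "eicar.com"
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), "eicar_%d.zip" % level
    return payload

def zip_depth(data: bytes) -> int:
    """Count zip layers around a valid EICAR file; -1 if the core is not one."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            data = zf.read(names[0]) if names else b""
        depth += 1
    return depth if is_valid_eicar_file(data) else -1

def write_test_set(folder: str, max_depth: int = 3) -> list:
    """Write eicar.com and max_depth nested zips into folder; return paths.
    Writing raw bytes avoids the BOM/RTF pitfalls of a word processor."""
    out = Path(folder)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for d in range(max_depth + 1):
        p = out / ("eicar.com" if d == 0 else "eicar_%d.zip" % d)
        p.write_bytes(nested_zip(d))
        paths.append(str(p))
    return paths
```

Your scanner’s log should then show a detection for each file up to its recursion limit, which is the entry you verify rather than trusting the on-screen alert.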
Once you see the results, be sure to check the log files to ensure that the desired action was taken. You might think you have your scanner set to quarantine infected files, but check your logs to verify that even after detection, the proper action is taken.
Deploying security software is only part of safe computing. You still need to listen to what it has to say and verify that it is working as expected.
General security questions and suggestions for topics for this column can be submitted to askeset@eset.com.
Randy Abrams
Director of Technical Education
ESET LLC
_________________________________________________________
Do You Want to Know a Secret?
New year, new administration…new password? Since I’ve long held that passwords need to be changed from time to time, perhaps a reminder is in order.
There are a few key ingredients to great passwords. One of the most important aspects is that passwords need to be changed from time to time. Even with an excellent password there is the possibility it could fall into the wrong hands. Changing your password from time to time limits the amount of exposure if your password is surreptitiously acquired.
Good passwords are also strong. There are some misconceptions about what makes a great password and even how to handle them. The length of the password is far more important than the amount of funny characters you put in it. You might think that X1@5#.rQz is a better password than “Listen, Do You Want to Know a Secret”, but the truth is, that line from the Beatles song will keep your secrets far more secure than X1@5#.rQz. Where the special characters are important is when you have a very limited length password. If all you have is 8 characters, or even 15, be sure to use numbers, upper and lower case letters, and special characters like the #$%^, and so on. Also, remember that the space character is valid for most passwords. Some web sites will not allow good passwords, so you need to change those ones more often. When you change a password, incrementing a number is not a good idea… it is too easy to guess.
Another important aspect of a good password is secrecy. If your secret is “I’m in love with you” and you tell the world, as the Beatles did, then the password is useless. Nobody should ever be asking you for your password. An interesting trick to get people to reveal their passwords is when a person calls, claims to be from helpdesk, and asks the user to change their password to one provided by “helpdesk”. If you change your password to one that someone told you to change it to, then you have revealed your secret.
It is also important that you do not use the same password for multiple things that are important. For example, your banking account and your computer log on should not share the same password. This is for damage control. Identity theft is much easier for the bad guys when one password buys them the keys to the kingdom.
For general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC
_________________________________________________________
Did Your Data Return From the Holidays?
I hope you all had a happy holiday season. Many of us travel for the holidays and take our work with us. A hotel business center can appear to be a convenient way to get a little work done while not having to lug around the laptop and accessories, but there are some hidden dangers to using business center computers.
There are a couple of significant risks associated with the use of business center computers. The amount of risk will vary depending upon how well the hotel or other business controls their computers. It is not uncommon for these computers to be fairly uncontrolled with outdated security software, or even fake security software on them.
One of the risks is that a criminal has installed malicious software that captures any usernames and passwords you might enter as you VPN into your company or log into your web-based email account. This type of attack is likely to go unnoticed, but occasionally it is reported.
A more common risk is associated with using Microsoft Office products on these computers. When you use Microsoft Word it stores a temporary copy of the document on the PC. Oftentimes this copy is not deleted when you finish. This means that if you are working on something confidential, the information is left behind for others to see. In one case I found a confidential document relating to US cyber-security at a hotel business center in New Zealand!
Hotels are starting to get better about security on their business center computers, but there are still many business center computers that allow anyone to install any software they wish. This practice makes it unsafe to even type in your password for a Yahoo, Windows Live, Gmail, or other web-based account. Do you use USB devices? Malicious software that copies itself to and from these devices is one of the most common threats today. Unsecured business center computers can easily copy such malicious software to the USB drive you plug into the computer to access the files you wish to work on.
Business center computers are really handy for checking in for your flight, looking up maps, and other tasks that do not involve the use of passwords or confidential information. For sensitive tasks, it is best to use your own laptop, or wait until you can use a secure device.
For general security questions, feel free to email me at askeset@eset.com
Randy Abrams
Director of Technical Education
ESET LLC